Detecting Multi-Step IAM Attacks in AWS Environments via Model Checking

Ilia Shevrin, Oded Margalit

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review


Cloud services enjoy a surging popularity among IT professionals, owing to their rapid provision of virtual infrastructure on demand. Hand-in-hand with the growing usage, there is also a growing concern about potential security vulnerabilities arising from misconfigurations, exposing resources or allowing malicious actors to escalate privileges. Model checking is a known method for verifying that a finite-state Boolean model of a system satisfies certain properties, where the model and the properties are described in formal logic. In case it doesn't, a finite trace leading to a violating state can be generated. In this paper, we present an approach to construct a finitestate Boolean model from the Identity and Access Management (IAM) component of Amazon Web Services (AWS), and a property from an attack target, e.g., read a classified S3 bucket object. We run a model checker that detects whether some initial setup allows an attacker to escalate privileges and reach the target in one or more steps by applying IAM manipulating actions. We show that our approach can discover existing misconfigurations in real AWS environments, and that it can detect multi-step attacks in setups containing tens of AWS accounts with hundreds of resources in under a minute.

Original languageEnglish
Title of host publication32nd USENIX Security Symposium, USENIX Security 2023
PublisherUSENIX Association
Number of pages18
ISBN (Electronic)9781713879497
StatePublished - 1 Jan 2023
Event32nd USENIX Security Symposium, USENIX Security 2023 - Anaheim, United States
Duration: 9 Aug 202311 Aug 2023

Publication series

Name32nd USENIX Security Symposium, USENIX Security 2023


Conference32nd USENIX Security Symposium, USENIX Security 2023
Country/TerritoryUnited States

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality


Dive into the research topics of 'Detecting Multi-Step IAM Attacks in AWS Environments via Model Checking'. Together they form a unique fingerprint.

Cite this