SkyEye: When Your Vision Reaches Beyond IAM Boundary Scope in AWS Cloud

📅 2025-07-01
🏛️ arXiv.org
📈 Citations: 0
Influential: 0
📄 PDF

career value

205K/year
🤖 AI Summary
In AWS cloud environments, IAM permission boundaries enforce isolation across principals, rendering global permissions invisible and hindering comprehensive privilege analysis. Method: This paper introduces the first collaborative, multi-principal IAM enumeration framework, overcoming the limitations of single-principal analysis. It integrates multi-principal cooperative enumeration, policy dependency modeling, and access-path inference with deep API call analysis and fine-grained permission semantics to construct cross-account and cross-role global permission mappings with contextual awareness. Contribution/Results: Compared to conventional tools, our approach significantly enhances detection capability for privilege escalation and unauthorized access vulnerabilities. Evaluated in real-world deployments, it achieves a 3.2× average improvement in detection coverage. The framework natively supports compliance auditing (e.g., GDPR, SOC 2) and enables proactive security defense through precise, actionable privilege insights.

Technology Category

Application Category

📝 Abstract
In recent years, cloud security has emerged as a primary concern for enterprises due to the increasing trend of migrating internal infrastructure and applications to cloud environments. This shift is driven by the desire to reduce the high costs and maintenance fees associated with traditional on-premise infrastructure. By leveraging cloud capacities such as high availability and scalability, companies can achieve greater operational efficiency and flexibility. However, this migration also introduces new security challenges. Ensuring the protection of sensitive data, maintaining compliance with regulatory requirements, and mitigating the risks of cyber threats are critical issues that must be addressed. Identity and Access Management (IAM) constitutes the critical security backbone of most cloud deployments, particularly within AWS environments. As organizations adopt AWS to scale applications and store data, the need for a thorough, methodical, and precise enumeration of IAM configurations grows exponentially. Enumeration refers to the systematic mapping and interrogation of identities, permissions, and resource authorizations with the objective of gaining situational awareness. By understanding the interplay between users, groups, and their myriads of policies, whether inline or attached managed policies, security professionals need to enumerate and identify misconfigurations, reduce the risk of unauthorized privilege escalation, and maintain robust compliance postures. This paper will present SkyEye, a cooperative multi-principal IAM enumeration framework, which comprises cutting-edge enumeration models in supporting complete situational awareness regarding the IAMs of provided AWS credentials, crossing the boundary of principal-specific IAM entitlement vision to reveal the complete visionary while insufficient authorization is the main challenge.
Problem

Research questions and friction points this paper is trying to address.

Addressing security challenges in AWS cloud migration and IAM configurations
Systematically enumerating IAM identities, permissions, and resource authorizations
Identifying misconfigurations to prevent unauthorized privilege escalation risks
Innovation

Methods, ideas, or system contributions that make the work stand out.

Multi-principal cooperative IAM enumeration framework
Crosses principal-specific IAM entitlement boundaries
Provides complete situational awareness for AWS credentials
🔎 Similar Papers
No similar papers found.
💼 Related Jobs
No related jobs found.
M
Minh Hoang Nguyen
Université Libre de Bruxelles (ULB)
A
Anh Minh Ho
Technische Universität Darmstadt (TU Darmstadt)
B
Bao Son To
KrisShop, Singapore Airlines