An AWS attack graph tool inspired by BloodHound. Enumerate AWS resources, analyze IAM policies for privilege escalation paths, map trust relationships, and visualize the attack surface through an interactive graph dashboard.
Built for offensive security and assumed breach scenarios — you have access to an AWS account or a set of AWS keys, and you need to understand what you can reach, what you can escalate to, and where the high-value targets are.
This project is in continuous development. Features, parsers, and dashboard capabilities are actively being added.
- IAM — Users (access keys, MFA, console access), roles (trust policies), groups, managed policies (full document content), inline policies, permission boundaries, account password policy
- S3 — Buckets, policies, ACLs, public access blocks, versioning, encryption, tagging, logging, CORS, event notifications
- EC2 — Instances with metadata, instance profiles, security groups, network interfaces, IMDS configuration
- VPC — VPCs, subnets, route tables, internet gateways, NAT gateways, NACLs, VPC endpoints, peering connections
- Security Groups — Rules with associated ENI/instance resources
- EKS / Kubernetes — Clusters, node groups, Fargate profiles, addons + per-cluster K8s API enumeration (namespaces, pods, service accounts, RBAC roles & bindings, secret names, services, ingresses)
- CloudTrail, CloudFront, WAF, Flow Logs
- 20 privilege escalation detection rules — CreatePolicyVersion, PassRole+Lambda, PassRole+EC2, PassRole+CloudFormation, AttachUserPolicy, CreateAccessKey, UpdateAssumeRolePolicy, and more
- 10 dangerous permission rules — Wildcard admin, `iam:*`, `s3:*`, unrestricted PassRole, `kms:Decrypt` on `*`, etc.
- Trust policy analysis — Cross-account trust, wildcard principals, service trust
- S3 resource relationships — IAM-to-bucket access (CAN_READ, CAN_WRITE, CAN_ADMIN, FULL_ACCESS), bucket policy grants, public access detection, KMS encryption links, event notification targets
- EC2 compute relationships — Instance-to-role mapping, who can manage/terminate/connect to instances, security group exposure, IMDS vulnerability detection, SG-to-SG references
- Kubernetes relationships — IRSA bridge (ServiceAccount → IAM role via the `eks.amazonaws.com/role-arn` annotation), pod-to-SA, RBAC bindings, mounted secrets, service/ingress exposure, privileged container findings, cluster-admin detection
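The dangerous-permission and trust-policy rule families listed above, as an added illustration that is not the project's own `policy_parser.py`: a small Python checker that flags those configuration risks in IAM policy documents. The rule names, the pattern-covering check, the account ids and the sample policies are constructed for this example; `Condition` blocks are not evaluated, so a hit still needs a manual look.

```python
"""Added example, not the project's policy_parser.py: flags the README's
dangerous-permission rule families (wildcard admin, iam:*, s3:*, unrestricted
PassRole, kms:Decrypt on *) and trust-policy conditions (wildcard principal,
cross-account trust, service trust). Rule names and sample documents are constructed."""
import fnmatch
import json

def _as_list(value):
    """IAM JSON allows a single string or a list in Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _covers(pattern, action):
    """True if an Action pattern such as 'iam:*' or '*' grants `action` (case-insensitive)."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _touches(resources, service):
    """True if Resource is '*' or names any ARN in the given service."""
    for res in resources:
        if res == "*":
            return True
        parts = res.split(":")
        if parts[0] == "arn" and len(parts) > 2 and parts[2] == service:
            return True
    return False

# (finding name, action the rule looks for, required resource scope): scope "*"
# means the statement must include Resource "*"; a service name means any ARN in it.
DANGEROUS_RULES = [
    ("wildcard_admin", "*", "*"),
    ("iam_wildcard", "iam:*", "iam"),
    ("s3_wildcard", "s3:*", "s3"),
    ("unrestricted_passrole", "iam:PassRole", "*"),
    ("kms_decrypt_on_star", "kms:Decrypt", "*"),
]

def find_dangerous_permissions(policy):
    """Sorted rule names triggered by the Allow statements of an identity policy."""
    findings = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "NotAction" in stmt:
            continue  # Deny never grants; NotAction needs inverse handling
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for name, needle, scope in DANGEROUS_RULES:
            in_scope = "*" in resources if scope == "*" else _touches(resources, scope)
            if in_scope and any(_covers(a, needle) for a in actions):
                findings.add(name)  # Condition blocks are ignored here: review by hand
    return sorted(findings)

def _account_of(aws_principal):
    """Account id from 'arn:aws:iam::123456789012:root' or a bare 12-digit id."""
    if aws_principal.startswith("arn:"):
        return aws_principal.split(":")[4]
    return aws_principal if aws_principal.isdigit() else None

def analyze_trust_policy(trust_policy, own_account_id):
    """Classify who may assume a role from its trust (assume-role) policy."""
    findings = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            principal = {"AWS": "*"}  # bare "*" is the same as an AWS wildcard
        if not isinstance(principal, dict):
            continue
        for p in _as_list(principal.get("AWS")):
            if p == "*":
                findings.add("wildcard_principal")
            elif _account_of(p) not in (None, own_account_id):
                findings.add("cross_account_trust")
        if principal.get("Service"):
            findings.add("service_trust")
    return sorted(findings)

# Constructed sample documents; account ids are placeholders.
OWN_ACCOUNT = "111111111111"
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:GetObject"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Effect": "Allow", "Action": "kms:Decrypt",
     "Resource": "arn:aws:kms:eu-west-2:111111111111:key/constructed-key-id"},
]}
ROLE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"}, "Action": "sts:AssumeRole"},
]}

if __name__ == "__main__":
    print(json.dumps({
        "developer": find_dangerous_permissions(DEVELOPER_POLICY),
        "trust": analyze_trust_policy(ROLE_TRUST_POLICY, OWN_ACCOUNT),
    }, indent=2))
```

The developer policy trips only `unrestricted_passrole`: the `kms:Decrypt` grant is scoped to one key, and `s3:GetObject` does not cover `s3:*`. The trust policy yields `cross_account_trust` and `service_trust`, which is the split the dashboard's trust edges need.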
- Interactive attack graph powered by Cytoscape.js with Dijkstra shortest path
- Node types — Users, roles, groups, policies, EC2, S3, security groups, KMS keys, Lambda, SQS, SNS, EKS clusters, pods, service accounts, K8s roles, K8s secrets, services, ingresses
- Weighted edges for attack path cost modeling (direct access = 0, PassRole chains = 2, SSRF = 3, cross-account = 4)
- Focus mode — Click a node to isolate it and its relationships
- Owned/compromised marking — Flag nodes you control and find paths from them
- "Discover All Paths" — Auto-find every shortest path from every entity to every high-value target
- Attack path playback — Auto-play through discovered paths with adjustable speed
- Resizable panels, search, layout switching, node/edge filters
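The weighted path model and the "Discover All Paths" feature described above, as an added example that is not the dashboard's own Cytoscape.js code: a Python Dijkstra over a small constructed graph using the README's edge costs (direct access 0, PassRole 2, SSRF 3, cross-account 4), then the cheapest route from any owned node to each high-value target. The node names, the edge-type vocabulary and the graph itself are assumptions made for this example.

```python
"""Added example, not the dashboard's code: the README's weighted attack-path
model as a Dijkstra search over a constructed graph, plus the "discover all
paths" idea of taking the cheapest route from any owned node to each target."""
import heapq

# Edge types and costs: the README's stated weights, 0 for every direct-access edge.
EDGE_COST = {
    "MEMBER_OF": 0,
    "HAS_POLICY": 0,
    "CAN_ASSUME": 0,
    "CAN_CONNECT": 0,
    "PASSROLE": 2,
    "SSRF": 3,
    "CROSS_ACCOUNT": 4,
}

# Constructed graph: {node: [(neighbour, edge_type), ...]}
SAMPLE_GRAPH = {
    "user:dev": [("group:developers", "MEMBER_OF"), ("role:web-instance", "CAN_ASSUME")],
    "group:developers": [("role:lambda-exec", "PASSROLE")],
    "role:lambda-exec": [("policy:AdministratorAccess", "HAS_POLICY")],
    "user:intern": [("ec2:web", "CAN_CONNECT")],
    "ec2:web": [("role:web-instance", "SSRF")],  # IMDSv1 instance exposes its role
    "role:web-instance": [("role:partner-admin", "CROSS_ACCOUNT")],
}
HIGH_VALUE = ["policy:AdministratorAccess", "role:partner-admin"]

def dijkstra(graph, source):
    """Single-source shortest paths. prev[n] is (previous_node, edge_type).
    Zero-cost edges are fine because no weight is negative."""
    dist, prev, heap = {source: 0}, {}, [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale queue entry
        for nxt, etype in graph.get(node, []):
            nd = d + EDGE_COST[etype]
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = (node, etype)
                heapq.heappush(heap, (nd, nxt))
    return dist, prev

def shortest_path(graph, source, target):
    """(cost, [nodes], [edge types]) for the cheapest path, or None if unreachable."""
    dist, prev = dijkstra(graph, source)
    if target not in dist:
        return None
    nodes, edges, cur = [target], [], target
    while cur != source:
        cur, etype = prev[cur]
        nodes.append(cur)
        edges.append(etype)
    nodes.reverse()
    edges.reverse()
    return dist[target], nodes, edges

def discover_all_paths(graph, owned, targets):
    """For each target, the cheapest path starting from any owned node."""
    best = {}
    for src in owned:
        for tgt in targets:
            found = shortest_path(graph, src, tgt)
            if found and (tgt not in best or found[0] < best[tgt][0]):
                best[tgt] = found
    return best

def describe(nodes, edges):
    """Render a path as 'A -[EDGE]-> B' hops for a report or console."""
    return "\n".join(f"{a} -[{e}]-> {b}" for a, e, b in zip(nodes, edges, nodes[1:]))

if __name__ == "__main__":
    found = discover_all_paths(SAMPLE_GRAPH, ["user:dev", "user:intern"], HIGH_VALUE)
    for tgt, (cost, nodes, edges) in found.items():
        print(f"{tgt} (cost {cost}):\n{describe(nodes, edges)}\n")
```

With two owned nodes, the intern can only reach the partner role through the SSRF hop at cost 7, while the developer reaches it at cost 4 through a directly assumable role, so the cheapest path per target is the developer's in both cases. That is the choke-point effect the reminder at the end of this README points at: the role both paths pass through is the node worth inspecting first.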
- Load reports via `.zip` file (drag & drop or file picker)
- `--all` flag enumerates all enabled regions (auto-discovered via `ec2:DescribeRegions`)
- Global services (IAM, S3, CloudFront) enumerated once; regional services per-region
- `--zip` flag packages reports for easy transport
```bash
pipx install git+https://github.com/0xj4f/aws-enumerator.git
```

Or install locally for development:

```bash
git clone https://github.com/0xj4f/aws-enumerator.git
cd aws-enumerator
pip install -e .
```

Then run:

```bash
aws-enumerator --region eu-west-2
aws-enumerator --all --zip
```

Run in Docker, either with environment variables or with a mounted credentials file:

```bash
# With environment variables
docker run --rm \
  -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
  -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
  -e AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN \
  -v $(pwd)/reports:/app/reports \
  0xj4f/aws-enumerator:latest --region eu-west-2

# With AWS credentials file
docker run --rm \
  -v ~/.aws:/root/.aws \
  -v $(pwd)/reports:/app/reports \
  0xj4f/aws-enumerator:latest --region eu-west-2 --zip
```

Or run directly from source without installing:

```bash
git clone https://github.com/0xj4f/aws-enumerator.git
cd aws-enumerator
pip install boto3
python app/main.py --region eu-west-2
```

Usage:

```
aws-enumerator [--region REGION] [--all] [--zip]
```
| Flag | Description |
|---|---|
| `--region` | AWS region to enumerate (default: eu-west-2) |
| `--all` | Enumerate all enabled regions |
| `--zip` | Create a zip archive of the report |
After enumeration, open the dashboard and load your report:
```bash
open dashboard/index.html
```

Drop the `.zip` file onto the dashboard or click "Load Report".
- Visualize the hierarchy — see how roles, policies, instances, and buckets connect across the account.
- Identify high-connectivity nodes — find roles and entry points with the most relationships and exposure.
- Discover attack paths — Dijkstra shortest path from any compromised node to high-value targets.
Report layout for a single region:

```
reports/{date}/{account}/{region}/
  iam/          # Users, roles, groups, policies, inline policies, policy documents
  s3/           # Buckets, policies, ACLs, encryption, notifications
  ec2/          # Instances
  vpc/          # VPCs, subnets, route tables, gateways
  sg/           # Security groups
  eks/          # Clusters, node groups, Fargate profiles, addons
  k8s/          # Per-cluster K8s API data (pods, SAs, RBAC, secrets, services, ingresses)
  cloudtrail/   # Trails
  cloudfront/   # Distributions
  waf/          # WebACLs, rule groups, IP sets
  flowlogs/     # VPC flow logs
  analysis/     # findings.json, permission_map.json, trust_relationships.json,
                # s3_relationships.json, ec2_relationships.json,
                # k8s_relationships.json, summary.json
  manifest.json
```

With `--all`, global services are written once and each region gets its own directory:

```
reports/{date}/{account}/
  global/       # IAM, S3, CloudFront, analysis
  us-east-1/    # Regional services
  eu-west-2/    # Regional services
  ...
  manifest.json
```
This tool requires valid AWS credentials. Use any standard method:
```bash
# Assume a role
aws sts assume-role \
  --role-arn arn:aws:iam::ACCOUNT:role/ROLE_NAME \
  --role-session-name enum-session

# Export credentials
eval "$(aws configure export-credentials --format env)"

# Or use SSO
eval "$(aws-sso eval -S profile-name --profile profile-name)"
```

Project layout:

```
aws-enumerator/
  app/
    main.py              # CLI entry point
    components/
      iam.py             # IAM enumeration (enriched)
      s3.py              # S3 enumeration
      ec2.py             # EC2 enumeration
      vpc.py             # VPC enumeration
      sg.py              # Security groups
      eks.py             # EKS clusters, node groups, Fargate, addons
      k8s.py             # Per-cluster Kubernetes API enumeration
      cloudtrail.py      # CloudTrail
      cloudfront.py      # CloudFront
      waf.py             # WAF
      flowlogs.py        # Flow logs
      policy_parser.py   # Policy analysis & relationship engine
    utils/
      aws_utils.py       # Boto3 session helpers
      eks_auth.py        # STS-based K8s API token generator
    regions.json         # AWS regions reference
  dashboard/
    index.html           # Attack graph dashboard (single file)
  docs/
    attack_paths.md      # Attack scenarios & path field guide
  Dockerfile
  pyproject.toml
  requirements.txt
  LICENSE
```
- `docs/attack_paths.md` — Field guide for attack scenarios. Maps starting positions (compromised EC2, pod, leaked keys, etc.) to possible escalation paths, with edge-type translation and dashboard usage tips.
Reminder: The graph and findings show configuration risk and possibility. They are not a substitute for manual validation. Always start by inspecting the highest-connectivity nodes — they tend to sit at choke points where attack paths converge.