IAM

Role trust chain analysis, privilege escalation path detection, access key hygiene, and CloudTrail/Azure Activity Log event queries.

What it covers

Skill	What it detects	Output
IAM role trust chain analysis	Cross-account assume-role paths, overly permissive trust policies	Finding
Privilege escalation detection	IAM paths that allow a lower-privileged user to gain admin	Finding
Access key audit	Keys older than 90 days, unused keys, root access keys	Finding
MFA compliance	Users without MFA enabled, console users lacking MFA	Finding
IAM security audit	Comprehensive sweep: policies, roles, groups, inline policies	Report
CloudTrail event query	Who performed an action, when, from where	Audit event report
Azure Activity Log query	Azure equivalent — who-did-what-when for any subscription	Audit event report

Example prompts

Are there any IAM users without MFA enabled?

Which IAM roles can be assumed from outside my organisation?

Show me all access keys that haven't been used in 90 days

Who deleted the S3 bucket prod-backups last Tuesday?

Can any user in account 123456789012 escalate to admin?

What actions did user arn:aws:iam::123456789012:user/alice perform yesterday?

Privilege escalation detection

Escher detects escalation paths by traversing the IAM graph — starting from a principal and finding any combination of permissions that could result in gaining more privileges:

Example escalation path detected:
  User: developer-01
  Has: iam:AttachUserPolicy (on own user)
  Can attach: AdministratorAccess policy to self
  Result: Full admin access
  Severity: CRITICAL

Common escalation patterns detected:

iam:CreateAccessKey on other users
iam:AttachUserPolicy / iam:PutUserPolicy
iam:PassRole + ec2:RunInstances (launch with admin role)
lambda:CreateFunction + iam:PassRole
sts:AssumeRole to roles with broader permissions

CloudTrail event queries

The IAM agent can query CloudTrail for historical events:

Who made changes to security group sg-0abc123 in the last 7 days?

CloudTrail query: sg-0abc123, last 7 days
─────────────────────────────────────────
2026-05-03 14:22 UTC  alice@company.com
  AuthorizeSecurityGroupIngress
  Port 22, CIDR 0.0.0.0/0 ADDED
  Source IP: 203.0.113.42

2026-05-04 09:15 UTC  automated-deploy-role
  RevokeSecurityGroupIngress
  Port 22, CIDR 10.0.0.0/8 REMOVED

Required permissions

AWS

json

"iam:GenerateCredentialReport",
"iam:GetCredentialReport",
"iam:ListUsers",
"iam:ListRoles",
"iam:ListPolicies",
"iam:GetUser",
"iam:GetRole",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:ListAttachedUserPolicies",
"iam:ListAttachedRolePolicies",
"iam:ListUserPolicies",
"iam:ListRolePolicies",
"iam:GetUserPolicy",
"iam:GetRolePolicy",
"iam:ListAccessKeys",
"iam:GetAccessKeyLastUsed",
"cloudtrail:LookupEvents",
"cloudtrail:DescribeTrails"

Next steps

Compliance Ops — IAM findings feed SOC 2 CC6 controls
SecOps — Network exposure analysis
AWS Connection — Full IAM policy for Escher

IAM ​

What it covers ​

Example prompts ​

Privilege escalation detection ​

CloudTrail event queries ​

Required permissions ​

AWS ​

Next steps ​