AWS Attack Path Scanner
The Bifröst Guardian for Your Cloud Security
Quick Start • Examples • Features • Installation • Commands • Roadmap
Heimdall is an AWS security scanner that discovers privilege escalation paths attackers could exploit to gain admin access.
By the numbers:
- 🎯 50+ IAM privilege escalation patterns detected
- 🔗 85+ attack chain patterns with MITRE ATT&CK mapping
- 🌐 10 AWS services analyzed for cross-service escalation
- ✅ Low false-positive rate - tested on production accounts with 50+ roles
- ⚡ One command to assess your entire security posture
In Norse mythology, Heimdall stands at Bifröst and sees all paths between realms.
In AWS, Heimdall watches your environment and reveals all paths to compromise.
| Feature | Description |
|---|---|
| 🔗 Attack Chain Analysis | Multi-step privilege escalation paths with MITRE ATT&CK mapping |
| 🌐 Cross-Service Scanner | Analyze 10 AWS services (EC2, RDS, S3, Lambda, KMS, Secrets Manager, STS, SNS, SQS, DynamoDB) |
| 🏗️ Terraform Engine ⭐ | Detect IAM attack paths in Terraform plans before deployment |
| 🎨 Interactive TUI | Cosy Nordic-themed terminal interface |
| 📊 One-Command Dashboard | heimdall dashboard - instant security overview |
| 🎯 50+ Privesc Patterns | Comprehensive IAM privilege escalation coverage |
| 📤 CI/CD Ready | SARIF export for GitHub Security, CSV for spreadsheets |
| 🔒 Baseline System | Ignore known/accepted risks with .heimdall-ignore |
🔒 Limited Access - Web UI is currently in private preview.
Interested in a demo? Contact: [email protected]
🖼️ Click to see Web UI Screenshots
Attack Simulator - Interactive privilege escalation visualization
Live Graph - Real-time security posture with auto-refresh
Trust Graph - IAM trust relationship explorer
# 1. Install
pip install -e .
# 2. One-command security overview
heimdall dashboard
# 3. Deep privilege escalation analysis
heimdall iam detect-privesc --profile prodThat's it! You'll see a complete security posture in seconds.
$ heimdall iam scan --profile prod --summary
✓ Scanned 52 IAM roles
✓ Scanned 40 IAM users
✓ Found 55 assume-role relationships
✓ Identified 0 privilege escalation paths
Summary:
Roles: 52
Users: 40
Service principals: 29
Federated principals: 1
Human→Role paths: 1
Risky paths: 0 (Critical: 0, High: 0)
✅ Good security posture detected:
- Admin access via SSO only (federated)
- Minimal user→role permissions
- Service roles properly isolated$ heimdall iam detect-privesc --profile prod
🔐 Heimdall Privilege Escalation Detector
✓ Scanned 52 IAM roles
✓ Scanned 40 IAM users
✓ Detected 14 privilege escalation opportunities
⚠️ Privilege Escalation Opportunities:
CRITICAL (8):
• user/admin-user
Method: passrole_lambda
Create Lambda with privileged role, execute code with elevated permissions
• user/admin-user
Method: attach_user_policy
Attach AdministratorAccess policy to self or other user
HIGH (6):
• user/admin-user
Method: create_policy_version
Modify existing policy to grant admin access$ heimdall iam detect-privesc --include-indirect --max-depth 2
🔗 Indirect Privilege Escalation Paths (Multi-Hop):
CRITICAL:
• user/junior → DevRole → ProdRole
Path length: 2 hops
Target: attach_user_policy (CRITICAL)
• user/contractor → IntegrationRole → DeployerRole → AdminRole
Path length: 3 hops
Target: put_user_policy (CRITICAL)
What's detected:
✓ Devs who can assume roles leading to admin
✓ Contractors with indirect paths through role chains
✓ Hidden escalation paths not obvious from direct permissionsOne command to see everything: IAM stats, privilege escalation risks, and recommendations.
heimdall dashboard --quickNavigate findings, explore attack chains, and drill down into details with keyboard shortcuts.
heimdall iam tuiMulti-step privilege escalation paths with risk scores and quick fix suggestions.
heimdall iam attack-chain --format tree --top 5 --stepsDetect privilege escalation across 10 AWS services (S3, Lambda, EC2, KMS, and more).
heimdall iam cross-service --compact- 50+ Privilege Escalation Patterns - Most comprehensive coverage
- Trust Graph Analysis - Map all AssumeRole relationships
- Multi-Hop Detection - Find indirect escalation paths (A→B→C→Admin)
- 85+ Attack Patterns with MITRE ATT&CK mapping
- Blast Radius Scoring (0-100) - Impact assessment
- Step-by-Step Narratives - How attacks unfold
- 3 Output Formats - Table, JSON, Tree
Analyze privilege escalation across 10 AWS services:
| Service | Checks |
|---|---|
| 🖥️ EC2 | Instance profiles, IMDSv1, public IPs |
| 🛢️ RDS | Public instances, snapshot sharing |
| 🪣 S3 | Public buckets, cross-account, sensitive data |
| ⚡ Lambda | Execution roles, env vars, code injection |
| 🔐 KMS | Key policies, grants, cross-account |
| 🔑 Secrets | Resource policies, rotation status |
| 🔀 STS | Trust policies, cross-account assumptions |
| 📢 SNS | Topic policies, public access |
| 📬 SQS | Queue policies, encryption |
| 🗄️ DynamoDB | Encryption, sensitive tables |
Shift-left security - Detect IAM privilege escalation in Terraform plans before deployment.
# Generate plan JSON
terraform plan -out=plan.tfplan
terraform show -json plan.tfplan > plan.json
# Scan for attack paths
heimdall terraform scan plan.json
heimdall terraform scan plan.json --fail-on critical # CI/CD gateWhat makes it different from tfsec/checkov/trivy?
| Tool | Approach | Focus |
|---|---|---|
| tfsec, checkov, trivy | Static config checks | "Is this bucket encrypted?" |
| Heimdall | Attack path analysis | "Does this IAM change create an escalation path to admin?" |
Key capabilities:
- 45+ IAM attack patterns - PassRole chains, trust policy hijacks, credential creation
- Before/After comparison - Shows security posture change, not just violations
- Multi-hop chain detection - Developer → Lambda Role → Admin
- Cross-service triggers - S3 → Lambda, SNS → Lambda, API Gateway → Lambda
- Risk delta scoring - Quantifies security impact of changes
Example output:
╔═══════════════════════════╤══════════════╤══════════════╤═════════════════╗
║ Metric │ Before │ After │ Change ║
╟───────────────────────────┼──────────────┼──────────────┼─────────────────╢
║ ⚔️ Attack Paths │ 2 │ 7 │ +5 ║
║ 🎯 Risk Score │ 10 │ 60 │ +50 ║
╚═══════════════════════════╧══════════════╧══════════════╧═════════════════╝
⛔ BLOCKING ISSUES:
• CHAIN: 'dev-role' → PassRole → admin role 'prod-admin'
• CRITICAL: Role 'deploy-role' can create credentials (iam:CreateAccessKey)
- Nordic-themed beautiful terminal interface
- Real-time finding exploration
- Keyboard navigation - vim-style bindings
- Live scan progress with logs
- One-command security overview
- Risk scoring (0-100)
- Severity breakdown with visual bars
- Actionable recommendations
- SARIF - GitHub Security Code Scanning
- CSV - Excel/Sheets analysis
- JSON - CI/CD pipelines
- Baseline - Ignore known/accepted risks
- Python 3.9+
- AWS credentials configured (
~/.aws/credentialsor environment)
git clone https://github.com/DenizParlak/heimdall.git
cd heimdall
pip install -e .heimdall doctor
heimdall --versionheimdall dashboard # 🎯 One-command security overview
heimdall dashboard --quick # Skip cross-service (faster)heimdall iam scan # Scan IAM, build trust graph
heimdall iam detect-privesc # Find privilege escalation
heimdall iam detect-privesc --explain # AI-powered explanationsheimdall iam attack-chain # Multi-step attack paths
heimdall iam attack-chain --top 10 # Top 10 chains
heimdall iam cross-service # Cross-service escalation
heimdall iam cross-service --compact # Summary onlyheimdall iam tui # Interactive terminal UI
heimdall iam tui --graph scan.json # Load existing scan# Scan Terraform plan for attack paths
heimdall terraform scan plan.json # Full analysis
heimdall terraform scan plan.json --quick # Skip AWS state fetch
heimdall terraform scan plan.json --json # JSON output
heimdall terraform scan plan.json --fail-on critical # CI/CD gate
# Detailed report
heimdall terraform report plan.json --format markdown# SARIF for GitHub Security
heimdall iam detect-privesc --format sarif -o findings.sarif
# CSV for spreadsheets
heimdall iam detect-privesc --format csv -o findings.csv
# With baseline (ignore known risks)
heimdall iam detect-privesc --baseline .heimdall-ignore
heimdall iam detect-privesc --init-baseline # Create sample fileheimdall quickstart # Interactive setup guide
heimdall doctor # Health check
heimdall aws profiles # List AWS profiles
heimdall completion zsh # Shell completionMinimum permissions for Heimdall to scan your account:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:List*",
"iam:Get*",
"sts:GetCallerIdentity"
],
"Resource": "*"
}
]
}For cross-service scanning, add:
{
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketPolicy",
"lambda:ListFunctions",
"lambda:GetFunction",
"ec2:DescribeInstances",
"kms:ListKeys",
"secretsmanager:ListSecrets"
],
"Resource": "*"
}- 50+ IAM privilege escalation patterns
- Attack chain analysis with MITRE mapping
- Cross-service scanner (10 services)
- Interactive TUI
- One-command dashboard
- SARIF/CSV export
- Baseline/ignore system
- Terraform Attack Path Engine ⭐ NEW
- Slack/Teams alerts
- Multi-account organization scanning
- Compliance framework mapping (CIS, PCI-DSS)
- Auto-remediation suggestions
Contributions welcome! Please read CONTRIBUTING.md first.
# Run tests
pytest
# Run linting
ruff check heimdall/MIT License - see LICENSE for details.
Built with:
- Python - 3.9+
- boto3 - AWS SDK for Python
- Click - CLI framework
- Rich - Terminal formatting
- Textual - TUI framework
Guard your cloud like Heimdall guards Bifröst
Made with ❤️ for the AWS security community