PathShield - AWS Cloud Privilege Escalation Attack Path Scanner
```text
PathShield/
├── pathshield/                  # Main Python package
│   ├── __init__.py              # Package initialization
│   ├── main.py                  # CLI entry point (Click-based)
│   ├── config.py                # Configuration management (Pydantic)
│   ├── logger.py                # Logging setup (Rich)
│   ├── exceptions.py            # Custom exceptions hierarchy
│   ├── aws/
│   │   ├── __init__.py          # AWS module exports
│   │   └── session.py           # AWS session + rate limiting
│   ├── iam/
│   │   ├── __init__.py          # IAM module exports
│   │   └── analyzer.py          # IAM graph + escalation detection
│   ├── services/
│   │   ├── __init__.py          # Services module exports
│   │   ├── base.py              # Base plugin interface
│   │   └── ec2.py               # EC2 escalation plugin
│   ├── output/
│   │   ├── __init__.py          # Output module exports
│   │   └── base.py              # Output formatters (CLI, JSON, SARIF, HTML)
│   └── cicd/
│       ├── __init__.py          # CI/CD module exports
│       └── integration.py       # Terraform, CloudFormation, GitHub Actions
├── tests/
│   ├── __init__.py
│   └── test_pathshield.py       # Unit tests (pytest)
├── config.yaml                  # Configuration file
├── pyproject.toml               # Project metadata & dependencies
├── requirements.txt             # Core dependencies
├── README.md                    # Comprehensive documentation
└── .gitignore                   # Git ignore rules
```
- `PathShieldException` - Base exception class
- `AWSException` - AWS API related exceptions
- `ThrottlingException` - AWS API throttling with retry
- `AuthenticationException` - AWS authentication failures
- `AuthorizationException` - AWS authorization denials
- `ConfigurationException` - Configuration errors
- `AnalysisException` - Analysis/scanning errors
- AWS configuration (profile, region, role ARN, MFA)
- Logging configuration (level, format, file)
- Output configuration (format, verbose)
- Analysis configuration (services, depth, metadata)
- Environment variable overrides
- Configuration file loading
- Boto3 session handling with profile support
- Role assumption support
- Automatic credential refresh
- Rate limiting with exponential backoff
- Error handling for API calls
- Graph-based IAM relationship mapping
- Trust relationship analysis
- Permission boundary evaluation
- Privilege escalation path detection
- BFS-based path finding algorithm
- Severity calculation
- Base plugin interface (`BaseServicePlugin`)
- EC2 service plugin for:
  - Instance profile privilege escalation
  - PassRole detection
- Extensible architecture for new services
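As an added illustration of the analyzer's graph-plus-BFS approach and the EC2 plugin's PassRole/instance-profile check (example code written here, not PathShield's own): a minimal detector over a constructed principal inventory. It uses a plain adjacency dict instead of networkx so it runs stand-alone; the principal names, action sets, trust entries and edge labels are all made up for the example.

```python
from collections import deque

# Constructed sample inventory (not real account data): each principal's allowed
# actions and each role's trust policy (which principals/services may assume it).
PERMISSIONS = {
    "user:dev": {"sts:AssumeRole", "iam:PassRole", "ec2:RunInstances"},
    "role:ci-deploy": {"sts:AssumeRole"},
    "role:readonly": {"s3:GetObject"},
    "role:ec2-admin": {"*"},  # admin-capable: the target the scanner looks for
}
TRUSTS = {
    "role:ci-deploy": {"user:dev"},
    "role:readonly": {"role:ci-deploy"},
    "role:ec2-admin": {"service:ec2.amazonaws.com"},  # instance-profile role
}
EC2_SERVICE = "service:ec2.amazonaws.com"


def build_graph(perms, trusts):
    """Directed graph: principal -> [(reachable role, escalation edge label)]."""
    graph = {p: [] for p in perms}
    for role, trusted in trusts.items():
        # Edge 1: principal is trusted by the role and may call sts:AssumeRole.
        for p in trusted:
            if p in perms and perms[p] & {"sts:AssumeRole", "*"}:
                graph[p].append((role, "sts:AssumeRole"))
        # Edge 2: role is assumable by EC2, so iam:PassRole + ec2:RunInstances
        # lets a principal run code under that role's instance profile.
        if EC2_SERVICE in trusted:
            for p, actions in perms.items():
                if p != role and ({"iam:PassRole", "ec2:RunInstances"} <= actions or "*" in actions):
                    graph[p].append((role, "iam:PassRole+ec2:RunInstances"))
    return graph


def find_escalation_paths(graph, perms, start):
    """BFS from start; returns one shortest edge path per admin-capable node reached."""
    paths, seen, queue = [], {start}, deque([(start, [])])
    while queue:
        node, path = queue.popleft()
        if node != start and "*" in perms[node]:
            paths.append(path)
            continue  # stop at the admin node; further hops add nothing
        for nxt, via in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, via, nxt)]))
    return paths


def severity(path):
    """Fewer hops means less friction for an attacker, so a higher severity."""
    return {1: "CRITICAL", 2: "HIGH"}.get(len(path), "MEDIUM")
```

Running `find_escalation_paths(build_graph(PERMISSIONS, TRUSTS), PERMISSIONS, "user:dev")` reports the single-hop PassRole path to `role:ec2-admin`, while `role:ci-deploy` reaches only the read-only role and yields no finding.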
- CLI - Rich console output with colors
- JSON - Structured JSON output
- SARIF - Standard format for CI/CD
- HTML - Interactive dashboard
- Terraform plan parser
- CloudFormation template analyzer
- GitHub Actions workflow generator
- LocalStack integration for testing
```bash
# From PyPI
pip install pathshield
# From source
pip install -e ".[dev]"
```

```bash
pathshield scan --region us-east-1
pathshield scan --terraform tfplan.json --format sarif --output results.sarif
```

```yaml
# config.yaml
aws:
  profile: "default"
  region: "us-east-1"
logging:
  level: "INFO"
output:
  format: "cli"
```

```bash
# Run all tests
pytest tests/ -v --cov=pathshield
# Run specific tests
pytest tests/test_pathshield.py -v
```

- Install dependencies: `pip install -e ".[dev]"`
- Run tests: `pytest tests/ -v`
- Build Docker image: `docker build -t pathshield .`
- Execute scan: `pathshield scan --region us-east-1`
- `boto3` - AWS SDK
- `click` - CLI framework
- `rich` - Terminal output
- `pyyaml` - Configuration
- `pydantic` - Data validation
- `networkx` - Graph analysis
- `jinja2` - HTML templating

- `pytest` - Testing
- `black` - Code formatting
- `flake8` - Linting
- `mypy` - Type checking
- Current: 0.1.0
- Python: 3.9+
- License: MIT