cloudsplaining
by salesforce
Cloudsplaining is an AWS IAM security assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.
Primary Use Case
Cloudsplaining is used by security professionals and AWS administrators to audit and assess IAM policies for violations of least privilege, helping to identify risky permissions and prioritize remediation efforts. It is especially useful for penetration testers and cloud security teams to detect privilege escalation paths and overly permissive roles in AWS environments.
- Identifies violations of least privilege in AWS IAM policies
- Generates risk-prioritized, easy-to-read HTML reports with triage worksheets
- Scans all IAM policies in an AWS account or individual policy files
- Flags high-risk permissions related to data exfiltration, infrastructure modification, resource exposure, and privilege escalation
- Detects IAM roles assumable by AWS Compute Services that may present elevated risk
- Supports custom exclusions to filter out false positives
- Provides example reports and detailed documentation
Installation
- Ensure Python is installed on your system
- Install Cloudsplaining via pip: pip install cloudsplaining
- Refer to the official documentation on ReadTheDocs for detailed setup and usage
Usage
cloudsplaining scan aws-account
    Scans all IAM policies in the specified AWS account and generates a risk-prioritized HTML report.
cloudsplaining scan policy-file.json
    Scans a single IAM policy file to identify least privilege violations and risks.
cloudsplaining scan --exclusions exclusions.yaml
    Runs a scan while applying a custom exclusions file to filter out false positives.
- Integrate Cloudsplaining into CI/CD pipelines for continuous IAM policy risk assessment.
- Use Cloudsplaining reports to prioritize remediation efforts based on risk scoring.
- Combine with AWS CloudTrail logs to correlate risky IAM permissions with actual usage patterns.
- Leverage the tool during purple team exercises to simulate and detect privilege escalation paths.
- Customize exclusion filters to reduce false positives and focus on high-impact IAM risks.