[PERDITION//SEC]
// Cloud Security   2026-02-11

Permission Graph Analysis of IAM Escalation Chains in 47 Production AWS Accounts

// abstract

Static analysis of effective IAM permission graphs across 47 production AWS accounts reviewed during 2024–2025. We find that 41 of 47 accounts contained at least one viable privilege escalation path from a low-privilege starting principal to a high-privilege destination, with a median chain length of 3 hops. The dominant patterns and their frequencies are characterized.

We performed permission graph analysis on 47 production AWS accounts encountered during cloud penetration testing engagements between January 2024 and December 2025. For each account, we enumerated the effective permissions of every principal (user, role, instance profile, federated identity) and constructed a directed graph in which an edge from principal A to principal B indicates that A can escalate to B's privilege level via at least one documented technique.

The headline finding is that 41 of 47 accounts (87%) contained at least one viable escalation path from a starting principal that any developer or service account in the organization could plausibly compromise, to a destination principal with administrative or near-administrative privilege. The median chain length was 3 hops; the longest viable chain we documented was 7 hops, traversing iam:PassRole, Lambda code update, CodeBuild project execution, and finally a CloudFormation stack with an over-permissioned execution role.

We characterize the eight most common escalation primitives observed in the dataset and report their frequency. The top three — iam:PassRole misconfiguration, Lambda execution role escalation, and CloudFormation drift — together account for 71% of viable escalation paths. We argue that these are not novel findings; they have been documented in security literature for at least five years. Their persistence in production accounts reflects the gap between point-in-time policy review and continuous graph analysis.

We propose a continuous monitoring approach based on graph-diff alerting, in which any change to the effective permission graph is treated as a security event and surfaced for review. Implementation details and a reference implementation are provided in the appendix.
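The two mechanisms this page describes, the directed permission graph with per-principal shortest escalation chains and primitive frequencies (the methodology paragraphs above) and the graph-diff alerting proposed in this section, as one added Python example. This is not code from the article or its appendix. It assumes that effective-permission enumeration has already been done and starts from an edge list; every principal name, edge label and both snapshots are constructed sample data, and the primitive labels follow the names used in the text rather than any enumeration tool's output.

```python
"""
Permission-graph analysis and graph-diff alerting over constructed IAM data.

An edge (src, dst, primitive) means "principal src can reach dst's privilege
level by way of `primitive`".  All principal names and edges in this file are
constructed sample data, not findings from any real account.
"""
from collections import Counter, deque
from statistics import median

Edge = tuple[str, str, str]  # (source principal, destination principal, primitive)

# Constructed sample account: three low-privilege starting principals,
# a few service roles, and one administrative destination.
STARTS = {"user/dev-alice", "user/dev-bob", "role/ci-runner"}
ADMINS = {"role/OrgAdmin"}

SNAPSHOT_T0: set[Edge] = {
    ("user/dev-alice", "role/lambda-exec", "iam:PassRole"),
    ("role/lambda-exec", "role/build-svc", "lambda-code-update"),
    ("role/build-svc", "role/OrgAdmin", "codebuild-project-execution"),
    ("role/ci-runner", "role/cfn-exec", "iam:PassRole"),
    ("role/cfn-exec", "role/OrgAdmin", "cloudformation-execution-role"),
    ("user/dev-bob", "role/readonly-audit", "sts:AssumeRole"),  # dead end
}

# Later snapshot (also constructed): one edge removed, one edge added.
SNAPSHOT_T1: set[Edge] = (
    (SNAPSHOT_T0 - {("role/build-svc", "role/OrgAdmin", "codebuild-project-execution")})
    | {("user/dev-bob", "role/cfn-exec", "iam:PassRole")}
)


def adjacency(edges):
    """Directed adjacency list: src -> [(dst, primitive), ...], sorted for determinism."""
    adj = {}
    for src, dst, prim in sorted(edges):
        adj.setdefault(src, []).append((dst, prim))
    return adj


def shortest_escalation_path(edges, start, admins):
    """BFS from `start`; return the shortest edge sequence that ends at an
    administrative principal, or None when no escalation path exists."""
    adj = adjacency(edges)
    parent = {start: None}  # node -> (previous node, edge used to reach node)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in admins:
            path = []
            while parent[node] is not None:
                prev, edge = parent[node]
                path.append(edge)
                node = prev
            return path[::-1]
        for dst, prim in adj.get(node, []):
            if dst not in parent:
                parent[dst] = (node, (node, dst, prim))
                queue.append(dst)
    return None


def analyze(edges, starts, admins):
    """Per-start shortest chains plus the summary statistics the study reports:
    which starts have a viable path, the median hop count, and how often each
    primitive appears on those shortest chains."""
    paths = {s: shortest_escalation_path(edges, s, admins) for s in sorted(starts)}
    viable = {s: p for s, p in paths.items() if p}
    hops = [len(p) for p in viable.values()]
    prims = Counter(prim for p in viable.values() for _, _, prim in p)
    return {
        "viable_starts": sorted(viable),
        "median_hops": median(hops) if hops else 0,
        "primitive_counts": prims,
    }


def diff_snapshots(old, new, starts, admins):
    """Graph-diff alerting: every edge added or removed between two snapshots
    becomes a security event.  An added edge that makes a previously safe start
    principal admin-reachable is rated high; other additions are medium and
    removals are surfaced as informational so reviewers see privilege reductions too."""
    reach_old = set(analyze(old, starts, admins)["viable_starts"])
    reach_new = set(analyze(new, starts, admins)["viable_starts"])
    events = []
    for edge in sorted(new - old):
        # Does this one edge, placed on the old graph, open a new chain to admin?
        with_edge = set(analyze(old | {edge}, starts, admins)["viable_starts"])
        opens = sorted(with_edge - reach_old)
        events.append({"kind": "edge_added", "edge": edge,
                       "severity": "high" if opens else "medium",
                       "opens_path_for": opens})
    for edge in sorted(old - new):
        events.append({"kind": "edge_removed", "edge": edge,
                       "severity": "info", "opens_path_for": []})
    return {"events": events,
            "newly_reachable": sorted(reach_new - reach_old),
            "no_longer_reachable": sorted(reach_old - reach_new)}


if __name__ == "__main__":
    report = analyze(SNAPSHOT_T0, STARTS, ADMINS)
    print("viable starts:", report["viable_starts"], "median hops:", report["median_hops"])
    print("primitive frequency:", dict(report["primitive_counts"]))
    for ev in diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1, STARTS, ADMINS)["events"]:
        print(ev["severity"].upper(), ev["kind"], ev["edge"], ev["opens_path_for"])
```

The diff evaluates each added edge on its own against the previous snapshot, so an alert says which start principals that single change newly connects to an admin destination; the snapshot-level `newly_reachable` and `no_longer_reachable` sets catch the combined effect of several edges changing at once, which per-edge scoring alone can miss.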

// Findings drawn from anonymized engagement data. For permission to cite or for the underlying methodology, contact [email protected].