Greybox Penetration Testing on Cloud Access Control with IAM Modeling and Deep Reinforcement Learning

Identity and Access Management (IAM) is an access control service in cloud platforms. To securely manage cloud resources, customers are required to configure IAM to specify the access control rules for their cloud organizations. However, IAM misconfiguration may be exploited to perform privilege escalation attacks, which can cause severe economic loss. To detect privilege escalations due to IAM misconfigurations, existing third-party cloud security services apply whitebox penetration testing techniques, which require the access of complete IAM configurations. This requirement might cause problems such as information disclosure and anonymization. To mitigate the limitation, we propose a greybox penetration testing approach called TAC for third-party services to detect IAM privilege escalations, without requiring the access of complete IAM configurations. The idea is to intelligently query a limited amount of information that is only related to IAM privilege escalation detection. Cloud customers are allowed to specify which entities such as users and services (automatically anonymized by TAC) in their IAM configurations can be queried, and also limit the maximum number of queries. To realize the idea, we 1) propose abstract IAM modeling to detect IAM privilege escalations based on the collected partial information; 2) apply Reinforcement Learning (RL) with Graph Neural Networks (GNNs) to learn to make as few queries as possible. To pretrain and evaluate TAC with enough diverse tasks, we propose an IAM privilege escalation task generator called IAMVulGen. Experimental results show that TAC detects IAM privilege escalations with significantly lower false negative rates than baselines with high query efficiency, on both our task set and the only publicly available privilege escalation task set called IAM Vulnerable.