SkyEye

When Your Vision Reaches Beyond IAM Boundary Scope in AWS Cloud

<a name="readme-top"></a>

<div align="center"> <img src="./assets/SkyEye_logo.svg" alt="Logo" width="400"> <h1 align="center">SkyEye: When Your Vision Reaches Beyond IAM Boundary Scope </h1> <p><strong>The First <ins>Cooperative Multi-Principal</ins> IAM Enumeration Framework for AWS Cloud</strong></p> </div> <div align="center"> <a href="https://github.com/0x7a6b4c/SkyEye"><img src="https://img.shields.io/badge/GitHub-Page-blue?style=for-the-badge&color=5271FF&logo=github&logoColor=white" alt="GitHub Page"></a> <a href="https://doi.org/10.48550/arXiv.2507.21094"><img src="https://img.shields.io/badge/Paper%20on%20Arxiv-000?logoColor=5271FF&logo=arxiv&style=for-the-badge" alt="Paper"></a> <a href="https://doi.org/10.5281/zenodo.15739726"><img src="https://img.shields.io/badge/Paper%20on%20Zenodo-000?logoColor=5271FF&logo=zenodo&style=for-the-badge" alt="Paper"></a> <a href="https://skyeye.gitbook.io/docs"><img src="https://img.shields.io/badge/GitBook-Page-blue?style=for-the-badge&color=5271FF&logo=gitbook&logoColor=white" alt="GitBook Page"></a> <hr> </div>
  • <a href="https://www.blackhat.com/eu-25/arsenal/schedule/index.html#skyeye-when-your-vision-reaches-beyond-iam-boundary-scope-in-the-cloud-48364">Black Hat Europe 2025</a>

  • Authors: <a href="https://www.linkedin.com/in/nguyen-minh-hoang">Minh-Hoang Nguyen</a> & <a href="https://www.linkedin.com/in/to-bao-son-986781203">Bao-Son To</a> & <a href="https://www.linkedin.com/in/ho-anh-minh">Anh-Minh Ho</a>

<hr>

Welcome to SkyEye! SkyEye is a cutting-edge cooperative multi-principal IAM enumeration framework designed specifically for cloud environments, currently supporting AWS.

SkyEye is developed with the ultimate goal of re-inventing prior-art IAM enumeration models from the black-box approach, aiming to efficiently minimize false negatives and enhance overall accuracy in discovery.

<span id='features'/>

✨Key Features

  • 🏆 Cross-Principal IAM Enumeration Model (CPIEM) <br>SkyEye is equipped with CPIEM, which introduces a new concept of cooperative IAM enumeration between multiple principals and re-invents the approach to enumerating the authorization of user principals in AWS. It simultaneously correlates the sessions of multiple valid AWS credentials to continually expose the complete IAM visibility of each user principal.

  • 📚 Additional IAM Enumeration Modes <br> Apart from the core enumeration models of the SkyEye framework, SkyEye integrates separate-principal and single-principal IAM enumeration modes to demonstrate how CPIEM differs from them.

    • Separate-Principal IAM Enumeration: Multiple-principal IAM enumeration, but without cooperative multi-principal IAM enumeration capability.
    • Single-Principal IAM Enumeration: Supports only a single set of valid AWS credentials. Fuzzing and permissions simulation capabilities are integrated in this mode only, to avoid the long run time that the large number of AWS actions would otherwise cause.
      • Integrating with Permissions Simulation Capability for User Principal and In-Scope IAM Roles
      • Integrating with Fuzzing Capability
  • 🔑 Transitive Cross-Role Enumeration Model (TCREM) <br>SkyEye is equipped with TCREM, which introduces a new methodology for combining roles' temporary sessions to improve the overall accuracy of IAM vision discovery. TCREM has been seamlessly integrated into all enumeration modes of the SkyEye framework.

  • IAM Deep Enumeration Capabilities <br> SkyEye supports comprehensive enumeration of the IAM entities relevant to the user principals involved in the enumeration session. These capabilities have been seamlessly integrated into all enumeration modes of the SkyEye framework:

    • Retrieval of In-Scope IAM Groups and In-Scope IAM Roles for User Principals
    • Retrieval of Inline Policies for User Principals
    • Retrieval of Inline Policies for In-Scope IAM Groups
    • Retrieval of Inline Policies for In-Scope IAM Roles
    • Retrieval of Attached Managed Policies for User Principals
    • Retrieval of Attached Managed Policies for In-Scope IAM Groups
    • Retrieval of Attached Managed Policies for In-Scope IAM Roles
    • Versions Fuzzing Algorithm to identify available Policy Versions for Customer-Managed Policy
      • As an alternative solution if principals lack iam:ListPolicyVersions or iam:GetPolicy
    • Alternative Comprehensive Enumeration by iam:GetAccountAuthorizationDetails
    • Inverse Enumeration Approach for Attached Managed Policy by iam:ListEntitiesForPolicy
  • ⚖️ Deep Comparison Model for Policy Documents of Active Version and Historical Versions <br>SkyEye automatically discovers and retrieves the policy documents of the DefaultPolicyVersionId and of the historical versions of a customer-managed policy, and uses its deep comparison model to identify the changes between the current version and the historical versions. This insight gives the penetration tester a deep understanding of the authorizations they would gain or lose if they decided to use iam:SetDefaultPolicyVersion to switch the DefaultPolicyVersionId of the customer-managed policy attached to their in-scope IAM entities.

  • 🔀 The Mapping with MITRE ATT&CK Matrix - Cloud <br>SkyEye presents an extensible dataset that maps nearly all AWS actions to MITRE ATT&CK tactics, techniques, and sub-techniques, with detailed descriptions of the abuse methodology used by threat actors and sample AWS CLI commands. Our team has completed Stage 2 of the vetting process. If you notice any issues, please open an issue to let us know so we can improve it promptly. <br> 📑 mitre_attack_aws_actions.json

  • 📊 The Integration of Severity-level Classification <br>SkyEye integrates a severity-level classification for AWS actions, ranging from Low, Medium, High, and Critical to those specifically denoted as PrivEsc-Vector, which represents a pivotal advancement in threat exposure. <br> 📑 iam_sensitive_operations.json

  • 📇 Logs & Portable Output <br>Real‑time server‑sent logs show what SkyEye is doing. Output is written as JSON files that can be archived or integrated into other platforms.
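
The comparison between the default and a historical policy version described in the Deep Comparison Model item above, as an added offline example (not SkyEye's own code): it shows which Allow grants an account owner would see appear or disappear if the default version were switched. The function names and both policy documents are constructed for illustration, and Deny, NotAction, NotResource and Condition are deliberately ignored.

```python
import json

def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def allowed_pairs(policy_doc):
    """Return the (action, resource) pairs granted by Allow statements.

    Simplification (assumption of this example): Deny, NotAction, NotResource
    and Condition are ignored, so the result is an upper bound on the grant.
    """
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    pairs = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            for resource in _as_list(stmt.get("Resource")):
                pairs.add((action.lower(), resource))  # action names are case-insensitive
    return pairs

def compare_versions(default_doc, historical_doc):
    """Diff a historical version against the default: what a switch would gain or lose."""
    current, old = allowed_pairs(default_doc), allowed_pairs(historical_doc)
    return {"gained": sorted(old - current), "lost": sorted(current - old)}

# Constructed sample documents (not taken from any real account).
DEFAULT_V2 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}
HISTORICAL_V1 = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": ["s3:GetObject", "iam:PassRole"], "Resource": "*"},
}

if __name__ == "__main__":
    print(json.dumps(compare_versions(DEFAULT_V2, HISTORICAL_V1), indent=2))
```

A non-empty `gained` list for any retained historical version is a reason to delete that version or to restrict iam:SetDefaultPolicyVersion on the policy.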

🚀 Unlock the Future of Cooperative Multi-Principal IAM Enumeration in Cloud. Try 🔥SkyEye🔥 Now!

<div align="center"> <strong>SkyEye Framework - Full Demonstration (Youtube)</strong> </div> <span id='news'/>

🔥 News

<div class="scrollable"> <ul> <li><strong>[2025, 26 June]</strong>: &nbsp;🎉🎉We've released <b>SkyEye!</b>, including framework, proposed models, CLI and platform! Check our <a href="https://doi.org/10.5281/zenodo.15739726">paper</a> for more details.</li> </ul> </div> <span id='table-of-contents'/>

📑 Table of Contents

  • <a href='#features'>✨ Features</a>
  • <a href='#news'>🔥 News</a>
  • <a href='#skyeye-discussion'>☁ The Discussion of SkyEye Framework</a>
  • <a href='#how-to-use'>🔍 How to Use SkyEye</a>
    • <a href='#skyeye-platform'>1. SkyEye Platform</a>
    • <a href='#skyeye-cli'>2. SkyEye CLI</a>
  • <a href='#quick-start'>⚡ Quick Start</a>
    • <a href='#pre-installation'>⚙️ A. Pre-installed Requirements</a>
    • <a href='#installation'>⏳ B. Installation</a>
    • <a href='#quick-tutorial'>🖥️ C. SkyEye Quick Tutorial</a>
  • <a href='#api-reference'>📑 API Reference (FastAPI)</a>
  • <a href='#reproduce'>🔬 How To Reproduce the Results in the Paper</a>
  • <a href='#documentation'>📖 Documentation</a>
  • <a href='#cite'>🌟 Cite</a>
  • <a href='#license'>📄 License</a>
<span id='skyeye-discussion'/>

☁ The Discussion of SkyEye Framework

The original idea for SkyEye came from the difficulty that occurs with the single-principal IAM enumeration approach. In the enumeration phase of the penetration testing process, penetration testers often gather multiple AWS credentials in the format: AccessKey, SecretKey, Session Token. However, they could only perform separate-principal or single-principal IAM enumeration from each user session, leading to false negatives due to the limitation of principal-specific IAM entitlement vision. To resolve this limitation, the Cross-Principal IAM Enumeration Model (CPIEM) was proposed and developed to efficiently perform advanced IAM enumeration across multiple user principals within the AWS Account Id, to complement each user's IAM vision context. By coordinating available sessions of each valid credential simultaneously, it can:

  • Discover hidden permissions
  • Reveal a more accurate and complete IAM policy landscape for each IAM entity
  • Minimize false negatives that typically occur with single-principal IAM enumeration

Single-principal enumeration depends on the self-access IAM entitlement visibility of a single user to reveal its IAM context, that is, which permissions the user holds and which resources it can interact with. This sometimes leads to false negatives: the user can perform specific actions on specific resources but has no situational awareness of that. The cross-principal IAM enumeration model, which is the core capability of the SkyEye framework, is designed to tackle this limitation by involving and simultaneously correlating multiple valid credentials to continually expose the complete IAM visibility of each user principal.

Last but not least, one of the core models that differentiates SkyEye from other prior-art models and frameworks is the Transitive Cross-Role Enumeration Model (TCREM).

Each "user" principal might have the permission to assume some specific roles and retrieve the temporary session tokens to act on behalf of those roles. Each "r
