Heimdall
AWS Attack Path Scanner - Discover privilege escalation paths across 10+ AWS services
Install / Use
/learn @DenizParlak/HeimdallREADME
What is Heimdall?
Heimdall is an AWS security scanner that discovers privilege escalation paths attackers could exploit to gain admin access.
By the numbers:
- 🎯 50+ IAM privilege escalation patterns detected
- 🔗 85+ attack chain patterns with MITRE ATT&CK mapping
- 🌐 10 AWS services analyzed for cross-service escalation
- ✅ Low false-positive rate - tested on production accounts with 50+ roles
- ⚡ One command to assess your entire security posture
In Norse mythology, Heimdall stands at Bifröst and sees all paths between realms.
In AWS, Heimdall watches your environment and reveals all paths to compromise.
✨ Key Features
| Feature | Description |
|---------|-------------|
| 🔗 Attack Chain Analysis | Multi-step privilege escalation paths with MITRE ATT&CK mapping |
| 🌐 Cross-Service Scanner | Analyze 10 AWS services (EC2, RDS, S3, Lambda, KMS, Secrets Manager, STS, SNS, SQS, DynamoDB) |
| 🏗️ Terraform Engine ⭐ | Detect IAM attack paths in Terraform plans before deployment |
| 🎨 Interactive TUI | Cosy Nordic-themed terminal interface |
| 📊 One-Command Dashboard | heimdall dashboard - instant security overview |
| 🎯 50+ Privesc Patterns | Comprehensive IAM privilege escalation coverage |
| 📤 CI/CD Ready | SARIF export for GitHub Security, CSV for spreadsheets |
| 🔒 Baseline System | Ignore known/accepted risks with .heimdall-ignore |
🏢 Enterprise Edition (Preview)
<details> <summary><b>🖼️ Click to see Web UI Screenshots</b></summary> <br>🔒 Limited Access - Web UI is currently in private preview.
Interested in a demo? Contact: denizparlak@protonmail.ch
Attack Simulator - Interactive privilege escalation visualization
Live Graph - Real-time security posture with auto-refresh
Trust Graph - IAM trust relationship explorer
🚀 Quick Start
# 1. Install
pip install -e .
# 2. One-command security overview
heimdall dashboard
# 3. Deep privilege escalation analysis
heimdall iam detect-privesc --profile prod
That's it! You'll see a complete security posture in seconds.
🧪 Real World Examples
✅ Well-Configured Account (No False Positives)
$ heimdall iam scan --profile prod --summary
✓ Scanned 52 IAM roles
✓ Scanned 40 IAM users
✓ Found 55 assume-role relationships
✓ Identified 0 privilege escalation paths
Summary:
Roles: 52
Users: 40
Service principals: 29
Federated principals: 1
Human→Role paths: 1
Risky paths: 0 (Critical: 0, High: 0)
✅ Good security posture detected:
- Admin access via SSO only (federated)
- Minimal user→role permissions
- Service roles properly isolated
⚠️ Account with Privilege Escalation Risks
$ heimdall iam detect-privesc --profile prod
🔐 Heimdall Privilege Escalation Detector
✓ Scanned 52 IAM roles
✓ Scanned 40 IAM users
✓ Detected 14 privilege escalation opportunities
⚠️ Privilege Escalation Opportunities:
CRITICAL (8):
• user/admin-user
Method: passrole_lambda
Create Lambda with privileged role, execute code with elevated permissions
• user/admin-user
Method: attach_user_policy
Attach AdministratorAccess policy to self or other user
HIGH (6):
• user/admin-user
Method: create_policy_version
Modify existing policy to grant admin access
🔗 Multi-Hop Attack Path Detection
$ heimdall iam detect-privesc --include-indirect --max-depth 2
🔗 Indirect Privilege Escalation Paths (Multi-Hop):
CRITICAL:
• user/junior → DevRole → ProdRole
Path length: 2 hops
Target: attach_user_policy (CRITICAL)
• user/contractor → IntegrationRole → DeployerRole → AdminRole
Path length: 3 hops
Target: put_user_policy (CRITICAL)
What's detected:
✓ Devs who can assume roles leading to admin
✓ Contractors with indirect paths through role chains
✓ Hidden escalation paths not obvious from direct permissions
📸 Screenshots
📊 Security Dashboard
One command to see everything: IAM stats, privilege escalation risks, and recommendations.
heimdall dashboard --quick
🎨 Interactive TUI
Navigate findings, explore attack chains, and drill down into details with keyboard shortcuts.
heimdall iam tui
🔗 Attack Chain Analysis
Multi-step privilege escalation paths with risk scores and quick fix suggestions.
heimdall iam attack-chain --format tree --top 5 --steps
🌐 Cross-Service Analysis
Detect privilege escalation across 10 AWS services (S3, Lambda, EC2, KMS, and more).
heimdall iam cross-service --compact
⚡ Features
🔍 Core Scanning
- 50+ Privilege Escalation Patterns - Most comprehensive coverage
- Trust Graph Analysis - Map all AssumeRole relationships
- Multi-Hop Detection - Find indirect escalation paths (A→B→C→Admin)
🔗 Attack Chain Analysis
- 85+ Attack Patterns with MITRE ATT&CK mapping
- Blast Radius Scoring (0-100) - Impact assessment
- Step-by-Step Narratives - How attacks unfold
- 3 Output Formats - Table, JSON, Tree
🌐 Cross-Service Engine
Analyze privilege escalation across 10 AWS services:
| Service | Checks | |---------|--------| | 🖥️ EC2 | Instance profiles, IMDSv1, public IPs | | 🛢️ RDS | Public instances, snapshot sharing | | 🪣 S3 | Public buckets, cross-account, sensitive data | | ⚡ Lambda | Execution roles, env vars, code injection | | 🔐 KMS | Key policies, grants, cross-account | | 🔑 Secrets | Resource policies, rotation status | | 🔀 STS | Trust policies, cross-account assumptions | | 📢 SNS | Topic policies, public access | | 📬 SQS | Queue policies, encryption | | 🗄️ DynamoDB | Encryption, sensitive tables |
🏗️ Terraform Attack Path Engine
Shift-left security - Detect IAM privilege escalation in Terraform plans before deployment.
# Generate plan JSON
terraform plan -out=plan.tfplan
terraform show -json plan.tfplan > plan.json
# Scan for attack paths
heimdall terraform scan plan.json
heimdall terraform scan plan.json --fail-on critical # CI/CD gate
What makes it different from tfsec/checkov/trivy?
| Tool | Approach | Focus | |------|----------|-------| | tfsec, checkov, trivy | Static config checks | "Is this bucket encrypted?" | | Heimdall | Attack path analysis | "Does this IAM change create an escalation path to admin?" |
Key capabilities:
- 45+ IAM attack patterns - PassRole chains, trust policy hijacks, credential creation
- Before/After comparison - Shows security posture change, not just violations
- Multi-hop chain detection - Developer → Lambda Role → Admin
- Cross-service triggers - S3 → Lambda, SNS → Lambda, API Gateway → Lambda
- Risk delta scoring - Quantifies security impact of changes
Example output:
╔═══════════════════════════╤══════════════╤══════════════╤═════════════════╗
║ Metric │ Before │ After │ Change ║
╟───────────────────────────┼──────────────┼──────────────┼─────────────────╢
║ ⚔️ Attack Paths │ 2 │ 7 │ +5 ║
║ 🎯 Risk Score │ 10 │ 60 │ +50 ║
╚═══════════════════════════╧══════════════╧══════════════╧═════════════════╝
⛔ BLOCKING ISSUES:
• CHAIN: 'dev-role' → PassRole → admin role 'prod-admin'
• CRITICAL: Role 'deploy-role' can create credentials (iam:CreateAccessKey)
🎨 Interactive TUI
- Nordic-themed beautiful terminal interface
- Real-time finding exploration
- Keyboard navigation - vim-style bindings
- Live scan progress with logs
📊 Dashboard
- One-command security overview
- Risk scoring (0-100)
- Severity breakdown with visual bars
- Actionable recommendations
📤 Export & Integration
- SARIF - GitHub Security Code Scanning
- CSV - Excel/Sheets analysis
- JSON - CI/CD pipelines
- Baseline - Ignore known/accepted risks
📦 Installation
Requirements
- Python 3.9+
- AWS credentials configured (
~/.aws/credentialsor environment)
Install from Source
git clone https://github.com/DenizParlak/heimdall.git
cd heimdall
pip install -e .
Verify Installation
heimdall doctor
heimdall --version
🔧 Commands
Quick Overview
heimdall dashboard # 🎯 One-command security overview
heimdall dashboard --quick # Skip cross-service (faster)
IAM Scanning
heimdall iam scan # Scan IAM, build trust graph
heimdall iam detect-privesc # Find privilege escalation
heimdall iam de
