Identity and Access Management (IAM) is the access control service of cloud platforms. To manage cloud resources securely, customers must configure IAM with the access control rules for their cloud organizations. However, a misconfigured IAM can be exploited for attacks such as privilege escalation (PE), which can cause severe economic loss. To detect PEs caused by IAM misconfigurations, third-party cloud security services are commonly used. State-of-the-art services apply whitebox penetration testing techniques, which require access to the complete IAM configuration. That configuration can contain sensitive information, and to prevent its disclosure customers have to spend substantial manual effort on anonymization. In this paper, we propose TAC, a precise greybox penetration testing approach that lets third-party services detect IAM PEs. To address the dual challenges of labor-intensive anonymization and potential disclosure of sensitive information, TAC interacts with customers by selectively querying only the information it needs. Our key insight is that only a small fraction of the information in an IAM configuration is relevant to IAM PE detection. We first propose IAM modeling, which enables TAC to detect a broad class of IAM PEs from the partial information collected through queries. To improve the efficiency and applicability of TAC, we minimize interaction with customers by applying Reinforcement Learning (RL) with Graph Neural Networks (GNNs), so that TAC learns to make as few queries as possible. Experimental results on both our synthesized task set and the only publicly available task set, IAM Vulnerable, show that, compared with state-of-the-art whitebox approaches, TAC detects IAM PEs with competitively low false negative rates while issuing a limited number of queries.
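The greybox idea in the abstract (reveal only the policies the search actually needs, instead of handing over the whole IAM configuration) can be made concrete with a small simulation. The code below is an added illustration and is not TAC's model, code or query policy: it replaces TAC's IAM model with a toy graph over principals, its RL/GNN query strategy with a plain breadth-first search, and the customer with a `CustomerOracle` that lists principal ARNs for free but reveals a principal's permissions and trust policy only when queried. The escalation edges are a simplified subset of well-known AWS IAM patterns (`iam:AttachUserPolicy`/`iam:PutUserPolicy` on oneself, `sts:AssumeRole` into a role that trusts you, `iam:UpdateAssumeRolePolicy` plus `sts:AssumeRole`, and `iam:PassRole` combined with `lambda:CreateFunction`/`lambda:InvokeFunction` into a role that trusts the Lambda service). The account, its principals and the account id are constructed sample data.

```python
from collections import deque
from dataclasses import dataclass, field

ACCOUNT_ID = "123456789012"          # constructed sample account id
LAMBDA_SERVICE = "lambda.amazonaws.com"
ADMIN = "<admin>"                    # sentinel node: full account control reached


def arn(kind: str, name: str) -> str:
    return f"arn:aws:iam::{ACCOUNT_ID}:{kind}/{name}"


@dataclass
class Principal:
    arn: str
    allow: set                                # {(action, resource)} from attached policies
    trusts: set = field(default_factory=set)  # trust policy: who may assume this role


# Constructed sample account (not real data): one two-hop path (dev -> lambda-exec
# -> ops-admin), one direct path (ci), and principals that are never relevant.
SAMPLE_ACCOUNT = {p.arn: p for p in [
    Principal(arn("user", "dev"), {
        ("s3:GetObject", "*"),
        ("lambda:CreateFunction", "*"),
        ("lambda:InvokeFunction", "*"),
        ("iam:PassRole", arn("role", "lambda-exec")),
    }),
    Principal(arn("role", "lambda-exec"), {("sts:AssumeRole", arn("role", "ops-admin"))},
              trusts={LAMBDA_SERVICE}),
    Principal(arn("role", "ops-admin"), {("*", "*")}, trusts={arn("role", "lambda-exec")}),
    Principal(arn("user", "ci"), {("iam:AttachUserPolicy", "*"), ("ecr:*", "*")}),
    Principal(arn("user", "auditor"), {("iam:Get*", "*"), ("iam:List*", "*")}),
    # billing trusts auditor, but auditor lacks sts:AssumeRole, so it is never queried
    Principal(arn("role", "billing"), {("ce:*", "*")}, trusts={arn("user", "auditor")}),
]}


class CustomerOracle:
    """Stands in for the customer: listing principal ARNs is free (not sensitive),
    but a principal's policies and trust relationships are revealed only on query."""

    def __init__(self, account):
        self._account = account
        self.revealed = []   # principals whose configuration had to be disclosed

    def list_principals(self):
        return sorted(self._account)

    def query(self, principal_arn):
        if principal_arn not in self.revealed:
            self.revealed.append(principal_arn)
        return self._account[principal_arn]


def matches(pattern: str, value: str) -> bool:
    """IAM-style wildcard match, simplified to exact match or trailing '*'."""
    if pattern == value or pattern == "*":
        return True
    return pattern.endswith("*") and value.startswith(pattern[:-1])


def allows(p: Principal, action: str, resource: str = "*") -> bool:
    return any(matches(a, action) and matches(r, resource) for a, r in p.allow)


def escalation_edges(p: Principal, oracle: CustomerOracle):
    """Yield (next_node, technique) for p; the oracle is queried only for roles
    p can plausibly move into, which is what keeps disclosure small."""
    if allows(p, "*", "*"):
        yield ADMIN, "already has full access"
        return
    for act in ("iam:AttachUserPolicy", "iam:PutUserPolicy"):
        if allows(p, act, p.arn):
            yield ADMIN, f"{act} on self -> attach an admin policy"
    can_lambda = allows(p, "lambda:CreateFunction") and allows(p, "lambda:InvokeFunction")
    for role_arn in oracle.list_principals():
        if ":role/" not in role_arn or role_arn == p.arn:
            continue
        if allows(p, "sts:AssumeRole", role_arn):
            if allows(p, "iam:UpdateAssumeRolePolicy", role_arn):
                yield role_arn, "iam:UpdateAssumeRolePolicy + sts:AssumeRole"
                continue
            if p.arn in oracle.query(role_arn).trusts:        # trust policy costs a query
                yield role_arn, "sts:AssumeRole (trusted)"
        if can_lambda and allows(p, "iam:PassRole", role_arn):
            if LAMBDA_SERVICE in oracle.query(role_arn).trusts:
                yield role_arn, "iam:PassRole + lambda:CreateFunction/InvokeFunction"


def find_escalation(start_arn: str, account):
    """BFS from an attacker-held principal to ADMIN. Returns (path, revealed):
    path is a list of (from, technique, to) or None; revealed lists every
    principal whose configuration the customer had to disclose."""
    oracle = CustomerOracle(account)
    parent = {start_arn: None}
    queue = deque([start_arn])
    while queue:
        node = queue.popleft()
        for nxt, how in escalation_edges(oracle.query(node), oracle):
            if nxt in parent:
                continue
            parent[nxt] = (node, how)
            if nxt == ADMIN:
                path, cur = [], ADMIN
                while parent[cur] is not None:
                    prev, step = parent[cur]
                    path.append((prev, step, cur))
                    cur = prev
                return list(reversed(path)), oracle.revealed
            queue.append(nxt)
    return None, oracle.revealed


if __name__ == "__main__":
    for user in ("dev", "ci", "auditor"):
        path, revealed = find_escalation(arn("user", user), SAMPLE_ACCOUNT)
        print(user, "->", path and [f"{how}: {to}" for _, how, to in path],
              f"| revealed {len(revealed)} of {len(SAMPLE_ACCOUNT)} principals")
```

Running it shows the point the abstract makes: the `dev` path needs the configuration of only three of the six principals, `ci` and `auditor` need only their own, and the `billing` role is never disclosed even though its trust policy names `auditor`. A real tool must also cope with deny statements, permission boundaries, SCPs, resource policies and condition keys, none of which this toy model represents; the query ordering here is a fixed BFS, whereas the abstract's point is that learning the ordering is what drives the query count down further.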