IAMhounddog is an open-source tool from Virtue Security that maps Identity and Access Management (IAM) principals, roles, policies, and resource relationships in AWS accounts to reveal second-order privilege escalation opportunities. Second-order escalation refers to a scenario where a low-privilege principal can chain legitimate actions across services to reach a high-privilege target without requiring direct first-order permissions. IAMhounddog produces an OpenGraph-compatible export suitable for ingestion into BloodHound, allowing operators to visualize and query privilege paths at scale.

Why this matters now
Cloud identity is widely distributed, and resource relationships frequently create complex attack paths that are not visible from single-policy inspection. Tools that produce relationship graphs accelerate the discovery of escalation chains such as PassRole abuse, modifiable functions with privileged roles, or resource-bound roles that can be leveraged indirectly. For red teams and cloud recon operators, this significantly reduces manual mapping time, enabling the identification of high-value targets and attack paths more quickly.
Features
- Collects IAM principals, attached and inline policies, trust relationships, and linked resource roles across services commonly involved in escalation, such as Lambda, EC2, ECS, RDS, CloudFormation, and CodeBuild.
- Emits OpenGraph-compatible exports for ingestion into BloodHound and compatible graph tooling.
- Supports collection via environment credentials or named AWS profiles; requires a read-level principal such as SecurityAudit or ReadOnlyAccess for comprehensive mapping.
- Includes helpers to import bundled queries into BloodHound and optional integration steps for local visualisation.
Installation
The repository provides a simple Go install as documented in the project README. Verbatim install command:
go install github.com/VirtueSecurity/IAMhounddog@latest
Usage
IAMhounddog is module-oriented and the README describes the typical collection and import workflow. Verbatim usage guidance from the README:
- Install: go install github.com/VirtueSecurity/IAMhounddog@latest
- Configure AWS credentials via environment variables or an AWS profile
- Run the tool against the target account/profile to produce output.json
- Import output.json into BloodHound (Administration > File Ingest)
- Optionally run the setup helper to register icons and bundled queries with a local BloodHound instance
Note: the repository README does not include a full --help dump. To document exact CLI flags and automation-friendly examples, run the installed binary locally with -h or --help and paste the output verbatim into your publishing copy.
Hands-on walkthrough
Collection and graph generation workflow (concise operator steps):
- Prepare credentials: ensure the principal used for collection has read-level permissions (for example, SecurityAudit or ReadOnlyAccess) and set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (plus AWS_SESSION_TOKEN when using temporary credentials), or use a named profile.
- Run collection: execute IAMhounddog to enumerate principals, roles, inline and attached policies, and resource role links. The tool writes an OpenGraph JSON export (output.json).
- Import to BloodHound: open BloodHound, go to Administration > File Ingest and import the JSON file. The graph will show principals, roles, and resource relationships that can be queried for pathfinding.
- Analyse: run path and shortest-path style queries to surface chains from low-privilege principals to high-value roles such as Administrator or OrganizationAccountAccessRole.
Example escalation path
Practical escalation example summarised into steps:
- Initial foothold: an operator possesses credentials for a user in a developer group or a principal with modify permissions on Lambda functions.
- Mapping: IAMhounddog links two edges that are harmless in isolation: the developer group can update the code of a Lambda function, and that function's execution role carries broad privileges. Joined in the graph, they form an escalation chain.
- Plan: chain identified as Developer principal → Update Lambda function → Lambda execution role with elevated privileges → execute privileged actions.
- Execution: operator updates the function to include a short task that performs the needed privileged action or exfiltrates secrets, then triggers the function.
- Operational cautions: minimize noisy API calls, perform actions in test accounts whenever possible, and remove artifacts after validation.
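The pathfinding step of the walkthrough and the Developer → Lambda → execution role chain above, as an added example that is not IAMhounddog's own code. It builds a small export in the BloodHound OpenGraph generic-ingest shape (a top-level "graph" with "nodes" and "edges"); the node kinds (AWSUser, AWSLambdaFunction, ...) and edge kinds (MemberOf, CanUpdateFunctionCode, ExecutesAs, HasAttachedPolicy) are assumptions chosen for the illustration, not the tool's actual schema. A breadth-first search then surfaces the shortest chain from every user onto a high-value managed policy, which is what a shortest-path query in BloodHound does over the real export.

```python
import json
import re
from collections import deque

# Constructed sample export in the BloodHound OpenGraph generic-ingest shape.
# Node kinds and edge kinds are illustrative assumptions, not IAMhounddog's schema.
ACCT = "111122223333"
USER = f"arn:aws:iam::{ACCT}:user/alice"
GROUP = f"arn:aws:iam::{ACCT}:group/developers"
FUNC = f"arn:aws:lambda:us-east-1:{ACCT}:function:nightly-report"
EXEC_ROLE = f"arn:aws:iam::{ACCT}:role/report-exec"
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
READONLY_POLICY = "arn:aws:iam::aws:policy/ReadOnlyAccess"


def node(arn, kind, name):
    return {"id": arn, "kinds": [kind], "properties": {"name": name}}


def edge(start, end, kind):
    return {"start": {"value": start}, "end": {"value": end}, "kind": kind}


SAMPLE_EXPORT = json.dumps({"graph": {
    "nodes": [
        node(USER, "AWSUser", "alice"),
        node(GROUP, "AWSGroup", "developers"),
        node(FUNC, "AWSLambdaFunction", "nightly-report"),
        node(EXEC_ROLE, "AWSRole", "report-exec"),
        node(ADMIN_POLICY, "AWSManagedPolicy", "AdministratorAccess"),
        node(READONLY_POLICY, "AWSManagedPolicy", "ReadOnlyAccess"),
    ],
    "edges": [
        edge(USER, GROUP, "MemberOf"),
        edge(GROUP, READONLY_POLICY, "HasAttachedPolicy"),  # first-order: read-only
        edge(GROUP, FUNC, "CanUpdateFunctionCode"),          # lambda:UpdateFunctionCode on one function
        edge(FUNC, EXEC_ROLE, "ExecutesAs"),                 # the function's execution role
        edge(EXEC_ROLE, ADMIN_POLICY, "HasAttachedPolicy"),  # ...which is an administrator
    ],
}})


def load_graph(text):
    """Index nodes by id and build a directed adjacency list of (dst, edge_kind)."""
    graph = json.loads(text)["graph"]
    nodes = {n["id"]: n for n in graph["nodes"]}
    adj = {}
    for e in graph["edges"]:
        adj.setdefault(e["start"]["value"], []).append((e["end"]["value"], e["kind"]))
    return nodes, adj


def shortest_path(adj, start, is_target):
    """BFS from start; returns hops [(src, edge_kind, dst), ...] or None if unreachable."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur != start and is_target(cur):
            hops = []
            while prev[cur] is not None:
                parent, kind = prev[cur]
                hops.append((parent, kind, cur))
                cur = parent
            return hops[::-1]
        for nxt, kind in adj.get(cur, []):
            if nxt not in prev:
                prev[nxt] = (cur, kind)
                queue.append(nxt)
    return None


def escalation_paths(export_text, high_value=("AdministratorAccess",)):
    """Map every AWSUser to its shortest path onto a high-value managed policy."""
    nodes, adj = load_graph(export_text)

    def is_high_value(arn):
        n = nodes.get(arn, {"kinds": [], "properties": {}})
        return "AWSManagedPolicy" in n["kinds"] and n["properties"].get("name") in high_value

    found = {}
    for arn, n in nodes.items():
        if "AWSUser" in n["kinds"]:
            path = shortest_path(adj, arn, is_high_value)
            if path:
                found[arn] = path
    return found


def render(path):
    """Print a hop list as 'alice -[MemberOf]-> developers -[...]-> AdministratorAccess'."""
    short = lambda arn: re.split(r"[/:]", arn)[-1]
    return short(path[0][0]) + "".join(f" -[{k}]-> {short(d)}" for _, k, d in path)


if __name__ == "__main__":
    for user, path in escalation_paths(SAMPLE_EXPORT).items():
        print(render(path))
```

Nothing on the direct edges from alice says "administrator": her group only holds ReadOnlyAccess. The four-hop chain exists only because the update edge and the execution-role edge meet at the same function, which is the second-order relationship the article describes. Treat such a path as a hypothesis: the real export may carry edges that a permissions boundary or SCP blocks, so validate each hop against the live account before acting on it.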
Red team relevance and trade-offs
IAMhounddog streamlines the discovery of chained privilege escalation paths that are otherwise time-consuming to assemble manually. The trade-offs include the need for a read-privileged principal to collect a comprehensive graph and the risk of false positives from graph edges that are not exploitable because of controls a static relationship graph does not model, such as service control policies, permissions boundaries, resource-based policies, or condition keys on the granting statement. Treat graph results as hypotheses to validate with resource-level checks before attempting exploitation.
Detection and remediation
Detection guidance
- Alert on modification events for resources that can contain code or role bindings, such as Lambda, CloudFormation, and CodeBuild.
- Monitor policy changes that introduce iam:PassRole, iam:PutRolePolicy or wildcard actions attached to roles or groups.
- Log and review API calls that assign or modify execution roles and cross-account trust relationships.
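The three detection bullets above, run over a handful of constructed CloudTrail-style records (an added example, not part of IAMhounddog or of any vendor ruleset). The rules flag modifications to code-bearing resources by event-name prefix (the Lambda event names carry API-version suffixes such as UpdateFunctionCode20150331v2, so prefix matching is used), role bindings via the requestParameters keys through which iam:PassRole is exercised, and IAM policy writes that grant wildcard or privileged actions or add a trust principal from another account. The records are trimmed to the fields the rules read; real records carry policyDocument URL-encoded, which unquote() also handles.

```python
import json
from urllib.parse import unquote

ACCOUNT = "111122223333"


def _ev(source, name, actor, params):
    """Build a constructed CloudTrail-style record with only the fields the rules use."""
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:{actor}"},
            "requestParameters": params}


ADMIN_DOC = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]})
FOREIGN_TRUST_DOC = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
     "Action": "sts:AssumeRole"}]})

# Constructed sample: a developer pushes code, rebinds the execution role, a CI role
# writes an inline admin policy, the trust policy gains a foreign account, and one benign read.
SAMPLE_EVENTS = [
    _ev("lambda.amazonaws.com", "UpdateFunctionCode20150331v2", "user/alice",
        {"functionName": "nightly-report"}),
    _ev("lambda.amazonaws.com", "UpdateFunctionConfiguration20150331v2", "user/alice",
        {"functionName": "nightly-report", "role": f"arn:aws:iam::{ACCOUNT}:role/report-exec"}),
    _ev("iam.amazonaws.com", "PutRolePolicy", "role/ci-deployer",
        {"roleName": "report-exec", "policyName": "inline-admin", "policyDocument": ADMIN_DOC}),
    _ev("iam.amazonaws.com", "UpdateAssumeRolePolicy", "user/alice",
        {"roleName": "report-exec", "policyDocument": FOREIGN_TRUST_DOC}),
    _ev("s3.amazonaws.com", "GetObject", "user/bob", {"bucketName": "logs", "key": "a.gz"}),
]

# Event-name prefixes for resources that carry code or templates (Lambda, CloudFormation, CodeBuild).
CODE_BEARING = ("UpdateFunctionCode", "UpdateFunctionConfiguration", "CreateFunction",
                "CreateStack", "UpdateStack", "CreateChangeSet", "CreateProject", "UpdateProject")
# requestParameters keys through which a role is bound to a resource (iam:PassRole exercised).
ROLE_KEYS = ("role", "roleArn", "roleARN", "serviceRole", "taskRoleArn",
             "executionRoleArn", "iamInstanceProfile")
POLICY_EVENTS = ("PutRolePolicy", "PutGroupPolicy", "PutUserPolicy", "AttachRolePolicy",
                 "AttachGroupPolicy", "AttachUserPolicy", "CreatePolicyVersion", "UpdateAssumeRolePolicy")
PRIVILEGED = {"iam:passrole", "iam:putrolepolicy", "iam:attachrolepolicy", "iam:*", "*"}


def _statements(doc):
    stmts = doc.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else stmts


def _risky_actions(doc):
    """Allowed actions that are privileged IAM writes or wildcards."""
    out = []
    for st in _statements(doc):
        if st.get("Effect") != "Allow":
            continue
        acts = st.get("Action", [])
        for a in [acts] if isinstance(acts, str) else acts:
            if a.lower() in PRIVILEGED or a.endswith(":*"):
                out.append(a)
    return out


def _foreign_principals(doc, account):
    """AWS principals in a trust policy that are not this account (or are '*')."""
    out = []
    for st in _statements(doc):
        p = st.get("Principal", {})
        vals = [p] if isinstance(p, str) else p.get("AWS", [])
        for v in [vals] if isinstance(vals, str) else vals:
            if v == "*" or f":{account}:" not in v:
                out.append(v)
    return out


def analyse(events, account=ACCOUNT):
    alerts = []

    def add(sev, rule, ev, detail):
        alerts.append({"severity": sev, "rule": rule, "actor": ev["userIdentity"]["arn"],
                       "event": ev["eventName"], "detail": detail})

    for ev in events:
        name = ev.get("eventName", "")
        params = ev.get("requestParameters") or {}
        if name.startswith(CODE_BEARING):
            add("MEDIUM", "code-bearing-resource-modified", ev, str(params))
        bound = [str(params[k]) for k in ROLE_KEYS if k in params]
        if bound:
            add("HIGH", "role-bound-to-resource", ev, ", ".join(bound))
        if ev.get("eventSource") == "iam.amazonaws.com" and name in POLICY_EVENTS:
            doc = json.loads(unquote(params["policyDocument"])) if "policyDocument" in params else {}
            risky = _risky_actions(doc)
            foreign = _foreign_principals(doc, account) if name == "UpdateAssumeRolePolicy" else []
            if risky:
                add("HIGH", "privileged-or-wildcard-action-granted", ev, ", ".join(risky))
            if foreign:
                add("HIGH", "cross-account-trust-added", ev, ", ".join(foreign))
            if not risky and not foreign:
                add("LOW", "policy-change", ev, params.get("policyArn", params.get("policyName", "")))
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['rule']}: {a['actor']} {a['event']} ({a['detail']})")
```

Correlating the first two alerts (the same actor changing a function's code and then its role within a short window) is what turns these per-event signals into the chain the article describes; the per-event rules are the building blocks.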
Remediation guidance
- Apply least privilege and avoid granting broad service-level administrative policies to developer groups without compensating controls.
- Harden deployment pipelines with signing and gated approvals for production-modifying operations.
- Use resource-level ARNs, condition keys (for example iam:PassedToService on iam:PassRole), and session policies to restrict the actions that roles can perform, even if they are attached to resources.
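The weak developer-group policy beside its hardened form, with a small linter that flags the properties the remediation bullets call out (an added example, not IAMhounddog code or an AWS-provided check). Both policy documents are constructed for this illustration; the account id, function and role name patterns are placeholders. The linter reports wildcard actions, iam:PassRole on any role, iam:PassRole without an iam:PassedToService condition, and IAM policy-writing actions on any resource.

```python
import json

ACCOUNT = "111122223333"

# Weak form (constructed): wildcard Lambda access plus iam:PassRole on any role, which lets
# the holder attach an administrator-bearing role to a function they can update.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["lambda:*", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PutRolePolicy", "Resource": "*"},
    ],
}

# Hardened form (constructed): named actions on a function-name pattern, and PassRole limited
# to a role-name prefix and to the Lambda service via the iam:PassedToService condition key.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["lambda:UpdateFunctionCode", "lambda:GetFunction"],
         "Resource": f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:nightly-*"},
        {"Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": f"arn:aws:iam::{ACCOUNT}:role/lambda-nightly-*",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    ],
}

# IAM actions that rewrite what a role may do or who may assume it.
IAM_WRITES = {"iam:putrolepolicy", "iam:attachrolepolicy", "iam:updateassumerolepolicy",
              "iam:createpolicyversion", "iam:*"}


def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])


def _has_condition_key(statement, key):
    """True if any Condition operator block (StringEquals, StringLike, ...) names the key."""
    cond = statement.get("Condition") or {}
    return any(key.lower() in {k.lower() for k in keys}
               for keys in cond.values() if isinstance(keys, dict))


def lint_policy(doc):
    """Return (code, statement_index, detail) findings for a policy document (dict or JSON text)."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    findings = []
    for i, st in enumerate(stmts):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(("WILDCARD_ACTION", i, a))
        if any(a.lower() == "iam:passrole" for a in actions):
            if "*" in resources:
                findings.append(("PASSROLE_ANY_ROLE", i, "Resource is *"))
            if not _has_condition_key(st, "iam:PassedToService"):
                findings.append(("PASSROLE_NO_PASSEDTOSERVICE", i, "no iam:PassedToService condition"))
        if "*" in resources and any(a.lower() in IAM_WRITES for a in actions):
            findings.append(("IAM_WRITE_ANY_ROLE", i, ", ".join(actions)))
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, lint_policy(policy) or "no findings")
```

The hardened policy still lets developers ship code, which is the point: the chain is broken at the role-binding edge (only lambda-nightly-* roles, only to Lambda), not by removing the deployment capability. Pair the policy change with the signing and approval gates from the pipeline bullet so that the remaining update permission is exercised through a reviewed path.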
Integration with existing tooling
IAMhounddog outputs OpenGraph schema data compatible with BloodHound for visual analysis. Where teams already use graph-driven path analysis for Active Directory, this provides a consistent model for cloud IAM pathfinding and hunting. Consider combining IAMhounddog exports with runtime telemetry and CloudTrail analysis to prioritise high-confidence, exploitable paths.
Conclusion
IAMhounddog is a practical mapping tool that converts IAM and resource relationships into queryable graph data, surfacing second-order privilege escalation opportunities. For red teams and cloud recon operators, it reduces manual effort and fits naturally into BloodHound-centric analytical workflows. Before publishing automation or sample commands, capture the tool’s local --help output to document exact flags for scripting.
You can read more or download IAMhounddog here: https://github.com/VirtueSecurity/IAMhounddog