

IAM Vulnerable: Identify IAM Misconfigurations

IAM Vulnerable is an open-source tool designed to help penetration testers and security practitioners better understand how to identify and exploit common IAM misconfigurations that allow for privilege escalation.

About IAM Vulnerable

Use Terraform to create your own vulnerable-by-design AWS IAM privilege escalation playground.

This much-needed tool fills a void in the infosec industry and helps practitioners level up their skills from beginner to expert at their own pace.

IAM Vulnerable uses the Terraform binary and your AWS credentials to deploy over 250 IAM resources into your selected AWS account. Within minutes, you can start learning how to identify and exploit vulnerable IAM configurations that allow for privilege escalation.

Currently supported privilege escalation paths: 31


Lead Researcher

Seth Art

Seth Art (OSCP) is a Senior Security Consultant at Bishop Fox, where he currently focuses on penetration testing cloud environments, Kubernetes clusters, and traditional internal networks.

Seth is the author of multiple open-source projects, including IAM Vulnerable, Bad Pods, celeryStalk, and PyCodeInjection. He has presented at security conferences, including DerbyCon and BSidesDC, has published multiple CVEs, and is the founder of IthacaSec, a security meetup in upstate NY.


GitHub: sethsec-bf
