AWS securityhub documentation change
Summary
Added section explaining Impact trait and effective permissions analysis for assessing blast radius through privilege escalation paths
Security assessment
Documents security analysis capabilities (effective permissions evaluation and attack path tracing) that help identify potential privilege escalation risks, but does not indicate a specific security vulnerability being patched
Diff
diff --git a/securityhub/latest/userguide/exposure-findings-supported-traits.md b/securityhub/latest/userguide/exposure-findings-supported-traits.md index 072f320e1..9562ba7a2 100644 --- a//securityhub/latest/userguide/exposure-findings-supported-traits.md +++ b//securityhub/latest/userguide/exposure-findings-supported-traits.md @@ -6,0 +7,2 @@ +Impact and effective permissions + @@ -13,0 +16 @@ Assumability | Indicates a resource with vended AWS Identity and Access Manage +Impact | Indicates the potential blast radius if the resource is compromised, based on the effective permissions of associated AWS Identity and Access Management principals, including the ability to create and modify resources | Effective permissions analysis of associated AWS Identity and Access Management principals | AWS resources with associated AWS Identity and Access Management identities @@ -20,0 +24,8 @@ Each trait can be associated with multiple titles that provide details about the +## Impact and effective permissions + +The **Impact** trait describes the potential blast radius of an exposure — the downstream resources an attacker could reach and compromise if the primary resource in the exposure finding is compromised. To determine impact, Security Hub analyzes the _effective permissions_ of the AWS Identity and Access Management (IAM) principals associated with the resource. + +**Effective permissions** are the permissions a principal actually has after Security Hub evaluates its identity-based policies together with the resource-based policies of the resources it can access. Because effective permissions account for both what a principal is granted and what target resources allow, they more accurately reflect the actions a principal can perform than the identity-based policies alone. + +Using effective permissions, Security Hub traces the privilege escalation paths from the primary resource to other resources in your environment. Each path is a chain of resources connected by the permissions that allow an attacker to move from one resource to the next. When Security Hub identifies a concrete path to an existing resource, it surfaces that path as part of the **Impact** trait. Impact also accounts for permissions beyond these paths, such as the ability to invoke AWS services that can create or modify other resources. You can review these paths in the potential attack path graph and reduce your blast radius by removing unnecessary permissions. For more information, see [Viewing exposures in Security Hub with the potential attack path graph](./potential-attack-path-graph.html). +