Thank you for your interest in contributing to pathfinding.cloud! This project aims to be a comprehensive source of AWS IAM privilege escalation paths, and every contribution helps - from rough ideas to fully documented paths.
We've designed multiple ways to contribute based on how much time and detail you have. Choose the option that works best for you:
| Option | Effort | What You Provide | What We Do |
|---|---|---|---|
| Option 1: Share an idea | Lowest | Description of the attack | Everything else |
| Option 2: Submit a draft | Medium | Core fields (ID, name, permissions, description) | Any missing sections |
| Option 3: Use Claude Code, and our workflow [RECOMMENDED] | Medium | You direct our Claude workflow | Review and merge |
| Option 4: Submit a complete path | Higher | All required fields manually | Review and merge |
Don't have time to write YAML? Just tell us about it!
Open a New Path Idea issue and describe:
- What permissions are involved
- How the attack works
- Where you learned about it (optional)
We'll investigate, validate, and build out the full documentation. Your contribution will be credited in the path's attribution.
This is perfect when you:
- Found something interesting but don't have time to document it
- Aren't comfortable with Git/YAML
- Aren't sure if the path is valid or novel
Have some details but not everything? Submit what you know!
Draft submissions let you contribute the core information while we handle the rest (exploitation steps, visualization, detection tools, etc.).
| Field | Description |
|---|---|
| `status` | Must be `draft` |
| `id` | Unique identifier (e.g., `lambda-007`) |
| `name` | Permission syntax (e.g., `iam:PassRole + lambda:CreateFunction`) |
| `category` | One of: `self-escalation`, `principal-access`, `new-passrole`, `credential-access`, `existing-passrole` |
| `services` | AWS services involved (e.g., `[iam, lambda]`) |
| `permissions.required` | List of required permissions with resource constraints |
| `description` | How the escalation works |
1. Copy the draft template:

   ```bash
   cp data/example-path-draft.yaml data/paths/{service}/{service}-{number}.yaml
   ```

2. Fill in the required fields (see template for guidance)
3. Add any optional fields you know (uncomment and fill in)
4. Validate your file:

   ```bash
   python scripts/validate-schema.py data/paths/{service}/{service}-{number}.yaml
   ```

5. Submit your PR - our CI will validate, and we'll enhance it from there
```yaml
status: draft
id: lambda-007
name: iam:PassRole + lambda:CreateFunction + lambda:InvokeFunction
category: new-passrole
services:
  - iam
  - lambda
permissions:
  required:
    - permission: iam:PassRole
      resourceConstraints: Must be able to pass a role that trusts lambda.amazonaws.com
    - permission: lambda:CreateFunction
      resourceConstraints: Must be able to create Lambda functions
    - permission: lambda:InvokeFunction
      resourceConstraints: Must be able to invoke the created function
description: A principal with `iam:PassRole`, `lambda:CreateFunction`, and `lambda:InvokeFunction` can create a Lambda function with an attached privileged role, then invoke it to execute code as that role and retrieve temporary credentials.
# Optional: Add more if you have it!
# prerequisites:
#   admin:
#     - A role must exist that trusts lambda.amazonaws.com
#     - The role must have administrative permissions
```

This project includes a custom Claude Code slash command and specialized sub-agents that automate most of the path creation process. You guide the AI, review the output, and submit the PR.
We've built custom tooling specifically for this project:
- Orchestrator workflow (`/workflows:orchestrator`) - Coordinates the entire path creation process
- Specialized sub-agents:
  - `add-vis` - Creates interactive attack visualizations
  - `attribution` - Researches and adds discoverer information
  - `detection-tools` - Finds which OSS tools detect this path
  - `learning-environments` - Locates practice labs and CTF environments
1. Install Claude Code from claude.ai/code
2. Clone the repository:

   ```bash
   git clone https://github.com/DataDog/pathfinding.cloud.git
   cd pathfinding.cloud
   ```

3. Start Claude Code in the repository directory
4. Run the orchestrator:

   ```
   /workflows:orchestrator
   ```

5. Follow the prompts - The orchestrator will:
   - Ask you about the attack path
   - Build the base YAML file
   - Automatically run all enrichment sub-agents in parallel
   - Validate the final file
Example workflow run:
```text
> /workflows:orchestrator
⎿ Read SCHEMA.md (974 lines)
⎿ Read .claude/CLAUDE.md (349 lines)
⎿ Read CLAUDE.md (350 lines)
⏺ I'm ready to help you create a new attack path for pathfinding.cloud!
To get started, please tell me about the attack path you'd like to document. You can either:
1. Point me to a pathfinding-labs scenario:
~/Documents/projects/pathfinding-labs/modules/scenarios/...
2. Describe the attack path directly:
- What AWS permissions are involved?
- How does the escalation work?
- What services are involved?
- Any references or sources where you learned about it?
What would you like to create?
```

Your prompt could be:

```text
❯ Can you create a path for me based on iam:passrole and lambda:createfunction and lambda:invokefunction?
The way this works is that a user who has these permissions can create a lambda function with malicious code,
and then pass a role to that function that trusts the lambda service. Then the attacker can invoke the
function. There are a few different payload options: The lambda can send the credentials to an attacker
remote listener or webhook type site. the lambda can also just simply print the session credentials as lambda
output for the user. You can use this resource as supporting info: [resource]
```

Another prompt could be:

```text
Can you create a pathfinding.cloud path for the privesc described in this blog post: [insert_link]
```
- Review and submit your PR
- Description of the attack mechanism
- AWS services and permissions involved
- Any references or sources you have
- Proper YAML formatting and field ordering
- Exploitation step commands
- Attack visualization diagrams
- Detection tool research
- Learning environment discovery
- Attribution research
Great for:
- Contributors who want a complete path without manual YAML editing
- Creating multiple paths efficiently
- Ensuring consistent formatting across contributions
Prefer to do it manually, or with an agent other than Claude Code? That's fine by us! Submit a complete path for fastest review!
Complete submissions include all required fields and pass full validation. This is the traditional contribution method.
All draft fields plus:
| Field | Description |
|---|---|
| `exploitationSteps` | Step-by-step commands (at minimum, awscli steps) |
| `recommendation` | Prevention and detection strategies |
| `discoveryAttribution` | Who discovered this technique |
1. Copy the complete template:

   ```bash
   cp data/example-path-complete.yaml data/paths/{service}/{service}-{number}.yaml
   ```

2. Fill in all required fields (see SCHEMA.md for details)
3. Validate your file:

   ```bash
   python scripts/validate-schema.py data/paths/{service}/{service}-{number}.yaml
   ```

4. Submit your PR
Complete paths can also include:
- `attackVisualization` - Interactive attack flow diagram
- `detectionTools` - Links to OSS tools that detect this path
- `learningEnvironments` - Practice labs and CTF environments
- `references` - Blog posts, papers, documentation
Don't worry if you don't have these - we can add them!
- Format: `{service}-{number}` (e.g., `iam-001`, `lambda-007`)
- Number must be exactly 3 digits
- For PassRole paths, use the service of the resource being created:
  - `iam:PassRole + ec2:RunInstances` → `ec2-001`
  - `iam:PassRole + lambda:CreateFunction` → `lambda-001`
```bash
ls data/paths/{service}/ | sort | tail -n 1
```

| Category | Description |
|---|---|
| `self-escalation` | Modify own permissions directly |
| `principal-access` | Gain access to other principals (users/roles) |
| `new-passrole` | Escalate via creating resources + PassRole |
| `credential-access` | Access or extract credentials |
| `existing-passrole` | Modify existing resources to gain elevated access |
- Use AWS IAM permission syntax
- Spaces around `+`: `iam:PassRole + ec2:RunInstances` (not `iam:PassRole+ec2:RunInstances`)
See SCHEMA.md for complete field definitions, validation rules, and examples.
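A pre-submission check of the ID, name and category rules listed above, as an added example; it is not the project's `scripts/validate-schema.py` and does not replace it. The function name `lint_path`, the regular expressions, and the reading of the PassRole rule (the ID's service must match a non-PassRole permission's service) are assumptions made for illustration.

```python
import re

CATEGORIES = {"self-escalation", "principal-access", "new-passrole",
              "credential-access", "existing-passrole"}
DRAFT_FIELDS = ("id", "name", "category", "services", "permissions", "description")
ID_RE = re.compile(r"^([a-z0-9-]+)-(\d{3})$")        # {service}-{number}, 3 digits
PERM_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")  # service:Action (assumed shape)


def lint_path(path):
    """Return the naming-rule problems in a parsed path dict (empty list = clean)."""
    problems = [f"missing field: {f}" for f in DRAFT_FIELDS if not path.get(f)]
    if "status" in path and path["status"] != "draft":
        problems.append("status, when present, must be 'draft'")

    id_match = ID_RE.match(str(path.get("id", "")))
    if not id_match:
        problems.append("id must be {service}-{number} with exactly 3 digits")

    # Splitting on ' + ' leaves a stray '+' inside a part when spaces are missing.
    perms = str(path.get("name", "")).split(" + ")
    bad = [p for p in perms if not PERM_RE.match(p)]
    if bad:
        problems.append(f"name must be service:Action joined by ' + ': {bad}")
    if path.get("category") not in CATEGORIES:
        problems.append(f"unknown category: {path.get('category')!r}")

    # PassRole rule (assumed reading): id service comes from a non-PassRole permission.
    others = {p.split(":")[0] for p in perms if p != "iam:PassRole"}
    if id_match and not bad and "iam:PassRole" in perms and others:
        if id_match.group(1) not in others:
            problems.append(f"PassRole path id should use one of {sorted(others)}")
    return problems


# Constructed inputs: the draft shown on this page, and a variant breaking three rules.
GOOD = {
    "status": "draft", "id": "lambda-007", "category": "new-passrole",
    "name": "iam:PassRole + lambda:CreateFunction + lambda:InvokeFunction",
    "services": ["iam", "lambda"],
    "permissions": {"required": [{"permission": "iam:PassRole"}]},
    "description": "Create a function with a privileged role, then invoke it.",
}
BAD = dict(GOOD, id="iam-7", name="iam:PassRole+lambda:CreateFunction", category="passrole")

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, lint_path(doc) or "ok")
```

The function takes an already-parsed mapping, so load the YAML file with whatever parser you use before calling it.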
```bash
# Install dependencies (first time only)
pip install -r requirements.txt
# Validate a single file
python scripts/validate-schema.py data/paths/{service}/{service}-{number}.yaml
# Validate all files
python scripts/validate-schema.py data/paths/
```

- Drafts (`status: draft`): Only core fields are required
- Complete (no status field): All required fields must be present
Our CI automatically validates PRs and allows drafts. When merging to main, we ensure all paths are complete.
- `Add {service}-{number}: {name}` - For new paths
- `Update {service}-{number}: {description}` - For updates
- `Fix {service}-{number}: {description}` - For corrections
Include:
- Brief description of the path
- Where you learned about it (if applicable)
- Any testing performed
- Automated validation runs on all PRs
- Maintainers review for accuracy and completeness
- For drafts: maintainers will enhance before merging
- Once merged, the website automatically rebuilds
Beyond new paths, we welcome:
- Path variations - Document nuances of existing paths
- Corrections - Fix errors in existing documentation
- Detection tools - Add links to tools that detect paths
- Learning environments - Add links to practice labs
- Website improvements - Enhance the UI or functionality
- Be respectful and professional
- Focus on improving AWS security knowledge
- Credit original researchers appropriately
- Do not submit malicious content
- Issues: Open an issue
- Discussions: Use GitHub Discussions for questions
- Schema questions: See SCHEMA.md
Thank you for contributing to pathfinding.cloud!