// the find
salesforce/cloudsplaining
Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report.
Cloudsplaining scans AWS IAM policies for least-privilege violations and produces a risk-prioritized HTML report. It pulls the full account authorization JSON via `iam:GetAccountAuthorizationDetails` and flags dangerous patterns: data exfiltration, privilege escalation paths, resource exposure, and roles assumable by compute services. Aimed at security engineers and pentesters doing IAM audits, not continuous compliance tooling.
The risk categorization is well thought out: separating data exfiltration, privilege escalation, resource exposure, and credentials exposure means each finding comes with an actionable remediation path rather than just a severity number. The exclusions file is a practical concession to reality: some wildcard policies are intentional (Terraform runners, break-glass roles), and the tool gives you a proper mechanism to suppress them rather than forcing you to grep-ignore. Multi-account scanning via STS role assumption is included out of the box, which most similar tools bolt on late or not at all. The JSON output alongside the HTML report means you can pipe results into JIRA automation or custom dashboards without scraping HTML.
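To make the categorization and exclusions ideas concrete, here is an added toy scanner (my own illustration, not cloudsplaining's code) that walks JSON shaped like the `iam:GetAccountAuthorizationDetails` response, flags Allow statements on `Resource: "*"` by the four risk categories named above, and skips roles listed in an exclusions set. The role names, policy names and the short per-category action lists are constructed for the example; the real tool's action database is far larger.

```python
from fnmatch import fnmatchcase
CATEGORIES = {  # a few sample actions per risk category; cloudsplaining's own database is far larger
    "PrivilegeEscalation": ["iam:PassRole", "iam:AttachRolePolicy", "iam:CreatePolicyVersion"],
    "DataExfiltration": ["s3:GetObject", "secretsmanager:GetSecretValue"],
    "ResourceExposure": ["s3:PutBucketPolicy", "iam:UpdateAssumeRolePolicy"],
    "CredentialsExposure": ["iam:CreateAccessKey", "sts:AssumeRole"],
}

def _as_list(value):  # IAM documents allow a bare string where a list is expected
    return value if isinstance(value, list) else [value]

def statement_categories(stmt):
    """Risk categories an Allow statement on Resource '*' reaches; scoped or Deny statements yield none."""
    if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
        return set()
    patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]  # may hold wildcards such as iam:*
    return {cat for cat, actions in CATEGORIES.items()
            if any(fnmatchcase(act.lower(), pat) for act in actions for pat in patterns)}

def scan(auth_details, exclusions=()):
    """Map each non-excluded role to the categories its attached default-version policies grant."""
    docs = {p["PolicyName"]: next(v["Document"] for v in p["PolicyVersionList"] if v["IsDefaultVersion"])
            for p in auth_details["Policies"]}
    report = {}
    for role in auth_details["RoleDetailList"]:
        if role["RoleName"] in exclusions:  # suppress intentional wildcard roles, as the exclusions file does
            continue
        cats = set()
        for attached in role.get("AttachedManagedPolicies", []):
            for stmt in _as_list(docs[attached["PolicyName"]]["Statement"]):
                cats |= statement_categories(stmt)
        if cats:
            report[role["RoleName"]] = sorted(cats)
    return report

def _policy(name, statement):  # builds a constructed managed policy with one default version
    return {"PolicyName": name, "PolicyVersionList": [{"IsDefaultVersion": True,
            "Document": {"Statement": [statement]}}]}

SAMPLE = {  # constructed sample account, trimmed to the fields scan() reads; not real data
    "RoleDetailList": [
        {"RoleName": "terraform-runner", "AttachedManagedPolicies": [{"PolicyName": "AdminAll"}]},
        {"RoleName": "deploy-role", "AttachedManagedPolicies": [{"PolicyName": "DeployPerms"}]},
        {"RoleName": "reader-role", "AttachedManagedPolicies": [{"PolicyName": "ScopedRead"}]},
    ],
    "Policies": [
        _policy("AdminAll", {"Effect": "Allow", "Action": "*", "Resource": "*"}),
        _policy("DeployPerms", {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:*"], "Resource": "*"}),
        _policy("ScopedRead", {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-bucket/*"}),
    ],
}
```

Calling `scan(SAMPLE, exclusions={"terraform-runner"})` reports only `deploy-role` under `PrivilegeEscalation`; without the exclusion the admin role lands in all four categories, while `reader-role` stays clean because its statement is resource-scoped.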
The tool only evaluates attached policies, so inline policies on principals that were never attached go unscanned by default, which is easy to miss if you have legacy stacks that still use inline policies heavily. The privilege escalation path database is baked in as a static JSON file (`pathfinding-paths.json`), so it won't catch new escalation techniques until someone manually updates the repo. There's no watch mode or incremental diff: every run re-downloads and re-scans the full account, which is slow and burns IAM API quota unnecessarily for frequent audits. The HTML report is a Vue SPA bundled into the Python package, which means any UI bug requires a JavaScript rebuild step that most Python security engineers aren't set up for.