Attack Path Categories

The following list details the categories of attack paths that Panoptica identifies.

  • Administrator access compromise - includes any risk to an identity with admin access (AdministratorAccess policy / actions: * + resource: *).
  • Data exposure - includes any risk to high permissions (other than admin) on storage resources.
  • Privilege escalation - includes any risk to high permissions (other than admin) on other resources (not storage).
  • Neglected resource - an attacker with access to a group can expose and exfiltrate protected data in the account by using the attached risky data permissions.
  • Subdomain takeover - an attacker can take over a subdomain. If an attacker takes over the domain, they can potentially read cookies, perform cross-site scripting, serve malicious content, and more.
  • Vulnerable public workload - an attacker with network access to an unencrypted resource can gain full access to the resource and its permissions.
  • Cross-account - an attacker with access to another account can compromise resources.
    Unlike other categories, an attack path can be in the cross-account category AND another category - meaning that some Attack Paths will have two categories. The display name in this case will be: “{regular category name} from another account”.
    For example, this attack path appears if you filter for the “Data exposure” category AND the “Cross-account” category.