Replies: 2 comments
-
In general I think this can be a huge added value for organisations. Being able to statically "pentest" infra based on Cartography's data and quickly identify potential issues is a great proposition IMHO.
-
I dug into it a bit here: https://twitter.com/alexchantavy/status/1622656844778053633

```cypher
match(acc:AWSAccount)--(a:AWSPrincipal)--(p:AWSPolicy)--(st:AWSPolicyStatement{effect:"Allow"})
where "iam:CreatePolicyVersion" in st.action
return *
```

shows you targets that can create arbitrary policies according to that blog post. Similar queries can be made for the other scenarios mentioned.
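The query in the comment above only matches a statement whose `action` list contains the literal string, so a principal whose policy says `iam:*` or `iam:Create*` is missed, and an explicit Deny on the same action is ignored. Below is an added example, not code from this discussion or from Cartography itself, that evaluates statements the way IAM does for the action in question (wildcards, and Deny beating Allow); the `SAMPLE_STATEMENTS` dict, the ARNs in it and the function names are constructed for the example, and it assumes the `effect`/`action`-list shape that the Cypher query above relies on.

```python
import fnmatch
from typing import Iterable

# Constructed sample in the shape the query above assumes for
# AWSPolicyStatement nodes (an effect plus a list of actions). Not real data.
SAMPLE_STATEMENTS = {
    "arn:aws:iam::123456789012:role/example-admin": [
        {"effect": "Allow", "action": ["iam:*"]},
    ],
    "arn:aws:iam::123456789012:user/example-dev": [
        {"effect": "Allow", "action": ["iam:CreatePolicyVersion", "s3:GetObject"]},
        {"effect": "Deny", "action": ["iam:CreatePolicyVersion"]},
    ],
    "arn:aws:iam::123456789012:user/example-readonly": [
        {"effect": "Allow", "action": ["iam:Get*", "iam:List*"]},
    ],
}


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statements_permit(statements: Iterable[dict], action: str) -> bool:
    """True if the statements effectively grant `action`.

    Mirrors IAM's evaluation order: a matching explicit Deny wins over any
    Allow. Resources, Conditions and NotAction are deliberately not modelled,
    so a True here is a candidate for review, not a proven permission.
    """
    allowed = False
    for st in statements:
        if any(action_matches(p, action) for p in st.get("action", [])):
            if st.get("effect") == "Deny":
                return False
            if st.get("effect") == "Allow":
                allowed = True
    return allowed


def principals_with_action(data: dict, action: str) -> list:
    """ARNs whose statements (wildcards included) effectively permit `action`."""
    return sorted(arn for arn, sts in data.items() if statements_permit(sts, action))


if __name__ == "__main__":
    # Prints only the admin role: the dev user is cut off by the explicit Deny.
    print(principals_with_action(SAMPLE_STATEMENTS, "iam:CreatePolicyVersion"))
```

The same function can be pointed at statements pulled from Cartography with a broader match on `st.action` and the resulting ARNs tagged on the graph, which is the kind of flag the description below proposes.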
-
Description:
As discussed in this cartography meeting, we should use the data and relationships in cartography to quickly reveal attack techniques described in this article: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
We could also adapt Rhino Labs' existing script: https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py; see "Scanning for Permission Flaws: aws_escalate" in that article.
For example, we could add a `CreateAccessKeyVulnerable=True` field to the `:AWSPrincipal` node to quickly identify targets accessible with a given AWS Access Key, or something else. (This is a bad example, but hopefully you get the idea of reading this article and finding neat techniques that we could quickly expose in the graph.)