Skip to main content

Lab Validation

Deploy a known-vulnerable IAM configuration from Bishop Fox iam-vulnerable, model it as a Stave observation, and confirm the finding matches the documented attack path. The payoff is empirical trust: Stave matches an independent expert oracle.

Time: ~30 minutes. Requires a sandbox AWS account. Cost: $0 (IAM only).

Prerequisites

  • Built stave binary
  • AWS sandbox account with a configured profile
  • Terraform

Never run this against production — the lab creates intentionally-vulnerable IAM users.

aws sts get-caller-identity --profile <your-sandbox-profile>

Steps

1. Install Terraform

terraform version || {
wget -O- https://apt.releases.hashicorp.com/gpg | \
sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] \
https://apt.releases.hashicorp.com $(lsb_release -cs) main" | \
sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install -y terraform
}

2. Deploy the lab

git clone https://github.com/BishopFox/iam-vulnerable.git
cd iam-vulnerable
export TF_VAR_aws_local_profile=<your-sandbox-profile>
terraform init && terraform apply

Expect ~30 new IAM users with names containing privesc.

3. Pick one privesc user

Start simple: privesc4-CreateAccessKey-user.

aws iam list-attached-user-policies \
--user-name privesc4-CreateAccessKey-user \
--profile <your-sandbox-profile>

4. Find the matching control

./stave search "CreateAccessKey escalation"

Result: CTL.IAM.ESCALATE.CREATEACCESSKEY.001. Check which fields the control reads:

find controls -name '*CREATEACCESSKEY*' -exec grep -A4 unsafe_predicate {} \;

5. Build the observation

mkdir -p ~/bf-obs
cat > ~/bf-obs/2026-01-01T000000Z.json << 'EOF'
{
"schema_version": "obs.v0.1",
"source": "deployed",
"generated_by": { "source_type": "aws.cli" },
"captured_at": "2026-01-01T00:00:00Z",
"assets": [
{
"id": "arn:aws:iam::<ACCOUNT>:user/privesc4-CreateAccessKey-user",
"type": "aws_iam_user",
"vendor": "aws",
"properties": {
"identity": {
"kind": "user",
"escalation": {
"create_access_key": {
"present": true,
"target_user_arn": "arn:aws:iam::<ACCOUNT>:user/some-admin",
"permission_delta": ["iam:*"]
}
}
}
}
}
]
}
EOF

Replace <ACCOUNT> with your sandbox account ID.

6. Run Stave

./stave apply --observations ~/bf-obs/ --eval-time 2026-01-02T00:00:00Z

Expected: 1 violation — CTL.IAM.ESCALATE.CREATEACCESSKEY.001.

7. Compare to the oracle

Bishop Fox documents privesc4 as "escalate via CreateAccessKey." Stave fired CTL.IAM.ESCALATE.CREATEACCESSKEY.001. Match.

8. Tear down

cd iam-vulnerable && terraform destroy

Confirm no privesc users remain:

aws iam list-users --profile <your-sandbox-profile> | \
jq -r '.Users[].UserName' | grep -ci privesc

Done

You verified Stave against an independent expert oracle; findings match documented attack paths.

Next: Write a Control