🔑

CIEM & AI-SPM

CIEM & AI-SPM — Identity Privilege Escalation + AI Service Posture

EchelonGraph adds two read-only capabilities on top of its agentless cloud scanner:

  • CIEM (Cloud Infrastructure Entitlement Management) — finds privilege-escalation paths and over-privileged identities in AWS IAM, GCP IAM, and Azure RBAC.
  • AI-SPM (AI Security Posture Management) — checks the security posture of managed AI services: Amazon SageMaker, Amazon Bedrock, Google Vertex AI Workbench, Azure Machine Learning, and Azure OpenAI.

Both are 100% read-only. EchelonGraph never creates, modifies, deletes, or escalates anything in your cloud — it only reads configuration through provider APIs. See Cloud access setup for the exact IAM permissions.

EchelonGraph CIEM and AI-SPM read-only data flow — reads IAM, RBAC, and AI-service configuration from AWS, GCP, and Azure, then emits risk-ranked, compliance-mapped findings with no writes and no agents
EchelonGraph CIEM and AI-SPM read-only data flow — reads IAM, RBAC, and AI-service configuration from AWS, GCP, and Azure, then emits risk-ranked, compliance-mapped findings with no writes and no agents

CIEM — Cloud Infrastructure Entitlement Management

Misconfigured identities are the number-one cloud attack path. A single over-privileged role or service account lets an attacker who lands anywhere pivot toward full account control. CIEM maps effective permissions and flags the identities that can escalate — before an attacker chains them.

What CIEM detects on AWS (19 rules, AWS-CIEM-001 to 019)

EchelonGraph reads IAM users, roles, and attached + inline policy documents, folds them into an effective-permission set, and flags principals that can:

  • Create or set a new default policy version to widen their own access
  • Attach a managed policy or write an inline policy to themselves or others
  • Use PassRole to a compute service (Lambda / EC2 / Glue) to run as a more-privileged role
  • Create access keys or console passwords for another principal
  • Add a user to a privileged group
  • Hold wildcard actions or wildcard resources
  • Update an assume-role trust policy or assume a privileged role
  • Create a backdoor IAM user with its own credentials, or hijack an existing Lambda by overwriting its code to run as that function's role
  • Take over an EC2 instance role via SSM commands (SendCommand / StartSession), or PassRole to a CI/CD / batch service (CodeBuild / Batch / EMR / ECS)
  • Tamper with IAM permission boundaries to widen effective access
  • Read every Secrets Manager secret, SSM parameter, or KMS-encrypted blob — broad data-plane credential access

What CIEM detects on GCP (16 rules, GCP-CIEM-001 to 016)

EchelonGraph reads the project IAM policy and custom-role definitions, and flags:

  • Principals with the primitive Owner or Editor role
  • Public IAM bindings (allUsers / allAuthenticatedUsers)
  • Service-account impersonation (Token Creator, Workload Identity User)
  • setIamPolicy holders (Security Admin / Project IAM Admin) who can grant themselves any role
  • actAs (Service Account User), key admin (mint long-lived keys), and role admin (rewrite role definitions)
  • Custom roles whose permissions confer privilege escalation (setIamPolicy, actAs, getAccessToken, roles.update)
  • The default Compute / App Engine service account holding privilege-escalation roles — the most common GCP escalation foothold
  • A personal / non-corporate account with standing privilege-escalation access on the project
  • Deploy-as-service-account vectors — Cloud Build, Deployment Manager, Dataproc, Composer, or Dataflow run caller code as a privileged service account
  • Service Account Admin rights — create service accounts and bind roles to them

> Google-managed service agents — which legitimately hold broad roles by design — are automatically suppressed, so you only see findings on your identities, not noise.

What CIEM detects on Azure (11 rules, AZ-CIEM-001 to 011) — Preview

EchelonGraph reads Azure RBAC role assignments and custom-role definitions (via Azure Resource Graph) and flags:

  • Owner assigned at subscription or management-group scope — full control including role assignment
  • User Access Administrator and Role Based Access Control Administrator — can grant any role (direct privilege escalation)
  • Contributor at subscription or management-group scope — manage-everything blast radius
  • Privileged roles held by service principals (non-human identities) or orphaned / unknown principals
  • Custom roles with * wildcard actions, Microsoft.Authorization/* or roleAssignments/write (grant-any-role), or */write write-wildcards — especially when assignable at management-group / root scope

> Preview: the Azure CIEM + AI-SPM rules ship and run for any connected Azure subscription and are fully unit-tested, but validation against a production Azure environment is still in progress — so we label them Preview rather than Live.

Why it matters

Every CIEM finding carries a risk score and maps to access-control requirements across CIS, SOC 2 (CC6), ISO 27001 (A.9), and NIST (PR.AC). It tells you which principal, which permission, and why it is dangerous — not generic boilerplate.

AI-SPM — AI Security Posture Management

As teams ship AI features, the managed AI services behind them become a new — and often unmonitored — attack surface. AI-SPM scores the posture of those services and pairs it with EchelonGraph's AI-compliance frameworks (NIST AI-RMF, EU AI Act, ISO 42001, MITRE ATLAS, OWASP LLM Top 10).

What AI-SPM checks on AWS

Amazon SageMaker notebooks (AWS-AISPM-001 to 003):

  • Notebook with direct internet access — data-exfiltration / exposure risk
  • Notebook with root access enabled
  • Notebook storage not encrypted with a customer-managed KMS key

Amazon Bedrock (AWS-AISPM-004 to 005) — evaluated only when Bedrock is actually in use:

  • Model-invocation logging disabled — no audit trail of genAI prompts and responses
  • No guardrails configured — prompt-injection and unsafe-output controls absent

All checks are read-only (sagemaker List/Describe, bedrock Get/List).

What AI-SPM checks on GCP

Google Vertex AI Workbench notebooks (GCP-AISPM-001 to 004) — covers both current Workbench Instances and legacy User-Managed Notebooks:

  • Notebook with a public IP address — directly reachable from the internet
  • Boot/data disk not encrypted with a customer-managed key (CMEK) — relies on Google-managed keys only
  • Shielded VM disabled — no Secure Boot, vTPM, or integrity monitoring
  • Direct (non-proxied) access — bypasses the Vertex managed access proxy

All checks are read-only (notebooks.instances.list / get).

What AI-SPM checks on Azure — Preview

Azure Machine Learning workspaces (AZ-AISPM-001 to 003):

  • Workspace with public network access enabled
  • Workspace not encrypted with a customer-managed key (CMK)
  • Workspace not flagged high-business-impact (HBI) — weaker data-handling guarantees

Azure OpenAI / Cognitive Services (AZ-AISPM-004 to 006):

  • Account with public network access (no private endpoint / network-ACL deny)
  • Account allows local (key-based) authentication instead of Microsoft Entra ID only
  • Account not encrypted with a customer-managed key (CMK)

All checks are read-only (Azure Resource Graph) and covered by the Azure Reader role.

Coverage at a glance

CapabilityAWSGCPAzure
CIEM — IAM privilege escalationLiveLivePreview
AI-SPM — managed AI service postureLive (SageMaker, Bedrock)Live (Vertex AI)Preview (Azure ML, OpenAI)

> Live = validated against real cloud accounts. Preview = shipped + unit-tested and runs for any connected subscription, with live-environment validation in progress.

Get started

  1. Connect your cloud account using the read-only permissions in Cloud access setup — the policy already includes the CIEM IAM-policy reads and the AI-SPM actions (Amazon SageMaker / Bedrock on AWS, Google Vertex AI Workbench on GCP).
  2. Run a scan. CIEM and AI-SPM findings appear in your dashboard alongside misconfiguration and CVE findings, ranked by risk score.
Previous IntegrationsNextData Sovereignty