Attack Path Categories

The following list details the categories of attack paths that Panoptica identifies.

• Administrator access compromise - which includes any risk to an identity with admin access (AdministratorAccess policy / actions: + resource: ).
• Data exposure - includes any risk to high permissions (other than admin) on storage resources.
• Privilege escalation - includes any risk to high permissions (other than admin) on other resources (not storage).
• Neglected resource - an attacker with access to a group can expose and exfiltrate protected data in the account by using the attached risky data permissions.
• Subdomain takeover - an attacker can take over a subdomain. If an attacker takes over the domain, they can potentially read cookies, perform cross-site scripting, serve malicious content, and more.
• Vulnerable public workload - an attacker with network access to an unencrypted resource can gain full access to the resource and its permissions
• Cross-account - An attacker with access to another account can lead to resource compromise.
  Unlike other categories, an attack path can be in the cross-account category AND another category - meaning that some Attack Paths will have two categories. The display name in this case will be: “{regular category name} from another account”.
  For example, this attack path appears if you filter for the “Data exposure” category AND the “Cross-account” category.