Attack Paths
Findings and IAM Risk surface issues in isolation. Attack Paths connects them.
An attack path is a chain linking something publicly reachable to something sensitive, with every intermediate hop included.
A typical chain: an internet-facing API Gateway → a Lambda function it invokes → an IAM role that function uses → a Secrets Manager secret that role can read. Each hop on its own may look unremarkable. Together, they tell you an attacker who reached the API can ultimately reach the secret.
The model
Two terms appear everywhere on this page:
- Entry node — something reachable from outside your account: API Gateway, function URL, load balancer, security group open to the internet, public S3 bucket policy, public S3 ACL.
- Target node — something an attacker would want to reach: a secret, a database, a private bucket, a sensitive role.
A path connects entry to target through one or more hops. Every path carries a risk score (banded Critical / High / Medium / Low) and a hop count.
Paths view
The tabular view, and the default selection in the view toggle.
Two toggles below the dropdown filters change what's in the list:
- Group similar paths — collapses paths sharing the same entry type, target type, and chain shape into one representative row. Useful when an environment produces many structurally identical paths.
- Show snoozed — includes paths marked as accepted risk (dimmed), so you can review or un-snooze them.
Click a row to open the path detail drawer:
- The full chain breadcrumb — entry → hop → … → target — with inline fix badges on each hop where a fix exists.
- A recommended fix at the top.
- Alternative fixes below, ordered by ease of application.
Selecting a fix expands the relevant hop and explains what applying it would do.
Fixes view
A separate tab that flips the orientation. Instead of listing paths and showing what would close each one, the Fixes view lists fixes and shows how many paths each would close.
Each row shows:
- The fix in plain language ("Remove the public bucket policy on acme-customer-uploads").
- The target resource type and AWS account.
- Paths eliminated — the number of current attack paths this single fix would close. Primary sort key.
- Operational weight — a rough indicator of effort to apply.
- Reversibility — additive/safe, narrowly destructive, or broadly destructive.
Filters cover category (exposure-surface vs IAM), subcategory, target type, and a minimum paths-eliminated threshold.
Use this view when you want to prioritize. It answers: "where do I get the most risk reduction per change?" Read the reversibility column before acting on the top row: a fix that closes many paths at once is usually one that removes access on a hop shared by all of them, and that same access may be relied on by legitimate workloads, so confirm nothing depends on it before applying a narrowly or broadly destructive fix.
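The two ideas above, the path model (entry node, hops, target node, and the "group similar paths" signature) and the Fixes-view ranking by paths eliminated, as an added worked example. This is not GuardKite code and does not reproduce its algorithm or scoring; it is a toy enumerator over a constructed resource graph. Every resource name, edge, fix description and operational weight is invented for the illustration, hop count here follows the breadcrumb on this page (the intermediate nodes between entry and target), and risk scores are not modelled.

```python
# Added example, not GuardKite code: a toy attack-path enumerator over a
# constructed resource graph, plus the Paths-view grouping and Fixes-view ranking.
from collections import defaultdict

# Constructed graph: node -> type. Entry and target status follow from the type.
NODES = {
    "apigw:orders": "api_gateway",
    "lambda:order-handler": "lambda",
    "role:order-handler": "iam_role",
    "secret:orders-db-creds": "secret",
    "apigw:reports": "api_gateway",
    "url:report-builder": "function_url",
    "s3:acme-customer-uploads": "public_bucket",
    "lambda:report-builder": "lambda",
    "role:report-builder": "iam_role",
    "s3:acme-private-exports": "private_bucket",
}
ENTRY_TYPES = {"api_gateway", "function_url", "public_bucket"}
TARGET_TYPES = {"secret", "database", "private_bucket", "sensitive_role"}
# (source, destination, relationship): reaching source lets an attacker reach destination.
EDGES = [
    ("apigw:orders", "lambda:order-handler", "invokes"),
    ("lambda:order-handler", "role:order-handler", "runs as"),
    ("role:order-handler", "secret:orders-db-creds", "secretsmanager:GetSecretValue"),
    ("apigw:reports", "lambda:report-builder", "invokes"),
    ("url:report-builder", "lambda:report-builder", "invokes"),
    ("s3:acme-customer-uploads", "lambda:report-builder", "s3 event triggers"),
    ("lambda:report-builder", "role:report-builder", "runs as"),
    ("role:report-builder", "secret:orders-db-creds", "secretsmanager:GetSecretValue"),
    ("role:report-builder", "s3:acme-private-exports", "s3:GetObject"),
]
# (description, category, mutation kind, mutation key, made-up operational weight).
FIXES = [
    ("Remove the public bucket policy on acme-customer-uploads", "exposure-surface",
     "retype", ("s3:acme-customer-uploads", "bucket"), 1),
    ("Delete the function URL on report-builder", "exposure-surface",
     "remove_node", "url:report-builder", 2),
    ("Remove secretsmanager:GetSecretValue from role:report-builder", "IAM",
     "remove_edge", ("role:report-builder", "secret:orders-db-creds"), 1),
    ("Remove s3:GetObject on acme-private-exports from role:report-builder", "IAM",
     "remove_edge", ("role:report-builder", "s3:acme-private-exports"), 2),
    ("Remove secretsmanager:GetSecretValue from role:order-handler", "IAM",
     "remove_edge", ("role:order-handler", "secret:orders-db-creds"), 1),
]

def find_paths(nodes, edges):
    """Every cycle-free chain from an entry node to a target node."""
    out = defaultdict(list)
    for src, dst, _ in edges:
        out[src].append(dst)
    paths = []

    def walk(chain):
        for nxt in out[chain[-1]]:
            if nxt in chain:  # never revisit a node
                continue
            if nodes[nxt] in TARGET_TYPES:
                paths.append(chain + (nxt,))
            walk(chain + (nxt,))  # a target may itself lead further on

    for node, kind in nodes.items():
        if kind in ENTRY_TYPES:
            walk((node,))
    return sorted(paths)

def hops(path):
    """Intermediate nodes between entry and target (entry -> hop -> ... -> target)."""
    return len(path) - 2

def group_similar(paths, nodes):
    """'Group similar paths': same entry type, target type and chain shape."""
    groups = defaultdict(list)
    for path in paths:
        groups[tuple(nodes[n] for n in path)].append(path)
    return dict(groups)

def apply_fix(nodes, edges, kind, key):
    """Graph after one fix: drop a permission edge, drop a node, or change a node's type."""
    nodes, edges = dict(nodes), list(edges)
    if kind == "remove_edge":
        edges = [e for e in edges if (e[0], e[1]) != key]
    elif kind == "remove_node":
        nodes.pop(key)
        edges = [e for e in edges if key not in (e[0], e[1])]
    elif kind == "retype":
        nodes[key[0]] = key[1]
    return nodes, edges

def rank_fixes(nodes, edges, fixes):
    """Fixes-view rows (fix, category, paths eliminated, weight), best first."""
    baseline = len(find_paths(nodes, edges))
    rows = []
    for fix, category, kind, key, weight in fixes:
        remaining = len(find_paths(*apply_fix(nodes, edges, kind, key)))
        rows.append((fix, category, baseline - remaining, weight))
    return sorted(rows, key=lambda r: (-r[2], r[3], r[0]))

if __name__ == "__main__":
    for sig, members in group_similar(find_paths(NODES, EDGES), NODES).items():
        print(len(members), "path(s),", hops(members[0]), "hops:", " -> ".join(sig))
    print(*rank_fixes(NODES, EDGES, FIXES), sep="\n")
```

Run as a script it prints one line per path group and then the ranked fix rows. The point worth noticing is in the ranking: the two IAM fixes on role:report-builder each close three paths because that role is a hop shared by every entry that reaches lambda:report-builder, while removing the public bucket policy only closes the two paths that start at the bucket; paths eliminated is computed by re-enumerating the graph after each single fix rather than by counting the paths a fix merely touches.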
Graph view
A hub-and-spoke visualization. Entry surfaces on one side, targets on the other, paths drawn between. Easy to spot clusters of paths converging on a single target, or many targets reachable from a single entry.
Click any path to open its drawer — same as the Paths view.
Graph view is best for understanding the shape of your exposure. Paths view is best for working through paths one by one.
Accepting risk (snooze)
Sometimes a path is intentional — a publicly accessible API designed to talk to a particular database is the system working as designed. Snooze the path to stop GuardKite re-surfacing it on every scan.
Open the path detail drawer and use the snooze action. You'll be asked for a reason, a short note explaining why the path is accepted. The snooze is permanent until reversed; there is no expiry. Because nothing un-snoozes itself, pair the action with a periodic review of the snoozed list, and write the reason for the reviewer who will judge later whether the path is still intentional.
Snoozed paths are hidden from default views and don't contribute to risk-score summaries. Toggle Show snoozed to bring them back; un-snooze from the drawer.
Every snooze is recorded with the user who applied it and the timestamp, so the audit trail of who accepted what risk — and why — is visible to anyone reviewing the path later.