If i am not mistaken, ASWPX takes a policy-centric approach to evaluating privesc paths as opposed to a principal-centric approach?. Is that right?

For example, I have a role that has two policies applied. One policy allows iam:passRole on resource:, and the other allows ec2:RunInstances on resource:. I can exploit the classic CreateInstanceWithExistingProfile privesc because the role has all the permissions it needs.

However this does not show up in AWSPX, and I'm really just asking if this is expected or unexpected on your end. If this is unexpected (a bug), I'm happy to provide more details on the roles, policies, instance, profiles, etc. that are involved. If expected, I suggest adding this to the FAQ like the note you have about not processing DENY actions.

Thanks!

Also, I gotta say that I really love AWSPX. Between the visualizations and the exploitation guidance, your tool really helped me put some major IAM privesc pieces together when I was ramping up in this area!