AWS re:Invent 2025 - Kiro in action: Red Team tactics at scale (DEV336)

Overview

The presentation addresses the "visibility gap" that security teams face when conducting red team engagements or penetration testing assessments for large organizations with hundreds of AWS accounts. The speakers, Nick Gilbert and Damian, introduce a tool built with Kiro, an AI-powered IDE, that automates identifying high-value targets, enumerating cross-account access, prioritizing roles by impact, and detecting common security misconfigurations at scale.

The Visibility Gap

  • Large organizations with hundreds of AWS accounts can have hundreds of thousands of resources, making it challenging to find vulnerabilities.
  • The speakers aim to build a tool using Kiro to address this visibility gap and automate the security assessment process.

Kiro and Spec-based Design

  • The speakers compare two approaches: "vibe coding" (using AI to brainstorm and refine code) and "spec-based design" (defining requirements, design, and tasks upfront).
  • They choose the spec-based design approach, leveraging Kiro's support for this methodology to build a scalable, maintainable security solution.

The IAM Scanner

The IAM scanner tool built using Kiro includes the following key features:

Caching AWS Managed Policies

  • The tool caches the AWS managed policies (over 1,000 of them) to avoid downloading them again for each account during the assessment.

Collecting IAM Data

  • The tool collects data on users, groups, roles, and customer-managed policies across the target accounts.

Analyzing Managed Policies

  • The tool uses a policy engine to identify managed policies with high-privilege permissions.

Identifying Dangerous Principals

  • The tool examines both managed and inline policies to determine which principals (users, groups, roles) are considered dangerous.

Examining Role Trust Policies

  • The tool analyzes role trust policies to identify potential lateral movement opportunities, both within the current account and across accounts.
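
A trust-policy review of this kind can be sketched as follows, for auditing which roles trust principals outside their own account. This is an added example, not code from the speakers' IAM scanner; the function names, labels and sample roles are assumptions made for illustration.

```python
# Constructed sample input: role records shaped like the entries IAM's ListRoles
# returns (Arn + AssumeRolePolicyDocument). Account IDs and names are made up.
ALLOW = {"Effect": "Allow", "Action": "sts:AssumeRole"}
SAMPLE_ROLES = [
    {"Arn": "arn:aws:iam::111111111111:role/app",
     "AssumeRolePolicyDocument": {"Statement": [
         {**ALLOW, "Principal": {"Service": "ec2.amazonaws.com"}}]}},
    {"Arn": "arn:aws:iam::111111111111:role/vendor",
     "AssumeRolePolicyDocument": {"Statement": [
         {**ALLOW, "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
          "Condition": {"StringEquals": {"sts:ExternalId": "constructed-id"}}}]}},
    {"Arn": "arn:aws:iam::111111111111:role/legacy",
     "AssumeRolePolicyDocument": {"Statement": {
         **ALLOW, "Principal": {"AWS": ["*", "111111111111"]}}}},
]

def as_list(value):  # policy JSON allows a bare item where a list is expected
    return value if isinstance(value, list) else [value]

def account_of(principal):
    """12-digit account ID from an ARN or a bare account ID, else None."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" and parts[4] else None

def classify_trust(role):
    """Return (principal, label, has_condition) for every Allow principal."""
    home, out = account_of(role["Arn"]), []
    stmts = as_list(role["AssumeRolePolicyDocument"]["Statement"])
    for stmt in (s for s in stmts if s.get("Effect") == "Allow"):
        principal = stmt.get("Principal", {})
        principal = {"AWS": "*"} if principal == "*" else principal  # "*" shorthand
        for kind, values in principal.items():
            for p in as_list(values):
                if kind != "AWS":
                    label = kind.lower()  # e.g. "service", "federated"
                elif p == "*":
                    label = "anyone"
                else:
                    label = "same-account" if account_of(p) == home else "cross-account"
                out.append((p, label, bool(stmt.get("Condition"))))
    return out

def review_queue(roles):
    """Roles that trust another account or anyone; unconditioned grants first."""
    hits = [(r["Arn"], *f) for r in roles for f in classify_trust(r)
            if f[1] in ("cross-account", "anyone")]
    return sorted(hits, key=lambda h: h[3])
```

The has_condition flag only records that a Condition block exists; whether that condition is restrictive enough still needs a reviewer.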

Detecting Unused Roles

  • The tool identifies unused roles that may have high privileges and could be leveraged by attackers.

Analyzing Privilege Escalation Paths

  • The tool determines if each role has a path to administrative access and provides the specific steps required to escalate privileges.

Estimated Time Savings with Kiro

  • Without Kiro, building a tool with the same capabilities would take an estimated 200-350 hours.
  • With Kiro's spec-based design and AI-powered development, the estimated time is reduced by 70% to 25-35 hours.

Key Takeaways

  1. Use spec-driven design and Kiro to rapidly develop and scale security solutions.
  2. Leverage spec files to translate product requirements into working code without writing extensive code.
  3. Create automated tooling to identify security vulnerabilities and risks in cloud environments.

Accessing the IAM Scanner

  • The IAM scanner code is available on GitHub, with a QR code provided for easy access.
  • The speakers encourage the audience to connect with them on social media, specifically LinkedIn, for further information and collaboration.
