Validated chain
CI/CD OIDC → AWS data
GitHub Actions OIDC→over→privileged AWS role→assume→role chain→S3 PII read
Business impact
4M records reachable from a CI run
Discover · Cloud + Identity Surface
Validate cross-cloud and identity attack paths
AWS, Azure, GCP and the federated identity glue between them — IAM trust paths, control-plane misconfigurations and cross-cloud privilege escalation, validated continuously.
- Read-only connectors
- Workload-identity-federation chains
- CIS + NIST + ISO 27017
- Production-safe by default
LiveCloud · Identity Surface
ValidatedThe problem
Cloud risk is identity risk, and identity risk is multi-cloud
Modern enterprises run AWS, Azure and GCP, federated through Microsoft Entra, Okta or Google Workspace, with workload identities crossing boundaries. Every misconfigured trust is a potential attack path.
Cloud security tooling enumerates misconfigurations. None of it tells you which combination chains into actual control-plane compromise.
The KeenSafe approach
IAM trust paths validated end-to-end
KeenSafe maps roles, service principals, federated identities and SCP/Conditional-Access boundaries across accounts, subscriptions and projects — then walks the privilege paths.
Read-only connectors mean we never modify your cloud. Exploitation is scope-bounded and reversible.
Capabilities
What ships in this engagement
IAM Trust Path Mapping
Roles, service principals, workload identity federation and OIDC trust graphed across clouds.
Control-Plane Validation
Org-, account- and resource-level API misconfigurations exploited safely.
Data-Plane Reachability
S3 / Blob / GCS, RDS / Cosmos / BigQuery, KMS / KeyVault — exploitable read/write paths.
Cross-Cloud Pivots
Workload-identity federation, OIDC trust, SaaS-to-cloud roles validated end-to-end.
Container & Serverless
EKS / AKS / GKE, Lambda / Functions / Cloud Run — RBAC, runtime escapes, metadata-service abuse.
Compliance Mapping
CIS Benchmarks, NIST 800-53, ISO 27017, PCI DSS cloud, AWS / Azure / GCP Well-Architected security.
Attack path
How attackers actually move
Cloud attack paths typically chain through identity. The interesting work is finding the privilege graph that traverses from a low-privilege federated identity into a crown-jewel data store.
Validated chain
Entra → AWS via federation
Entra group membership→AWS SSO role→cross→account assume→DynamoDB
Business impact
Cross-cloud admin reach proven
Outcomes
Measurable, evidence-backed
Read-only
Connectors
KeenSafe never modifies cloud configuration.
3 clouds
AWS · Azure · GCP
First-class connectors. Oracle / IBM via webhooks.
Per-tenant
Tier-0 paths
Most environments find at least one cross-cloud admin reach.
Continuous
Validation cadence
Cloud config drift surfaces as risk in minutes.
For the board
For the executive: cloud risk has a single answer
"Can a federated identity reach customer data through our cloud, today?" KeenSafe answers it across AWS, Azure and GCP — quarter over quarter.
For regulators and insurers asking the same question, evidence is portable.
Technical validation
Cloud validation methodology
Per-cloud connectors enumerate the privilege graph; the orchestrator runs reachability analysis from declared crown jewels backwards to entry points; chains are validated by safe assume-role / token-issuance simulation.
- 01Read-only org / subscription / project enumeration
- 02IAM + workload-identity-federation graph assembly
- 03Reachability solver from crown-jewel data stores
- 04Per-chain scope-bounded validation (no destructive actions)
- 05Per-finding compliance + Well-Architected mapping
Get Started
Find your shortest cross-cloud attack path
A guided session walks the validated chain from a federated identity to a crown-jewel data store.