Blast Radius
The total scope of resources, data, and services an attacker can reach from a single compromised credential or entry point in an AWS environment.
Blast radius measures how far an attacker can get from a single point of compromise. In AWS, this means: starting from one credential, one Lambda function, or one EC2 instance, what is the total set of resources that become accessible?
Factors that increase blast radius:
- **Overly permissive IAM policies** — Policies with wildcard actions or resources
- **Shared credentials** — The same access keys used across multiple services
- **Cross-account trust** — Roles that allow assumption from other accounts without strict conditions
- **Flat network architecture** — No segmentation between environments (dev/staging/prod)
- **Service role over-provisioning** — Lambda functions, ECS tasks, or EC2 instances with more permissions than needed
- **Missing resource policies** — S3 buckets, SQS queues, or SNS topics without restrictive resource policies
Reducing blast radius is a core goal of AWS security architecture:
- **Least privilege** — Grant only the permissions each principal actually needs
- **Account segmentation** — Separate workloads into distinct AWS accounts
- **Service control policies (SCPs)** — Set permission boundaries at the organization level
- **Permission boundaries** — Limit the maximum permissions a role can have
- **Resource policies** — Restrict which principals can access specific resources
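As an added illustration (this is not hackaws.cloud's code), the small checker below flags three of the blast-radius factors listed above directly in IAM policy JSON: wildcard actions, wildcard resources, and cross-account trust without conditions. It compares a constructed over-provisioned service role against a least-privilege version of the same role, and an open trust policy against one scoped to a single role with an `sts:ExternalId` condition. All policy documents, account IDs, bucket names and role names are constructed placeholders.

```python
"""Added example (not hackaws.cloud code): static checks for blast-radius
factors in IAM identity and trust policies. All sample policies below are
constructed for illustration; the account ID and ARNs are placeholders."""
from typing import Dict, List

# Constructed sample: an over-provisioned service role policy.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": "*"},
    ],
}

# Constructed sample: the same role scoped to what the workload needs.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-uploads/*",
        }
    ],
}

# Constructed sample trust policy: any principal in another account may assume.
OPEN_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Constructed sample trust policy: one named role, plus an external-ID condition.
SCOPED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:role/deploy"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
        }
    ],
}


def _as_list(value) -> List:
    """IAM allows a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def find_policy_risks(policy: Dict) -> List[str]:
    """Return findings for wildcard actions/resources and unbounded AssumeRole."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        if "*" in resources:
            findings.append(f"statement {i}: wildcard resource")
        # AssumeRole on any resource lets the principal pivot into any role
        # whose trust policy accepts it, including roles in other accounts.
        if "*" in resources and any(a in ("*", "sts:*", "sts:AssumeRole") for a in actions):
            findings.append(f"statement {i}: can assume any role (cross-account pivot)")
    return findings


def find_trust_risks(trust: Dict) -> List[str]:
    """Return findings for trust policies that admit a whole account or anyone."""
    findings = []
    for i, stmt in enumerate(trust.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {i}: any AWS principal may assume this role")
            elif p.endswith(":root") and "Condition" not in stmt:
                findings.append(f"statement {i}: whole account {p} trusted without conditions")
    return findings


if __name__ == "__main__":
    for name, doc in [("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)]:
        print(name, find_policy_risks(doc) or "no findings")
    for name, doc in [("open trust", OPEN_TRUST), ("scoped trust", SCOPED_TRUST)]:
        print(name, find_trust_risks(doc) or "no findings")
```

Running the module prints four findings for the broad policy (a wildcard action, two wildcard resources and an unbounded `sts:AssumeRole`), one for the open trust policy, and none for the scoped versions. The checks are deliberately simple string matches on the policy document; they do not evaluate SCPs, permission boundaries or resource policies, which can further constrain what an identity policy grants.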
hackaws.cloud quantifies blast radius by running an autonomous agent from a starting point and mapping every resource it can reach. The resulting attack graph shows exactly what an attacker could access — and where to tighten controls.