SkyScalpel: Making & Breaking {“Policy”: “Obf\u0075scA**Tion”} in the Cloud

OVERVIEW

This talk explores how attackers can obfuscate cloud policies, remote administration scripts, and permissions parameters to evade detections at multiple stages of the detection pipeline. When “Allow” becomes “Al\u006Cow” and “iam:PassRole” becomes “iam:P*ole”, do your detections still work? Some obfuscation techniques are caught during creation but sanitized upon storage; others persist and silently bypass detection, break console rendering, or manipulate what defenders see depending on the viewing method.

I will present offensive and defensive findings from these obfuscation scenarios, highlighting inconsistencies across official cloud tooling (CLI, SDKs, consoles), and introduce SkyScalpel—a custom-built JSON tokenizer and syntax tree parser equipped with cloud-aware obfuscation, deobfuscation, and detection capabilities. SkyScalpel demonstrates just how easily attackers can bend cloud policies and how defenders can fight back.
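To make the abstract's question concrete from the detection side, here is an added example (not SkyScalpel's code and not from the talk) comparing a literal string rule with one that decodes the JSON and expands IAM wildcards before matching. The watch-list, the sample policy and all function names are constructed for illustration.

```python
import json
import re

# Constructed watch-list of actions a detection might care about (assumption).
SENSITIVE_ACTIONS = ["iam:PassRole", "iam:CreateAccessKey"]

# Constructed sample: raw request text with a JSON unicode escape in the
# Effect value and a wildcard in the action, as in the abstract's two examples.
RAW_POLICY = r'''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Al\u006Cow", "Action": "iam:P*ole", "Resource": "*"},
  {"Effect": "Deny", "Action": ["s3:Get*"], "Resource": "*"}]}'''


def naive_match(raw_text):
    """Literal string search over the raw text, as a simple rule might do."""
    return '"Allow"' in raw_text and "iam:PassRole" in raw_text


def pattern_to_regex(pattern):
    """Translate an IAM action pattern (* = any run, ? = one char) to a regex."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)  # action names ignore case


def as_list(value):
    """Statement and Action may each be a single item or a list."""
    return value if isinstance(value, list) else [value]


def normalized_match(raw_text, watch_list=SENSITIVE_ACTIONS):
    """Decode the JSON first, then expand wildcards against the watch-list."""
    policy = json.loads(raw_text)  # resolves \uXXXX escapes in keys and values
    hits = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in as_list(stmt.get("Action", [])):
            rx = pattern_to_regex(pattern)
            hits += [(pattern, a) for a in watch_list if rx.fullmatch(a)]
    return hits


if __name__ == "__main__":
    print("naive rule fired:", naive_match(RAW_POLICY))
    print("normalized hits:", normalized_match(RAW_POLICY))
```

The sketch covers only `Effect` and `Action`; a production rule would also need to consider `NotAction` and whichever representation of the policy (raw request, stored document, log field) the detection actually receives.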

Presented By

ABIAN MORINA

Threat Researcher, Permiso Security