Free Tools    


Lightspin AWS IAM Vulnerability Scanner


Scan your AWS IAM Configuration for shadow admins in AWS IAM based on misconfigured deny policies not affecting users in groups discovered by Lightspin's Security Research Team.

The tool detects the misconfigurations in the following IAM Objects:

  • Managed Policies

  • Users Inline Policies

  • Groups Inline Policies

  • Roles Inline Policies

Research Summary

AWS IAM evaluation logic for deny policies applied to groups does not work the same way as most security engineers may be used to with other authorization mechanisms.