Scan your AWS IAM Configuration for shadow admins in AWS IAM based on misconfigured deny policies not affecting users in groups discovered by Lightspin's Security Research Team.
The tool detects the misconfigurations in the following IAM Objects:
Managed Policies
Users Inline Policies
Groups Inline Policies
Roles Inline Policies
AWS IAM evaluation logic for deny policies applied to groups does not work the same way as most security engineers may be used to with other authorization mechanisms.
.png)