Skip to content


Find Creep/Drift/Overprivilege

Tool Description
  • Remove permissions granting access to unused services from the inline policies of IAM roles in an AWS account
  • Scans accounts for violations of Least Privilege and identifies policies that can lead to Privilege Escalation, Data Exfiltration, Resource Exposure, and Infrastructure Modification
  • Compiles AWS IAM usage and leverages that data to create a least-privilege IAM Terraform that replaces the exiting IAM management method
  • Helps find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies
AWS Key Disabler
  • A small lambda script that will disable access keys older than a given amount of days
  • Discover most privileged entities in the target AWS/Azure environments, including Shadow Admins
  • Analyzes behaviors of temporary tokens
  • Aims to find suspicious creation forms and uses of temporary tokens to detect malicious activity in the account
  • The tool analyzes the AWS account, and creating an excel sheet includes all the currently living temporary tokens
  • Scan your AWS IAM Configuration for shadow admins in AWS IAM based on misconfigured deny policies not affecting users in groups
  • Validate all your Customer Policies against AWS Access Analyzer

Policy Creation/Linting

Tool Description
Policy Sentry
Action Hero
  • Sidecar style utility to assist with creating least privilege IAM Policies for AWS
  • Action Hero provides a means to capture all required permissions during the more permissive iterations to make it easier to create an IAM role with just the required permissions
Effective Actions for IAM
  • After you have input your policy JSON, you will see a list of allowed actions by resource; permissions in AWS require an explict allow to be permitted


Tool Description
  • A utility for easily assuming AWS IAM roles from the command line
  • Uses AWS STS to create temporary AWS API credentials for accessing our AWS infrastructure programmatically
gimme-aws-creds CLI that utilizes an Okta IdP via SAML to acquire temporary AWS credentials via AWS STS
  • A proxy for AWS's metadata service that gives out scoped IAM credentials from STS


Tool Description
  • Fine-Grained IAM Roles for Service Accounts for EKS
  • AWS just made pods first class citizens in IAM: rather than intercepting the requests to the EC2 metadata API to perform a call to the STS API to retrieve temporary credentials, AWS made changes in the identity APIs to recognize Kubernetes pods
  • By combining an OpenID Connect (OIDC) identity provider and Kubernetes service account annotations, you can now use IAM roles at the pod level
  • Share AWS resources with groups of AWS accounts in AWS Organizations
  • Reference Organizational Units (OUs), which are groups of AWS accounts in AWS Organizations, in IAM
  • New condition key, aws:PrincipalOrgPaths, in your policies to allow or deny access based on a principal’s membership in an OU
aws-iam-authenticator Use AWS IAM credentials to authenticate to a Kubernetes cluster
guard Kubernetes Webhook Authentication server. Using guard, you can log into your Kubernetes cluster using various auth providers such as Azure, Google, etc.
Back to top