Gate Insecure AWS IAM in Pull Requests with a Free GitHub Action
Most IAM problems are not caught by a clever attacker. They are caught — eventually — by an audit, months after a wildcard shipped because a deploy was blocked at 6pm. The fix is to move the check left: review the policy in the pull request, automatically, before it merges.
Here is how to wire that up in about five minutes with the Shieldly GitHub Action.
Why the PR Is the Right Place
By the time a misconfiguration reaches a quarterly review, it has been live for a quarter. The PR is the moment the author has full context, the change is small, and tightening a policy costs one comment instead of a migration. A CI gate also takes the awkward human conversation about who granted "*" again off the table: the bot says it, consistently, every time.
The alternative, a post-merge scanner that dumps findings into a backlog, has been the standard approach for a decade, and the backlogs keep growing. Detection is not the hard part. The bottleneck is getting the finding to the person who can fix it, at the moment they are already looking at the code.
Add the Action
Add a workflow file to your repository. The Action scans changed IAM policies, resource policies, and CloudFormation templates in the PR, posts findings as a comment with the why and the suggested fix, and can fail the check on high-severity issues so risky access cannot merge unnoticed.
```yaml
# .github/workflows/shieldly.yml
name: Shieldly AWS Security
on: [pull_request]
jobs:
  iam-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: AI-Powered AWS security analysis
        uses: shieldly-io/action@v1
        with:
          api-key: ${{ secrets.SHIELDLY_API_KEY }}
          paths: |
            infra/**/*.json
            infra/**/*.yaml
```

Add your Shieldly API key to the repository's secrets as SHIELDLY_API_KEY. The paths glob controls which files are scanned; scope it to your infrastructure directory to avoid false positives on unrelated JSON files, and add infra/**/*.yml if your CloudFormation templates use that extension. Two GitHub Actions details matter here: secrets are not exposed to pull_request runs opened from forks, so the gate covers branches in your own repository; and if the step posts its comment with the workflow's GITHUB_TOKEN rather than its own credential, the job needs pull-requests: write under permissions.
What the Action Reports
For each finding the Action posts a PR comment with three things: what the misconfiguration is, why it is dangerous (not just a rule ID), and the corrected policy ready to paste back. High-severity findings — wildcards on sensitive services, unscoped iam:PassRole, public s3:GetObject — can be configured to fail the status check so they cannot merge without a conscious decision to override.
The analysis covers IAM identity policies, IAM role trust policies, S3 bucket policies, Lambda resource policies, SQS queue policies, KMS key policies, and CloudFormation templates containing any of the above.
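To make the three high-severity patterns concrete, here is an added example of a minimal checker for them, written for this article and not Shieldly's analysis engine: it flags service-wide wildcards, iam:PassRole on Resource "*", and s3:GetObject granted to an anonymous principal with no Condition, and it shows a risky policy beside its tightened form. The SENSITIVE_SERVICES list, the 123456789012 account ID, the role and bucket names and all four policies are constructed for the example.

```python
"""Added example, not Shieldly's engine: a minimal checker for the three
high-severity patterns named above. All policies and IDs are constructed."""

# Assumption: a short list of services where "service:*" is treated as HIGH.
SENSITIVE_SERVICES = {"iam", "sts", "kms", "s3", "ec2", "lambda", "secretsmanager"}


def _as_list(value):
    """IAM accepts a bare string or a list in Action/Resource/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """Principal "*" or {"AWS": "*"} means any caller, including anonymous ones."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def check_policy(policy):
    """Return a list of (severity, message) findings for one policy document."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        sid = stmt.get("Sid", "<no Sid>")
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))

        # 1. Wildcards: "*" on its own, or "kms:*"-style on a sensitive service.
        for action in actions:
            if action == "*":
                findings.append(("HIGH", f"{sid}: Action '*' grants every API on every service"))
            elif action.endswith(":*") and action.split(":", 1)[0] in SENSITIVE_SERVICES:
                findings.append(("HIGH", f"{sid}: wildcard '{action}' on a sensitive service"))

        # 2. iam:PassRole on Resource "*" lets the caller hand any role to a
        #    service it controls, a standard privilege-escalation path.
        if "iam:passrole" in actions and "*" in resources:
            findings.append(("HIGH", f"{sid}: iam:PassRole with Resource '*'"))

        # 3. s3:GetObject granted to an anonymous principal with no Condition.
        if ("s3:getobject" in actions and _is_public_principal(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append(("HIGH", f"{sid}: s3:GetObject open to Principal '*' with no Condition"))
    return findings


def should_block_merge(findings):
    """The CI gate decision: any HIGH finding fails the status check."""
    return any(severity == "HIGH" for severity, _ in findings)


# Constructed "before": a deploy role that shipped with wildcards at 6pm.
RISKY_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DeployAnything", "Effect": "Allow",
                   "Action": ["iam:PassRole", "lambda:*"], "Resource": "*"}],
}

# Constructed "after": same intent, scoped to one role and one app's functions.
HARDENED_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PassOnlyTheAppRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/app-lambda-exec",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
        {"Sid": "UpdateAppFunctions", "Effect": "Allow",
         "Action": ["lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration"],
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:app-*"},
    ],
}

# Constructed bucket policies: anonymous read versus one named role.
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"}],
}
SCOPED_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"}],
}

if __name__ == "__main__":
    for name, pol in {"risky identity": RISKY_IDENTITY_POLICY, "hardened identity": HARDENED_IDENTITY_POLICY,
                      "public bucket": PUBLIC_BUCKET_POLICY, "scoped bucket": SCOPED_BUCKET_POLICY}.items():
        found = check_policy(pol)
        print(f"{name}: block={should_block_merge(found)} {found}")
```

Run it and the risky identity policy produces two HIGH findings (the lambda:* wildcard and the unscoped PassRole) while the hardened version produces none; the public bucket policy is flagged and the role-scoped one is not. A real engine has to handle far more (NotAction, partial wildcards like s3:Get*, Condition keys that actually restrict the principal), which is exactly why the page recommends reading the why alongside each finding rather than trusting a rule ID.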
Try It Free First
Before you wire up CI, get a feel for the output: paste a policy into the free, no-signup web check at shieldly.io/app/iam. Same analysis engine, instant feedback. Prefer the terminal? The CLI runs the same check locally against a file or piped input.
However you run it, your input is never logged — cache keys are one-way SHA-256 hashes. This is a core product promise, not a setting.
Fail Fast, Fix Once
The pattern "I will tighten it later" has a well-documented outcome: it does not get tightened. The PR gate converts that deferred fix into a present-tense decision — either tighten the policy now, or explicitly accept the risk and override the check. Both are better outcomes than the current default, which is that nobody notices until the quarterly audit.
Move the check to where the decision is made — the pull request — and the deadline stops being a reason to ship a wildcard.
Gate IAM risk in your next pull request
Start with the free web check: paste a policy and get AI-powered analysis in seconds. Add the GitHub Action when you are ready to gate PRs automatically.
Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.