June 16, 2026

Introducing Shieldly: AI-Powered Security Analysis for AWS

Managing AWS IAM permissions is one of the hardest problems in cloud security. A single overly-permissive policy can open the door to privilege escalation, data exfiltration, or account takeover — yet most teams rely on manual review or static analysis tools that miss the most dangerous patterns.

Today we're launching Shieldly — an AI-powered tool that analyzes AWS IAM policies, CloudFormation templates, S3 bucket policies, KMS key policies, and more. Rather than checking against a fixed set of rules, Shieldly uses a large language model to understand the semantic meaning of a policy and surface real-world risks that rule-based tools miss.

Why AWS IAM Security Is Hard

AWS Identity and Access Management is powerful, but that power comes with complexity. Three problems make it especially difficult to get right:

  • Wildcards run rampant. A policy with "Action": "s3:*" on all resources is a disaster waiting to happen, yet it's one of the most common patterns in production accounts.
  • Privilege escalation paths hide between permissions. iam:PassRole together with ec2:RunInstances lets an attacker launch an instance with any role that the PassRole resource covers (often "*") and whose trust policy allows ec2.amazonaws.com, then read that role's credentials from the instance metadata service. Neither permission is alarming on its own; the risk only appears when the two are read as a chain, which is exactly what a check that evaluates each action in isolation misses.
  • Over-permissive policies are the default. AWS managed policies, copied StackOverflow snippets, and "it works in dev" patterns all tend toward granting far more access than needed. The principle of least privilege is widely preached but rarely practiced because manually scoping down every policy is impractical at scale.

How AI Catches What Static Tools Miss

Traditional IAM analyzers are rule-based: they match each action against a blocklist or allowlist. This approach is fast but fundamentally limited. A rule sees one action at a time and can't reason about the context of a policy, that is, whether a given combination of permissions creates a real-world attack path.

Shieldly uses a multi-model AI cascade — up to 15 models deep for Enterprise users — with carefully engineered system prompts that incorporate AWS IAM best practices, real-world attack patterns (including the Rhino Security Labs privilege escalation research), and deterministic scoring rules. Each policy is evaluated against a comprehensive set of security criteria:

  • Risk scoring. Every policy receives a numeric score from 0 (critical) to 100 (safe) alongside a severity classification: Low, Medium, High, or Critical.
  • Explanatory findings. Instead of "Action contains wildcard," Shieldly says "s3:* allows full S3 access including data exfiltration — consider scoping to specific actions your workload needs."
  • Attack chain detection. Identifies multi-step privilege escalation paths by analyzing how permissions interact across the policy.
  • Remediation suggestions. For each finding, get a concrete proposal for scoping down the policy without breaking functionality.
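The checks behind the "Why AWS IAM Security Is Hard" list (service wildcards, the PassRole + RunInstances chain) and the scoring, chain detection and remediation described just above, as one added example. This is not Shieldly's code: the score weights, the small chain catalogue, the sample policy and the remediation inputs (role ARN, S3 action list) are constructed for illustration, and the comments spell out the simplifications a real analyzer must not make.

```python
"""Deterministic IAM policy checks: wildcard actions, known escalation
chains, a 0 (critical) to 100 (safe) score, and a scoped-down remediation.
Added example, not Shieldly's code; weights and samples are illustrative."""
import fnmatch
import json

# Constructed sample: a typical "works in dev" policy.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:DescribeInstances"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}
  ]
}""")

# A few chains from the Rhino Security Labs catalogue (illustrative subset).
# Every action in a set must be allowed for the chain to be reported.
ESCALATION_CHAINS = {
    "PassRole -> RunInstances": {"iam:PassRole", "ec2:RunInstances"},
    "PassRole -> CreateFunction -> InvokeFunction":
        {"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"},
    "CreatePolicyVersion": {"iam:CreatePolicyVersion"},
    "AttachUserPolicy": {"iam:AttachUserPolicy"},
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def allowed_actions(policy):
    """Action patterns from unconditional Allow statements.

    Simplifications a real analyzer must not make: Deny statements are
    ignored, Resource is not evaluated (PassRole scoped to one role ARN still
    escalates to that role), and any Condition is treated as narrowing, which
    hides a chain when the condition key (e.g. aws:RequestedRegion) is unrelated."""
    actions = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        actions.update(_as_list(stmt.get("Action", [])))
    return actions


def grants(actions, needed):
    """True if any pattern matches the action; IAM action names are case-insensitive."""
    return any(fnmatch.fnmatchcase(needed.lower(), pat.lower()) for pat in actions)


def find_chains(policy):
    """Chains whose every step is granted, including via 'iam:*' or '*'."""
    acts = allowed_actions(policy)
    return [name for name, steps in ESCALATION_CHAINS.items()
            if all(grants(acts, s) for s in steps)]


def find_wildcards(policy):
    """Service-wide ('s3:*') or global ('*') action wildcards."""
    return sorted(a for a in allowed_actions(policy) if a == "*" or a.endswith(":*"))


def score(policy):
    """(score, severity) on the page's 0-100 scale. Weights are illustrative."""
    chains, wild = find_chains(policy), find_wildcards(policy)
    s = max(0, 100 - 60 * len(chains) - 25 * len(wild))
    if chains or s < 25:
        sev = "Critical"  # any escalation chain is critical on its own
    elif s < 50:
        sev = "High"
    elif s < 75:
        sev = "Medium"
    else:
        sev = "Low"
    return s, sev


def remediate(policy, role_arn, s3_actions):
    """Scoped-down copy: PassRole limited to one role and to EC2 via
    iam:PassedToService, and s3:* replaced by the actions the workload needs.
    role_arn and s3_actions come from the caller, who knows the workload."""
    fixed = {"Version": policy.get("Version", "2012-10-17"), "Statement": []}
    for stmt in _as_list(policy["Statement"]):
        stmt = dict(stmt)
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and "iam:PassRole" in actions:
            # Scopes the whole statement; a real rewrite would first split
            # PassRole out into its own statement.
            stmt["Resource"] = role_arn
            stmt["Condition"] = {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}
        if "s3:*" in actions:
            actions = [a for a in actions if a != "s3:*"] + list(s3_actions)
        stmt["Action"] = actions
        fixed["Statement"].append(stmt)
    return fixed


if __name__ == "__main__":
    print(find_chains(SAMPLE_POLICY), find_wildcards(SAMPLE_POLICY), score(SAMPLE_POLICY))
    fixed = remediate(SAMPLE_POLICY, "arn:aws:iam::123456789012:role/app-instance",
                      ["s3:GetObject", "s3:PutObject"])
    print(json.dumps(fixed, indent=2), score(fixed))
```

The sample policy scores 15 (Critical) because the PassRole + RunInstances chain is present even though each statement looks routine; after remediation the PassRole statement carries a Condition and a single role ARN, the S3 wildcard is gone, and the same checks return 100 (Low). The Condition handling is deliberately conservative and is the first thing to replace in a real analyzer: a condition that does not constrain the passed role or service must not suppress the finding.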

Works Where You Work

Shieldly is built for the way security and engineering teams actually operate. It integrates directly into your existing workflow:

  • CLI. Analyze policies from any terminal or CI pipeline with shieldly analyze-iam policy.json. Install via npm install -g @shieldly/cli.
  • VS Code Extension. Inline security analysis as you write IAM policies. Squiggles on risky lines, score in the status bar, full results panel. Install from the Visual Studio Code Marketplace.
  • GitHub Action. Add AI-powered security checks to every pull request. Automatically fails CI when CRITICAL or HIGH severity issues are found. Available in the GitHub Marketplace.
  • CDK Guard. AI-powered security analysis built into your CDK workflow. Run npx @shieldly/cdk-guard after cdk synth to catch risky IAM policies and CloudFormation resources before you deploy. Inline risk acceptance via the accept() construct helper. Install: npm install @shieldly/cdk-guard.
  • REST API. Analyze policies programmatically from any language or platform. Simple HTTP POST with an API key — get structured JSON results with scores, findings, and remediation suggestions.
  • Slack & Webhooks (coming soon). Real-time alerts to your #security channel with critical findings, plus generic webhook support for PagerDuty, Teams, or custom endpoints.

Pricing for Every Team

Security tools should be accessible to everyone, from solo developers to enterprise security teams. Shieldly offers:

  • Free tier — 20 analysis units per day with Standard AI. Enough to evaluate policies as you write them.
  • Builder — $19/month, 150 units/day, Advanced AI, API access, and cost analysis.
  • Pro — $49/month, 300 units/day, Advanced AI, compliance panel, and bulk analysis.
  • Team — $99/month, 600 units/day, Enterprise AI, AWS account connect, team collaboration, and webhooks.

Every paid plan includes a 14-day free trial — no credit card required.

Your Policies Stay Private

We know that IAM policies contain sensitive information about your infrastructure. That's why Shieldly is built with privacy as a first-class concern:

  • We never log your input. Policy text is processed in memory and discarded after analysis. No persistent storage of customer policies.
  • SHA-256 hashing. Policy content is SHA-256 hashed before anything reaches telemetry or the cache, so duplicate analyses can be detected without retaining the policy text itself.
  • No training on customer data. Your policies are never used to train or fine-tune our models.
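What a hash-based dedup key looks like in practice, as an added example (not Shieldly's implementation, whose canonicalisation and key handling the post does not describe). Two details matter: hashing the canonical JSON form rather than the raw text, so re-indented or key-reordered copies of one policy collide as intended, and the caveat that a plain SHA-256 of a policy can still be matched offline against a guessed policy such as a well-known managed policy, which a keyed digest avoids. The keyed variant and its key are my assumption, not a feature the post claims.

```python
"""Fingerprints of IAM policies for dedup/caching without retaining the text.
Added example, not Shieldly's code; the HMAC variant is my assumption."""
import hashlib
import hmac
import json


def _canonical(policy_text):
    """Sorted keys, no whitespace. Note: statement order inside the
    'Statement' array is not normalised, so reordered statements differ."""
    return json.dumps(json.loads(policy_text), sort_keys=True,
                      separators=(",", ":")).encode("utf-8")


def policy_fingerprint(policy_text):
    """SHA-256 hex digest of the canonical form, as the post describes."""
    return hashlib.sha256(_canonical(policy_text)).hexdigest()


def keyed_fingerprint(policy_text, key):
    """HMAC-SHA256 with a server-side key: a stored digest cannot be matched
    offline against a guessed policy by anyone who lacks the key."""
    return hmac.new(key, _canonical(policy_text), hashlib.sha256).hexdigest()


# Constructed samples: the same policy, formatted and ordered differently.
POLICY_A = ('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
            '"Action": "s3:GetObject", "Resource": "*"}]}')
POLICY_B = ('{"Statement":[{"Resource":"*","Action":"s3:GetObject","Effect":"Allow"}],'
            '"Version":"2012-10-17"}')

if __name__ == "__main__":
    print(policy_fingerprint(POLICY_A) == policy_fingerprint(POLICY_B))  # same policy
    print(keyed_fingerprint(POLICY_A, b"server-side-secret"))
```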

Ready to lock down your AWS policies?

Try it free at shieldly.io — no credit card required.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.