# Shieldly

> Shieldly (shieldly.io) is AI-powered security analysis for AWS. It analyzes AWS IAM policies, resource-based policies (S3, Lambda, SQS, KMS, SNS, cross-account roles), CloudFormation templates, and AWS costs — surfacing over-privileged access, privilege-escalation paths, and misconfigurations with plain-English explanations and remediation steps. Free plan: 20 analysis units/day. A no-signup demo analyzer is available. User input is never logged or stored (one-way SHA-256 hash caching only). Shieldly ships as a web app, CLI (`@shieldly/cli` on npm), VS Code extension, GitHub Action, and CDK construct (`@shieldly/cdk-guard`). Shieldly is independent and not affiliated with Amazon Web Services.

## Product

- [Free IAM policy analyzer (no signup)](https://www.shieldly.io/app/iam): Paste an IAM policy, get an AI-powered risk score, findings, and fixes.
- [Pricing](https://www.shieldly.io/pricing): Free 20 analysis units/day; Builder $19/mo; Pro $49/mo; Team $99/mo; Enterprise custom.
- [FAQ](https://www.shieldly.io/faq): Units, privacy, daily limits, CI/CD usage.
- [Integrations](https://www.shieldly.io/integrations): CLI, VS Code extension, GitHub Action, CDK Guard.

## Free Tools (no signup)

- [IAM Policy Linter](https://www.shieldly.io/tools/iam-policy-linter): Client-side linter flagging wildcards, escalation actions, and risky patterns in IAM policy JSON.
- [Trust Policy Explainer](https://www.shieldly.io/tools/trust-policy-explainer): Explains who can assume a role and flags confused-deputy risks in trust policies.
- [S3 Bucket Policy Checker](https://www.shieldly.io/tools/s3-bucket-policy-checker): Checks whether an S3 bucket policy makes the bucket public or allows broad writes.
- [CloudFormation IAM Checker](https://www.shieldly.io/tools/cloudformation-iam-checker): Extracts IAM resources from a CloudFormation template and flags wildcard, escalation, and open-trust risks.
- [ARN Parser & Explainer](https://www.shieldly.io/tools/arn-parser): Splits an AWS ARN into partition, service, region, account, and resource, and flags wildcards and malformed ARNs.
- [IAM Policy Diff](https://www.shieldly.io/tools/policy-diff): Compares two IAM policy versions and reports added/removed permissions, flagging privilege-sensitive additions.
- [CloudTrail Policy Generator](https://www.shieldly.io/tools/cloudtrail-policy-generator): Generates a minimal least-privilege IAM policy from a sample of CloudTrail events.

## AWS IAM Privilege Escalation Reference

- [IAM Privilege Escalation Cheat Sheet](https://www.shieldly.io/iam/cheatsheet): One-page reference — 26 methods with the permission combo, attacker impact, and fix.
- [iam:CreatePolicyVersion Privilege Escalation](https://www.shieldly.io/iam/iam-createpolicyversion): A principal allowed iam:CreatePolicyVersion on a managed policy can publish a brand-new policy version with full administrator permissions and set it as the default in a single call.
- [iam:SetDefaultPolicyVersion Privilege Escalation](https://www.shieldly.io/iam/iam-setdefaultpolicyversion): Managed policies keep up to five versions.
- [iam:AttachUserPolicy Privilege Escalation](https://www.shieldly.io/iam/iam-attachuserpolicy): iam:AttachUserPolicy lets a principal attach any managed policy to an IAM user.
- [iam:PutUserPolicy Privilege Escalation](https://www.shieldly.io/iam/iam-putuserpolicy): iam:PutUserPolicy writes an inline policy directly onto an IAM user.
- [iam:AddUserToGroup Privilege Escalation](https://www.shieldly.io/iam/iam-addusertogroup): iam:AddUserToGroup lets a principal add an IAM user to any group.
- [iam:CreateAccessKey Privilege Escalation](https://www.shieldly.io/iam/iam-createaccesskey): iam:CreateAccessKey on Resource "*" lets a principal mint long-lived access keys for any IAM user, including more privileged ones.
- [iam:CreateLoginProfile and UpdateLoginProfile Privilege Escalation](https://www.shieldly.io/iam/iam-createloginprofile): A login profile is the console password for an IAM user.
- [iam:PassRole + Lambda Privilege Escalation](https://www.shieldly.io/iam/passrole-lambda): iam:PassRole lets a principal hand an existing role to an AWS service.
- [iam:PassRole + EC2 RunInstances Privilege Escalation](https://www.shieldly.io/iam/passrole-ec2): With iam:PassRole and ec2:RunInstances, an attacker can launch an EC2 instance attached to a privileged instance profile, then read that role’s temporary credentials from the instance metadata service and use them anywhere.
- [iam:UpdateAssumeRolePolicy Privilege Escalation](https://www.shieldly.io/iam/iam-updateassumerolepolicy): iam:UpdateAssumeRolePolicy rewrites a role’s trust policy — the document that decides who may assume it.
- [lambda:UpdateFunctionCode Privilege Escalation](https://www.shieldly.io/iam/lambda-updatefunctioncode): lambda:UpdateFunctionCode lets a principal overwrite the code of an existing Lambda function.
- [iam:PassRole + Glue Dev Endpoint Privilege Escalation](https://www.shieldly.io/iam/passrole-glue): A Glue development endpoint runs as an IAM role and gives interactive (SSH/notebook) access.
- [iam:PassRole + CloudFormation Privilege Escalation](https://www.shieldly.io/iam/passrole-cloudformation): CloudFormation can act with a service role you pass to it, performing every action in the template as that role.
- [iam:PassRole + SageMaker Notebook Privilege Escalation](https://www.shieldly.io/iam/passrole-sagemaker): A SageMaker notebook instance runs as an IAM role and gives the user an interactive Jupyter shell.
- [iam:PassRole + CodeBuild Privilege Escalation](https://www.shieldly.io/iam/passrole-codebuild): A CodeBuild project runs build commands as an IAM service role.
- [iam:PassRole + Data Pipeline Privilege Escalation](https://www.shieldly.io/iam/passrole-datapipeline): AWS Data Pipeline runs activities on EC2 resources that assume a passed IAM role.
- [iam:UpdateLoginProfile Privilege Escalation](https://www.shieldly.io/iam/iam-updateloginprofile): iam:UpdateLoginProfile resets the console password of an IAM user that already has a login profile.
- [iam:AttachRolePolicy Privilege Escalation](https://www.shieldly.io/iam/iam-attachrolepolicy): iam:AttachRolePolicy attaches any managed policy to an IAM role.
- [iam:AttachGroupPolicy Privilege Escalation](https://www.shieldly.io/iam/iam-attachgrouppolicy): iam:AttachGroupPolicy attaches any managed policy to an IAM group.
- [iam:PutRolePolicy Privilege Escalation](https://www.shieldly.io/iam/iam-putrolepolicy): iam:PutRolePolicy writes an inline policy directly onto an IAM role.
- [iam:PutGroupPolicy Privilege Escalation](https://www.shieldly.io/iam/iam-putgrouppolicy): iam:PutGroupPolicy writes an inline policy onto an IAM group.
- [iam:PassRole + ECS Privilege Escalation](https://www.shieldly.io/iam/passrole-ecs): With iam:PassRole and the ECS task APIs, an attacker registers a task definition whose task role is a privileged role, runs it, and the container receives temporary credentials for that role through the container metadata endpoint.
- [EC2 Instance Profile Swap Privilege Escalation](https://www.shieldly.io/iam/ec2-replaceinstanceprofile): With iam:PassRole and ec2:ReplaceIamInstanceProfileAssociation, an attacker swaps a privileged instance profile onto an EC2 instance they can run code on, then reads the role credentials from the instance metadata service.
- [ssm:SendCommand Privilege Escalation](https://www.shieldly.io/iam/ssm-sendcommand): ssm:SendCommand runs arbitrary commands on a managed EC2 instance.
- [Lambda Event Source Mapping Privilege Escalation](https://www.shieldly.io/iam/lambda-eventsourcemapping): An attacker creates a Lambda function with a privileged execution role and triggers it through an event source mapping (for example a DynamoDB or Kinesis stream), escalating without needing lambda:InvokeFunction.
- [ec2:ModifyInstanceAttribute User Data Privilege Escalation](https://www.shieldly.io/iam/ec2-modifyinstanceattribute): ec2:ModifyInstanceAttribute lets a principal rewrite the user-data script of an existing EC2 instance.

## IAM Glossary

- [IAM Trust Policy](https://www.shieldly.io/iam/glossary/trust-policy): A trust policy is the resource-based policy attached to an IAM role that defines which principals are allowed to assume it.
- [IAM Permissions Boundary](https://www.shieldly.io/iam/glossary/permission-boundary): A permissions boundary is an advanced policy that sets the maximum permissions an IAM user or role can ever have, regardless of its attached policies.
- [Service Control Policy (SCP)](https://www.shieldly.io/iam/glossary/service-control-policy): A Service Control Policy is an AWS Organizations policy that sets the maximum available permissions for the accounts it is applied to.
- [Resource-Based Policy](https://www.shieldly.io/iam/glossary/resource-based-policy): A resource-based policy is a policy attached directly to a resource (such as an S3 bucket or KMS key) that specifies who can access it and how.
- [IAM Condition Keys](https://www.shieldly.io/iam/glossary/condition-keys): Condition keys let you add requirements to a policy statement so it only applies when specific context values match — source IP, MFA, account, encryption, and more.
- [sts:AssumeRole](https://www.shieldly.io/iam/glossary/assume-role): sts:AssumeRole is the STS action that returns temporary security credentials for an IAM role, letting a principal operate with that role’s permissions.
- [Least Privilege](https://www.shieldly.io/iam/glossary/least-privilege): Least privilege is the principle of granting an identity only the permissions it needs to do its job — nothing more.
- [IAM Policy Evaluation Logic](https://www.shieldly.io/iam/glossary/policy-evaluation): IAM policy evaluation is the order in which AWS decides whether a request is allowed: an explicit deny always wins, then an explicit allow, otherwise the default is deny.
- [IAM Managed Policy](https://www.shieldly.io/iam/glossary/managed-policy): A managed policy is a standalone IAM policy that can be attached to multiple users, groups, or roles, and exists independently of any single identity.
- [IAM Inline Policy](https://www.shieldly.io/iam/glossary/inline-policy): An inline policy is a policy embedded directly in a single user, group, or role, with a strict one-to-one relationship to that identity.
- [IAM Session Policy](https://www.shieldly.io/iam/glossary/session-policy): A session policy is an inline permissions policy passed at the moment a role is assumed, further limiting the permissions of that temporary session.
- [EC2 Instance Profile](https://www.shieldly.io/iam/glossary/instance-profile): An instance profile is a container for an IAM role that lets an EC2 instance receive temporary credentials for that role automatically.
- [IAM Service-Linked Role](https://www.shieldly.io/iam/glossary/service-linked-role): A service-linked role is a special IAM role that is predefined and owned by an AWS service so the service can perform actions on your behalf.
- [IAM ExternalId](https://www.shieldly.io/iam/glossary/external-id): ExternalId is a shared secret placed in a cross-account role trust policy condition to prevent the confused-deputy problem when a third party assumes your role.
- [IAM Principal](https://www.shieldly.io/iam/glossary/principal): A principal is an entity that can make a request to AWS — an IAM user, an IAM role session, a federated user, or an AWS service acting on your behalf.
- [Attribute-Based Access Control (ABAC)](https://www.shieldly.io/iam/glossary/abac): ABAC is an authorization model where access is granted based on tags (attributes) on principals and resources rather than on static lists of resource ARNs.
- [IAM Access Advisor (Last Accessed)](https://www.shieldly.io/iam/glossary/access-advisor): Access Advisor reports the services a principal is allowed to use and when each was last accessed, making it the primary signal for removing unused permissions.
- [NotAction Element](https://www.shieldly.io/iam/glossary/notaction): NotAction matches every action except the ones listed, so it is an inverted action set that is easy to misread as a denial.
- [Wildcard Action](https://www.shieldly.io/iam/glossary/wildcard-action): A wildcard action uses an asterisk to match many or all actions, with Action set to "*" granting every action in AWS.
- [IAM Access Key](https://www.shieldly.io/iam/glossary/access-key): An access key is a long-lived credential pair (access key ID and secret access key) used to authenticate programmatic requests to AWS as an IAM user.
- [IAM Multi-Factor Authentication (MFA)](https://www.shieldly.io/iam/glossary/mfa): MFA adds a second authentication factor on top of a password or access pattern, so a stolen credential alone is not enough to act.
- [AWS Account Root User](https://www.shieldly.io/iam/glossary/root-user): The root user is the identity created with the AWS account that has unrestricted access to every resource and cannot be limited by IAM policies.
- [IAM Credential Report](https://www.shieldly.io/iam/glossary/credential-report): The credential report is an account-level CSV listing every IAM user and the status of their passwords, access keys, and MFA devices.
- [IAM Policy Simulator](https://www.shieldly.io/iam/glossary/policy-simulator): The IAM policy simulator evaluates whether a given principal would be allowed or denied a specific action, without making a real request.
- [iam:PassRole](https://www.shieldly.io/iam/glossary/passrole): iam:PassRole is the IAM permission that lets a principal hand an existing IAM role to an AWS service, so the service can act as that role.
- [Confused Deputy Problem](https://www.shieldly.io/iam/glossary/confused-deputy): The confused deputy problem is when a more-privileged service can be tricked into using its own permissions to act on a resource the caller should not have access to.
- [IMDSv2 (Instance Metadata Service v2)](https://www.shieldly.io/iam/glossary/imdsv2): IMDSv2 is the session-oriented, token-required version of the EC2 instance metadata service, designed to make remote theft of an instance role's credentials much harder.

## Comparisons

- [Shieldly vs Prowler](https://www.shieldly.io/compare/prowler)
- [Shieldly vs Checkov](https://www.shieldly.io/compare/checkov)
- [Shieldly vs ScoutSuite](https://www.shieldly.io/compare/scoutsuite)
- [Shieldly vs Steampipe](https://www.shieldly.io/compare/steampipe)
- [Shieldly vs PMapper](https://www.shieldly.io/compare/pmapper)
- [Shieldly vs AWS IAM Access Analyzer](https://www.shieldly.io/compare/iam-access-analyzer)
- [Shieldly vs AWS Config](https://www.shieldly.io/compare/aws-config)
- [Shieldly vs AWS Security Hub](https://www.shieldly.io/compare/aws-security-hub)
- [Shieldly vs Cloudsplaining](https://www.shieldly.io/compare/cloudsplaining)
- [Shieldly vs Snyk IaC](https://www.shieldly.io/compare/snyk-iac)
- [Shieldly vs Trivy](https://www.shieldly.io/compare/trivy)
- [Shieldly vs Cloud Custodian](https://www.shieldly.io/compare/cloud-custodian)
- [Shieldly vs Wiz](https://www.shieldly.io/compare/wiz)

## Blog

- [How to Check AWS IAM Policy Risks](https://www.shieldly.io/blog/how-to-check-aws-iam-policy-risks)
- [AWS IAM Privilege Escalation](https://www.shieldly.io/blog/aws-iam-privilege-escalation)
- [AWS IAM Least Privilege](https://www.shieldly.io/blog/aws-iam-least-privilege)
- [AWS IAM Wildcard Policies](https://www.shieldly.io/blog/aws-iam-wildcard-policies)
- [iam:PassRole Explained](https://www.shieldly.io/blog/aws-iam-passrole)
- [AWS IAM Trust Policies](https://www.shieldly.io/blog/aws-iam-trust-policy)
- [AWS IAM Permission Boundaries](https://www.shieldly.io/blog/aws-iam-permission-boundaries)
- [NotAction vs Explicit Deny](https://www.shieldly.io/blog/aws-iam-notaction-vs-deny)
- [ExternalId and the Confused Deputy Problem](https://www.shieldly.io/blog/aws-iam-externalid-confused-deputy)
- [Common AWS IAM Misconfigurations](https://www.shieldly.io/blog/aws-iam-misconfigurations)
- [AWS S3 Bucket Policy Security](https://www.shieldly.io/blog/aws-s3-bucket-policy-security)
- [CloudFormation IAM Security](https://www.shieldly.io/blog/aws-cloudformation-iam-security)
- [Gating IAM Changes in Pull Requests](https://www.shieldly.io/blog/gate-iam-pull-requests)