Free Agent Blast-Radius Analyzer

Paste the IAM policy attached to an AI agent's role or user — Claude Code, an MCP server, a Bedrock agent, anything with AWS credentials — and see its blast-radius grade: what it could destroy, exfiltrate, or escalate to if it went rogue or got compromised. It runs entirely in your browser: nothing is uploaded, nothing is logged.

Runs entirely in your browser — the policy you paste is never sent anywhere or logged. Same rule engine as shieldly agent-scan; install the CLI for auto-discovery, role/profile fetching, CI enforcement, and scan history.

Full rule reference: docs/agent-scan

What this checks (and what it doesn't)

This page runs the same offline rule engine as shieldly agent-scan against the single policy document you paste. It flags destructive actions, privilege escalation, sensitive data access, unconstrained cost-risk actions, and structural wildcards. It does not resolve group memberships, attached managed policies, or permission boundaries — for that, install the CLI and point it at a live role:

npx @shieldly/cli agent-scan --role-arn arn:aws:iam::123456789012:role/my-agent

Install the CLI for full agent scans

Auto-discover every agent config in a project, fetch a live role's attached + inline policies, enforce a permission budget in CI, and get scan history with drift alerts. Free tier included, same price as every other Shieldly plan.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.