How to Detect IAM Policy Shadowing in AWS Using Native Tools

Posted on April 16, 2024 (updated February 24, 2025) by Dave Brock

In December 2022, security researchers at Sysdig uncovered real-world cases of privilege escalation via IAM misconfiguration. An attacker exploited an overlooked permission in an AWS environment, allowing them to modify IAM policies. By leveraging the ability to create new policy versions, they granted themselves full administrative access—bypassing intended security controls. This type of shadow IAM permission is exactly what we aim to detect before it becomes a security incident.

In our last post, we introduced IAM Policy Shadowing: the situation where overlapping AWS IAM policies unintentionally override each other, leading to excessive or unintended permissions. Now, let’s take the next step: how do you detect these conflicts before they cause a security incident?

This post will walk through AWS-native tools that help identify IAM policy shadowing, ensuring your access controls work as expected.

1. Understanding How AWS Evaluates Policies

Before jumping into detection, let’s quickly review how AWS IAM evaluates policies:

  • An explicit Deny always takes precedence, no matter how many policies Allow the same action.
  • An action is allowed only when some policy explicitly Allows it and nothing explicitly Denies it; with no matching statement at all, the default is an implicit deny.
  • All policies attached to a principal (managed and inline) are evaluated together, so a Deny in one policy can silently override an Allow in another. This is where shadowing happens.
  • SCPs and Permission Boundaries add another layer: they cap what identity policies can grant, so an Allow they do not also contain has no effect.

Understanding these rules is crucial for spotting unexpected behavior.


2. AWS Tools to Detect IAM Policy Shadowing

AWS provides several built-in tools to analyze IAM policies and their effects:

IAM Policy Simulator

🎯 Best for: Testing how policies apply to a specific user, role, or group.

✅ Steps to Use:

  1. Navigate to IAM Console > Policy Simulator.
  2. Select a user, role, or group.
  3. Add actions (e.g., s3:DeleteBucket).
  4. Run the simulation and check which policy allows or denies the action.
  5. Look for unexpected overrides.

🔎 Pro Tip: Test actions across multiple accounts and roles to uncover unintended permissions.
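The same check can be scripted against the simulator's API output. This is an added example, not the post's own code: SIMULATION is a hand-constructed response in the shape that iam:SimulatePrincipalPolicy returns, and the policy ids in it are made up.

```python
# Added example (not the post's code): triage the EvaluationResults returned by
# iam:SimulatePrincipalPolicy, i.e. step 4 above. SIMULATION is constructed by hand
# in the API's response shape; live, it would come from
# boto3.client("iam").simulate_principal_policy(PolicySourceArn=..., ActionNames=[...]).
SIMULATION = {"EvaluationResults": [
    {"EvalActionName": "s3:DeleteBucket", "EvalDecision": "explicitDeny",
     "MatchedStatements": [{"SourcePolicyId": "EngineerInline", "SourcePolicyType": "role"},
                           {"SourcePolicyId": "DenyBucketDeletion", "SourcePolicyType": "user-managed"}],
     "OrganizationsDecisionDetail": {"AllowedByOrganizations": True},
     "PermissionsBoundaryDecisionDetail": {"AllowedByPermissionsBoundary": True}},
    {"EvalActionName": "s3:PutBucketPolicy", "EvalDecision": "implicitDeny",
     "MatchedStatements": [{"SourcePolicyId": "EngineerInline", "SourcePolicyType": "role"}],
     "OrganizationsDecisionDetail": {"AllowedByOrganizations": False},
     "PermissionsBoundaryDecisionDetail": {"AllowedByPermissionsBoundary": True}},
    {"EvalActionName": "s3:ListAllMyBuckets", "EvalDecision": "allowed",
     "MatchedStatements": [{"SourcePolicyId": "EngineerInline", "SourcePolicyType": "role"}],
     "OrganizationsDecisionDetail": {"AllowedByOrganizations": True},
     "PermissionsBoundaryDecisionDetail": {"AllowedByPermissionsBoundary": True}},
    {"EvalActionName": "iam:CreatePolicyVersion", "EvalDecision": "allowed",
     "MatchedStatements": [{"SourcePolicyId": "LegacyAdminAccess", "SourcePolicyType": "user-managed"}],
     "OrganizationsDecisionDetail": {"AllowedByOrganizations": True},
     "PermissionsBoundaryDecisionDetail": {"AllowedByPermissionsBoundary": True}},
]}

def triage(simulation, expected_sources):
    """Map each action that deserves a look to a one-line note: denials with the
    layer responsible, and allows granted by a policy outside expected_sources
    (the unexpected override step 5 asks you to hunt for)."""
    notes = {}
    for r in simulation["EvaluationResults"]:
        action, decision = r["EvalActionName"], r["EvalDecision"]
        sources = [m["SourcePolicyId"] for m in r.get("MatchedStatements", [])]
        org_ok = r.get("OrganizationsDecisionDetail", {}).get("AllowedByOrganizations", True)
        pb_ok = r.get("PermissionsBoundaryDecisionDetail", {}).get("AllowedByPermissionsBoundary", True)
        if not org_ok:
            notes[action] = "blocked by SCP; no identity policy can override this"
        elif not pb_ok:
            notes[action] = "blocked by permissions boundary"
        elif decision == "explicitDeny":
            notes[action] = "explicit Deny among matched policies: " + ", ".join(sources)
        elif decision == "implicitDeny":
            notes[action] = "no effective Allow (matched: " + (", ".join(sources) or "none") + ")"
        else:
            unexpected = sorted(set(sources) - set(expected_sources))
            if unexpected:
                notes[action] = "allowed via unexpected policy: " + ", ".join(unexpected)
    return notes
```

Running `triage(SIMULATION, {"EngineerInline"})` leaves the expected ListAllMyBuckets allow alone and surfaces the other three, including the CreatePolicyVersion grant coming from a policy nobody expected on the role.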

IAM Access Analyzer

🎯 Best for: Identifying excessive permissions and external access risks.

✅ Steps to Use:

  1. Open AWS IAM > Access Analyzer.
  2. Create an analyzer for your organization or account.
  3. Review the findings to detect unintended access paths.
  4. Investigate policies granting broader-than-expected access.

🔎 Pro Tip: Set up continuous Access Analyzer monitoring to receive alerts on new shadowed permissions.

AWS Config Rules for IAM Policies

🎯 Best for: Continuous compliance checks on IAM policies.

✅ Steps to Use:

  1. Open AWS Config and enable rules.
  2. Select built-in IAM compliance rules (e.g., iam-policy-no-statements-with-admin-access).
  3. Monitor compliance status and investigate failures.

🔎 Pro Tip: Create custom Config rules to flag conflicting IAM policies.

AWS CloudTrail – Tracking Unauthorized Actions

🎯 Best for: Auditing IAM policy shadowing incidents.

✅ Steps to Use:

  1. Navigate to AWS CloudTrail > Event History.
  2. Filter by IAM or security-related actions.
  3. Look for denied requests that should have been allowed—or vice versa.

🔎 Pro Tip: Set up CloudWatch Alarms for high-risk IAM actions like AssumeRole, AttachPolicy, and DetachPolicy.
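The CloudTrail review above can be automated over exported records. This is an added example, not the post's code: the events are constructed in CloudTrail's record shape, the account id and principal names are placeholders, and the API names in HIGH_RISK_CHANGES are the concrete IAM calls behind the tip's AttachPolicy/DetachPolicy plus the policy-version calls from the Sysdig case in the introduction.

```python
# Added example (not the post's code): scan CloudTrail records for the two signals
# step 3 and the pro tip describe: AccessDenied on IAM/S3/STS calls that a Deny or
# SCP may be shadowing, and successful high-risk IAM changes. Events are constructed
# in CloudTrail's record shape; account id and principal names are placeholders.
import json

HIGH_RISK_CHANGES = {"AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy",
                     "DetachUserPolicy", "PutRolePolicy", "CreatePolicyVersion",
                     "SetDefaultPolicyVersion", "UpdateAssumeRolePolicy"}
WATCHED_SOURCES = {"iam.amazonaws.com", "s3.amazonaws.com", "sts.amazonaws.com"}
SENSITIVE_ROLES = {"arn:aws:iam::111122223333:role/Engineers"}  # placeholder ARN

SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Engineers/alice"},
     "errorCode": "AccessDenied", "requestParameters": {"bucketName": "dev-logs"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/build-bot"},
     "requestParameters": {"policyArn": "arn:aws:iam::111122223333:policy/DeployPolicy",
                           "setAsDefault": True}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/build-bot"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/Engineers"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Engineers/alice"}},
]

def triage_events(records):
    """Return [(eventName, principal ARN, note)] for records worth a human look."""
    findings = []
    for ev in records:
        name, src = ev["eventName"], ev["eventSource"]
        who = ev.get("userIdentity", {}).get("arn", "unknown")
        params = ev.get("requestParameters") or {}
        if ev.get("errorCode") == "AccessDenied" and src in WATCHED_SOURCES:
            findings.append((name, who, "AccessDenied: check whether a Deny or SCP "
                             "shadows an Allow the caller was meant to have"))
        elif "errorCode" not in ev and name in HIGH_RISK_CHANGES:   # success = no errorCode
            note = "high-risk IAM change " + json.dumps(params, sort_keys=True)
            if name == "CreatePolicyVersion" and params.get("setAsDefault"):
                note += " (new version became the live default)"
            findings.append((name, who, note))
        elif "errorCode" not in ev and name == "AssumeRole" and params.get("roleArn") in SENSITIVE_ROLES:
            findings.append((name, who, "assumption of a watched privileged role"))
    return findings
```

Alarming on every AssumeRole is too noisy in most accounts, which is why the example only flags assumptions of roles you have listed as sensitive.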


3. Real-World Example: Diagnosing a Policy Conflict

Imagine you have an IAM Role assigned to engineers. A Service Control Policy (SCP) explicitly denies S3 bucket deletion, but an inline policy attached to their role allows it.

How to Identify the Conflict:

  1. Use the IAM Policy Simulator to test s3:DeleteBucket for the role.
  2. Run AWS Access Analyzer to check if an attached policy overrides the SCP.
  3. Check AWS Config Rules for compliance violations.
  4. Review CloudTrail logs to see if S3 deletions have occurred unexpectedly.

By correlating findings across these tools, you can pinpoint policy shadowing issues before they lead to security breaches.
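To make the evaluation rules from section 1 concrete, here is a small model of the merge order applied to the scenario above. It is an added example, not the post's code; the policy documents, role and bucket names are constructed, and it generalises the section 3 case to a second one where two policies attached to the same role shadow each other.

```python
# Toy model of the evaluation order in section 1, run against the section 3
# scenario. Added example, not the post's code; policies and names are constructed.
import fnmatch

def _matches(stmt, action, resource):
    """True when a statement's Action and Resource patterns cover the request."""
    acts, ress = stmt["Action"], stmt.get("Resource", "*")
    acts = acts if isinstance(acts, list) else [acts]
    ress = ress if isinstance(ress, list) else [ress]
    return (any(fnmatch.fnmatchcase(action, a) for a in acts)
            and any(fnmatch.fnmatchcase(resource, r) for r in ress))

def evaluate(action, resource, identity_policies, scps=(), boundary=None):
    """Return (decision, reason); identity_policies is {name: policy_doc}."""
    layers = [("SCP", d) for d in scps] + ([("permissions boundary", boundary)] if boundary else [])
    layers += [("identity policy " + n, d) for n, d in identity_policies.items()]
    hits = [(label, [s["Effect"] for s in doc["Statement"] if _matches(s, action, resource)])
            for label, doc in layers]
    # 1. An explicit Deny in any layer wins, however many Allows exist elsewhere.
    for label, effects in hits:
        if "Deny" in effects:
            return "explicitDeny", "denied by " + label
    # 2. SCPs and the boundary cap permissions: each must contain a matching Allow.
    for label, effects in hits:
        if not label.startswith("identity") and "Allow" not in effects:
            return "implicitDeny", "not allowed by " + label
    # 3. Only then does an identity-policy Allow grant the action.
    for label, effects in hits:
        if label.startswith("identity") and "Allow" in effects:
            return "allowed", "allowed by " + label
    return "implicitDeny", "no identity policy allows the action"

SCP_NO_BUCKET_DELETE = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
ENGINEER_INLINE = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
PROD_GUARD = {"Statement": [
    {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "arn:aws:s3:::prod-*"}]}

def section3_conflict():
    """Inline Allow versus SCP Deny: the SCP wins and the inline Allow is dead weight."""
    return evaluate("s3:DeleteBucket", "arn:aws:s3:::dev-logs",
                    {"EngineerInline": ENGINEER_INLINE}, scps=[SCP_NO_BUCKET_DELETE])

def shadowed_between_attached_policies():
    """Two policies on one role: PROD_GUARD's Deny shadows EngineerInline's Allow."""
    return evaluate("s3:DeleteBucket", "arn:aws:s3:::prod-data",
                    {"EngineerInline": ENGINEER_INLINE, "ProdGuard": PROD_GUARD})
```

The reason string is the part worth keeping in a report: it names the layer that actually decided, which is what you are trying to reconcile across the Simulator, Access Analyzer and CloudTrail findings.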


4. Proactive Measures to Prevent IAM Policy Shadowing

✅ Use least privilege principles – Avoid overly broad permissions in managed policies.
✅ Regularly audit IAM roles and permissions – Use IAM Access Analyzer for automated checks.
✅ Document IAM policy changes – Maintain version control and track updates.
✅ Enable AWS Config and CloudTrail alerts – Detect unauthorized changes in real time.


What’s Next?

We’ve covered how to detect IAM Policy Shadowing using AWS-native tools. In our next post, we’ll dive into writing secure IAM policies that prevent conflicts from the start.

Stay tuned, and let’s keep our AWS environments secure!
