
    IAM Security Scanner

    Production-ready IAM security scanner with privilege escalation detection and multi-framework compliance mapping

    A comprehensive AWS IAM security scanner with 44 security checks across 7 categories and compliance mapping for AWS FSBP, CIS, PCI DSS, HIPAA, SOC 2, ISO 27001/27017/27018, GDPR, and NIST SP 800-53 Rev5 (10 frameworks, 128 controls total). Features multi-threaded scanning, privilege escalation chain detection across 22 documented paths, and cross-account trust analysis.

    Features

    Security Analysis (7 categories, 44 checks)

    • User & Credential: root keys, root/user MFA, access-key rotation, unused credentials
    • Password Policy: length >= 14, complexity, reuse prevention, max-age <= 90 days
    • Managed & Inline Policies: *:* admin, wildcard actions, iam:PassRole on *
    • Role Security: admin roles, wildcard trust principals, unused roles
    • Group & Account Settings: admin/empty groups, Access Analyzer, support role
    • Privilege Escalation & Trust: 22 privesc paths, cross-account confused-deputy

    Compliance

    • AWS FSBP (22 controls)
    • CIS AWS Foundations v5.0.0 (13 controls)
    • PCI DSS v4.0.1 (12 controls)
    • HIPAA Security Rule (11 controls)
    • SOC 2 (14 controls)
    • ISO 27001/27017/27018
    • GDPR (8 controls)
    • NIST 800-53 Rev5 (21 controls)

    Output

    • Security score 0-100 with severity-weighted deductions
    • JSON, CSV, HTML reports
    • Interactive Chart.js dashboards
    • Read-only: every API call is list/get/generate-report
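    The policy checks listed under Security Analysis above (*:* admin, wildcard actions, iam:PassRole on *, wildcard trust principals, cross-account trust) and the severity-weighted score described in this Output section, shown together as one added example. This is not the iam-security-scanner project's own code: the policy documents are constructed sample input, the check names and the CRITICAL/HIGH severities come from this page where it states them, and the remaining severities, the "Cross-Account Trust Without Condition" check name and the score weights are assumptions. It parses IAM JSON offline, so it runs without AWS credentials.

```python
import fnmatch
from dataclasses import dataclass
from typing import Any, Dict, List

# Assumed weights: the page says deductions are severity-weighted but gives no numbers.
SEVERITY_WEIGHTS = {"CRITICAL": 20, "HIGH": 10, "MEDIUM": 5, "LOW": 2}


@dataclass
class Finding:
    check: str      # check name, as it would appear in the report
    severity: str   # CRITICAL / HIGH / MEDIUM / LOW
    subject: str    # policy or role name the finding applies to


def _as_list(value: Any) -> List[Any]:
    """IAM JSON allows a scalar or a list in Statement, Action, Resource and Principal.AWS."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers(policy_action: str, target: str) -> bool:
    """Does a policy Action string (possibly 'iam:*' or '*') cover the target action?
    IAM action names are case-insensitive and use '*'/'?' as glob wildcards."""
    return fnmatch.fnmatchcase(target.lower(), policy_action.lower())


def check_identity_policy(name: str, doc: Dict[str, Any]) -> List[Finding]:
    """Flag *:* admin, wildcard actions and iam:PassRole on * in a managed or inline policy."""
    findings: List[Finding] = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [str(a) for a in _as_list(stmt.get("Action"))]
        on_all_resources = "*" in _as_list(stmt.get("Resource"))
        if "*" in actions and on_all_resources:
            # Full admin; severity is an assumption, the page lists no severity for this check.
            findings.append(Finding("Policy Grants *:* Admin Access", "CRITICAL", name))
            continue
        if any("*" in a for a in actions):
            # e.g. "s3:*" or "iam:Create*"; severity assumed.
            findings.append(Finding("Policy Uses Wildcard Actions", "MEDIUM", name))
        if on_all_resources and any(_covers(a, "iam:PassRole") for a in actions):
            findings.append(Finding("Policy Allowing iam:PassRole on *", "HIGH", name))
    return findings


def check_trust_policy(role: str, doc: Dict[str, Any], own_account: str) -> List[Finding]:
    """Flag wildcard principals and unconditioned cross-account trust in a role trust policy."""
    findings: List[Finding] = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_covers(str(a), "sts:AssumeRole") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        raw = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        aws_principals = [str(p) for p in raw]
        if "*" in aws_principals:
            findings.append(Finding("Role Trust Policy With Wildcard Principal", "CRITICAL", role))
            continue
        # Account id is the 5th colon-separated field of "arn:aws:iam::<account>:...".
        foreign = [p for p in aws_principals
                   if p.startswith("arn:aws:iam::") and p.split(":")[4] != own_account]
        if foreign and "Condition" not in stmt:
            # Cross-account trust with no Condition (e.g. no sts:ExternalId); name and severity assumed.
            findings.append(Finding("Cross-Account Trust Without Condition", "MEDIUM", role))
    return findings


def security_score(findings: List[Finding]) -> int:
    """0-100 score: start at 100, deduct the assumed weight per finding, floor at 0."""
    return max(0, 100 - sum(SEVERITY_WEIGHTS.get(f.severity, 0) for f in findings))


def scan(policies: Dict[str, dict], trust_policies: Dict[str, dict], own_account: str) -> List[Finding]:
    findings: List[Finding] = []
    for name, doc in policies.items():
        findings.extend(check_identity_policy(name, doc))
    for role, doc in trust_policies.items():
        findings.extend(check_trust_policy(role, doc, own_account))
    return findings


# Constructed sample input (not real account data).
SAMPLE_POLICIES = {
    "AdminInline": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "DeployPolicy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:DescribeInstances"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]},
    "ReadOnlyScoped": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]},
}
SAMPLE_TRUST_POLICIES = {
    "OpenRole": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]},
    "PartnerRole": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "sts:AssumeRole"}]},
}

if __name__ == "__main__":
    results = scan(SAMPLE_POLICIES, SAMPLE_TRUST_POLICIES, own_account="123456789012")
    for f in results:
        print(f"[{f.severity}] {f.check}: {f.subject}")
    print("Security score:", security_score(results))
```

    Each check works per Allow statement, so a policy with two wildcard statements yields two findings, and the case-insensitive glob match means "iam:*" counts as covering iam:PassRole. In the real scanner these documents would come from read-only get/list calls; here they are embedded so the logic can be exercised without credentials.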

    Installation & Usage

    PyPI Installation

    pip install iam-security-scanner
    

    Docker

    docker pull tarekcheikh/iam-security-scanner:latest
    

    Commands

    # Scan IAM in the account
    iam-security-scanner security

    # Scan with a specific profile / region
    iam-security-scanner security --profile production -r eu-west-1

    # Compliance report only, JSON output
    iam-security-scanner security --compliance-only -f json

    Security Checks

    • Root Account Has Active Access Keys: CRITICAL
    • Root Account Without MFA: CRITICAL
    • Role Trust Policy With Wildcard Principal: CRITICAL
    • Policy Enabling Privilege Escalation: CRITICAL
    • Console Users Without MFA: HIGH
    • AdministratorAccess Attached Directly to Users: HIGH
    • Policy Allowing iam:PassRole on *: HIGH
    • IAM Access Analyzer Has Active Findings: HIGH
    • Access Keys Older Than 90 Days: MEDIUM
    • Password Policy Minimum Length Under 14: MEDIUM

    Compliance Frameworks

    • AWS FSBP: 22 controls
    • CIS AWS Foundations v5.0.0: 13 controls
    • PCI DSS v4.0.1: 12 controls
    • HIPAA Security Rule: 11 controls
    • SOC 2: 14 controls
    • ISO 27001:2022: 13 controls
    • GDPR: 8 controls
    • NIST 800-53 Rev5: 21 controls

    Need Help Implementing?

    We can help you deploy and customize this tool for your specific needs, or build custom solutions.
