IAM Public Exposure

Are your IAM policies granting access more broadly than intended?

What this looks like in the scanner
securecompass.io/public-exposure-scanner
Critical
cross-account-deploy-role
IAM role trust policy allows sts:AssumeRole from Principal: "*" without any conditions
High
legacy-ci-user
IAM user with the AdministratorAccess policy has an access key not rotated in 247 days
Medium
dev-readonly-role
IAM role trust policy allows assumption from any account in AWS organization without external ID

What does AWS IAM public exposure mean?

IAM public exposure means IAM roles, identity policies, or resource-based policies (on S3, KMS, SQS, SNS and similar services) that grant access to accounts outside your own, to any AWS principal, or to anonymous callers. It most often comes from Principal: "*" (or "AWS": "*") or from a trust policy that names a broad principal without a scoping condition such as aws:PrincipalOrgID or sts:ExternalId.

Why it matters

IAM is the foundation of AWS security. An overly permissive trust or resource policy lets any AWS principal, from any account, assume your roles or read and write your resources; combined with a broad permissions policy on the role it becomes a direct path to privilege escalation inside your environment.

How to check manually

  1. Review IAM roles for trust policies with Principal: "*" (or "AWS": "*") and no scoping condition
  2. Check for resource-based policies on S3, SQS, SNS, KMS that allow external access
  3. Use IAM Access Analyzer to identify resources shared externally
  4. Review the IAM credential report for unused or unrotated access keys
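Steps 1 and 2 can be applied offline to policy documents pulled with the CLI. The script below is an added example, not code from this page or from the scanner: it reduces each Allow statement's Principal to a set of account IDs, checks whether a scoping condition narrows it, and assigns a severity on the page's Critical/High/Medium/Low scale. OWN_ACCOUNT, the severity mapping, the list of scoping condition keys and the sample policy documents are all constructed for the example.

```python
"""Offline classifier for IAM trust policies and resource policies (steps 1 and 2 above)."""

OWN_ACCOUNT = "111111111111"  # constructed: the account being audited

# Condition keys that narrow an otherwise broad Principal to known callers (example's own list).
SCOPING_KEYS = {
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn",
    "aws:sourcearn", "aws:sourceaccount", "aws:sourcevpc", "aws:sourcevpce",
    "aws:sourceip", "sts:externalid",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_accounts(principal):
    """Reduce a Principal element to a set of account IDs, '*' for everyone, or
    '<kind>:<id>' for Service/Federated/CanonicalUser principals."""
    if principal == "*":
        return {"*"}
    out = set()
    for kind, entries in principal.items():
        for entry in _as_list(entries):
            if kind != "AWS":
                out.add(f"{kind.lower()}:{entry}")
            elif entry == "*":
                out.add("*")
            elif entry.isdigit():            # bare account ID
                out.add(entry)
            else:                            # arn:aws:iam::<account>:root | user/.. | role/..
                out.add(entry.split(":")[4])
    return out


def condition_keys(statement):
    """Lower-cased condition keys across all operators (StringEquals, ArnLike, ...)."""
    return {k.lower() for kv in statement.get("Condition", {}).values() for k in kv}


def classify_statement(statement, own_account=OWN_ACCOUNT):
    """Return (severity, reason); severity None means the statement is not an exposure.
    The severity mapping is this example's assumption, not the scanner's rules."""
    if statement.get("Effect") != "Allow" or "Principal" not in statement:
        return None, "not an Allow statement with a Principal"
    principals = principal_accounts(statement["Principal"])
    scoping = sorted(condition_keys(statement) & SCOPING_KEYS)
    if "*" in principals:
        if not scoping:
            return "Critical", "Principal '*' with no scoping condition"
        if scoping == ["aws:principalorgid"]:
            return "Medium", "Principal '*' limited only by aws:PrincipalOrgID (any account in the organization)"
        return "Low", "Principal '*' scoped by " + ", ".join(scoping)
    external = sorted(p for p in principals if p.isdigit() and p != own_account)
    if external:
        if scoping:
            return "Low", "external account(s) " + ", ".join(external) + " scoped by " + ", ".join(scoping)
        return "Medium", "external account(s) " + ", ".join(external) + " trusted without sts:ExternalId or any other condition"
    return None, "only this account or AWS service principals"


def analyze_policy(name, document, own_account=OWN_ACCOUNT):
    """(name, severity, reason) for each exposing statement in one policy document."""
    return [(name, sev, reason)
            for stmt in _as_list(document.get("Statement", []))
            for sev, reason in [classify_statement(stmt, own_account)] if sev]


# Constructed sample documents shaped like the scanner findings above; account IDs are fake.
SAMPLE_POLICIES = {
    "cross-account-deploy-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]},
    "dev-readonly-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]},
    "partner-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]},
    "lambda-exec-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": "sts:AssumeRole"}]},
    "public-bucket-policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"}]},
}


def scan_all(policies=SAMPLE_POLICIES, own_account=OWN_ACCOUNT):
    """All findings, most severe first (sort is stable, so insertion order breaks ties)."""
    rank = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    findings = [f for name, doc in policies.items() for f in analyze_policy(name, doc, own_account)]
    return sorted(findings, key=lambda f: rank[f[1]])


if __name__ == "__main__":
    for name, sev, reason in scan_all():
        print(f"{sev:8} {name}: {reason}")
```

On a live account, replace SAMPLE_POLICIES with the AssumeRolePolicyDocument of each role from `aws iam list-roles` and with resource policies from the services in step 2 (for example `aws s3api get-bucket-policy --bucket NAME`). Access Analyzer (step 3) stays the authoritative check: this classifier ignores Deny statements and NotPrincipal, so treat it as a fast first pass, not a replacement.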

Quick check with AWS CLI

Run IAM Access Analyzer to find external access
aws accessanalyzer list-findings --analyzer-arn YOUR_ANALYZER_ARN --query "findings[?status=='ACTIVE'].{Resource:resource,Type:resourceType,Principal:principal}"
Find IAM roles whose trust policy has an Allow statement with a wildcard Principal (a bare asterisk anywhere else in the document, such as sts:* in Action, is not an exposure and is no longer matched; assumes Statement is a list)
aws iam list-roles --query "Roles[].{Name:RoleName,TrustPolicy:AssumeRolePolicyDocument}" --output json | python3 -c "import sys,json;[print(r['Name']) for r in json.load(sys.stdin) if any(s.get('Effect')=='Allow' and '*' in json.dumps(s.get('Principal','')) for s in r['TrustPolicy']['Statement'])]"
Generate and check the IAM credential report
aws iam generate-credential-report && aws iam get-credential-report --query "Content" --output text | base64 -d

Common misconfigurations

Role trust policy allowing any AWS account to assume it
Resource policies with Principal: "*" and no conditions
Access keys that have not been rotated in over 90 days
Inactive IAM users with console access still enabled
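The last two misconfigurations in this list are both visible in the credential report. The script below is an added example, not code from this page or the scanner: it parses the CSV that `aws iam get-credential-report` returns after base64 decoding and flags active access keys older than 90 days and console-enabled users who have not signed in for 90 days. The sample report rows, the fixed NOW timestamp and the 90-day console inactivity threshold are constructed assumptions; the 90-day key threshold is the one this page uses.

```python
"""Audit an IAM credential report for unrotated access keys and idle console users."""
import csv
import io
from datetime import datetime, timezone

KEY_MAX_AGE_DAYS = 90        # rotation threshold used on this page
CONSOLE_INACTIVE_DAYS = 90   # assumption: a console login unused for this long counts as inactive
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible

# Constructed sample in the credential report's CSV layout; users, account ID and dates are fake.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
legacy-ci-user,arn:aws:iam::111111111111:user/legacy-ci-user,2022-03-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-09-27T12:00:00+00:00,2024-05-30T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2023-01-10T00:00:00+00:00,true,2024-05-28T14:00:00+00:00,2024-03-01T00:00:00+00:00,N/A,true,true,2024-04-15T00:00:00+00:00,2024-05-30T00:00:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob-contractor,arn:aws:iam::111111111111:user/bob-contractor,2022-06-01T00:00:00+00:00,true,2023-08-01T00:00:00+00:00,2022-06-01T00:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
svc-new,arn:aws:iam::111111111111:user/svc-new,2024-05-01T00:00:00+00:00,true,no_information,2024-05-01T00:00:00+00:00,N/A,false,true,2024-05-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def parse_time(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean no value."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def age_days(value, now=NOW):
    """Whole days between a report timestamp and now, or None when the field is empty."""
    ts = parse_time(value)
    return None if ts is None else (now - ts).days


def audit_report(csv_text, now=NOW):
    """Return (user, severity, message) findings for stale keys and idle console users."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        # Only active keys matter; an inactive key cannot be used even if it is old.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                age = age_days(row[f"access_key_{n}_last_rotated"], now)
                if age is not None and age > KEY_MAX_AGE_DAYS:
                    findings.append((user, "High", f"access key {n} not rotated in {age} days"))
        # The root row reports password_enabled as not_supported, so it is skipped here.
        if row["password_enabled"] == "true":
            last = age_days(row["password_last_used"], now)
            created = age_days(row["user_creation_time"], now)
            if last is None:
                # Never signed in: only a finding once the user is old enough to have been expected to.
                if created is not None and created > CONSOLE_INACTIVE_DAYS:
                    findings.append((user, "Medium", "console access enabled but never used"))
            elif last > CONSOLE_INACTIVE_DAYS:
                findings.append((user, "Medium", f"console access enabled but last login {last} days ago"))
    return findings


if __name__ == "__main__":
    import sys
    # Pipe a decoded real report on stdin, otherwise run against the constructed sample.
    if sys.stdin.isatty():
        text, now = SAMPLE_REPORT, NOW
    else:
        text, now = sys.stdin.read(), datetime.now(timezone.utc)
    for user, sev, msg in audit_report(text, now):
        print(f"{sev:7} {user}: {msg}")
```

Against a real account, run the CLI pair from the section above and pipe the decoded CSV into the script: `aws iam get-credential-report --query "Content" --output text | base64 -d | python3 audit_credential_report.py` (the file name is this example's). On the sample, legacy-ci-user is reported with a 247-day-old key and bob-contractor with a console login last used 305 days ago, while svc-new, created a month ago and never signed in, is deliberately not flagged.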

Check all 22 resource types at once

Instead of checking each service manually, scan your entire AWS account and see every public exposure ranked by risk.

Scan My Account

Related exposure types