
    AWS Shadow Access Scanner - IAM & Server Privilege Detection

    Deployed on AWS
    Detects all privileged access mechanisms in AWS environments - not just IAM policies, but server-level backdoors that traditional PAM solutions miss. Scans SSH authorized keys, sudo/sudoers misconfigurations, shadow accounts, UID=0 duplicates, LD_PRELOAD injection, unauthorized setuid binaries, dangerous Linux capabilities, and insecure sshd configurations. 47+ finding types across 15 detection categories. Deploys in your account via one-click CloudFormation -- zero credential sharing, all data stays in your S3 bucket.

    Overview

    AWS Shadow Access Scanner is the first tool to comprehensively detect ALL privileged access mechanisms in AWS environments. While traditional tools focus only on IAM policies, this scanner goes deeper -- detecting server-level privilege backdoors that PAM solutions like CyberArk and BeyondTrust cannot see.

    WHAT IT DETECTS (47+ finding types across 15 categories):

    • IAM policy analysis: wildcard permissions, unused access (90+ days), cross-account roles, overprivileged policies
    • SSH authorized keys: orphaned keys, suspicious patterns, recent additions, service account keys across /home, /root, /var/lib, /opt
    • Sudo/sudoers misconfigurations: NOPASSWD entries, GTFOBins dangerous commands (vim, find, docker, kubectl), service account privilege escalation
    • Shadow accounts: UID=0 duplicates, empty passwords, duplicate password hashes, passwd/shadow sync errors
    • LD_PRELOAD injection: malicious shared libraries in /etc/ld.so.preload and environment variables
    • Unauthorized setuid binaries: custom root-executing binaries in non-standard locations
    • Dangerous Linux capabilities: cap_setuid, cap_sys_admin, cap_dac_override on non-standard binaries
    • Insecure sshd_config: PermitRootLogin, PermitEmptyPasswords

    HOW IT WORKS:

    1. One-click CloudFormation deployment in YOUR AWS account
    2. Lambda + Systems Manager (SSM) for agentless scanning -- no agents to install on instances
    3. Scans complete in 2-5 minutes for up to 100 EC2 instances
    4. Results stored in your S3 bucket with automated email notifications
    5. Automated daily/weekly scheduling via EventBridge
    6. Built-in finding suppression API for managing known-good configurations

    ZERO TRUST ARCHITECTURE:

    • All scanning runs in your AWS account -- no credentials shared with vendor
    • Read-only operations only -- never modifies your infrastructure
    • Customer owns all scan data
    • Minimal IAM permissions (least-privilege)
    • Encrypted results storage
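As an added illustration (not the vendor's code and not part of this listing), the Python below sketches the host-level checks the Overview lists for shadow accounts, sudoers and LD_PRELOAD, run over constructed sample copies of /etc/passwd, /etc/shadow, /etc/sudoers and /etc/ld.so.preload. The sudoers parser handles only the common `user HOST=(runas) [NOPASSWD:] cmd, cmd` form, and the GTFOBins set is an assumption limited to the four commands the listing names.

```python
import re
# Constructed sample files for illustration; not captured from any real host.
PASSWD = """root:x:0:0:root:/root:/bin/bash
svc_backup:x:0:0:backup:/var/lib/backup:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash"""
SHADOW = """root:$6$s1$hashA:19000:0:99999:7:::
svc_backup::19000:0:99999:7:::
alice:$6$s1$hashA:19000:0:99999:7:::"""
SUDOERS = """alice ALL=(ALL) NOPASSWD: /usr/bin/vim, /usr/bin/systemctl status
deploy ALL=(ALL) NOPASSWD: ALL"""
LD_SO_PRELOAD = "# comment line\n/tmp/libhook.so"
GTFOBINS = {"vim", "find", "docker", "kubectl"}  # assumed subset: the commands the listing names
SUDO_RE = re.compile(r"^(?P<user>\S+)\s+\S+=\([^)]*\)\s*(?P<nopw>NOPASSWD:\s*)?(?P<cmds>.+)$")

def scan_passwd(text):
    # UID=0 duplicates: any account other than root whose uid field is 0.
    return [("UID0_DUPLICATE", f[0]) for f in (l.split(":") for l in text.splitlines())
            if len(f) > 2 and f[2] == "0" and f[0] != "root"]

def scan_shadow(text):
    # Empty password fields, and one hash shared by several accounts.
    findings, seen = [], {}
    for line in text.splitlines():
        user, pw = line.split(":")[:2]
        if pw == "":
            findings.append(("EMPTY_PASSWORD", user))
        elif pw.startswith("$"):                 # '!' and '*' mean locked, not a hash
            owner = seen.setdefault(pw, user)
            if owner != user:
                findings.append(("DUPLICATE_HASH", f"{user}={owner}"))
    return findings

def scan_sudoers(text):
    # NOPASSWD grants and GTFOBins commands (ones that can spawn a shell).
    findings = []
    for line in text.splitlines():
        m = SUDO_RE.match(line.strip())
        if not m:
            continue
        user, nopw = m["user"], bool(m["nopw"])
        for cmd in m["cmds"].split(","):
            name = cmd.strip().split()[0].rsplit("/", 1)[-1]
            kind = "SUDO_GTFOBIN" if name in GTFOBINS else "SUDO_NOPASSWD" if nopw else None
            if kind:
                findings.append((kind, f"{user}:{name}:{'NOPASSWD' if nopw else 'PASSWD'}"))
    return findings

def scan_ld_preload(text):
    # Anything listed in /etc/ld.so.preload is loaded into every dynamically linked process.
    return [("LD_PRELOAD_ENTRY", l.strip()) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
```

On a real host the same functions would be fed the file contents collected through SSM, with each finding mapped to a suppression rule where the configuration is known-good.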

    Highlights

    • 47+ detection types across 15 categories - scans both IAM policies AND server-level privileges including SSH keys, sudo configs, shadow accounts, LD_PRELOAD, setuid binaries, and dangerous capabilities that PAM solutions cannot detect
    • 100% serverless and agentless - deploys in your AWS account via one-click CloudFormation using Lambda + Systems Manager. No agents to install, no credentials to share, scans complete in 2-5 minutes
    • Your data stays yours - all scan results stored in your own S3 bucket with encryption. Zero data exfiltration, full audit trail via CloudWatch and CloudTrail, automated scheduling and email notifications included

    Details

    Delivery method

    Deployed on AWS

    Pricing

    Pricing is based on the duration and terms of your contract with the vendor. This entitles you to a specified quantity of use for the contract duration. If you choose not to renew or replace your contract before it ends, access to these entitlements will expire.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    1-month contract (1)

    Dimension: EC2 Instances to Scan
    Description: Number of EC2 instances included in your scanning subscription. Each unit covers one EC2 instance for privilege scanning including IAM policies, SSH keys, sudo configurations, shadow accounts, and system hardening checks. Scans run on your chosen schedule (daily, weekly, or custom).
    Cost/month: $0.001

    Vendor refund policy

    7-Day Money-Back Guarantee

    If you are not satisfied with AWS Shadow Access Scanner within 7 days of your initial subscription, contact us for a full refund.

    To request a refund, contact: info@mtcsvc.com.au. Please include your AWS Account ID and subscription date.


    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information


    Delivery details

    Software as a Service (SaaS)

    SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.

    Support

    Vendor support

    Email support: info@mtcsvc.com.au. Support includes:

    • Deployment assistance and troubleshooting
    • Help interpreting scan results and findings
    • Guidance on remediation of detected privilege backdoors
    • Bug reports and feature requests

    Response time: Within 1 business day for all inquiries.

    Documentation: Scan results include remediation guidance for each finding type. CloudFormation outputs provide direct links to your S3 results bucket.

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Customer reviews

    0 reviews. No customer reviews yet.