Available on AWS Marketplace

Your Access Analyser Passed. But What About Server Backdoors?

AWS Shadow Access Scanner detects the privileged access mechanisms that AWS native tools, CSPM platforms, and PAM solutions completely miss — SSH backdoors, sudo misconfigurations, shadow root accounts, reverse shells, kernel rootkits, and more.

  • 100% Serverless
  • Agentless
  • Read-Only
  • Customer-Owned Data
  • All AWS Regions

The Blind Spot Where Breaches Happen

AWS Access Analyser, Security Hub, and Config Rules give you IAM visibility. But they are completely blind to server-level privilege escalation on your EC2 instances:

SSH authorized_keys backdoors

An attacker plants a key and has persistent, invisible access. Bypasses MFA, password policies, and all PAM solutions.

Shadow UID=0 accounts

A second root account hidden under an innocent name like systemd-admin. Direct root access, invisible to audits.

Sudo NOPASSWD configurations

Silent privilege escalation from any user-level access to full root. Combined with GTFOBins commands, this is a direct root shell.

Cron job reverse shells

Scheduled tasks that re-establish attacker access, exfiltrate data, or download payloads — surviving reboots and incident response.

Kernel rootkits & LD_PRELOAD injection

System-level compromise that hides processes, files, and network connections from ALL other security tools.

This is the gap between what your IAM policies say and what your servers actually allow. Shadow Access Scanner sees both.

Complete Privilege Visibility in One Automated Workflow

A serverless security tool that scans IAM policies AND server configurations across your entire EC2 fleet. Deploy once via CloudFormation.

95%+ Backdoor Coverage

15 detection categories, 47+ finding types, 20 malicious pattern signatures. SSH keys, sudo configs, shadow accounts, setuid binaries, capabilities, persistence mechanisms, and kernel rootkits.

Zero Data Sharing

Runs 100% inside your AWS account via CloudFormation. All scan results stored in your S3 bucket, encrypted at rest. No customer data is collected or transmitted.

Zero-Agent Deployment

Agentless server scanning via AWS Systems Manager. No software to install or maintain. SSM agent auto-installed on instances with IAM instance profiles.

Smart Alert Management

Multi-select bulk suppression workflow eliminates alert fatigue. Full audit trail of acknowledged risks. Baseline comparison shows only NEW findings.

Automated Daily Monitoring

Scheduled scans via EventBridge — daily, weekly, or custom cron. Email notifications deliver interactive HTML reports. New backdoors detected within 24 hours.

15 Detection Categories. 47+ Finding Types.

20 malicious pattern signatures applied across cron jobs, systemd services, shell profiles, and init scripts.

Authentication Backdoors

9 finding types

Severity: CRITICAL — HIGH

  • SSH authorized key backdoors
  • UID=0 shadow accounts
  • Sudo/wheel group manipulation
  • Password manipulation & empty passwords
  • Sudoers NOPASSWD with GTFOBins detection
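
Two of the checks in this category, a second UID=0 account and a sudoers NOPASSWD rule on a shell-capable binary, as an added illustration of the detection logic (not the scanner's own code). The /etc/passwd and /etc/sudoers contents and the GTFOBins watch list are constructed for the example.

```python
import re

# Constructed /etc/passwd sample: "systemd-admin" is a hidden second UID=0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
systemd-admin:x:0:0::/var/lib/systemd:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
"""

# Constructed /etc/sudoers sample with three NOPASSWD rules of differing risk.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
backup ALL=(ALL) NOPASSWD: /usr/bin/vim
alice ALL=(ALL) NOPASSWD: ALL
"""

# Illustrative subset of binaries GTFOBins documents as able to spawn a shell under sudo.
GTFOBINS_SUBSET = {"vim", "vi", "find", "less", "more", "awk", "python3", "perl", "bash", "sh"}


def find_shadow_root_accounts(passwd_text):
    """Return every username other than 'root' whose UID field is 0."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


def find_nopasswd_entries(sudoers_text):
    """Return (user, commands, severity) per NOPASSWD rule; ALL or a GTFOBins binary is CRITICAL."""
    findings = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = re.search(r"^(\S+)\s+.*NOPASSWD:\s*(.+)$", line)
        if not m:
            continue
        user, cmds = m.group(1), m.group(2).strip()
        severity = "HIGH"  # any passwordless rule is at least HIGH
        for cmd in cmds.split(","):
            parts = cmd.strip().split()
            if not parts:
                continue
            binary = parts[0].rsplit("/", 1)[-1]  # basename of the allowed command
            if parts[0] == "ALL" or binary in GTFOBINS_SUBSET:
                severity = "CRITICAL"
        findings.append((user, cmds, severity))
    return findings
```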

System Hardening

6 finding types

Severity: CRITICAL — HIGH

  • LD_PRELOAD injection
  • Unauthorised setuid binaries
  • Dangerous Linux capabilities
  • Insecure sshd_config settings

Persistence Mechanisms

5 finding types

Severity: Variable — CRITICAL

  • Cron job backdoors
  • Systemd service/timer persistence
  • Shell profile modifications
  • Init script backdoors
  • Kernel module / rootkit detection

IAM Deep Dive

27+ finding types

Severity: CRITICAL — MEDIUM

  • Wildcard permissions & admin policies
  • Cross-account access & trust policies
  • Unused access & stale credentials
  • Permission boundary gaps
  • User-level anti-patterns

What Everyone Else Misses

Detection capabilities compared across AWS Native tools, CSPM, PAM, and Shadow Access Scanner:

  • IAM wildcard policies
  • SSH authorized_keys
  • UID=0 duplicate accounts
  • Sudo NOPASSWD entries
  • GTFOBins command detection
  • LD_PRELOAD injection
  • Unauthorised setuid binaries
  • Cron job backdoors
  • Systemd persistence
  • Kernel module rootkits
  • Baseline drift detection

Getting Started

1. Go to the AWS Marketplace product page and click Quick Launch to deploy the CloudFormation stack.

2. Enter your notification email and configure scan settings. The stack deploys in about 2 minutes.

3. The first scan runs automatically based on your chosen schedule. Results are stored in your S3 bucket and sent via email.

Close the Gap Between IAM and Server Reality

Deploy in 2 minutes. First scan in under 5 minutes. See what your current tools are missing.