New tool detects shadow admin accounts in AWS and Azure environments

CyberArk releases new SkyArk tool for scanning AWS and Azure infrastructure for misconfigured accounts.

Cyber-security firm CyberArk today released a new free tool that can detect "shadow administrator accounts" inside cloud environments like Amazon Web Services (AWS) and Microsoft Azure.

The new tool, named SkyArk, comes with two components, AWStealth and AzureStealth, which scan a company's AWS and Azure environments, respectively.

Both components work by analyzing a company's entire list of AWS or Azure accounts and the permissions assigned to each user, looking for so-called "shadow admins."

The term, which is rarely used, describes low-level accounts whose basic permissions, when combined, give the user broadened or full admin-level access to AWS or Azure infrastructure, even though the user was never intended to have that much control.

Furthermore, shadow admins can also be created by accident when companies integrate cloud environments with on-premises assets, which in certain scenarios results in unforeseen interactions and access to data and company resources.
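
The kind of permission analysis described above can be sketched in Python for an audit of AWS IAM policy documents. This is an added example, not SkyArk's code: the rule set, user names and policy documents are constructed for illustration, and only the IAM action names are real.

```python
import fnmatch

# Illustrative rules (an assumption of this example, not SkyArk's rule set):
# each finding lists IAM actions that must ALL be allowed to one identity.
RULES = {
    "edit policy versions": {"iam:CreatePolicyVersion"},
    "attach policy to user": {"iam:AttachUserPolicy"},
    "create access keys": {"iam:CreateAccessKey"},
    "pass role to new compute": {"iam:PassRole", "ec2:RunInstances"},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_patterns(policies):
    """Simplified: reads only Allow statements on Resource "*"; Deny, NotAction, Condition ignored."""
    patterns = set()
    for doc in policies:
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
                patterns.update(a.lower() for a in _as_list(stmt.get("Action", [])))
    return patterns

def allows(patterns, action):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)

def find_shadow_admins(users):
    """Return {user: [findings]} for users who are not explicit admins."""
    findings = {}
    for name, policies in users.items():
        patterns = allowed_patterns(policies)
        if "*" in patterns:  # explicit full admin: already known, not a "shadow"
            continue
        hits = sorted(rule for rule, needed in RULES.items()
                      if all(allows(patterns, a) for a in needed))
        if hits:
            findings[name] = hits
    return findings

# Constructed sample data: user -> all policy documents that apply (direct or via group).
USERS = {
    "alice-admin": [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}],
    "ci-deploy": [{"Statement": [{"Effect": "Allow", "Action": ["iam:PassRole", "iam:Get*"], "Resource": "*"}]},
                  {"Statement": {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}}],
    "helpdesk": [{"Statement": [{"Effect": "Allow", "Action": "iam:Create*", "Resource": "*"}]}],
    "reader": [{"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}],
}
if __name__ == "__main__":
    print(find_shadow_admins(USERS))
```

In the sample data, `ci-deploy` is flagged only because two separate policies are evaluated together, which is the "when combined" case the article describes.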

AWStealth scan results (Image: CyberArk)

AzureStealth scan results (Image: CyberArk)

"While organizations may be familiar with their list of straightforward admin accounts, Shadow Admins are much more difficult to discover due to the thousands of permissions that exist in standard cloud environments (i.e. AWS and Azure each have more than 5,000 different permissions)," CyberArk said today.

"As a result, there are many cases where Shadow Admins might be created," the company said.

The new SkyArk tool has been open-sourced on GitHub today.

The tool comes with the appropriate documentation to get system administrators started.

SkyArk is the second open source tool CyberArk has released this year. In April, the company released SkyWrapper, a tool that can scan AWS infrastructure and detect if hackers have abused self-replicating tokens to maintain access to compromised systems.