Did we truly revoke Alice's permissions? Semdiff will tell you - directly on the PR.
Always know what you're actually granting access to
Use Semdiff for up to 100 analysis runs / month for free.
Semdiff is a Terraform static analyzer for AWS. It scans your PRs that contain Terraform code, analyzes how that change would affect the permissions of every user, taking into account group memberships, IAM conditions, SCPs and so on, and shows the effective difference as a simple, condensed diff.
One benefit of using Semdiff is speeding up PR reviews. Manual reviews are much easier when you know exactly who gains or loses which permissions. You can also specify rules such as "if no users gain any new permissions, then no review is required from security", and Semdiff will automatically approve these PRs for you.
The most common cause of data breaches is cloud misconfiguration, usually improper permissions or network security settings. Detecting these at scale requires a deep understanding of how permissions and network security policies are evaluated and how a change would affect your whole infrastructure. This is the power of semantic analysis.
Check out these posts from our blog!