Merge pull request #346 from michael-kirchner-at/main
Added reference to aws-lint-iam-policies
Frichetten authored Jan 12, 2024
2 parents 172cb4a + 396adc5 commit 9b366a4
Showing 1 changed file with 11 additions and 0 deletions.
Expand Up @@ -64,6 +64,17 @@ It is worth noting that there are [many different AWS services/resources](https:
!!! Note
[Prowler](https://github.com/prowler-cloud/prowler), an AWS assessment tool, can be used to quickly audit resource policies in an AWS account. Be mindful that it cannot contextualize all [condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), and how they affect the account’s security.

## Dumping and analyzing resource-based policies at scale

You can download a copy of all resource-based policies configured in an account and run security linting checks against them using the [aws-lint-iam-policies](https://github.com/welldone-cloud/aws-lint-iam-policies) tool. It performs linting checks using the [AWS IAM Access Analyzer policy validation feature](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html), which also brings along a list of security-focused checks.

Example invocation:
```
python aws_lint_iam_policies.py --scope ACCOUNT --dump-policies
```

Instead of analyzing a single AWS account, the tool can also target all accounts of an AWS Organization.

## Resource-Based Policy Evaluation Logic

It is important to note that resource-based policies have a unique quirk when it comes to policy evaluation logic. From the [documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow), “**Depending on the type of principal, an Allow in a resource-based policy can result in a final decision of Allow, even if an implicit deny in an identity-based policy, permissions boundary, or session policy is present [within the same account]**”.
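Review bot: the fenced block under "Example invocation:" (`python aws_lint_iam_policies.py --scope ACCOUNT --dump-policies`) carries no language tag, and the new section never states what that command needs in order to run: credentials for the target account with read access to the resource-based policies being dumped, plus permission to call the IAM Access Analyzer policy-validation API the tool relies on. Suggest tagging the fence as `shell`, adding one sentence on required permissions, and, in the closing sentence about targeting all accounts of an AWS Organization, naming the `--scope` value used for that so the reader does not have to guess it.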
