Access Undenied on AWS is a CloudTrail analysis tool that parses AWS AccessDenied events to identify and explain the reasons behind access denials. The tool analyzes CloudTrail events to provide detailed explanations for AccessDenied errors that may not be clear from AWS's standard error messages. It scans the AWS environment to understand the context of access denials and provides actionable remediation suggestions following least-privilege principles. Key capabilities include: - Parsing and analyzing AWS CloudTrail AccessDenied events - Identifying reasons for access denials across AWS services - Providing explanations for unclear AccessDenied messages - Offering least-privilege remediation suggestions - Supporting cross-account asset analysis and Service Control Policies (SCPs) - CLI-based interface for event analysis - Lambda function deployment option The tool outputs structured information including access denial reasons, policies to add for remediation, and explicit deny policies that may be causing issues. It can be installed via pip or from source code and includes commands for analyzing events and retrieving SCPs.