A tool to validate existing identity and resource policies across regions and supported AWS services with AWS IAM Access Analyzer.

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for sjakthol from gravatar.com sjakthol

Unverified details

These details have not been verified by PyPI
Meta
Report project as malware

Project description

aws-access-analyzer-validator

A tool to validate existing identity and resource policies across regions and supported AWS services with AWS IAM Access Analyzer.

This tool

  • discovers resource and identity policies attached to resources of supported AWS services (see below) in all commercial regions
  • validates these policies with AWS IAM Access Analyzer ValidatePolicy API
  • generates a report with Access Analyzer findings

See examples/sample_report.md for an example.

Usage

  1. Install from PyPI (Python 3.10+ required):
pip install aws-access-analyzer-validator
  1. Execute the tool:
aws-access-analyzer-validator -o report.md
  1. Open report.md to see analysis results.

Arguments

aws-access-analyzer-validator supports the following arguments:

  • --regions - A comma separated list of regions to limit policy validation to. For example, --regions eu-west-1,eu-north-1 limits validation to policies in eu-west-1 and eu-north-1 regions. Global resources (IAM, S3) are scanned regardless of region limitations.

Supported Services / Resources

aws-access-analyzer-validator validates policies from the following services:

  • AWS Identity and Access Management (IAM)
    • Inline policies of IAM users
    • Inline policies of IAM groups
    • Inline policies and trust policy of IAM roles
    • Managed IAM Policies (customer managed)
  • Amazon S3 bucket policies
  • Amazon SQS queue policies
  • Amazon SNS topic policies
  • Amazon Elastic Container Registry (ECR) repository policies

Required Permissions

This tool requires the following permissions to operate:

  • accessanalyzer:ValidatePolicy
  • ecr:DescribeRepositories
  • ecr:GetRepositoryPolicy
  • iam:GetAccountAuthorizationDetails
  • s3:GetBucketPolicy
  • s3:ListAllMyBuckets
  • sns:GetTopicAttributes
  • sns:ListTopics
  • sqs:GetQueueAttributes
  • sqs:ListQueues

Here's an IAM policy that grants the required privileges:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PermissionsForAAValidator",
            "Effect": "Allow",
            "Action": [
                "access-analyzer:ValidatePolicy",
                "ecr:DescribeRepositories",
                "ecr:GetRepositoryPolicy",
                "iam:GetAccountAuthorizationDetails",
                "s3:GetBucketPolicy",
                "s3:ListAllMyBuckets",
                "sns:GetTopicAttributes",
                "sns:ListTopics",
                "sqs:GetQueueAttributes",
                "sqs:ListQueues"
            ],
            "Resource": "*"
        }
    ]
}

Development

Requires Python 3.8+ and uv. Useful commands:

# Run integration tests (requires admin-level AWS credentials)
make test

# Run linters
make -k lint

# Format code
make format

# Deploy test resources (requires AWS CLI and admin level AWS credentials)
make deploy-test-resources

# Delete test resources
make delete-test-resources

Credits

License

MIT.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for sjakthol from gravatar.com sjakthol

Unverified details

These details have not been verified by PyPI
Meta

Release history Release notifications | RSS feed

This version

0.5.0

0.4.0

0.3.1

0.3.0

0.2.1

0.2.0

0.1.1

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

aws_access_analyzer_validator-0.5.0.tar.gz (6.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

aws_access_analyzer_validator-0.5.0-py3-none-any.whl (7.7 kB view details)

Uploaded Python 3

File details

Details for the file aws_access_analyzer_validator-0.5.0.tar.gz.

File metadata

  • Download URL: aws_access_analyzer_validator-0.5.0.tar.gz
  • Upload date:
  • Size: 6.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.9.11 {"installer":{"name":"uv","version":"0.9.11"},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}

File hashes

Hashes for aws_access_analyzer_validator-0.5.0.tar.gz
Algorithm Hash digest
SHA256 061ee6f5e556e49a3677d9399d4d7ce49f58f71c4223de9fe9f069901ff08287
MD5 87dc68aa64615785e49f23b8543e30c8
BLAKE2b-256 d02cffdad6925fb2595fedc1e5abfe89c5f8e509c2c5159e6ffb964fb2af8ff3

See more details on using hashes here.

File details

Details for the file aws_access_analyzer_validator-0.5.0-py3-none-any.whl.

File metadata

  • Download URL: aws_access_analyzer_validator-0.5.0-py3-none-any.whl
  • Upload date:
  • Size: 7.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.9.11 {"installer":{"name":"uv","version":"0.9.11"},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}

File hashes

Hashes for aws_access_analyzer_validator-0.5.0-py3-none-any.whl
Algorithm Hash digest
SHA256 cd79ab7cc3f7068c2a539f0e82185c298a0e5b58f8564a837d7c297afeb3effd
MD5 30acc043aa75557ca497df7bf3ed9062
BLAKE2b-256 1752b9a82e62b67d132e3284af07aadd3172bb41139f7ced6aeed1dc3fb1f080

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page