Skip to main content

Automated security analysis tool for IAM policies across cloud providers and identity systems

Project description

๐Ÿ”’ IAM Policy Analyzer

License: MIT Python 3.8+

Automated security analysis for IAM policies across cloud providers and identity systems.

Every organization has IAM policies full of vulnerabilities, conflicts, and dead code. Most organizations don't know about them until something breaksโ€”or worse, until a security incident. This tool finds them in seconds.

๐ŸŽฏ What It Does

IAM Policy Analyzer automatically scans your policies and reports:

  • Wildcard permissions that violate least privilege
  • Admin access granted to non-admin users
  • Sensitive actions without MFA (e.g., DeleteUser, DisableKey)
  • Missing security boundaries that enable privilege escalation
  • Hardcoded credentials that could leak secrets
  • Over-permission that should be restricted
  • Deprecated APIs you should migrate away from
  • And 12+ more checks covering common IAM mistakes

โšก Quick Start

Install

pip install iam-policy-analyzer

Or from source:

git clone https://github.com/xamitgupta/iam-policy-analyzer.git
cd iam-policy-analyzer
pip install -e .

Analyze a Policy

# Analyze a single policy
iam-analyzer analyze my-policy.json

# Filter by severity
iam-analyzer analyze policy.yaml --min-severity HIGH

# Show detailed findings
iam-analyzer analyze policy.json --details

# Export as JSON
iam-analyzer analyze policy.json --format json > results.json

# Analyze entire directory
iam-analyzer batch ./policies/ --output results.json

๐Ÿ“Š Example Output

โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘   ๐Ÿ”’ IAM Policy Analyzer                              โ•‘
โ•‘   Automated security analysis for identity policies   โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

Analyzing: example-policy.json

๐Ÿ“Š Analysis Summary
Total Findings        3
CRITICAL              1
HIGH                  2
MEDIUM                0
LOW                   0
INFO                  0

๐Ÿ” Findings (3)

โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”“
โ”ƒ 1. CRITICAL                                          โ”ƒ
โ”ƒ                                                       โ”ƒ
โ”ƒ ID: IAM-002                                          โ”ƒ
โ”ƒ Name: Wildcard Action Detected                       โ”ƒ
โ”ƒ Resource: AdminRole                                  โ”ƒ
โ”ƒ                                                       โ”ƒ
โ”ƒ Issue:                                               โ”ƒ
โ”ƒ Policy allows all actions (*), granting excessive    โ”ƒ
โ”ƒ permissions                                          โ”ƒ
โ”ƒ                                                       โ”ƒ
โ”ƒ Remediation:                                         โ”ƒ
โ”ƒ Replace wildcard actions with specific, necessary    โ”ƒ
โ”ƒ permissions. Example: Use 's3:GetObject' instead     โ”ƒ
โ”ƒ of 's3:*'                                            โ”ƒ
โ”—โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”›

๐Ÿ” Supported Checks

Check ID Name Severity Description
IAM-001 Wildcard Principal CRITICAL Policy grants access to all principals (*)
IAM-002 Wildcard Action CRITICAL Policy allows all actions (*)
IAM-003 Wildcard Resource HIGH Policy grants access to all resources (*)
IAM-004 Admin Access CRITICAL Policy grants administrative permissions
IAM-005 Missing MFA HIGH Sensitive actions without MFA requirement
IAM-006 Credential Exposure CRITICAL Hardcoded credentials detected
IAM-007 Overly Permissive PassRole HIGH PassRole without resource restrictions
IAM-008 No Permission Boundary MEDIUM Missing permission boundary enforcement
IAM-009 Unencrypted Data Access MEDIUM S3 access without encryption requirement
IAM-010 Deprecated API LOW Usage of deprecated/legacy APIs
IAM-011 No Resource Tags MEDIUM Missing tag-based access control
IAM-012 No Deny Statements LOW Policy lacks explicit Deny statements

๐Ÿ“‹ Supported Formats

  • AWS IAM - Policy documents, inline policies, managed policies
  • Okta - Access policies and rules
  • Azure AD - Role definitions and permission assignments
  • GCP - IAM policies and custom roles
  • Generic JSON/YAML - Flexible structure for custom systems

๐Ÿš€ Advanced Usage

Integrate with CI/CD

# GitHub Actions example
- name: Analyze IAM Policies
  uses: xamitgupta/iam-policy-analyzer@v0.1.0
  with:
    policy-dir: ./policies/
    fail-on-critical: true

Python API

from iam_policy_analyzer import IAMAnalyzer

analyzer = IAMAnalyzer()

# Analyze a file
result = analyzer.analyze_file("my-policy.json")

# Check findings
for finding in result.findings:
    print(f"{finding.severity}: {finding.message}")
    print(f"Remediation: {finding.remediation}")

# Filter by severity
critical_findings = [f for f in result.findings 
                     if f.severity == Severity.CRITICAL]

Custom Checks

Extend the analyzer with your own security checks:

from iam_policy_analyzer.checks import PolicyCheck
from iam_policy_analyzer.models import Finding, Severity

class MyCustomCheck(PolicyCheck):
    check_id = "CUSTOM-001"
    check_name = "My Custom Check"
    severity = Severity.MEDIUM
    
    def analyze(self, policy):
        findings = []
        # Your check logic here
        if some_violation:
            findings.append(self._create_finding(
                message="Your message",
                affected_resource=policy.name,
                remediation="How to fix it"
            ))
        return findings

๐Ÿ“ˆ Real-World Examples

Example 1: Admin Policy with Wildcards

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "*",
    "Resource": "*"
  }]
}

Findings:

  • โŒ IAM-001: Wildcard Principal (CRITICAL)
  • โŒ IAM-002: Wildcard Action (CRITICAL)
  • โŒ IAM-003: Wildcard Resource (HIGH)

Remediation: Specify exact principals, actions, and resources.

Example 2: Sensitive Actions Without MFA

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:user/bob"},
    "Action": "iam:DeleteUser",
    "Resource": "*"
  }]
}

Findings:

  • โŒ IAM-005: Sensitive Action Without MFA (HIGH)

Remediation: Add MFA requirement to the condition.

๐Ÿค Contributing

Contributions are welcome! Areas to help:

  • Adding new security checks
  • Supporting additional policy formats
  • Improving documentation
  • GitHub Actions integration
  • Bug reports and feature requests

See CONTRIBUTING.md for details.

๐Ÿ“š Documentation

๐Ÿ”— Resources

๐Ÿ“„ License

MIT License - see LICENSE for details.

๐Ÿ‘จโ€๐Ÿ’ป Author

Amit Gupta


Found an issue? Report it on GitHub

Have an idea? Start a discussion

Like this tool? Please โญ star the repo!

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

iam_policy_analyzer-0.1.0.tar.gz (17.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

iam_policy_analyzer-0.1.0-py3-none-any.whl (17.2 kB view details)

Uploaded Python 3

File details

Details for the file iam_policy_analyzer-0.1.0.tar.gz.

File metadata

  • Download URL: iam_policy_analyzer-0.1.0.tar.gz
  • Upload date:
  • Size: 17.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.4

File hashes

Hashes for iam_policy_analyzer-0.1.0.tar.gz
Algorithm Hash digest
SHA256 c3e7346b68175805ff83d2e5b8cf682c36d068b1b3401ecb993470b3eca95f5e
MD5 4734ca16698255a9760e3364e471a142
BLAKE2b-256 b6d6be671216452480f5fabe711128577c8f4ad5e7e948151d63826e0b0adbff

See more details on using hashes here.

File details

Details for the file iam_policy_analyzer-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for iam_policy_analyzer-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 ff4776e960aafa72987149162a50ffef471169a571917e2c7a4d930717521ba5
MD5 ed7c8fa0edd8f5be10ecc68d36a7527b
BLAKE2b-256 03338d0350a98ebecf88776277e7c24ab425845384b9e17c589432593cbf015a

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page