Automated security analysis tool for IAM policies across cloud providers and identity systems
Project description
๐ IAM Policy Analyzer
Automated security analysis for IAM policies across cloud providers and identity systems.
Every organization has IAM policies full of vulnerabilities, conflicts, and dead code. Most organizations don't know about them until something breaksโor worse, until a security incident. This tool finds them in seconds.
๐ฏ What It Does
IAM Policy Analyzer automatically scans your policies and reports:
- Wildcard permissions that violate least privilege
- Admin access granted to non-admin users
- Sensitive actions without MFA (e.g., DeleteUser, DisableKey)
- Missing security boundaries that enable privilege escalation
- Hardcoded credentials that could leak secrets
- Over-permission that should be restricted
- Deprecated APIs you should migrate away from
- And 12+ more checks covering common IAM mistakes
โก Quick Start
Install
pip install iam-policy-analyzer
Or from source:
git clone https://github.com/xamitgupta/iam-policy-analyzer.git
cd iam-policy-analyzer
pip install -e .
Analyze a Policy
# Analyze a single policy
iam-analyzer analyze my-policy.json
# Filter by severity
iam-analyzer analyze policy.yaml --min-severity HIGH
# Show detailed findings
iam-analyzer analyze policy.json --details
# Export as JSON
iam-analyzer analyze policy.json --format json > results.json
# Analyze entire directory
iam-analyzer batch ./policies/ --output results.json
๐ Example Output
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ ๐ IAM Policy Analyzer โ
โ Automated security analysis for identity policies โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Analyzing: example-policy.json
๐ Analysis Summary
Total Findings 3
CRITICAL 1
HIGH 2
MEDIUM 0
LOW 0
INFO 0
๐ Findings (3)
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 1. CRITICAL โ
โ โ
โ ID: IAM-002 โ
โ Name: Wildcard Action Detected โ
โ Resource: AdminRole โ
โ โ
โ Issue: โ
โ Policy allows all actions (*), granting excessive โ
โ permissions โ
โ โ
โ Remediation: โ
โ Replace wildcard actions with specific, necessary โ
โ permissions. Example: Use 's3:GetObject' instead โ
โ of 's3:*' โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ Supported Checks
| Check ID | Name | Severity | Description |
|---|---|---|---|
| IAM-001 | Wildcard Principal | CRITICAL | Policy grants access to all principals (*) |
| IAM-002 | Wildcard Action | CRITICAL | Policy allows all actions (*) |
| IAM-003 | Wildcard Resource | HIGH | Policy grants access to all resources (*) |
| IAM-004 | Admin Access | CRITICAL | Policy grants administrative permissions |
| IAM-005 | Missing MFA | HIGH | Sensitive actions without MFA requirement |
| IAM-006 | Credential Exposure | CRITICAL | Hardcoded credentials detected |
| IAM-007 | Overly Permissive PassRole | HIGH | PassRole without resource restrictions |
| IAM-008 | No Permission Boundary | MEDIUM | Missing permission boundary enforcement |
| IAM-009 | Unencrypted Data Access | MEDIUM | S3 access without encryption requirement |
| IAM-010 | Deprecated API | LOW | Usage of deprecated/legacy APIs |
| IAM-011 | No Resource Tags | MEDIUM | Missing tag-based access control |
| IAM-012 | No Deny Statements | LOW | Policy lacks explicit Deny statements |
๐ Supported Formats
- AWS IAM - Policy documents, inline policies, managed policies
- Okta - Access policies and rules
- Azure AD - Role definitions and permission assignments
- GCP - IAM policies and custom roles
- Generic JSON/YAML - Flexible structure for custom systems
๐ Advanced Usage
Integrate with CI/CD
# GitHub Actions example
- name: Analyze IAM Policies
uses: xamitgupta/iam-policy-analyzer@v0.1.0
with:
policy-dir: ./policies/
fail-on-critical: true
Python API
from iam_policy_analyzer import IAMAnalyzer
analyzer = IAMAnalyzer()
# Analyze a file
result = analyzer.analyze_file("my-policy.json")
# Check findings
for finding in result.findings:
print(f"{finding.severity}: {finding.message}")
print(f"Remediation: {finding.remediation}")
# Filter by severity
critical_findings = [f for f in result.findings
if f.severity == Severity.CRITICAL]
Custom Checks
Extend the analyzer with your own security checks:
from iam_policy_analyzer.checks import PolicyCheck
from iam_policy_analyzer.models import Finding, Severity
class MyCustomCheck(PolicyCheck):
check_id = "CUSTOM-001"
check_name = "My Custom Check"
severity = Severity.MEDIUM
def analyze(self, policy):
findings = []
# Your check logic here
if some_violation:
findings.append(self._create_finding(
message="Your message",
affected_resource=policy.name,
remediation="How to fix it"
))
return findings
๐ Real-World Examples
Example 1: Admin Policy with Wildcards
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": "*",
"Action": "*",
"Resource": "*"
}]
}
Findings:
- โ IAM-001: Wildcard Principal (CRITICAL)
- โ IAM-002: Wildcard Action (CRITICAL)
- โ IAM-003: Wildcard Resource (HIGH)
Remediation: Specify exact principals, actions, and resources.
Example 2: Sensitive Actions Without MFA
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::123456789012:user/bob"},
"Action": "iam:DeleteUser",
"Resource": "*"
}]
}
Findings:
- โ IAM-005: Sensitive Action Without MFA (HIGH)
Remediation: Add MFA requirement to the condition.
๐ค Contributing
Contributions are welcome! Areas to help:
- Adding new security checks
- Supporting additional policy formats
- Improving documentation
- GitHub Actions integration
- Bug reports and feature requests
See CONTRIBUTING.md for details.
๐ Documentation
๐ Resources
๐ License
MIT License - see LICENSE for details.
๐จโ๐ป Author
Amit Gupta
Found an issue? Report it on GitHub
Have an idea? Start a discussion
Like this tool? Please โญ star the repo!
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file iam_policy_analyzer-0.1.0.tar.gz.
File metadata
- Download URL: iam_policy_analyzer-0.1.0.tar.gz
- Upload date:
- Size: 17.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c3e7346b68175805ff83d2e5b8cf682c36d068b1b3401ecb993470b3eca95f5e
|
|
| MD5 |
4734ca16698255a9760e3364e471a142
|
|
| BLAKE2b-256 |
b6d6be671216452480f5fabe711128577c8f4ad5e7e948151d63826e0b0adbff
|
File details
Details for the file iam_policy_analyzer-0.1.0-py3-none-any.whl.
File metadata
- Download URL: iam_policy_analyzer-0.1.0-py3-none-any.whl
- Upload date:
- Size: 17.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ff4776e960aafa72987149162a50ffef471169a571917e2c7a4d930717521ba5
|
|
| MD5 |
ed7c8fa0edd8f5be10ecc68d36a7527b
|
|
| BLAKE2b-256 |
03338d0350a98ebecf88776277e7c24ab425845384b9e17c589432593cbf015a
|