iamarmor
IAM Policy Analyzer & Fixer
Status: Week 3 — CLI + config + PyPI publish
The iamarmor lint CLI is live. Install from PyPI, point it at a Terraform
directory, and get actionable findings in seconds.
Quickstart
```shell
# Install (requires Python 3.10+)
pipx install iamarmor

# Lint the current directory
iamarmor lint .

# Lint a specific file
iamarmor lint modules/iam/main.tf

# Machine-readable output for CI pipelines
iamarmor lint . --format json
```
`iamarmor lint` exits 0 when clean, 1 when findings meet the `fail_on`
threshold (default: medium), 2 on usage/config errors, and 3 on
internal errors — making CI integration trivial.
Configuration
Place a .iamarmor.yml in the root of your Terraform repository:
```yaml
version: 1
severity_threshold: low   # report findings at or above this level (default: info)
fail_on: high             # exit 1 only for high/critical (default: medium)
rules:
  ignore: [IAM004]        # skip specific rules
```
iamarmor auto-discovers the config by walking upward from the linted path
(same pattern as .eslintrc). Use --no-config to skip loading.
See docs/config.md for the full configuration reference.
Pre-commit
Add to your .pre-commit-config.yaml:
```yaml
repos:
  - repo: https://github.com/iam-armor/iamarmor
    rev: v0.1.0
    hooks:
      - id: iamarmor
```
See docs/pre-commit.md for details.
Default rule pack
iamarmor ships with 10 default IAM rules covering the most common misconfigurations:
| ID | Name | Severity |
|---|---|---|
| IAM001 | No Action: "*" | High |
| IAM002 | No Resource: "*" with sensitive actions | High |
| IAM003 | No inline policies | Medium |
| IAM004 | IAM roles must set max_session_duration | Low |
| IAM005 | No iam:PassRole with Resource: "*" | High |
| IAM006 | No wildcard Principal in resource-based policies | High |
| IAM007 | assume_role_policy must specify a concrete principal | High |
| IAM008 | No NotAction in Allow statements | Medium |
| IAM009 | No NotResource in Allow statements | Medium |
| IAM010 | Do not attach AdministratorAccess managed policy | High |
See STARTER_RULES.md for full documentation of each rule.
Python API
The CLI is the recommended entry point for most users. For embedding iamarmor in other tools, the Python API is also public:
```python
from iamarmor import extract_from_directory, RuleEngine, load_default_rules

# Pull the IAM-related resources out of every Terraform file under the directory
resources = extract_from_directory("path/to/terraform/")
# Evaluate the bundled IAM001-IAM010 rule pack against them
engine = RuleEngine(rules=load_default_rules())
findings = engine.run(resources)
for finding in findings:
    print(f"[{finding.rule_id}] {finding.severity.value.upper()} — {finding.message}")
```
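To make the rule table and the exit-code semantics concrete, here is an added example (not iamarmor's own code) that re-implements IAM001, IAM002, IAM005, IAM008 and IAM009 over policy documents that have already been parsed into dicts, then applies the `severity_threshold` and `fail_on` logic the CLI describes. The HCL extraction that `extract_from_directory` does is out of scope; the sensitive-action list and all sample policies are constructed for the example, and the real rule definitions live in STARTER_RULES.md.

```python
"""Illustrative rule-engine sketch modelled on the iamarmor rule pack (added example)."""
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    """Ordered so thresholds such as fail_on can be compared with >=."""
    INFO = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: Severity
    resource: str
    message: str


# Constructed subset of actions that are dangerous when granted on Resource: "*"
# (the real IAM002 list is in STARTER_RULES.md; this one is illustrative only).
SENSITIVE_ACTIONS = {
    "iam:CreateAccessKey", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "sts:AssumeRole", "kms:Decrypt", "secretsmanager:GetSecretValue",
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_statement(resource: str, stmt: dict) -> list[Finding]:
    """Apply the wildcard / NotAction / NotResource rules to one statement."""
    if stmt.get("Effect") != "Allow":
        return []  # a Deny statement cannot over-grant, so none of these rules apply
    findings = []
    actions = _as_list(stmt.get("Action"))
    star_resource = "*" in _as_list(stmt.get("Resource"))

    if "*" in actions:  # IAM001 covers the bare "*"; IAM002 below handles service wildcards
        findings.append(Finding("IAM001", Severity.HIGH, resource,
                                'Action: "*" grants every API call'))
    sensitive = [a for a in actions if a in SENSITIVE_ACTIONS or a.endswith(":*")]
    if star_resource and sensitive:  # IAM002
        findings.append(Finding("IAM002", Severity.HIGH, resource,
                                f'Resource: "*" with sensitive actions {sensitive}'))
    if star_resource and "iam:PassRole" in actions:  # IAM005
        findings.append(Finding("IAM005", Severity.HIGH, resource,
                                'iam:PassRole with Resource: "*" lets any role be passed to any service'))
    if "NotAction" in stmt:  # IAM008
        findings.append(Finding("IAM008", Severity.MEDIUM, resource,
                                "NotAction in an Allow statement grants everything not listed"))
    if "NotResource" in stmt:  # IAM009
        findings.append(Finding("IAM009", Severity.MEDIUM, resource,
                                "NotResource in an Allow statement applies to everything not listed"))
    return findings


def run(policies: dict[str, dict]) -> list[Finding]:
    """Run the checks over {terraform_address: policy_document}."""
    return [f for name, doc in policies.items()
            for stmt in _as_list(doc.get("Statement"))
            for f in check_statement(name, stmt)]


def report(findings, severity_threshold=Severity.INFO):
    """Mirror severity_threshold: only findings at or above it are shown."""
    return [f for f in findings if f.severity >= severity_threshold]


def exit_code(findings, fail_on=Severity.MEDIUM) -> int:
    """Mirror the CLI: exit 1 if any finding meets fail_on, otherwise 0."""
    return 1 if any(f.severity >= fail_on for f in findings) else 0


# Constructed sample input: a few aws_iam_policy documents as they look once parsed.
SAMPLE_POLICIES = {
    "aws_iam_policy.admin": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "aws_iam_policy.deploy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"}]},
    "aws_iam_policy.not_action": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "NotAction": ["iam:*"], "Resource": "*"}]},
    "aws_iam_policy.reader": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"}]},
}

if __name__ == "__main__":
    results = run(SAMPLE_POLICIES)
    for f in report(results, Severity.LOW):
        print(f"[{f.rule_id}] {f.severity.name} {f.resource}: {f.message}")
    raise SystemExit(exit_code(results, fail_on=Severity.HIGH))
```

Run as a script it reports IAM001, IAM005 and IAM008 and exits 1; with `fail_on=Severity.HIGH` the NotAction policy on its own would still be reported but would not fail the build, which is exactly the distinction between `severity_threshold` and `fail_on` in `.iamarmor.yml`.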
Installation (development)
```shell
pip install -e ".[dev]"
```
Running tests
```shell
pytest
```
File details
Details for the file iamarmor-0.1.0.tar.gz.
File metadata
- Download URL: iamarmor-0.1.0.tar.gz
- Size: 37.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 9f254d871cd50d60b4dd90135f1762e3695a04082242555f4853d7cc081f3761 |
| MD5 | 239bc6907d0325df384aeae78322fe15 |
| BLAKE2b-256 | 2c9df2190299066bd3eceb44180e158619da7659861a3ce12d548b15e09b87be |
Provenance
The following attestation bundles were made for iamarmor-0.1.0.tar.gz:
- Publisher: publish.yml on iam-armor/iamarmor
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: iamarmor-0.1.0.tar.gz
- Subject digest: 9f254d871cd50d60b4dd90135f1762e3695a04082242555f4853d7cc081f3761
- Sigstore transparency entry: 1413960248
- Permalink: iam-armor/iamarmor@3ee150bb5f5448682b43b6c1aedca2ea00cd1134
- Branch / Tag: refs/tags/v0.1.0
- Owner: https://github.com/iam-armor
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@3ee150bb5f5448682b43b6c1aedca2ea00cd1134
- Trigger Event: push
File details
Details for the file iamarmor-0.1.0-py3-none-any.whl.
File metadata
- Download URL: iamarmor-0.1.0-py3-none-any.whl
- Size: 21.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 0e755fe19912b8c624fd82c575f33f5f14fe1ff79e64dfaf28a0cdf0946e7ca8 |
| MD5 | addfe305bc59ed6dac3bc284fcd6e367 |
| BLAKE2b-256 | 092ec7809c55e72fcade14ea29eb8cab4e31bc1008893f85088795c69b6a8d25 |
Provenance
The following attestation bundles were made for iamarmor-0.1.0-py3-none-any.whl:
- Publisher: publish.yml on iam-armor/iamarmor
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: iamarmor-0.1.0-py3-none-any.whl
- Subject digest: 0e755fe19912b8c624fd82c575f33f5f14fe1ff79e64dfaf28a0cdf0946e7ca8
- Sigstore transparency entry: 1413960345
- Permalink: iam-armor/iamarmor@3ee150bb5f5448682b43b6c1aedca2ea00cd1134
- Branch / Tag: refs/tags/v0.1.0
- Owner: https://github.com/iam-armor
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@3ee150bb5f5448682b43b6c1aedca2ea00cd1134
- Trigger Event: push
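The digests published for both artifacts are what a hash-pinned install checks against. The following added example (not part of iamarmor) recomputes SHA-256 and BLAKE2b-256 for a downloaded artifact, compares them with the values listed on this page, and builds the `requirements.txt` line that `pip install --require-hashes` needs; the sample bytes it is tested against are constructed, so they deliberately do not match the published digests.

```python
"""Verify a downloaded iamarmor 0.1.0 artifact against the published digests (added example)."""
import hashlib
import hmac

# Digests copied from the file-hash tables on this page. MD5 is listed there too,
# but it is not collision resistant, so it is not used for verification here.
PUBLISHED = {
    "iamarmor-0.1.0.tar.gz": {
        "sha256": "9f254d871cd50d60b4dd90135f1762e3695a04082242555f4853d7cc081f3761",
        "blake2b": "2c9df2190299066bd3eceb44180e158619da7659861a3ce12d548b15e09b87be",
    },
    "iamarmor-0.1.0-py3-none-any.whl": {
        "sha256": "0e755fe19912b8c624fd82c575f33f5f14fe1ff79e64dfaf28a0cdf0946e7ca8",
        "blake2b": "092ec7809c55e72fcade14ea29eb8cab4e31bc1008893f85088795c69b6a8d25",
    },
}


def digests_of_bytes(data: bytes) -> dict:
    """SHA-256 and BLAKE2b-256 (blake2b with a 32-byte digest, as PyPI reports it)."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "blake2b": hashlib.blake2b(data, digest_size=32).hexdigest(),
    }


def digests_of_file(path: str) -> dict:
    """Same as digests_of_bytes, for an artifact fetched with `pip download`."""
    with open(path, "rb") as fh:
        return digests_of_bytes(fh.read())


def verify_bytes(data: bytes, expected: dict) -> bool:
    """True only when every published digest matches the recomputed one."""
    actual = digests_of_bytes(data)
    return all(hmac.compare_digest(actual[alg], expected[alg]) for alg in expected)


def requirements_line(name: str, version: str, published: dict) -> str:
    """One --hash per artifact, so pip accepts the sdist or the wheel and nothing else."""
    hashes = " ".join(f"--hash=sha256:{d['sha256']}" for d in published.values())
    return f"{name}=={version} {hashes}"


if __name__ == "__main__":
    print(requirements_line("iamarmor", "0.1.0", PUBLISHED))
```

In practice: `pip download iamarmor==0.1.0 --no-deps --no-binary :all:` fetches the sdist, `verify_bytes(open(path, "rb").read(), PUBLISHED["iamarmor-0.1.0.tar.gz"])` confirms it, and the printed line goes into a requirements file installed with `--require-hashes`, which makes pip refuse any artifact whose SHA-256 differs from the value attested above.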