
Intelligently optimize AWS SCP JSONs to adhere to strict size, statement, and policy count limits.

Project description

scpz


Intelligently optimize AWS Service Control Policy (SCP) JSONs to fit within AWS's strict limits.

AWS SCP Limits

Constraint                     Limit
Policy size                    10,240 bytes
Statements per SCP             5
SCPs per target (account/OU)   10

These are the limits scpz enforces, as stated in this README. AWS publishes the SCP quotas (document size, in characters, and policies attached per target) on the AWS Organizations quotas page, and the values have changed over time, so confirm them there before relying on this table.

Installation

From PyPI:

pip install scpz

From a source checkout (editable install):

uv pip install -e .

Or for development:

uv sync --dev

Usage

Optimize

# Optimize a single file (in-place with .bak backup)
scpz optimize-cmd policy.json

# Optimize all JSON files in a directory
scpz optimize-cmd policies/

# Dry run — show diff + summary without writing
scpz optimize-cmd policy.json --dry-run

# Summary only — just show what would change
scpz optimize-cmd policy.json --summary-only

# Write to a different file
scpz optimize-cmd policy.json --output optimized.json

# Error instead of auto-splitting
scpz optimize-cmd policy.json --no-split

Validate

# Validate a single file
scpz validate policy.json

# Validate all JSON files in a directory
scpz validate policies/

Optimization Passes

scpz runs the following optimizations in order, repeating until the output stops changing (up to 5 rounds):

  1. Statement merging — Combines statements that share the same Effect, Condition, and Resource into a single statement with a unioned Action list.
  2. Action wildcard compression — Replaces groups of actions sharing a common prefix with wildcard patterns (e.g. s3:GetObject + s3:GetBucketPolicy → s3:Get*). Uses the bundled AWS action catalog in conservative mode to avoid scope broadening, i.e. a wildcard is only emitted where it matches exactly the listed actions.
  3. Condition merging — Deduplicates condition values and merges equivalent condition blocks.
  4. Resource ARN optimization — Collapses multiple specific ARNs into wildcard patterns (e.g. role/Admin + role/ReadOnly → role/*). Note that role/* matches every role in the account, not only the ones listed, so in a Deny statement the collapsed pattern denies more than the original list did; review these in the --dry-run diff before writing.
  5. Redundancy elimination (opt-in) — Removes statements wholly subsumed by another statement in the same policy. Enable with redundancyEliminate.enabled: true in scpz.yaml.

When a policy still exceeds limits after optimization, scpz automatically splits it into multiple SCP documents (up to 10 per target). Every resulting document has to be attached to the same target: a Deny statement that ends up in a document you never attach is simply not enforced. Use --no-split if you would rather have the run fail than produce more than one document.
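As an added illustration of the first two passes and of the limit check (example code written for this page, not scpz's own implementation): ACTION_CATALOG is a constructed stand-in for the bundled AWS action catalog, and the six-statement sample policy is constructed. It shows why conservative mode matters. Against a catalog in which s3:Get* expands to exactly the three listed actions the wildcard is a pure rewrite, while iam:Create* is refused because the catalog also contains iam:CreateGroup. Against the real S3 catalog, s3:Get* matches far more than the two actions in the pass description above, so a conservative pass would leave those two as written.

```python
"""Added example, not scpz's own code: minimal statement merging, conservative
action-wildcard compression, and the limit check implied by the README's table."""
import json
import os

# Limits as listed in this README; confirm against current AWS Organizations quotas.
MAX_POLICY_BYTES = 10_240
MAX_STATEMENTS = 5

# Constructed catalog subset (stand-in for scpz's bundled one). iam:CreateGroup is
# present so that iam:Create* would be broader than the two IAM actions below.
ACTION_CATALOG = {
    "s3:GetObject", "s3:GetBucketPolicy", "s3:GetBucketAcl", "s3:PutObject",
    "iam:CreateUser", "iam:CreateRole", "iam:CreateGroup",
}


def _as_list(value):
    """IAM JSON allows a bare string or object where a list is expected."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def _merge_key(stmt):
    # Statements may only be merged when Effect, Resource/NotResource and
    # Condition are identical; canonical JSON makes the comparison structural.
    def canon(key):
        value = stmt.get(key)
        if key in ("Resource", "NotResource") and value is not None:
            value = sorted(_as_list(value))
        return json.dumps(value, sort_keys=True)
    return tuple(canon(k) for k in ("Effect", "Resource", "NotResource", "Condition"))


def merge_statements(statements):
    """Union the Action lists of statements sharing a merge key. A merged
    statement loses its Sid; NotAction statements are copied through untouched."""
    out, index = [], {}
    for stmt in statements:
        if "Action" not in stmt:
            out.append(dict(stmt))
            continue
        key, actions = _merge_key(stmt), set(_as_list(stmt["Action"]))
        if key in index:
            target = out[index[key]]
            target["Action"] = sorted(set(target["Action"]) | actions)
            target.pop("Sid", None)
        else:
            new = dict(stmt)
            new["Action"] = sorted(actions)
            index[key] = len(out)
            out.append(new)
    return out


def conservative_wildcard(actions, catalog=ACTION_CATALOG):
    """Longest-common-prefix wildcard for `actions`, returned only if, within the
    catalog, it matches exactly those actions. Anything else (unknown actions,
    mixed services, extra catalog matches) returns None so scope never widens."""
    actions = set(actions)
    services = {a.split(":", 1)[0] for a in actions}
    if len(actions) < 2 or len(services) != 1:
        return None
    (service,) = services
    prefix = os.path.commonprefix([a.split(":", 1)[1] for a in actions])
    expansion = {a for a in catalog if a.startswith(f"{service}:{prefix}")}
    return f"{service}:{prefix}*" if expansion == actions else None


def compress_actions(actions, catalog=ACTION_CATALOG):
    """Try the wildcard per service; groups it rejects stay explicit and sorted."""
    by_service = {}
    for a in actions:
        by_service.setdefault(a.split(":", 1)[0], []).append(a)
    out = []
    for _, group in sorted(by_service.items()):
        wildcard = conservative_wildcard(group, catalog)
        out.extend([wildcard] if wildcard else sorted(group))
    return out


def optimize(policy, catalog=ACTION_CATALOG):
    statements = merge_statements(_as_list(policy["Statement"]))
    for stmt in statements:
        if "Action" in stmt:
            stmt["Action"] = compress_actions(stmt["Action"], catalog)
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": statements}


def check_limits(policy):
    """Measure the minified document, which is the form you should upload."""
    size = len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))
    count = len(_as_list(policy["Statement"]))
    return {"bytes": size, "statements": count,
            "fits": size <= MAX_POLICY_BYTES and count <= MAX_STATEMENTS}


# Constructed sample SCP written one statement per action, as people often do.
GUARD = {"StringNotEquals": {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/OrgAdmin"}}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "NoGetObject", "Effect": "Deny", "Action": "s3:GetObject", "Resource": "*"},
    {"Sid": "NoGetPolicy", "Effect": "Deny", "Action": "s3:GetBucketPolicy", "Resource": "*"},
    {"Sid": "NoGetAcl", "Effect": "Deny", "Action": "s3:GetBucketAcl", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*", "Condition": GUARD},
    {"Effect": "Deny", "Action": "iam:CreateRole", "Resource": "*", "Condition": GUARD},
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

if __name__ == "__main__":
    optimized = optimize(SAMPLE_POLICY)
    print(json.dumps(optimized, indent=2))
    print(check_limits(SAMPLE_POLICY), "->", check_limits(optimized))
```

Run it to print the optimized policy: the six statements collapse to three (s3:Get*, the two IAM actions kept explicit under their shared condition, and the separate s3:PutObject statement), and the limit check goes from failing the statement count to passing it. The merge key is the part to get right in any such tool: two statements whose Condition blocks differ in a single value must never be unioned, because a Deny scoped by one condition would then silently apply under the other.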

Configuration

Place a scpz.yaml in your project root (scpz walks up from the input file to find it). See examples/scpz.yaml for a fully-annotated reference.

apiVersion: scpz.io/v1alpha1
kind: OptimizerConfig
metadata:
  name: default
spec:
  optimizer:
    actionCompress:
      mode: conservative  # conservative | aggressive
    redundancyEliminate:
      enabled: true       # opt-in

# Print the JSON Schema for editor validation
scpz schema

# Regenerate the committed schema after model changes
scpz schema -o schema/OptimizerConfig.json

Development

# Run tests
uv run pytest

# Run tests with coverage
uv run pytest --cov=scpz

# Run a specific test file
uv run pytest tests/test_actions.py -v

License

MIT

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

scpz-0.2.1.tar.gz (191.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

scpz-0.2.1-py3-none-any.whl (139.1 kB view details)

Uploaded Python 3

File details

Details for the file scpz-0.2.1.tar.gz.

File metadata

  • Download URL: scpz-0.2.1.tar.gz
  • Upload date:
  • Size: 191.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for scpz-0.2.1.tar.gz
Algorithm Hash digest
SHA256 b7a2136a7d97ef064d52fcf6caeb05b6fc71aa5bf2c670925461b6529c9e9278
MD5 d2635ee29f47d4eaad32bf47ce55cf42
BLAKE2b-256 4de9772789d0076130e5332301e9b5ec313dfbf76380f258e2628012712fc00c

See more details on using hashes here.

Provenance

The following attestation bundles were made for scpz-0.2.1.tar.gz:

Publisher: publish.yml on tsjnsn/scpz

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file scpz-0.2.1-py3-none-any.whl.

File metadata

  • Download URL: scpz-0.2.1-py3-none-any.whl
  • Upload date:
  • Size: 139.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for scpz-0.2.1-py3-none-any.whl
Algorithm Hash digest
SHA256 46b365e642cb52ccc25b0412aab04098b73de9863cf666463e4dde170212f0a9
MD5 000e56df272d9839bf448a7b618e72aa
BLAKE2b-256 aee657c7ebec88f909b34b2df74c633b0f9624a877523e0d62908d7a09cd2e52

See more details on using hashes here.
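An added check for anyone installing from these files, written for this page and not part of scpz: verify a downloaded sdist or wheel against the SHA-256 digests listed above and emit a hash-pinned requirements line so pip refuses any other bytes. The digests are copied from the two "File hashes" sections; the file content written by self_check() is constructed. MD5 is listed as well but is not collision-resistant, so pin to SHA-256 only.

```python
"""Added example, not part of scpz: pin and verify the 0.2.1 artifacts by the
SHA-256 digests shown on this PyPI page."""
import hashlib
import hmac
import os
import tempfile

# Digests copied from the "File hashes" sections of this page.
EXPECTED_SHA256 = {
    "scpz-0.2.1.tar.gz":
        "b7a2136a7d97ef064d52fcf6caeb05b6fc71aa5bf2c670925461b6529c9e9278",
    "scpz-0.2.1-py3-none-any.whl":
        "46b365e642cb52ccc25b0412aab04098b73de9863cf666463e4dde170212f0a9",
}


def sha256_file(path):
    """Stream the file so large artifacts are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_artifact(path, expected=EXPECTED_SHA256):
    """True only if the file's digest equals the pinned one for its file name.
    A file we have no pin for is an error, not a pass."""
    name = os.path.basename(path)
    if name not in expected:
        raise ValueError(f"no pinned digest for {name}")
    return hmac.compare_digest(sha256_file(path), expected[name])


def requirements_line(expected=EXPECTED_SHA256):
    """requirements.txt line for `pip install --require-hashes -r requirements.txt`;
    with both digests listed, either the sdist or the wheel is accepted, nothing else."""
    return "scpz==0.2.1 " + " ".join(f"--hash=sha256:{d}" for d in expected.values())


def self_check():
    """Write constructed bytes under the sdist's file name and verify both ways:
    against the page's digest (must fail) and against the file's own (must pass)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "scpz-0.2.1.tar.gz")
        with open(path, "wb") as f:
            f.write(b"not the real sdist\n")  # constructed content, not the release
        tampered = verify_artifact(path)
        genuine = verify_artifact(path, {"scpz-0.2.1.tar.gz": sha256_file(path)})
    return tampered, genuine


if __name__ == "__main__":
    print(requirements_line())
    print(self_check())
```

The attestation bundles listed under Provenance cover the same two files; hash pinning is the check that runs offline on every install, while the attestation ties the file back to the publish.yml workflow on tsjnsn/scpz.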

Provenance

The following attestation bundles were made for scpz-0.2.1-py3-none-any.whl:

Publisher: publish.yml on tsjnsn/scpz

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
