
Intelligently optimize AWS SCP JSONs to adhere to strict size, statement, and policy count limits.

Project description

scpz


Intelligently optimize AWS Service Control Policy (SCP) JSONs to fit within AWS's strict limits.

AWS SCP Limits

| Constraint | Limit |
| --- | --- |
| Policy size | 10,240 bytes |
| Statements per SCP | 5 |
| SCPs per target (account/OU) | 10 |

Requirements

Python 3.13 or later.

Installation

pip install scpz

Or with uv (recommended):

uv tool install scpz

Usage

Optimize

# Optimize a single file in-place (original saved as policy.json.bak)
scpz optimize-cmd policy.json

# Optimize all JSON files in a directory
scpz optimize-cmd policies/

# Dry run — show diff + summary without writing
scpz optimize-cmd policy.json --dry-run

# Summary only — just show what would change
scpz optimize-cmd policy.json --summary-only

# Write to a different file
scpz optimize-cmd policy.json --output optimized.json

# Error instead of auto-splitting
scpz optimize-cmd policy.json --no-split

Validate

# Validate a single file
scpz validate policy.json

# Validate all JSON files in a directory
scpz validate policies/

Optimization Passes

scpz runs the following optimizations in order, repeating until the output stops changing (up to 5 rounds):

  1. Statement merging — Combines statements that share the same Effect, Condition, and Resource into a single statement with a unioned Action list.
  2. Action wildcard compression — Replaces groups of actions sharing a common prefix with wildcard patterns (e.g. s3:GetObject + s3:GetBucketPolicy → s3:Get*). Uses the bundled AWS action catalog in conservative mode to avoid scope broadening.
  3. Condition merging — Deduplicates condition values and merges equivalent condition blocks.
  4. Resource ARN optimization — Collapses multiple specific ARNs into wildcard patterns (e.g. role/Admin + role/ReadOnly → role/*).
  5. Redundancy elimination (opt-in) — Removes statements wholly subsumed by another statement in the same policy. Enable with redundancyEliminate.enabled: true in scpz.yaml.

When a policy still exceeds limits after optimization, scpz automatically splits it into multiple SCP documents (up to 10 per target).
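The no-broadening check behind the conservative mode of pass 2, as an added Python illustration that is not scpz's own code. The catalog below is a constructed stand-in for the bundled AWS action catalog, and the rule for generating candidate wildcards (CamelCase prefixes, shortest first) is an assumption about how such a pass could work, not a description of scpz internals.

```python
import re
from fnmatch import fnmatchcase

# Constructed mini catalog standing in for scpz's bundled AWS action catalog.
CATALOG = {
    "s3": {"GetObject", "GetBucketPolicy", "GetBucketAcl", "PutObject", "DeleteObject"},
    "iam": {"CreateUser", "CreateRole", "CreateAccessKey", "DeleteUser"},
}


def expand(pattern: str) -> set[str]:
    """Every catalog action matched by a pattern such as s3:Get*."""
    service, _, glob = pattern.partition(":")
    return {f"{service}:{a}" for a in CATALOG.get(service, ()) if fnmatchcase(a, glob)}


def prefix_patterns(action: str):
    """Candidate wildcards for one action, shortest first (assumed rule):
    s3:GetBucketPolicy -> s3:Get*, s3:GetBucket*."""
    service, _, name = action.partition(":")
    for m in re.finditer(r"(?<=[a-z])(?=[A-Z])", name):
        yield f"{service}:{name[:m.start()]}*"


def compress(actions: list[str]) -> list[str]:
    """Conservative pass: a wildcard replaces listed actions only when its
    catalog expansion contains nothing the policy did not already list, so the
    statement's scope (Allow or Deny) is unchanged after compression."""
    listed = set(actions)
    remaining = set(actions)
    result: set[str] = set()
    for action in sorted(actions):
        if action not in remaining:
            continue  # already covered by an accepted wildcard
        for pattern in prefix_patterns(action):
            covered = expand(pattern)
            # Accept only if it saves a line and never matches an unlisted action.
            if action in covered and len(covered) >= 2 and covered <= listed:
                result.add(pattern)
                remaining -= covered
                break
        else:
            result.add(action)  # no safe wildcard: keep the literal action
            remaining.discard(action)
    return sorted(result)


def broadens(original: list[str], optimized: list[str]) -> bool:
    """True if the optimized Action list reaches any catalog action the original did not."""
    def scope(patterns):
        return set().union(*({p} if "*" not in p else expand(p) for p in patterns))
    return not scope(optimized) <= scope(original)
```

Running `compress` on `["s3:GetObject", "s3:GetBucketPolicy"]` leaves both literals in place, because `s3:Get*` would also reach `s3:GetBucketAcl`; adding that third action makes the wildcard safe.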

Configuration

Place a scpz.yaml in your project root (scpz walks up from the input file to find it). See examples/scpz.yaml for a fully-annotated reference.

apiVersion: scpz.io/v1alpha1
kind: OptimizerConfig
metadata:
  name: default
spec:
  optimizer:
    actionCompress:
      mode: conservative  # conservative | aggressive
    redundancyEliminate:
      enabled: true       # opt-in

# Print the JSON Schema for editor validation
scpz schema

Development

# Install with dev dependencies
uv sync --dev

# Run tests
uv run pytest

# Run tests with coverage
uv run pytest --cov=scpz

# Run a specific test file
uv run pytest tests/test_actions.py -v

# Regenerate the committed schema after model changes
uv run scpz schema -o schema/OptimizerConfig.json

License

MIT

Download files


Source Distribution

scpz-0.2.2.tar.gz (191.7 kB)

Uploaded Source

Built Distribution


scpz-0.2.2-py3-none-any.whl (139.3 kB)

Uploaded Python 3

File details

Details for the file scpz-0.2.2.tar.gz.

File metadata

  • Download URL: scpz-0.2.2.tar.gz
  • Size: 191.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for scpz-0.2.2.tar.gz
Algorithm Hash digest
SHA256 9bd1861767f3569944bcecaa6a825a6658a4a3feb254375087d99a5829e952e1
MD5 f56e8df74a4a32ecb91f166e1d51de01
BLAKE2b-256 c1cd6423586d4bcc0c9a62efb4f1f5d6fefae5c10d0c00f7b170819d4215965c


Provenance

The following attestation bundles were made for scpz-0.2.2.tar.gz:

Publisher: publish.yml on tsjnsn/scpz

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file scpz-0.2.2-py3-none-any.whl.

File metadata

  • Download URL: scpz-0.2.2-py3-none-any.whl
  • Size: 139.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for scpz-0.2.2-py3-none-any.whl
Algorithm Hash digest
SHA256 3852823911b5c2234959195784753c220fee12af75fad33669672683dae18d9a
MD5 a0ffd65dea8f431dee512f0341eee34e
BLAKE2b-256 fb3e22c2e4f56e50039ce04705ac5ac9bf4007705326a9c0f861d1261f41c0f7


Provenance

The following attestation bundles were made for scpz-0.2.2-py3-none-any.whl:

Publisher: publish.yml on tsjnsn/scpz

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
