
Intelligently optimize AWS SCP JSONs to adhere to strict size, statement, and policy count limits.

Project description

scpz


Intelligently optimize AWS Service Control Policy (SCP) JSONs to fit within AWS's strict limits.

AWS SCP Limits

Constraint                      Limit
Policy size                     10,240 bytes
Statements per SCP              5
SCPs per target (account/OU)    10

Requirements

Python 3.13 or later.

Installation

pip install scpz

Or with uv (recommended):

uv tool install scpz

Usage

Optimize

# Optimize a single file in-place (original saved as policy.json.bak)
scpz optimize-cmd policy.json

# Optimize all JSON files in a directory
scpz optimize-cmd policies/

# Dry run — show diff + summary without writing
scpz optimize-cmd policy.json --dry-run

# Summary only — just show what would change
scpz optimize-cmd policy.json --summary-only

# Write to a different file
scpz optimize-cmd policy.json --output optimized.json

# Error instead of auto-splitting
scpz optimize-cmd policy.json --no-split

Validate

# Validate a single file
scpz validate policy.json

# Validate all JSON files in a directory
scpz validate policies/

Optimization Passes

scpz runs the following optimizations in order, repeating until the output stops changing (up to 5 rounds):

  1. Statement merging — Combines statements that share the same Effect, Condition, and Resource into a single statement with a unioned Action list.
  2. Action wildcard compression — Replaces groups of actions sharing a common prefix with wildcard patterns (e.g. s3:GetObject + s3:GetBucketPolicy → s3:Get*). Uses the bundled AWS action catalog in conservative mode to avoid scope broadening.
  3. Condition merging — Deduplicates condition values and merges equivalent condition blocks.
  4. Resource ARN optimization — Collapses multiple specific ARNs into wildcard patterns (e.g. role/Admin + role/ReadOnly → role/*).
  5. Redundancy elimination (opt-in) — Removes statements wholly subsumed by another statement in the same policy. Enable with redundancyEliminate.enabled: true in scpz.yaml.

When a policy still exceeds limits after optimization, scpz automatically splits it into multiple SCP documents (up to 10 per target).
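The following is an added example, not scpz's own code, showing what passes 1 and 2 do and why conservative mode matters, together with the two per-policy limits from the table above. The action catalog is a constructed stand-in for the bundled one, the input SCP is constructed, the merge key (Effect, Resource, Condition) and the choice to measure size on the compact JSON serialization are assumptions of this example.

```python
"""Added example, not scpz's own code: a toy implementation of pass 1
(statement merging), pass 2 in conservative mode (action wildcard
compression checked against an action catalog) and the per-policy limit
check, run over a constructed SCP."""
import copy
import json
import re

# Limits quoted in the AWS SCP Limits table above.
MAX_POLICY_BYTES = 10_240
MAX_STATEMENTS = 5

# Constructed stand-in for the bundled action catalog (assumption: the real
# catalog lists every action of every service; this one lists a handful).
ACTION_CATALOG = {
    "s3": ["GetObject", "GetBucketPolicy", "PutObject", "DeleteObject"],
    "iam": ["CreateUser", "CreateRole", "DeleteUser", "PassRole"],
}

# Constructed input: two Deny statements that differ only in Action, plus one
# unrelated statement.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyS3ReadOutsideRegion", "Effect": "Deny",
         "Action": "s3:GetObject", "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": "eu-west-1"}}},
        {"Sid": "DenyS3PolicyReadOutsideRegion", "Effect": "Deny",
         "Action": ["s3:GetBucketPolicy"], "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": "eu-west-1"}}},
        {"Sid": "DenyIamUserCreation", "Effect": "Deny",
         "Action": "iam:CreateUser", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _merge_key(stmt):
    """Stable key over the fields that must match for two statements to merge."""
    return json.dumps({"Effect": stmt.get("Effect"),
                       "Resource": sorted(_as_list(stmt.get("Resource", []))),
                       "Condition": stmt.get("Condition")}, sort_keys=True)


def merge_statements(policy):
    """Pass 1: union the Action lists of statements sharing Effect, Resource and
    Condition. Statements without a plain Action (e.g. NotAction) pass through
    untouched; a merged statement keeps the first Sid seen."""
    merged, order = {}, []
    for stmt in policy["Statement"]:
        if "Action" not in stmt:
            order.append(("raw", stmt))
            continue
        key = _merge_key(stmt)
        if key not in merged:
            merged[key] = copy.deepcopy(stmt)
            merged[key]["Action"] = []
            order.append(("merged", key))
        merged[key]["Action"] = sorted(set(merged[key]["Action"]) | set(_as_list(stmt["Action"])))
    out = copy.deepcopy(policy)
    out["Statement"] = [merged[x] if tag == "merged" else x for tag, x in order]
    return out


def _verb(action_name):
    m = re.match(r"[A-Z][a-z]*", action_name)
    return m.group(0) if m else action_name


def compress_actions(actions):
    """Pass 2, conservative mode: rewrite `svc:VerbXyz, ...` as `svc:Verb*` only
    when the statement already lists every catalog action under that prefix, so
    the wildcard never matches an action the author did not name."""
    by_service, out = {}, []
    for action in actions:
        if ":" not in action or action.endswith("*"):   # "*" or existing wildcards
            out.append(action)
            continue
        svc, _, name = action.partition(":")
        by_service.setdefault(svc, set()).add(name)
    for svc, names in by_service.items():
        catalog = set(ACTION_CATALOG.get(svc, ()))
        remaining = set(names)
        for prefix in {_verb(n) for n in names}:
            in_catalog = {n for n in catalog if n.startswith(prefix)}
            listed = {n for n in names if n.startswith(prefix)}
            if in_catalog and listed >= in_catalog:
                out.append(f"{svc}:{prefix}*")
                remaining -= listed
        out.extend(f"{svc}:{n}" for n in remaining)
    return sorted(out)


def check_limits(policy):
    """Size and statement-count check; size is measured on the compact JSON
    serialization (an assumption of this example)."""
    size = len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))
    count = len(policy["Statement"])
    return {"bytes": size, "statements": count,
            "ok": size <= MAX_POLICY_BYTES and count <= MAX_STATEMENTS}


def optimize(policy):
    out = merge_statements(policy)
    for stmt in out["Statement"]:
        if "Action" in stmt:
            stmt["Action"] = compress_actions(_as_list(stmt["Action"]))
    return out


if __name__ == "__main__":
    result = optimize(SCP)
    print(json.dumps(result, indent=2))
    print(check_limits(result))
```

On the constructed input the two s3 Deny statements merge into one whose Action becomes `s3:Get*`, because the toy catalog has exactly those two `Get` actions; `iam:CreateUser` stays literal because the catalog also knows `iam:CreateRole`, which the statement does not list. That refusal is the whole point of conservative mode: a wildcard that would cover an unlisted action changes the policy's meaning rather than just its size.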

Configuration

Place a scpz.yaml in your project root (scpz walks up from the input file to find it). See examples/scpz.yaml for a fully-annotated reference.

apiVersion: scpz.io/v1alpha1
kind: OptimizerConfig
metadata:
  name: default
spec:
  optimizer:
    actionCompress:
      mode: conservative  # conservative | aggressive
    redundancyEliminate:
      enabled: true       # opt-in

# Print the JSON Schema for editor validation
scpz schema

Development

# Install with dev dependencies
uv sync --dev

# Run tests
uv run pytest

# Run tests with coverage
uv run pytest --cov=scpz

# Run a specific test file
uv run pytest tests/test_actions.py -v

# Regenerate the committed schema after model changes
uv run scpz schema -o schema/OptimizerConfig.json

License

MIT



Download files


Source Distribution

scpz-0.2.3.tar.gz (191.9 kB)


Built Distribution


scpz-0.2.3-py3-none-any.whl (139.4 kB)


File details

Details for the file scpz-0.2.3.tar.gz.

File metadata

  • Download URL: scpz-0.2.3.tar.gz
  • Size: 191.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for scpz-0.2.3.tar.gz
Algorithm Hash digest
SHA256 b51924259faea66ebc0f927123a9f3af41ef5cd60a7cb28ce81b2e00ce53750a
MD5 5529d171e654ea1af490086a443abce8
BLAKE2b-256 20b1ed9287ce5c3dd4110479679cb199b7f842dde87928ba4447bbddc0954b44


Provenance

The following attestation bundles were made for scpz-0.2.3.tar.gz:

Publisher: publish.yml on tsjnsn/scpz


File details

Details for the file scpz-0.2.3-py3-none-any.whl.

File metadata

  • Download URL: scpz-0.2.3-py3-none-any.whl
  • Size: 139.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for scpz-0.2.3-py3-none-any.whl
Algorithm Hash digest
SHA256 4d118e09ed5db3a3592f6fc7c52d7cccc503d5cd88b93c58ac0760d75e9fb016
MD5 e4109a07a7b45071050b4f138b44ca31
BLAKE2b-256 6e78020c989f9632c1e5cf7272c2a812282262f8c30569466be93d405cb840db


Provenance

The following attestation bundles were made for scpz-0.2.3-py3-none-any.whl:

Publisher: publish.yml on tsjnsn/scpz

