IAM Policy Validator

Stop IAM misconfigurations before they become breaches — Catch overprivileged permissions, dangerous wildcards, and policy errors before deployment.

Full Documentation

Why This Tool Exists
Quick Start
What Makes This Different
What Does It Check?
Installation & Usage
MCP Server
Claude Code Skill
AWS Access Analyzer (Optional)
Comparison with Other Tools
Documentation
Contributing
License

Why This Tool Exists

Security teams need to enforce organization-specific IAM requirements and catch dangerous patterns before policies reach production. Manual review doesn't scale, and AWS's built-in validation in IAM console only checks more syntax and less security.

Real problems this detects:

Privilege escalation chains - Scattered actions that together grant admin access
Broken automation - Syntactically valid but functionally wrong policies (s3:GetObject on bucket ARN)
Missing security controls - No IAM conditions for sensitive AWS API actions
Overly permissive access - Wildcard actions and resources that violate least privilege
Trust policy vulnerabilities - Confused deputy risks, incorrect principals, missing OIDC audience, SAML misconfiguration
Typos and invalid syntax - Invalid actions (s3:GetObjekt), condition keys, or ARN formats before deployment
Your own detection - Set custom configuration file for custom detections

Quick Start

pip install iam-policy-validator

# Try it with the example policies (from repository root)
iam-validator validate --path examples/quick-start/ --format enhanced

See the example policies used (examples/quick-start/)

user-policy.json - Contains typo and missing condition:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObjekt",
      "Resource": "arn:aws:s3:::my-bucket/*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/lambda-role"
    }
  ]
}

s3-policy.json - Sensitive action without conditions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

lambda-policy.json - Valid policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function"
    }
  ]
}

See the example output

╭──────────────────────────────────────────────────────────────────────────────────────────────────╮
│                                                                                                  │
│                                  IAM Policy Validation Report                                    │
│                                                                                                  │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
───────────────────────────────────────── Detailed Results ─────────────────────────────────────────
❌ [1/3] examples/quick-start/user-policy.json • INVALID (IAM errors + security issues)
     2 issue(s) found

iam-policy-validator

Popularity

What's Inside

README