From iam-policy-validator
Validate, analyze, and query AWS IAM policies via CLI. Runs 22 built-in checks on identity, resource, trust policies, SCPs, and RCPs; detects wildcard actions, privilege escalation, confused deputy issues; queries AWS service actions, condition keys, and ARNs; exports findings as JSON for PR review.
How this skill is triggered — by the user, by Claude, or both

Slash command:

/iam-policy-validator:iam-policy-validator [validate|query|analyze] <policy-path|dir> [--config <file>] [--export-json <file>]

The summary Claude sees in its skill listing — used to decide when to auto-load this skill:

Validate AWS IAM policies against 22 built-in checks and query AWS service definitions. Self-contained: needs only the CLI (`uvx`, no install) plus Python 3.10+.

Bundled reference files:

- references/advanced-flags.md
- references/checks.md
- references/ci-integration.md
- references/common-mistakes.md
- references/configuration.md
- references/output-formats.md
- references/pr-review-handoff.md
- references/querying.md
- references/troubleshooting.md
- references/verification-protocol.md
- scripts/render_pr_comments.py
Home: https://github.com/boogy/iam-policy-validator · Docs: https://boogy.github.io/iam-policy-validator/
| Goal | Command |
|---|---|
| Validate a policy file or directory | `iam-validator validate --path <path>` |
| Validate and post findings to a PR | `validate --format json` -> verify -> `post-to-pr` (see below) |
| Query AWS actions, ARNs, conditions | `iam-validator query action\|arn\|condition --service <svc>` |
| Run AWS IAM Access Analyzer | `iam-validator analyze --path <path>` |
| Manage the AWS service cache | `iam-validator cache info\|clear\|refresh\|prefetch` |
| Pre-download for offline/CI | `iam-validator sync-services --output-dir ./aws_services/` |
| Generate shell completions | `iam-validator completion bash\|zsh` |
```bash
# Scan one file (no install needed)
uvx iam-policy-validator validate --path policy.json

# Scan a directory recursively
uvx iam-policy-validator validate --path ./policies/

# Trust policy (auto-detect works, but explicit is safer)
uvx iam-policy-validator validate --path trust.json --policy-type TRUST_POLICY

# JSON output for scripting or PR handoff
uvx iam-policy-validator validate --path ./policies/ --format json --output findings.json
```
| Skill argument | Maps to CLI |
|---|---|
| `validate` (default) | `iam-validator validate --path <path>` |
| `query` | `iam-validator query ...` — see references/querying.md |
| `analyze` | `iam-validator analyze --path <path>` (AWS IAM Access Analyzer) |
| `--config <file>` | `--config <file>` (forwarded verbatim; YAML) |
| `--export-json <file>` | `--format json --output <file>`, then hand off — do NOT post |
Defaults: no verb -> validate. With --export-json, follow the PR handoff and never post comments directly.
```bash
uvx iam-policy-validator validate --path policy.json   # preferred, no install
uv add iam-policy-validator                            # or: pip install iam-policy-validator
iam-validator --version
```
Do not install the [mcp] extra — this skill is CLI-only.
post-to-pr (simpler):

```bash
iam-validator validate --path ./policies/ --format json --output report.json
iam-validator post-to-pr --report report.json
```

Posts all findings. Good for CI where you trust the validator's output. See references/ci-integration.md.
```bash
# 1. Export findings
iam-validator validate --path ./policies/ --format json --output findings.json

# 2. Verify each finding with query (see verification-protocol.md)
iam-validator query action --name <svc:Action> --has-condition-key <key>

# 3. Render verified findings
python3 scripts/render_pr_comments.py findings.json --format json > comments.json

# 4. Post from a separate agent
```
Full protocol: references/pr-review-handoff.md. Verification checklist: references/verification-protocol.md.
| Code | Meaning |
|---|---|
| 0 | No error-severity findings (warnings may still exist) |
| non-zero | Error-severity findings, or `--fail-on-warnings` + warnings, or CLI error |
Read stderr and findings before drawing conclusions. A non-zero exit does not necessarily mean the policy is dangerous.
IDENTITY_POLICY (default), RESOURCE_POLICY, TRUST_POLICY, SERVICE_CONTROL_POLICY, RESOURCE_CONTROL_POLICY — auto-detected when --policy-type is omitted. Pass it explicitly for trust, resource, SCP, or RCP documents to avoid false positives.
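A small CI gate that applies the exit-code table and the policy-type rule above, as an added example (not the project's own code): it builds the documented `validate` invocation with an explicit `--policy-type`, then maps the exit status to a verdict without trusting "non-zero" to mean "dangerous". It assumes the flag names and exit semantics documented on this page; the findings JSON schema is not parsed, and treating "non-zero with no report written" as a CLI error is this example's own heuristic.

```python
"""CI gate around `iam-policy-validator validate` (added example, not project code)."""
import os
import subprocess
from typing import Optional

# Values accepted by --policy-type, as listed on this page.
POLICY_TYPES = {
    "IDENTITY_POLICY", "RESOURCE_POLICY", "TRUST_POLICY",
    "SERVICE_CONTROL_POLICY", "RESOURCE_CONTROL_POLICY",
}


def build_command(path: str, output: str, policy_type: Optional[str] = None,
                  config: Optional[str] = None, fail_on_warnings: bool = False) -> list:
    """Assemble the documented uvx invocation; an explicit type avoids false positives."""
    if policy_type is not None and policy_type not in POLICY_TYPES:
        raise ValueError(f"unknown policy type: {policy_type}")
    cmd = ["uvx", "iam-policy-validator", "validate", "--path", path,
           "--format", "json", "--output", output]
    if policy_type:
        cmd += ["--policy-type", policy_type]
    if config:
        cmd += ["--config", config]          # forwarded verbatim, YAML
    if fail_on_warnings:
        cmd.append("--fail-on-warnings")
    return cmd


def interpret(returncode: int, report_written: bool) -> str:
    """Map exit status to a verdict per the exit-code table.

    0 -> no error-severity findings (warnings may still sit in the report);
    non-zero with a report -> findings that need review (or warnings under
    --fail-on-warnings); non-zero with no report -> assumed CLI error, which
    says nothing about the policy itself.
    """
    if returncode == 0:
        return "clean"
    return "findings" if report_written else "cli-error"


def run_gate(path: str, output: str = "findings.json", **kwargs) -> str:
    """Run the validator and return the verdict; surface stderr on CLI errors."""
    proc = subprocess.run(build_command(path, output, **kwargs),
                          capture_output=True, text=True)
    written = os.path.isfile(output) and os.path.getsize(output) > 0
    verdict = interpret(proc.returncode, written)
    if verdict == "cli-error":
        print(proc.stderr)  # read stderr before drawing conclusions
    return verdict
```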
Covered in the reference files:

- `--ci`, `post-to-pr`, `--github-*`, `--comment-tag`, PR workflows
- `--stdin`, `--custom-checks-dir`, `--stream`, `completion`, and more

For authoritative per-check detail, see https://boogy.github.io/iam-policy-validator/user-guide/checks/ rather than inventing specifics.
- Check flags with `iam-validator <cmd> --help`; don't fabricate them.
- Prefer `uvx` over global installs; ask before changing the environment.
- Pass `--policy-type` for non-identity policies to avoid false positives.

Plugin install: `npx claudepluginhub boogy/iam-policy-validator --plugin iam-policy-validator`