From localstack
Analyze and enforce IAM policies in LocalStack. Detect permission violations, auto-generate least-privilege policies, and test policies locally before deploying to AWS.
Slash command: `/localstack:iam-policy-analyzer`

Summary shown in Claude's skill listing (used to decide when to auto-load this skill): Analyze IAM policies, detect permission violations, and automatically generate least-privilege policies based on actual usage.
IAM enforcement requires LocalStack Pro:

```bash
export LOCALSTACK_AUTH_TOKEN=<your-token>

# Soft mode - logs violations but allows requests
ENFORCE_IAM=soft localstack start -d

# Enforced mode - denies unauthorized requests
ENFORCE_IAM=1 localstack start -d
```

| Mode | Behavior |
|---|---|
| Disabled (default) | No IAM checks |
| `soft` | Logs violations, allows requests |
| `1` / enforced | Full enforcement, denies unauthorized requests |
```bash
# Create user
awslocal iam create-user --user-name dev-user

# Create access key
awslocal iam create-access-key --user-name dev-user

# Attach an AWS managed policy
awslocal iam attach-user-policy \
  --user-name dev-user \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

# Create a customer managed policy from a JSON file
awslocal iam create-policy \
  --policy-name my-custom-policy \
  --policy-document file://policy.json
```

Example policy.json:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
```

View IAM-related log entries:

```bash
localstack logs | grep -i "access denied"
localstack logs | grep -i "iam"
```
Based on the access patterns observed while running with `ENFORCE_IAM=soft`, create least-privilege policies that allow only the actions and resources actually used, then test them locally before deploying to AWS:

```bash
# Test whether a specific action on a specific resource would be allowed for the principal
awslocal iam simulate-principal-policy \
  --policy-source-arn arn:aws:iam::000000000000:user/dev-user \
  --action-names s3:GetObject \
  --resource-arns arn:aws:s3:::my-bucket/file.txt

# Check policy syntax and surface Access Analyzer findings
awslocal accessanalyzer validate-policy \
  --policy-document file://policy.json \
  --policy-type IDENTITY_POLICY
```
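The two steps above, deriving a least-privilege policy from soft-mode observations and then checking what the result allows, as one worked example. This is added example code, not part of the LocalStack skill or of LocalStack itself. It assumes the policy engine logs a `Necessary permissions for this request: [...]` line per denied request (the `NEEDED_RE` pattern is an assumption; adjust it if your LocalStack version formats the line differently), and the log lines in `SAMPLE_LOG` are constructed for the example. The `evaluate` function is a local approximation of `simulate-principal-policy` for plain Allow/Deny statements and refuses statements with elements it does not model, rather than returning a wrong decision.

```python
"""Build a least-privilege policy from LocalStack soft-mode logs, then check it locally.

Added example, not LocalStack code. The log line shape matched by NEEDED_RE is an
assumption; SAMPLE_LOG is constructed, not captured from a real run.
"""
import fnmatch
import json
import re
from collections import defaultdict

# Constructed sample of `localstack logs` output from an ENFORCE_IAM=soft run.
SAMPLE_LOG = """\
2024-01-01T10:00:00.000  INFO --- [asgi_gw_0] l.p.i.policy_engine : Request for service s3 by principal arn:aws:iam::000000000000:user/dev-user for action s3:GetObject denied.
2024-01-01T10:00:00.001  INFO --- [asgi_gw_0] l.p.i.policy_engine : Necessary permissions for this request: [{"Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/config.json"}]
2024-01-01T10:00:01.000  INFO --- [asgi_gw_0] l.p.i.policy_engine : Request for service s3 by principal arn:aws:iam::000000000000:user/dev-user for action s3:PutObject denied.
2024-01-01T10:00:01.001  INFO --- [asgi_gw_0] l.p.i.policy_engine : Necessary permissions for this request: [{"Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/output/result.txt"}]
2024-01-01T10:00:02.000  INFO --- [asgi_gw_0] l.p.i.policy_engine : Request for service sqs by principal arn:aws:iam::000000000000:user/dev-user for action sqs:SendMessage denied.
2024-01-01T10:00:02.001  INFO --- [asgi_gw_0] l.p.i.policy_engine : Necessary permissions for this request: [{"Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:us-east-1:000000000000:jobs"}]
"""

# Assumed log line shape; the JSON list after the colon is what we need.
NEEDED_RE = re.compile(r"Necessary permissions for this request: (\[.*\])\s*$")


def parse_soft_mode_log(text):
    """Return the (action, resource) pairs the policy engine reported as required."""
    needed = []
    for line in text.splitlines():
        m = NEEDED_RE.search(line)
        if m:
            for perm in json.loads(m.group(1)):
                needed.append((perm["Action"], perm["Resource"]))
    return needed


def build_least_privilege_policy(needed, collapse_s3_keys=True):
    """One Allow statement per resource, carrying only the actions seen on it.

    S3 object ARNs are widened to <bucket>/* by default: the keys touched in a
    test run are rarely the full set the workload needs, and a per-key policy
    would break on the first new key. Every other ARN stays exactly as observed.
    """
    by_resource = defaultdict(set)
    for action, resource in needed:
        if collapse_s3_keys and resource.startswith("arn:aws:s3:::") and "/" in resource:
            resource = resource.split("/", 1)[0] + "/*"
        by_resource[resource].add(action)
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
        for resource, actions in sorted(by_resource.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def evaluate(policy, action, resource):
    """Local stand-in for simulate-principal-policy on plain Allow/Deny statements.

    Explicit Deny beats Allow, and no match is an implicit deny. Actions match
    case-insensitively and resources case-sensitively, as in IAM; '*' and '?'
    are the wildcards (fnmatch also treats '[' specially, which ARNs do not use).
    Statements using elements this evaluator does not model raise instead of
    silently returning a wrong decision.
    """
    unsupported = {"Condition", "NotAction", "NotResource", "Principal", "NotPrincipal"}
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        extra = unsupported.intersection(stmt)
        if extra:
            raise ValueError(f"statement uses unsupported element(s): {sorted(extra)}")
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"
        decision = "allowed"
    return decision


def uncovered_requests(policy, needed):
    """Observed (action, resource) pairs the generated policy would still deny."""
    return [(a, r) for a, r in needed if evaluate(policy, a, r) != "allowed"]


if __name__ == "__main__":
    observed = parse_soft_mode_log(SAMPLE_LOG)
    least_priv = build_least_privilege_policy(observed)
    print(json.dumps(least_priv, indent=2))
    print("still denied:", uncovered_requests(least_priv, observed))
    print(evaluate(least_priv, "s3:DeleteObject", "arn:aws:s3:::my-bucket/config.json"))
```

Pipe `localstack logs` into `parse_soft_mode_log` after exercising the workload in soft mode, write the generated document out as `policy.json`, and run it through `validate-policy` and `simulate-principal-policy` above before attaching it. The local `evaluate` is only a pre-check: it is deliberately narrow, so anything involving `Condition` keys must be validated against the real simulator.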
Install the plugin: `npx claudepluginhub localstack/skills --plugin localstack`