Plugin

iam-policy-validator

Name: iam-policy-validator
Author: boogy

Validate and audit AWS IAM policies, trust policies, SCPs, and resource policies in GitHub PRs using the iam-policy-validator CLI. Detect security risks like wildcard actions, privilege escalation, confused deputy, and overly permissive policies, then generate SARIF reports and post findings directly to pull requests.

npx claudepluginhub boogy/iam-policy-validator --plugin iam-policy-validator

Component Overview

Skills

Component Details

Skills (1)

iam-policy-validator

/iam-policy-validator

Validate, analyze, and query AWS IAM policies using the iam-policy-validator CLI. Use this skill when the user asks to check, validate, lint, audit, or find security issues in IAM policies, trust policies, SCPs, RCPs, or resource policies; when they mention wildcard actions, privilege escalation, sensitive actions, confused deputy, or overly permissive policies; when they want to run AWS IAM Access Analyzer, generate a SARIF/Markdown/HTML report from policies, query which AWS actions or condition keys exist for a service, or post IAM findings to a GitHub PR. This is the CLI-based alternative to running the MCP server.

README

IAM Policy Validator

Stop IAM misconfigurations before they become breaches — Catch overprivileged permissions, dangerous wildcards, and policy errors before deployment.

Full Documentation

Why This Tool Exists
Quick Start
What Makes This Different
What Does It Check?
Installation & Usage
MCP Server
Claude Code Skill
AWS Access Analyzer (Optional)
Comparison with Other Tools
Documentation
Contributing
License

Why This Tool Exists

Security teams need to enforce organization-specific IAM requirements and catch dangerous patterns before policies reach production. Manual review doesn't scale, and AWS's built-in validation in IAM console only checks more syntax and less security.

Real problems this detects:

Privilege escalation chains - Scattered actions that together grant admin access
Broken automation - Syntactically valid but functionally wrong policies (s3:GetObject on bucket ARN)
Missing security controls - No IAM conditions for sensitive AWS API actions
Overly permissive access - Wildcard actions and resources that violate least privilege
Trust policy vulnerabilities - Confused deputy risks, incorrect principals, missing OIDC audience, SAML misconfiguration
Typos and invalid syntax - Invalid actions (s3:GetObjekt), condition keys, or ARN formats before deployment
Your own detection - Set custom configuration file for custom detections

Quick Start

pip install iam-policy-validator

# Try it with the example policies (from repository root)
iam-validator validate --path examples/quick-start/ --format enhanced

See the example policies used (examples/quick-start/)

user-policy.json - Contains typo and missing condition:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObjekt",
      "Resource": "arn:aws:s3:::my-bucket/*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/lambda-role"
    }
  ]
}

s3-policy.json - Sensitive action without conditions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

lambda-policy.json - Valid policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function"
    }
  ]
}

See the example output

╭──────────────────────────────────────────────────────────────────────────────────────────────────╮
│                                                                                                  │
│                                  IAM Policy Validation Report                                    │
│                                                                                                  │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
───────────────────────────────────────── Detailed Results ─────────────────────────────────────────
❌ [1/3] examples/quick-start/user-policy.json • INVALID (IAM errors + security issues)
     2 issue(s) found

View full README on GitHub

Similar Plugins

access-control-auditor

1.9k

Audit access control implementations

v1.0.0

Stats

Version1.19.0

Stars10

Forks3

MaintenanceExcellent

LicenseMIT

Last CommitMay 1, 2026

AddedApr 22, 2026

Actions

View on GitHub View README Plugin Marketplace JSON Homepage

Available In

iam-policy-validator10

Help us improve

Share bugs, ideas, or general feedback.

Back to Plugins

IAM Policy Validator

Stop IAM misconfigurations before they become breaches — Catch overprivileged permissions, dangerous wildcards, and policy errors before deployment.

Full Documentation

Why This Tool Exists
Quick Start
What Makes This Different
What Does It Check?
Installation & Usage
MCP Server
Claude Code Skill
AWS Access Analyzer (Optional)
Comparison with Other Tools
Documentation
Contributing
License

Why This Tool Exists

Real problems this detects:

Privilege escalation chains - Scattered actions that together grant admin access
Broken automation - Syntactically valid but functionally wrong policies (s3:GetObject on bucket ARN)
Missing security controls - No IAM conditions for sensitive AWS API actions
Overly permissive access - Wildcard actions and resources that violate least privilege
Trust policy vulnerabilities - Confused deputy risks, incorrect principals, missing OIDC audience, SAML misconfiguration
Typos and invalid syntax - Invalid actions (s3:GetObjekt), condition keys, or ARN formats before deployment
Your own detection - Set custom configuration file for custom detections

Quick Start

pip install iam-policy-validator

# Try it with the example policies (from repository root)
iam-validator validate --path examples/quick-start/ --format enhanced

See the example policies used (examples/quick-start/)

user-policy.json - Contains typo and missing condition:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObjekt",
      "Resource": "arn:aws:s3:::my-bucket/*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/lambda-role"
    }
  ]
}

s3-policy.json - Sensitive action without conditions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

lambda-policy.json - Valid policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function"
    }
  ]
}

See the example output

╭──────────────────────────────────────────────────────────────────────────────────────────────────╮
│                                                                                                  │
│                                  IAM Policy Validation Report                                    │
│                                                                                                  │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
───────────────────────────────────────── Detailed Results ─────────────────────────────────────────
❌ [1/3] examples/quick-start/user-policy.json • INVALID (IAM errors + security issues)
     2 issue(s) found

iam-policy-validator

Component Overview

Component Details

Skills (1)

README

IAM Policy Validator

Table of Contents

Why This Tool Exists

Quick Start

Similar Plugins

access-control-auditor

Help us improve

Help us improve

iam-policy-validator

Component Overview

Component Details

Skills (1)

README

IAM Policy Validator

Table of Contents

Why This Tool Exists

Quick Start

Similar Plugins

access-control-auditor

Help us improve

aws-inspector

aws-agent-skills

clawdstrike

aws-cost-ops

grc