Skill

localstack-iam

Analyze and enforce IAM policies in LocalStack. Detect permission violations, auto-generate least-privilege policies, and test policies locally before deploying to AWS.

AWS

security

testing

npx claudepluginhub localstack/skills --plugin localstack

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Analyze IAM policies, detect permission violations, and automatically generate least-privilege policies based on actual usage.

SKILL.md

Similar Skills

aws-iam

533

Corrects AI mistakes on AWS IAM pitfalls: policy evaluation edge cases, STS session limits, Organizations quirks, SAML/MFA specifics. Use when working with IAM roles, policies, STS, Organizations.

aws-core

iam-policy-validator

Validates, analyzes, and queries AWS IAM policies, trust policies, SCPs, and resource policies using iam-policy-validator CLI. Detects security issues like wildcard actions, privilege escalation, confused deputy, and overly permissive policies; generates reports and posts to GitHub PRs.

4 files

iam-policy-validator

aws-iam-best-practices

37.2k

Reviews and hardens AWS IAM policies for least privilege, detects wildcard actions, inline policies, MFA status, and old access keys via AWS CLI scripts.

antigravity-awesome-skills

Stats

Stars10

Forks0

Last CommitFeb 1, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

IAM Policy Analyzer

Analyze IAM policies, detect permission violations, and automatically generate least-privilege policies based on actual usage.

Capabilities

Enforce IAM policies locally
Detect permission violations
Auto-generate policies from access patterns
Analyze existing policies for issues
Test policies before deploying to AWS

Prerequisites

IAM enforcement requires LocalStack Pro:

export LOCALSTACK_AUTH_TOKEN=<your-token>

IAM Enforcement Modes

Enable Enforcement

# Soft mode - logs violations but allows requests
ENFORCE_IAM=soft localstack start -d

# Enforced mode - denies unauthorized requests
ENFORCE_IAM=1 localstack start -d

Configuration

Mode	Behavior
Disabled (default)	No IAM checks
`soft`	Logs violations, allows requests
`1` / `enforced`	Full enforcement, denies unauthorized

Creating IAM Resources

Create a User with Policy

# Create user
awslocal iam create-user --user-name dev-user

# Create access key
awslocal iam create-access-key --user-name dev-user

# Attach policy
awslocal iam attach-user-policy \
  --user-name dev-user \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

Create Custom Policy

# Create policy from JSON file
awslocal iam create-policy \
  --policy-name my-custom-policy \
  --policy-document file://policy.json

# Example policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

Policy Analysis

Detect Violations

Enable soft enforcement mode
Run your application
Check logs for access denied messages

# View IAM-related log entries
localstack logs | grep -i "access denied"
localstack logs | grep -i "iam"

Auto-Generate Policies

Based on access patterns observed in soft mode, create least-privilege policies:

Run application with ENFORCE_IAM=soft
Collect all accessed resources and actions from logs
Generate minimal policy covering observed access

Testing Policies

Simulate Policy

# Test if action would be allowed
awslocal iam simulate-principal-policy \
  --policy-source-arn arn:aws:iam::000000000000:user/dev-user \
  --action-names s3:GetObject \
  --resource-arns arn:aws:s3:::my-bucket/file.txt

Validate Policy

# Check policy syntax
awslocal accessanalyzer validate-policy \
  --policy-document file://policy.json \
  --policy-type IDENTITY_POLICY

Best Practices

Start with soft enforcement to discover required permissions
Use least-privilege principles when creating policies
Test policies locally before deploying to AWS
Regularly audit and refine policies based on actual usage
Use IAM roles instead of users where possible