aws-lint-iam-policies

A tool for validating AWS IAM policies against best practices and identifying security issues.

Tags AWS, Open Source, Self Hosted Only
Category Identity & Access Management
GitHub Stars 132
Last Commit 2 weeks ago
This page updated a month ago
Pricing Details Free to use under the GNU Affero General Public License v3.0
Target Audience AWS administrators, security engineers, DevOps teams.

The aws-lint-iam-policies tool addresses the security and operational challenge of keeping AWS IAM policies free of errors and aligned with best practices. It uses AWS IAM Access Analyzer to examine IAM policies across either a single AWS account or all accounts within an AWS Organization.

Technically, the tool reads all supported policy types (currently 34) from the targeted AWS account(s) and submits them to the IAM Access Analyzer API to identify errors, security issues, and recommendations. It performs three kinds of checks: IAM Access Analyzer policy validation, public access checks for resource-based policies, and custom checks for trust relationships to other AWS accounts and identity providers. The results are written to a JSON file together with metadata, including the number of policies analyzed and results collected.

Operationally, running the script from within an AWS region (e.g., on EC2 or in CloudShell) can significantly reduce execution time because of lower network latency. There are limitations, however: the script cannot lint policies written in other policy languages such as Cedar, and it does not support delegated administrator accounts for AWS Organizations. In addition, the minimum IAM permissions required exceed the policy size limit for IAM user inline policies, so the tool should be run with a managed policy or an IAM role instead.

By default the tool analyzes policies in all regions, with options to include or exclude specific policy types and accounts. For example, you can lint the policies of a single account with python aws_lint_iam_policies.py --scope ACCOUNT, or those of an entire organization with python aws_lint_iam_policies.py --scope ORGANIZATION --member-accounts-role OrganizationAccountAccessRole. The output includes statistics such as the number of policies analyzed and results collected, along with detailed error and warning messages.