{
  "id": "awslabs-iam-policy-autopilot",
  "name": "iam-policy-autopilot",
  "homepage": null,
  "repo_url": "https://github.com/awslabs/iam-policy-autopilot",
  "category": "security",
  "subcategories": [],
  "tags": ["aws", "iam", "security", "code-analysis", "mcp", "cli", "policy-generation"],
  "what_it_does": "IAM Policy Autopilot is an open-source tool (CLI + MCP server) that performs deterministic static analysis of application code to generate baseline AWS IAM identity-based policies (and optionally help fix AccessDenied errors). It targets building/iterating IAM permissions for application roles using local code inspection.",
  "use_cases": [
    "Generate baseline AWS IAM policy documents from application source code (Python/Go/TypeScript).",
    "Use an MCP-enabled AI coding assistant to produce/adjust IAM policies as infrastructure templates are generated.",
    "Debug and remediate AccessDenied errors by analyzing denied actions and proposing IAM policy changes.",
    "Scope IAM analysis using service hints to reduce unnecessary permissions."
  ],
  "not_for": [
    "Resource-based policies (e.g., S3 bucket policies, KMS key policies), SCPs/RCPs, or permission boundaries.",
    "Correct identification of runtime-dependent resources (e.g., bucket names/ARNs determined only at runtime).",
    "Fully automated production policy deployment without human security review."
  ],
  "best_when": "You have a relatively deterministic set of AWS SDK calls in the code and you want a fast starting point for IAM identity-based policies that you will review and refine.",
  "avoid_when": "Your required permissions depend heavily on dynamic/runtime resource resolution that cannot be inferred from static analysis, or you need non-identity-based policy types (bucket/KMS policies, SCPs, etc.).",
  "alternatives": [
    "AWS IAM Access Analyzer (use-case specific guidance for policy evaluation).",
    "Manual least-privilege policy authoring (possibly aided by tools like IAM policy generators/internal frameworks).",
    "Other static code analysis/SaaS IAM permission scanners (varies by language and coverage)."
  ],
  "af_score": 50.8,
  "security_score": 59.5,
  "reliability_score": 28.8,
  "package_type": "mcp_server",
  "discovery_source": ["github"],
  "priority": "high",
  "status": "evaluated",
  "version_evaluated": null,
  "last_evaluated": "2026-03-30T13:33:35.775121+00:00",
  "interface": {
    "has_rest_api": false,
    "has_graphql": false,
    "has_grpc": false,
    "has_mcp_server": true,
    "mcp_server_url": null,
    "has_sdk": false,
    "sdk_languages": [],
    "openapi_spec_url": null,
    "webhooks": false
  },
  "auth": {
    "methods": [
      "AWS credentials for AWS CLI/API usage (via AWS CLI configuration and AWS_PROFILE/AWS_REGION in MCP server examples)."
    ],
    "oauth": false,
    "scopes": false,
    "notes": "The MCP server/CLI appears to use AWS credentials to apply/upload/debug policies, but no API-style auth mechanism (API keys/OAuth scopes) is described for the MCP interface itself. Authentication is likely by underlying AWS credential configuration."
  },
  "pricing": {
    "model": null,
    "free_tier_exists": false,
    "free_tier_limits": null,
    "paid_tiers": [],
    "requires_credit_card": false,
    "estimated_workload_costs": null,
    "notes": "Open-source; no hosted pricing details provided in the supplied README/manifest."
  },
  "requirements": {
    "requires_signup": false,
    "requires_credit_card": false,
    "domain_verification": false,
    "data_residency": [],
    "compliance": [],
    "min_contract": null
  },
  "agent_readiness": {
    "af_score": 50.8,
    "security_score": 59.5,
    "reliability_score": 28.8,
    "mcp_server_quality": 75.0,
    "documentation_accuracy": 78.0,
    "error_message_quality": 0.0,
    "error_message_notes": null,
    "auth_complexity": 70.0,
    "rate_limit_clarity": 10.0,
    "tls_enforcement": 60.0,
    "auth_strength": 65.0,
    "scope_granularity": 55.0,
    "dependency_hygiene": 55.0,
    "secret_handling": 60.0,
    "security_notes": "Security posture appears to rely on AWS credential configuration (not described in detail) and careful human review of generated policies. The README emphasizes reviewing/refining and notes limitations (no resource-based policies; runtime resource inference gaps). The MCP server transport supports stdio (default) or HTTP; TLS usage for HTTP is not specified in the provided content.",
    "uptime_documented": 0.0,
    "version_stability": 50.0,
    "breaking_changes_history": 20.0,
    "error_recovery": 45.0,
    "idempotency_support": "false",
    "idempotency_notes": null,
    "pagination_style": "none",
    "retry_guidance_documented": false,
    "known_agent_gotchas": [
      "Static analysis may over-include permissions when multiple AWS services share similarly named SDK methods; use --service-hints where possible.",
      "The tool does not handle resource-based policies (e.g., S3 bucket policy, KMS key policy) or SCP/RCP/permission boundaries.",
      "Runtime-dependent resource ARNs (e.g., bucket names) may not be inferred, so generated policies may require post-review modifications.",
      "When using the MCP integration, the coding assistant may further modify the policy beyond the static analysis output; review is required before deployment.",
      "fix-access-denied can optionally apply changes (use caution); understand what will be uploaded/applied before granting assistant automation permissions."
    ]
  }
}