{"id":"awslabs-iam-policy-autopilot","name":"iam-policy-autopilot","af_score":50.8,"security_score":59.5,"reliability_score":28.8,"what_it_does":"IAM Policy Autopilot is an open-source tool (CLI + MCP server) that performs deterministic static analysis of application code to generate baseline AWS IAM identity-based policies (and optionally help fix AccessDenied errors). It targets building/iterating IAM permissions for application roles using local code inspection.","best_when":"You have a relatively deterministic set of AWS SDK calls in the code and you want a fast starting point for IAM identity-based policies that you will review and refine.","avoid_when":"Your required permissions depend heavily on dynamic/runtime resource resolution that cannot be inferred from static analysis, or you need non-identity-based policy types (bucket/KMS policies, SCPs, etc.).","last_evaluated":"2026-03-30T13:33:35.775121+00:00","has_mcp":true,"has_api":false,"auth_methods":["AWS credentials for AWS CLI/API usage (via AWS CLI configuration and AWS_PROFILE/AWS_REGION in MCP server examples)."],"has_free_tier":false,"known_gotchas":["Static analysis may over-include permissions when multiple AWS services share similarly named SDK methods; use --service-hints where possible.","The tool does not handle resource-based policies (e.g., S3 bucket policy, KMS key policy) or SCP/RCP/permission boundaries.","Runtime-dependent resource ARNs (e.g., bucket names) may not be inferred, so generated policies may require post-review modifications.","When using the MCP integration, the coding assistant may further modify the policy beyond the static analysis output—review is required before deployment.","fix-access-denied can optionally apply changes (use caution); understand what will be uploaded/applied before granting assistant automation permissions."],"error_quality":0.0}