
AWS IAM Policy Autopilot

Automatically scan your code and generate AWS IAM policies based on detected service usage patterns.

Features

  • Code Scanning - Automatically detect AWS service usage in your codebase
  • Policy Generation - Generate IAM policies in JSON, Terraform, and CloudFormation formats
  • Least-Privilege Support - Create minimal permission policies
  • Service Detection - Supports S3, Lambda, DynamoDB, SQS, SNS, CloudWatch, Secrets Manager, SSM, and more
  • Multiple Output Formats - Generate policies as JSON, Terraform, or CloudFormation
  • Policy Validation - Validate generated policies for correctness
  • MCP Integration - Full Model Context Protocol support for Claude and other AI assistants

Installation

# Clone or download the project
cd AWS\ IAM\ Policy\ Autopilot

# Install dependencies
npm install

Quick Start

1. Scan Your Code

npm run scan

This will scan the current directory for AWS service usage patterns.

2. Generate Policies

npm run generate

This generates IAM policies based on the detected services and saves them to ./generated-policies.

3. Use the CLI

# Get help
node src/cli.js help

# Scan a specific directory
node src/cli.js scan /path/to/code

# Generate policies in specific format
node src/cli.js generate --format terraform

# Generate policy for specific service
node src/cli.js generate --service s3 --operation read

# Analyze code for recommendations
node src/cli.js analyze /path/to/code

Supported AWS Services

The tool currently detects usage of:

  • S3 - GetObject, PutObject, DeleteObject, ListBucket
  • Lambda - InvokeFunction, CreateFunction, UpdateFunctionCode
  • DynamoDB - GetItem, PutItem, UpdateItem, DeleteItem, Query, Scan
  • SQS - SendMessage, ReceiveMessage, DeleteMessage
  • SNS - Publish
  • CloudWatch - PutMetricData, CreateLogGroup, CreateLogStream
  • Secrets Manager - GetSecretValue
  • Systems Manager - GetParameter, PutParameter

API Usage

Use as a Node.js Module

const CodeScanner = require('./src/code-scanner');
const PolicyGenerator = require('./src/policy-generator');

// Scan code
const scanner = new CodeScanner('./src');
scanner.scanDirectory().analyzeFiles();

// Get detected services
const services = scanner.getDetectedServices();

// Generate policies
const generator = new PolicyGenerator();
const policies = generator.generatePolicies(services);

// Output as JSON
policies.forEach(policy => {
  console.log(JSON.stringify(policy.policy, null, 2));
});

Using the MCP Server

const { MCPServer } = require('./src/mcp-server');

async function main() {
  const server = new MCPServer();
  const tools = server.getTools();

  // Process tool calls; processTool returns a promise, so it is awaited
  // inside an async function (top-level await is not available in CommonJS)
  const result = await server.processTool('scan-code', {
    path: '/path/to/code'
  });
  console.log(tools, result);
}

main();

CLI Examples

Generate S3 Read-Only Policy

node src/cli.js generate --service s3 --operation read --format json

Output: generated-policies/s3-policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3ReadOnly",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": "*"
    }
  ]
}

Generate Terraform Configuration

node src/cli.js generate --format terraform --output ./terraform

Scan and Analyze

node src/cli.js scan ./src
node src/cli.js analyze ./src

Output Formats

JSON Format

Standard AWS IAM policy document format:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["service:Action"],
      "Resource": "*"
    }
  ]
}

Terraform Format

resource "aws_iam_policy" "s3_policy" {
  name = "S3-policy"
  policy = "{...policy json...}"
}

CloudFormation Format

Resources:
  S3Policy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyName: S3-policy
      PolicyDocument:
        Version: 2012-10-17
        Statement: [...]

Policy Types

Standard Policies

Generated from the detected service usage, granting every action the scanner found for each service.

Least-Privilege Policies

Minimal permissions for specific operations:

const policy = generator.generateLeastPrivilegePolicy(
  'lambda',
  'read'  // read, write, delete, admin
);

Conditional Policies

Policies with conditions (IP-based, time-based, etc.):

const policy = generator.generateConditionalPolicy(
  's3',
  ['s3:GetObject'],
  {
    'IpAddress': {
      'aws:SourceIp': ['192.168.1.0/24']
    }
  }
);

Cross-Account Policies

For multi-account setups:

const policy = generator.generateCrossAccountPolicy(
  ['s3:GetObject'],
  '123456789012'  // external account ID
);

Best Practices

  1. Always review generated policies - AI-generated policies need human review
  2. Use least-privilege - Only grant necessary permissions
  3. Specify resource ARNs - Avoid using wildcards when possible
  4. Use roles not users - Prefer IAM roles over user policies
  5. Enable MFA - Require MFA for sensitive operations
  6. Audit regularly - Use CloudTrail to monitor policy usage
  7. Test thoroughly - Test policies in non-production first
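Practices 1 to 3 can be turned into an automatic first pass before a human reads the policy. The following is an added example written for this README, not the project's validate-policy tool: it flags wildcard resources and actions, Allow-with-NotAction and principals granted without any condition, and runs over the s3-policy.json shown earlier and over a version scoped to a constructed bucket ARN.

```javascript
// Added example, not the project's validate-policy tool: report the things a
// reviewer checks first in a generated policy before it is attached anywhere.
function asList(v) {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

function reviewPolicy(policy) {
  const findings = [];
  if (policy.Version !== '2012-10-17') {
    findings.push('Version should be 2012-10-17');
  }
  asList(policy.Statement).forEach((stmt, i) => {
    const where = stmt.Sid ? `Sid ${stmt.Sid}` : `Statement[${i}]`;
    if (stmt.Effect !== 'Allow') return; // Deny statements only narrow access
    if (stmt.NotAction !== undefined) {
      findings.push(`${where}: Allow with NotAction grants every action not listed`);
    }
    for (const action of asList(stmt.Action)) {
      if (action === '*' || action.endsWith(':*')) {
        findings.push(`${where}: wildcard action ${action}`);
      }
    }
    for (const resource of asList(stmt.Resource)) {
      if (resource === '*') {
        findings.push(`${where}: Resource "*" applies to every ARN; list the ARNs the code uses`);
      }
    }
    if (stmt.Principal !== undefined && stmt.Condition === undefined) {
      findings.push(`${where}: Principal granted access with no Condition`);
    }
  });
  return findings;
}

// The s3-policy.json shown above, then the same statement scoped to one
// bucket (constructed name), which the review passes clean.
const GENERATED = {
  Version: '2012-10-17',
  Statement: [{ Sid: 'S3ReadOnly', Effect: 'Allow',
    Action: ['s3:GetObject', 's3:GetObjectVersion'], Resource: '*' }],
};
const SCOPED = {
  Version: '2012-10-17',
  Statement: [{ Sid: 'S3ReadOnly', Effect: 'Allow',
    Action: ['s3:GetObject', 's3:GetObjectVersion'],
    Resource: 'arn:aws:s3:::example-bucket/*' }],
};
console.log(reviewPolicy(GENERATED)); // one finding: Resource "*"
console.log(reviewPolicy(SCOPED));    // []
```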

Architecture

src/
├── code-scanner.js          # Code analysis engine
├── policy-generator.js      # IAM policy generation
├── mcp-server.js            # MCP Protocol implementation
├── cli.js                   # Command-line interface
└── index.js                 # Main entry point

MCP Integration

This tool integrates with Claude and other AI assistants via Model Context Protocol:

{
  "servers": {
    "iam-policy-autopilot": {
      "command": "iam-policy-autopilot",
      "args": ["mcp-server"]
    }
  }
}

Available MCP Tools:

  • scan-code - Scan directory for AWS service patterns
  • generate-policies - Generate IAM policies
  • create-role-policy - Create IAM role assume policies
  • create-least-privilege-policy - Generate minimal permission policies
  • validate-policy - Validate policy documents

Contributing

Contributions are welcome! Please:

  1. Fork the repository
  2. Create a feature branch
  3. Add tests for new functionality
  4. Submit a pull request

License

MIT License - See LICENSE file for details

Support

For issues and questions:

  • Open an issue on GitHub
  • Check the documentation
  • Review examples in the README

Disclaimer

Always review and test generated IAM policies thoroughly before deploying to production. This tool is designed to assist with policy creation, not replace human security review.