[GH-ISSUE #153] Improve policy output: merge statements with equivalent resources and sort statements by service name #131

Open
opened 2026-03-07 19:42:29 +03:00 by kerem · 0 comments
Owner

Originally created by @mschlaipfer on GitHub (Feb 18, 2026).
Original GitHub issue: https://github.com/awslabs/iam-policy-autopilot/issues/153

Take the following policy

```json
{
  "Policies": [
    {
      "Policy": {
        "Id": "IamPolicyAutopilot",
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "kms:Decrypt",
              "kms:GenerateDataKey"
            ],
            "Resource": [
              "arn:aws:kms:*:*:key/*"
            ],
            "Condition": {
              "StringLike": {
                "kms:ViaService": [
                  "s3.*.amazonaws.com"
                ]
              }
            }
          },
          {
            "Effect": "Allow",
            "Action": [
              "s3:GetObject",
              "s3:GetObjectAcl",
              "s3:GetObjectLegalHold",
              "s3:GetObjectRetention",
              "s3:GetObjectTagging",
              "s3:GetObjectVersion",
              "s3:PutObject",
              "s3:PutObjectAcl",
              "s3:PutObjectLegalHold",
              "s3:PutObjectRetention",
              "s3:PutObjectTagging"
            ],
            "Resource": [
              "arn:aws:s3:*:*:accesspoint/*/object/*",
              "arn:aws:s3:::*/*"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "s3-object-lambda:GetObject",
              "s3-object-lambda:PutObject"
            ],
            "Resource": [
              "arn:aws:s3:*:*:accesspoint/*/object/*",
              "arn:aws:s3:::*/*"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "dynamodb:PutItem",
              "dynamodb:Query",
              "dynamodb:UpdateItem",
              "dynamodb:WriteDataForReplication"
            ],
            "Resource": [
              "arn:aws:dynamodb:*:*:table/*"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "kms:Decrypt"
            ],
            "Resource": [
              "arn:aws:kms:*:*:key/*"
            ],
            "Condition": {
              "StringLike": {
                "kms:ViaService": [
                  "dynamodb.*.amazonaws.com"
                ]
              }
            }
          },
          {
            "Effect": "Allow",
            "Action": [
              "s3:ListBucket"
            ],
            "Resource": [
              "arn:aws:s3:*:*:accesspoint/*",
              "arn:aws:s3:::*"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "s3-object-lambda:ListBucket"
            ],
            "Resource": [
              "arn:aws:s3:*:*:accesspoint/*",
              "arn:aws:s3:::*"
            ]
          }
        ]
      },
      "PolicyType": "Identity"
    }
  ]
}
```

We should output all `kms` and all `s3` statements next to one another, respectively, to make the policies easier to read/review.
Moreover, the `s3-object-lambda` statements could be merged with the `s3` statements since they operate on the same resources, without impact on the permissions granted by the policy.
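As an added example (not code from iam-policy-autopilot), the following Python sketches the normalisation the issue asks for: statements that are identical apart from their Action list are merged, and the statements are then ordered by service name. The sample policy is a constructed, cut-down version of the one above; `normalize_statements`, `_merge_key` and `SAMPLE` are names chosen here.

```python
import json
from collections import OrderedDict

def _as_list(value):  # IAM allows a bare string where a list is expected
    return [value] if isinstance(value, str) else list(value)

def _service(action):  # "s3:GetObject" -> "s3"; a bare "*" sorts last
    return action.split(":", 1)[0] if ":" in action else "~"

def _merge_key(stmt):
    """Everything except Action, canonicalised. Effect, Resource and Condition (plus
    Sid/Principal if present) must match exactly before two statements merge; merging
    across different Conditions, like the issue's two kms:ViaService statements, would widen the grant."""
    rest = {k: v for k, v in stmt.items() if k != "Action"}
    for field in ("Resource", "NotResource"):
        if field in rest:
            rest[field] = sorted(_as_list(rest[field]))
    return json.dumps(rest, sort_keys=True)

def normalize_statements(statements):
    """Merge Action statements that share a merge key, then sort by service name."""
    merged = OrderedDict()
    for stmt in statements:
        if "Action" not in stmt:  # NotAction statements pass through untouched
            merged[json.dumps(stmt, sort_keys=True)] = dict(stmt)
            continue
        key = _merge_key(stmt)
        if key in merged:
            merged[key]["Action"].extend(_as_list(stmt["Action"]))
        else:
            merged[key] = {**stmt, "Action": _as_list(stmt["Action"])}
    out = []
    for stmt in merged.values():
        if "Action" in stmt:  # de-duplicate; s3:* sorts before s3-object-lambda:*
            stmt["Action"] = sorted(set(stmt["Action"]), key=lambda a: (_service(a), a))
        out.append(stmt)
    # the first action's service orders statements; the merge key breaks ties
    out.sort(key=lambda s: (_service((s.get("Action") or ["~"])[0]), _merge_key(s)))
    return out

# Constructed sample: a cut-down version of the policy from the issue.
SAMPLE = [
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": ["arn:aws:kms:*:*:key/*"],
     "Condition": {"StringLike": {"kms:ViaService": ["s3.*.amazonaws.com"]}}},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": ["arn:aws:s3:*:*:accesspoint/*/object/*", "arn:aws:s3:::*/*"]},
    {"Effect": "Allow", "Action": ["dynamodb:PutItem"], "Resource": ["arn:aws:dynamodb:*:*:table/*"]},
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "arn:aws:kms:*:*:key/*",  # bare strings are legal IAM
     "Condition": {"StringLike": {"kms:ViaService": ["dynamodb.*.amazonaws.com"]}}},
    {"Effect": "Allow", "Action": ["s3-object-lambda:GetObject", "s3-object-lambda:PutObject"], "Resource": ["arn:aws:s3:::*/*", "arn:aws:s3:*:*:accesspoint/*/object/*"]},
]
```

Running `normalize_statements(SAMPLE)` yields four statements in the order dynamodb, kms, kms, s3; the s3 and s3-object-lambda statements collapse into one, while the two kms statements stay apart because their Conditions differ.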
