[PR #93] [CLOSED] feat: read only mode as a security guardrail (#92) #225

New issue

Closed

opened 2026-03-15 11:54:29 +03:00 by kerem · 0 comments

kerem commented

2026-03-15 11:54:29 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/awslabs/iam-policy-autopilot/pull/93
Author: @karanjitsingh
Created: 12/19/2025
Status: ❌ Closed

Base: main ← Head: main

📄 Description

Issue #, if available: #92

Description of changes:
Introduces --read-only flag as a security guardrail. currently fix_access_denied is the only tool that mutates policies in customer's account, we should simply disable this tool if read-only flag is set, since generate_policy_for_access_denied already exists, no need for custom logic within fix_access_denied

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/awslabs/iam-policy-autopilot/pull/93 **Author:** [@karanjitsingh](https://github.com/karanjitsingh) **Created:** 12/19/2025 **Status:** ❌ Closed **Base:** `main` ← **Head:** `main` --- ### 📄 Description *Issue #, if available:* #92 *Description of changes:* Introduces `--read-only` flag as a security guardrail. currently `fix_access_denied` is the only tool that mutates policies in customer's account, we should simply disable this tool if read-only flag is set, since `generate_policy_for_access_denied` already exists, no need for custom logic within `fix_access_denied` By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>