
About
IAM Policy Autopilot is an open source static code analysis tool that helps you quickly create baseline AWS IAM policies that you can refine as your application evolves. It analyzes your application code locally to generate identity-based policies for application roles, enabling faster IAM policy creation and reducing access troubleshooting time.
Features
Fast
Accelerates development by generating baseline identity-based IAM policies. Your AI coding assistant can analyze AWS SDK calls within your application and automatically create the baseline IAM permissions for your application roles.
Reliable
Deterministic code analysis yields the same policy for the same code, so the generated policies are reproducible and syntactically valid. That cuts the time spent debugging permission errors and avoids the permission-related delays that hold up deployment.
Up-to-date
Stays up to date with the latest AWS services and features so that builders and coding assistants have access to the latest AWS IAM permissions knowledge.
Supported Languages and SDKs
- Go: AWS SDK for Go v2
- Java: AWS SDK for Java v2
- JavaScript: AWS SDK for JavaScript v3
- TypeScript: AWS SDK for JavaScript v3
- Python: Boto3, Botocore
Tools
The MCP server exposes two tools:
- generate-policies: Generates complete IAM policy documents from source files
- fix-access-denied: Diagnoses AccessDenied errors and proposes, and optionally applies, the IAM policy changes needed to resolve them
Best Practices
Review and refine policies
IAM Policy Autopilot generates baseline policies as a starting point that you refine as your application matures. Before attaching a generated policy to a role, review it against your security requirements: in particular, check that Resource ARNs are scoped to the resources the application actually uses rather than left as wildcards, and that no statement grants more actions than the code calls.
Use service hints for accurate policies
Use the --service-hints option to specify only the AWS services your application actually uses. This helps IAM Policy Autopilot scope down which SDK calls to analyze and generates more targeted policies.
Understand the scope
IAM Policy Autopilot produces IAM identity-based policies only. It does not generate resource-based policies such as S3 bucket policies or KMS key policies, Resource Control Policies (RCPs), Service Control Policies (SCPs), or permission boundaries. Where access also depends on one of those, for example cross-account access, which needs both the identity-based policy and the resource's own policy to allow it, you still have to write and review that part yourself.
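The following is an added example, not code from IAM Policy Autopilot, showing the kind of review pass a practitioner would run over a generated policy before attaching it to a role, covering both points above: it flags wildcard actions and unscoped resources, and it rejects a document that carries a Principal element (the shape of a resource-based policy, which is out of the tool's scope). The sample policy, its ARNs, and the small list of actions that legitimately require Resource "*" are constructed for the example.

```python
"""Review a generated identity-based IAM policy for overly broad grants.

Added example, not part of IAM Policy Autopilot. The sample policy below is a
constructed stand-in for what a baseline policy for an app using S3, DynamoDB
and KMS might look like; the ARNs are hypothetical.
"""
import json

# Constructed sample: two of the three statements are broader than the code needs.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": "*"},
    ],
}

# Constructed sample of a clean policy: ListAllMyBuckets has no resource-level
# permissions, so Resource "*" is the only valid choice there.
CLEAN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    ],
}

# Small allowlist (assumption for this example) of actions that do not support
# resource-level permissions and therefore must use Resource "*".
REQUIRES_STAR_RESOURCE = {
    "s3:ListAllMyBuckets",
    "sts:GetCallerIdentity",
    "ec2:DescribeInstances",
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def review_policy(policy):
    """Return a list of (statement_index, finding) tuples for a policy.

    `policy` may be a dict or a JSON string. An empty list means no finding.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append((None, "Version should be 2012-10-17 so policy variables work"))

    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        # Identity-based policies never name a Principal; if one is present the
        # document is shaped like a bucket/key/trust policy, not a role policy.
        if "Principal" in stmt or "NotPrincipal" in stmt:
            findings.append((idx, "Principal present: this is a resource-based policy shape"))
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not reviewed here
        if "NotAction" in stmt:
            findings.append((idx, "NotAction allows every action except those listed"))

        actions = _as_list(stmt.get("Action"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((idx, f"wildcard action {action!r}"))

        for resource in _as_list(stmt.get("Resource")):
            if resource == "*" and not all(a in REQUIRES_STAR_RESOURCE for a in actions):
                findings.append((idx, "Resource '*' on actions that support resource-level scoping"))
    return findings


if __name__ == "__main__":
    for idx, finding in review_policy(SAMPLE_POLICY):
        print(f"statement {idx}: {finding}")
```

Running the block prints one line per finding for the sample policy (the DynamoDB statement is flagged twice, for the wildcard action and the unscoped resource; the KMS statement once). Run the same pass on every policy generate-policies or fix-access-denied proposes, and treat each finding as a prompt to replace the wildcard with the ARN of the actual table or key the application touches.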