AWS IAM Policy Analyzer

Paste an IAM policy JSON to surface wildcard risk, action expansion counts, and least-privilege suggestions. Embedded service catalog, no AWS API calls.

Risk score: 100 (Critical)
Actions granted: 17,003
Findings (9):
  • critical (Statement #0): Action "*" grants all AWS actions (matches every AWS action across every service)
  • critical (Statement #0): Sensitive action "*" — review carefully
  • critical (Statement #0): Resource "*" — applies to every resource (matches every resource in every region/account)
  • critical (Statement #0): Action=* with Resource=* effectively grants AdministratorAccess
  • medium (Statement #0): Wildcard statement has no Condition block. Add conditions like aws:SourceIp, aws:MultiFactorAuthPresent, or aws:RequestedRegion to constrain.
  • high (Statement #2): Sensitive action "iam:PassRole" — review carefully
  • high (Statement #2): Privilege-escalation risk: iam:PassRole. Required to hand a role to services like EC2/Lambda — pair with strict resource scoping.
  • critical (Statement #2): Resource "*" — applies to every resource (matches every resource in every region/account)
  • medium (Statement #2): Wildcard statement has no Condition block. Add conditions like aws:SourceIp, aws:MultiFactorAuthPresent, or aws:RequestedRegion to constrain.
Least-privilege suggestions
  • Replace "*" with the specific action(s) the principal needs
  • Scope Resource down to specific ARNs instead of "*"
  • Add a Condition block (e.g. aws:RequestedRegion, MFA, IP) to wildcard statements
Embedded catalog: 42 AWS services with approximate action counts. Wildcard expansion is an estimate, not a substitute for IAM Access Analyzer.

What This Tool Does

AWS IAM Policy Analyzer is built for deterministic developer and agent workflows.

Paste an IAM policy JSON to surface wildcard warnings, action expansion counts, resource ARN risk scoring, and least-privilege suggestions. Embedded AWS service catalog, runs in your browser.

Use How to Use for execution steps and FAQ for constraints, policies, and edge cases.

This tool is provided as-is for convenience. Output should be verified before use in any production or critical context.

Agent Invocation

Best Path For Builders: browser workflow

The tool is optimized for instant in-browser execution with private local data handling. Run it here and copy/export the output directly.

/aws-iam-policy-analyzer/

For automation planning, fetch the canonical contract at /api/tool/aws-iam-policy-analyzer.json.

How to Use AWS IAM Policy Analyzer

  1. Paste a policy JSON

     Drop an IAM policy document into the input pane. It can be an inline policy, a managed policy, or a resource policy with a Principal block. The parser is strict JSON: a trailing comma is a parse error, just as it is for any JSON consumer.

  2. Read the risk score

     The risk score combines wildcard breadth, sensitive actions, principal openness, and missing Condition blocks. Critical scores typically mean Action plus Resource wildcards or admin-equivalent permissions.

  3. Inspect findings by severity

     Critical findings are urgent: Action "*" combined with Resource "*", or a public Principal. High and medium findings highlight privilege-escalation paths and unscoped wildcards inside specific services.

  4. Apply suggestions

     The least-privilege panel lists concrete swaps: replace s3:* with the specific Get/Put actions actually used, scope Resource to a bucket ARN, add a Condition block requiring MFA or a source IP range.

  5. Iterate to a tight policy

     Edit the JSON in place and watch the score drop as you tighten the policy. Aim to get the risk score below 20 before merging. Pair with AWS Access Analyzer in your account for runtime evidence.

Frequently Asked Questions

What is AWS IAM Policy Analyzer?

It analyzes an IAM policy JSON for wildcard risk, expands action wildcards to estimate how many permissions are granted, and surfaces privilege-escalation paths and missing condition blocks. Embedded AWS catalog, browser-only.

How accurate is the action expansion count?

Counts come from a curated catalog of common AWS services. Service totals are accurate; sub-prefix wildcards (s3:Get*) are estimates. Use AWS Access Analyzer for authoritative coverage in your account.

What does the risk score mean?

It is a 0-100 estimate combining wildcard breadth, sensitive actions, public principals, and missing conditions. 80+ is critical (admin-equivalent), 50-79 high, 20-49 moderate, below 20 generally tight.

Does it send my data to a server?

No. Parsing, scoring, and suggestions run entirely in your browser. Your policy JSON, including account IDs and resource ARNs, never leaves your device.

Does it cover resource policies?

Yes. It detects Principal "*" (anonymous or any-AWS-account access), which is the most common resource-policy mistake. NotAction and NotResource patterns are also flagged because they invert intent.
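The checks that the How to Use steps and the FAQ describe (action and resource wildcards, the admin-equivalent combination, sensitive iam:PassRole, missing Condition blocks, a public Principal, and NotAction/NotResource) can be reproduced in a few dozen lines. The code below is an added illustration written for this page, not the tool's own implementation: the severity weights, the severity assigned to service-level wildcards and to NotAction/NotResource, and the one-entry sensitive-action set are assumptions; the score bands follow the FAQ; the three sample policies are constructed.

```python
import json

# Severity weights are this example's own assumption; the page does not publish
# the tool's formula. The score bands in score_band() come from the page's FAQ.
SEVERITY_WEIGHT = {"critical": 50, "high": 20, "medium": 10}

# Limited to the sensitive action the page names; a real catalog is far larger.
SENSITIVE_ACTIONS = {"iam:PassRole"}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Principal; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}: anonymous or any-AWS-account access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def score_band(score):
    """Map a 0-100 score to the FAQ's bands."""
    if score >= 80:
        return "critical"
    if score >= 50:
        return "high"
    if score >= 20:
        return "moderate"
    return "tight"


def analyze_policy(policy_json):
    """Parse a policy document and return score, band, findings and suggestions."""
    policy = json.loads(policy_json)  # strict JSON: a trailing comma raises ValueError
    findings = []

    def add(severity, message, idx):
        findings.append({"severity": severity, "message": message, "statement": idx})

    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements take permissions away; only Allow grants are scored
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "NotAction" in stmt or "NotResource" in stmt:
            add("high", "NotAction/NotResource inverts intent; list what is allowed instead", idx)
        if _principal_is_public(stmt.get("Principal")):
            add("critical", 'Principal "*" allows anonymous or any-AWS-account access', idx)

        all_actions = "*" in actions
        has_action_wildcard = any("*" in a for a in actions)
        all_resources = "*" in resources
        if all_actions:
            add("critical", 'Action "*" grants all AWS actions', idx)
        for action in actions:
            if action != "*" and action.endswith(":*"):
                add("high", f'Action "{action}" is an unscoped service-level wildcard', idx)
            if action in SENSITIVE_ACTIONS:
                add("high", f'Sensitive action "{action}": privilege-escalation risk', idx)
        if all_resources:
            add("critical", 'Resource "*" applies to every resource', idx)
        if all_actions and all_resources:
            add("critical", "Action=* with Resource=* is AdministratorAccess-equivalent", idx)
        if (has_action_wildcard or all_resources) and "Condition" not in stmt:
            add("medium", "Wildcard statement has no Condition block", idx)

    score = min(100, sum(SEVERITY_WEIGHT[f["severity"]] for f in findings))
    messages = [f["message"] for f in findings]
    suggestions = []
    if any(m.startswith("Action") for m in messages):
        suggestions.append("Replace action wildcards with the specific action(s) the principal needs")
    if any(m.startswith("Resource") for m in messages):
        suggestions.append('Scope Resource down to specific ARNs instead of "*"')
    if any(m.startswith("Wildcard statement") for m in messages):
        suggestions.append("Add a Condition block (aws:RequestedRegion, aws:MultiFactorAuthPresent, aws:SourceIp)")
    return {"score": score, "band": score_band(score), "findings": findings, "suggestions": suggestions}


# Constructed sample policies for demonstration (not taken from the page).
ADMIN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
]})
PUBLIC_BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
]})
TIGHT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
]})

if __name__ == "__main__":
    for name, doc in [("admin", ADMIN_POLICY), ("public", PUBLIC_BUCKET_POLICY), ("tight", TIGHT_POLICY)]:
        report = analyze_policy(doc)
        print(f"{name}: score={report['score']} ({report['band']}), {len(report['findings'])} findings")
        for f in report["findings"]:
            print(f"  [{f['severity']}] statement #{f['statement']}: {f['message']}")
        for s in report["suggestions"]:
            print(f"  -> {s}")
```

Two design points matter for anyone extending this: Deny statements are skipped because they never grant, so scoring them would inflate the number; and resource wildcards are only counted when the whole Resource is "*", so a scoped ARN ending in `/*` (every object in one bucket) does not trigger the "every resource" finding, which mirrors the distinction the tool's own output draws.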