secure-iam-lint is a lightweight CLI scanner for AWS IAM policies. It flags common misconfigurations such as wildcard permissions, missing conditions, and escalation risks. Ideal for CI pipelines and local dev workflows, it helps catch risky IAM patterns early.
- Flags use of `Action: "*"` and `Resource: "*"`
- Warns on `Allow` statements missing `Condition` blocks
- Detects `iam:PassRole` with wildcard resources
- Identifies `NotAction` and `NotResource` usage
- CLI output designed for readability
- Modular, testable Python structure
Clone and install in editable mode (recommended for development):

```
git clone https://github.com/rivassec/secure-iam-lint.git
cd secure-iam-lint
python -m venv .venv
source .venv/bin/activate
pip install -e .
```

PyPI installation is planned for a future release.
```
iam-lint examples/bad-policy-extended.json
```

Findings:
- HIGH Statement 0: Action includes '*' (overly permissive)
- HIGH Statement 0: Resource includes '*' (overly permissive)
- MEDIUM Statement 1: Allow without any Condition block
- CRITICAL Statement 2: iam:PassRole with wildcard resource
- MEDIUM Statement 3: uses NotAction (may be overly permissive)
- MEDIUM Statement 3: uses NotResource (may be overly permissive)
Use `--verbose` for additional output.
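To make the rule set above concrete, here is a small stand-alone checker that reproduces the same six findings over a constructed policy document. It is an added illustration, not code from the `iamlint` package; the sample policy, the `lint_policy` function and the severity labels are the author's own approximation of the rules the README lists.

```python
import json

# Constructed sample policy: one statement per rule described in the README.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
        {"Effect": "Allow", "NotAction": "iam:*", "NotResource": "arn:aws:s3:::logs/*"},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json):
    """Return (severity, statement index, message) tuples for one policy document."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement"))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag here
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append(("HIGH", i, "Action includes '*' (overly permissive)"))
        if "*" in resources:
            findings.append(("HIGH", i, "Resource includes '*' (overly permissive)"))
        if "Condition" not in stmt:
            findings.append(("MEDIUM", i, "Allow without any Condition block"))
        # PassRole to any role lets a principal hand out permissions it may not hold itself
        if any(a.lower() == "iam:passrole" for a in actions) and "*" in resources:
            findings.append(("CRITICAL", i, "iam:PassRole with wildcard resource"))
        if "NotAction" in stmt:
            findings.append(("MEDIUM", i, "uses NotAction (may be overly permissive)"))
        if "NotResource" in stmt:
            findings.append(("MEDIUM", i, "uses NotResource (may be overly permissive)"))
    return findings


if __name__ == "__main__":
    for sev, idx, msg in lint_policy(SAMPLE_POLICY):
        print(f"- {sev} Statement {idx}: {msg}")
```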
Install pytest and run:

```
pip install pytest
pytest tests/
```

Project layout:

```
secure-iam-lint/
├── iamlint/        # CLI and rule logic
├── examples/       # Sample IAM policies
├── tests/          # Pytest-based suite
├── iam_lint.py     # CLI entry point
├── setup.py        # Install/config metadata
└── README.md
```
Planned features:
- JSON and SARIF output formats
- Severity-based fail thresholds (`--fail-on HIGH`)
- Docker container for CI use
- Configurable rule sets
IAM policy reviews are tedious and error-prone. This tool helps engineers detect obvious risks early — especially in IaC-driven or regulated environments.
Issues and pull requests are welcome. If you have a new rule idea or see a false positive, feel free to open a discussion.
MIT License. See the LICENSE file for details.