IAM Policy Analyzer

Analyze AWS IAM policies for security issues, overly permissive actions, and privilege escalation risks

Enter an AWS IAM policy document (JSON format) to analyze for security issues

What is the IAM Policy Analyzer?

The IAM Policy Analyzer is a client-side security tool that inspects AWS IAM policy JSON documents for common security vulnerabilities and misconfigurations. It detects overly permissive actions, wildcard resources, administrative permissions, privilege escalation risks, and missing conditions — helping you enforce the principle of least privilege.

How to Use

  1. Paste your IAM policy JSON into the input field
  2. Click "Analyze" or wait for automatic processing
  3. Review findings with severity ratings (Critical, High, Medium, Low)
  4. Follow the recommendations to harden your policy
  5. Copy or export the results for your security review

Example: Overly Permissive Policy

This policy grants unrestricted access and would score poorly:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

What Security Issues Are Detected?

  • Wildcard Actions (*) — Grants access to all AWS API actions
  • Wildcard Resources (*) — Allows operations on all resources
  • Administrative Permissions — Full IAM or STS access
  • Sensitive Service Access — Unrestricted S3, KMS, DynamoDB, Lambda, etc.
  • Missing Conditions — Allow statements without IP, MFA, or time constraints
  • NotAction/NotResource — Potentially dangerous exclusion patterns
  • Privilege Escalation — iam:PassRole or sts:AssumeRole with broad scope

Security Scoring

Each policy receives a score from 0 to 100 based on detected findings. Severity weights are: Critical (25 points), High (15 points), Medium (8 points), Low (3 points). The score maps to a letter grade: A (90+), B (75+), C (60+), D (40+), F (below 40).

Best Practices for IAM Policies

  • Follow the principle of least privilege — grant only the permissions needed
  • Use specific actions instead of wildcards (e.g., s3:GetObject not s3:*)
  • Restrict resources to specific ARN patterns
  • Add conditions (source IP, MFA, time-based) to sensitive statements
  • Avoid NotAction and NotResource unless absolutely necessary
  • Regularly audit and remove unused permissions

Privacy and Security

All analysis happens entirely in your browser using JavaScript. Your IAM policies — which may contain internal account IDs, resource ARNs, and infrastructure details — are never transmitted to any server. No data is stored, logged, or shared.

Frequently Asked Questions

What does the IAM Policy Analyzer check?

The analyzer inspects AWS IAM policy JSON documents for security issues including overly permissive actions (wildcard *), wildcard resources, administrative permissions (iam:*, sts:AssumeRole with broad access), sensitive service full access (s3:*, kms:*, etc.), missing conditions on Allow statements, and privilege escalation risks (iam:PassRole, sts:AssumeRole).

How is the security score calculated?

The score starts at 100 and deducts points based on finding severity: Critical issues deduct 25 points, High issues deduct 15, Medium deduct 8, and Low deduct 3. The final score is clamped between 0 and 100, and mapped to a letter grade (A: 90+, B: 75+, C: 60+, D: 40+, F: below 40).

Is my IAM policy sent to a server for analysis?

No. All analysis happens entirely in your browser using JavaScript. Your IAM policy JSON never leaves your device and is not stored, logged, or transmitted to any server. This is critical for security since IAM policies often reference internal resource ARNs and account IDs.

What format does the input need to be?

The input must be a valid JSON document representing an IAM policy. It should contain the top-level Version and Statement fields, with each statement carrying Effect, Action, and Resource. Both inline policies and managed policy documents are supported, and the tool accepts both single-statement and multi-statement policies.

Why is 'Resource: *' flagged as a high severity issue?

A wildcard resource means the actions in that statement can be performed on ALL resources in your AWS account (and potentially across accounts). This violates the principle of least privilege. Instead, specify exact ARN patterns for the resources the role should access.

What is the maximum input size?

The tool warns when input exceeds 500KB and rejects input larger than 5MB. Most IAM policies are well under 10KB. If you're analyzing a policy larger than 500KB, the tool will still work but may be slower.

Does it check for valid ARN formats?

The analyzer focuses on security patterns rather than ARN syntax validation. It checks if resources are overly broad (wildcard) rather than verifying that specific ARNs are well-formed. For ARN validation, use the AWS Policy Simulator or IAM Access Analyzer in your AWS console.

What is the difference between NotAction and Action?

Action specifies what is allowed or denied. NotAction means 'all actions EXCEPT the listed ones' — which can inadvertently grant access to new services added to AWS. The analyzer flags NotAction usage because it requires careful maintenance as AWS adds new services and actions.

Why is iam:PassRole flagged as a risk?

iam:PassRole allows a user to assign an IAM role to an AWS service (like EC2 or Lambda). If the passed role has more permissions than the user, this creates a privilege escalation path. The recommendation is to add a Condition restricting which services the role can be passed to.
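The following is an added example, not the analyzer's own source code. It implements the detection list and the 0-100 scoring described under "Security Scoring" and exercises the PassRole recommendation from this FAQ against constructed policies: the page's wildcard policy, and a PassRole statement before and after a Condition on the iam:PassedToService key pins the target service. The High severity for Resource "*" comes from the page; the other severity assignments and the exact PassRole check are this example's assumptions.

```javascript
// Added example, not the analyzer's own source: the checks and scoring this page
// describes. The High severity for Resource "*" comes from the page; the other
// severities, and the iam:PassedToService check, are this example's assumptions.
const WEIGHTS = { Critical: 25, High: 15, Medium: 8, Low: 3 };
const toList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

function analyzePolicy(policy) {
  const findings = [];
  const add = (severity, issue) => findings.push({ severity, issue });
  for (const st of toList(policy.Statement)) {
    if (st.Effect !== "Allow") continue; // Deny statements never widen access
    const actions = toList(st.Action);
    const resources = toList(st.Resource);
    const condition = JSON.stringify(st.Condition || {});
    if (actions.includes("*")) add("Critical", "Wildcard action");
    if (resources.includes("*")) add("High", "Wildcard resource");
    // "*" already covers iam:* and sts:*, so it counts as administrative too
    if (actions.some((a) => a === "*" || /^(iam|sts):\*$/.test(a))) add("Critical", "Administrative permissions");
    if (actions.some((a) => /^(s3|kms|dynamodb|lambda):\*$/.test(a))) add("High", "Sensitive service full access");
    if (st.NotAction !== undefined || st.NotResource !== undefined) add("Medium", "NotAction/NotResource exclusion");
    // iam:PassRole is an escalation path unless the statement pins the receiving service
    if (actions.includes("iam:PassRole") && !condition.includes("iam:PassedToService")) add("High", "iam:PassRole without iam:PassedToService condition");
    if (condition === "{}") add("Low", "Allow statement without Condition");
  }
  // Start at 100, deduct per finding, clamp, then map to the page's letter grades
  const raw = 100 - findings.reduce((sum, f) => sum + WEIGHTS[f.severity], 0);
  const score = Math.max(0, Math.min(100, raw));
  const grade = score >= 90 ? "A" : score >= 75 ? "B" : score >= 60 ? "C" : score >= 40 ? "D" : "F";
  return { findings, score, grade };
}

// Constructed inputs: the page's wildcard policy, then a PassRole statement
// before and after adding the condition this FAQ recommends (placeholder account id).
const adminPolicy = { Version: "2012-10-17", Statement: [{ Effect: "Allow", Action: "*", Resource: "*" }] };
const passRoleOpen = { Version: "2012-10-17", Statement: [{
  Effect: "Allow", Action: "iam:PassRole",
  Resource: "arn:aws:iam::111122223333:role/app-role" }] };
const passRolePinned = { Version: "2012-10-17", Statement: [{
  Effect: "Allow", Action: "iam:PassRole",
  Resource: "arn:aws:iam::111122223333:role/app-role",
  Condition: { StringEquals: { "iam:PassedToService": "ec2.amazonaws.com" } } }] };

for (const p of [adminPolicy, passRoleOpen, passRolePinned]) {
  const r = analyzePolicy(p);
  console.log(`score ${r.score} grade ${r.grade}:`, r.findings.map((f) => `${f.severity}: ${f.issue}`));
}
```

The wildcard policy scores 32 (F), the unconditioned PassRole statement 82 (B), and the pinned one 100 (A), which is why the page steers you toward a Condition rather than a broad Allow.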