iam-policy-autopilot  by awslabs

Automated AWS IAM policy generation and analysis

Created 2 months ago
252 stars

Top 99.6% on SourcePulse

Project Summary

IAM Policy Autopilot is an open-source tool designed to streamline the creation of baseline AWS IAM policies by analyzing application code. It targets developers and technical users on AWS who leverage AI coding assistants, offering a faster, more reliable method for generating necessary permissions and reducing policy-related troubleshooting time. The tool supports applications written in Python, Go, and TypeScript.

How It Works

This project employs static code analysis to parse application source files, identifying AWS SDK calls. Based on this analysis, it deterministically generates identity-based IAM policies. It functions as both a command-line utility and a Model Context Protocol (MCP) server, allowing AI coding assistants to integrate seamlessly. This approach ensures policies are up-to-date with AWS services and reduces the manual effort and potential errors associated with policy creation.
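As an added illustration of the static-analysis approach described above (example code written for this page, not the project's own implementation): a minimal Python analyzer that uses the `ast` module to find `boto3.client(...)` calls and the methods invoked on them, then emits an identity-based policy. The method-to-action table is a constructed subset, unmapped calls are reported rather than guessed, and the `Resource` element is left as a placeholder because ARNs chosen at runtime cannot be inferred from source.

```python
import ast

# Constructed mapping of boto3 client methods to IAM actions (illustrative
# subset; the real tool derives its action tables from AWS service data).
METHOD_TO_ACTION = {
    ("s3", "get_object"): "s3:GetObject",
    ("dynamodb", "get_item"): "dynamodb:GetItem",
}

def find_sdk_calls(source):
    """Map service name -> set of boto3 client methods called in source."""
    tree = ast.parse(source)
    clients = {}  # variable name -> service string passed to boto3.client()
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Assign) and isinstance(node.value, ast.Call)):
            continue
        fn, args = node.value.func, node.value.args
        if (isinstance(fn, ast.Attribute) and fn.attr == "client"
                and args and isinstance(args[0], ast.Constant)):
            for tgt in node.targets:
                if isinstance(tgt, ast.Name):
                    clients[tgt.id] = args[0].value
    calls = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            obj = node.func.value
            if isinstance(obj, ast.Name) and obj.id in clients:
                calls.setdefault(clients[obj.id], set()).add(node.func.attr)
    return calls

def generate_policy(source):
    """Return (identity-based policy, unmapped calls). Unknown methods are
    reported rather than guessed, so nothing is silently over-granted."""
    actions, unmapped = set(), set()
    for service, methods in find_sdk_calls(source).items():
        for m in sorted(methods):
            action = METHOD_TO_ACTION.get((service, m))
            (actions if action else unmapped).add(action or f"{service}.{m}")
    # Resource ARNs chosen at runtime cannot be inferred statically; "*" is
    # emitted as a placeholder the reviewer must scope down before deployment.
    statement = {"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}
    return {"Version": "2012-10-17", "Statement": [statement]}, sorted(unmapped)

# Constructed sample application code (not from the project).
SAMPLE = '''
s3 = boto3.client("s3")
db = boto3.client("dynamodb")
def handler(event):
    s3.get_object(Bucket=event["bucket"], Key=event["key"])
    db.get_item(TableName="t", Key={"pk": {"S": "1"}})
    db.batch_write_item(RequestItems={})
'''
```

Running `generate_policy(SAMPLE)` yields `Action: ["dynamodb:GetItem", "s3:GetObject"]` and reports `dynamodb.batch_write_item` as unmapped; the bucket name taken from `event` is exactly the runtime-determined resource the page's caveat refers to.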

Quick Start & Requirements

Installation can be done via uv (uvx iam-policy-autopilot), pip (pip install iam-policy-autopilot), or a direct script for macOS/Linux (curl -sSL https://github.com/awslabs/iam-policy-autopilot/raw/refs/heads/main/install.sh | sudo sh). AWS CLI and configured AWS credentials are required. Building from source requires Rust (latest stable), Git, and CMake (Windows only). MCP server integration requires configuration within AI coding assistants like Kiro or Claude Desktop, with example JSON setups provided. A Kiro Power can be installed via GitHub URL (https://github.com/awslabs/iam-policy-autopilot/tree/main/power-iam-policy-autopilot) or by importing a local folder.

Highlighted Details

  • Core CLI commands include generate-policies (creates IAM policies from source code), fix-access-denied (analyzes and potentially applies fixes for AccessDenied errors), and mcp-server (starts an MCP server for AI assistant integration).
  • generate-policies supports options such as --region, --account, --service-hints (to limit analysis to specific services), and --upload-policies.
  • MCP server integration enables AI coding assistants to leverage static code analysis for policy generation.
  • The optional Kiro Power enhances the MCP experience with better LLM guidance and onboarding validation.

Licensing & Compatibility

This project is licensed under the Apache-2.0 License, which permits commercial use and integration into closed-source projects.

Limitations & Caveats

The tool is limited to generating identity-based IAM policies; it does not support resource-based policies (e.g., S3 bucket, KMS key policies), RCPs, SCPs, or permission boundaries. It cannot predict permissions for resources whose ARNs or names are determined at runtime. Policies generated by the tool may be further modified by AI coding assistants based on their broader context.

Health Check

  • Last Commit: 1 day ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 9
  • Issues (30d): 8
  • Star History: 45 stars in the last 30 days
