The AWS Policy Optimizer is a tool that analyzes AWS CloudTrail Access Logs and generates least-privilege IAM policies based on utilization. It aims to help optimize resource access by identifying the specific permissions needed for each resource.
Once you have built the application, use the following command to generate an optimized policy:
aws-policy-optimizer [flags]The AWS Policy Optimizer supports the following flags:
--account-id: (required) limit analysis to events in this AWS account--analysis-period: how far back into the access records to look (default 90)--athena-workgroup: run analysis in this Athena workgroup (default "primary")--database: database name for Athena CloudTrail Table (default "default")--query-results-bucket: (optional) S3 bucket for Athena query results--query-results-prefix: (optional) S3 bucket for Athena query prefix--region: (required) limit analysis to events in this region--table: table name for Athena CloudTrail Table (default "cloudtrail")--user-identity-arn: (required) the whole or partial ARN of the target resource
Here's a couple example commands that generate an optimized policy:
aws-policy-optimizer --user-identity-arn arn:aws:iam::123456789012:user/my-user --account-id 123456789012 --region us-west-2# useful in cases of ECS where task arns change for assumed roles, but takes longer
aws-policy-optimizer --user-identity-arn my-role-name --account-id 123456789012 --region us-east-1
Contributions are welcome! If you find any issues or have suggestions for improvements, please feel free to open an issue or submit a pull request in the GitHub repository.
This project is licensed under the Mozilla Public License. For more information, please refer to the LICENSE file.