IAM Policy Autopilot logo

IAM Policy Autopilot

Organization
awslabs

IAM Policy Autopilot is an open source static code analysis tool that helps you quickly create baseline AWS IAM policies that you can refine as your application evolves. This tool is available as a command-line utility and MCP server for use within AI coding assistants for quickly building IAM policies.

Publisherawslabs
Repositoryiam-policy-autopilot
LanguageRust
Forks
38
Stars
357
Available tools
0
Transport typestdio
Categories
Auth SecurityDeveloper Tools
LicenseApache-2.0
Links
GitHub
  • Connect tools to AI workflows

    IAM Policy Autopilot exposes MCP capabilities that can be used by compatible AI clients and agents.

  • 0 available tools

    Browse the callable actions below, including names and descriptions when provided by the server.

  • Ready-to-copy setup

    Use the installation snippets to configure this server in your preferred MCP client.

  • Open source signals

    357 stars and 38 forks from the linked repository.

awslabs/iam-policy-autopilot License GitHub CI Status PyPI - Version

IAM Policy Autopilot

An open source Model Context Protocol (MCP) server and command-line tool that helps your AI coding assistants quickly create baseline IAM policies that you can refine as your application evolves, so you can build faster. IAM Policy Autopilot analyzes your application code locally to generate identity-based policies for application roles, enabling faster IAM policy creation and reducing access troubleshooting time. IAM Policy Autopilot supports policy generation for applications built in Python, Go, TypeScript, JavaScript, and Java — see Supported Languages and SDKs for policy generation.

We want to hear from you. Ask questions or share ideas in Discussions, report bugs through Issues, or contribute directly with a Pull Request.

Table of Contents

Who is IAM Policy Autopilot for?

IAM Policy Autopilot is for builders on AWS using AI coding assistants, including developers, product managers, technical experimenters, and business leaders.

How is IAM Policy Autopilot helpful?

IAM Policy Autopilot is:

Fast

IAM Policy Autopilot accelerates development by generating baseline identity-based IAM policies. Your AI coding assistant can call IAM Policy Autopilot to analyze AWS SDK calls within your application. IAM Policy Autopilot then automatically creates the baseline IAM permissions for your application roles.

Reliable

IAM Policy Autopilot's deterministic code analysis helps create reliable and valid IAM policies that reduce policy troubleshooting. By using valid policies created with the MCP server, you reduce time spent on policy-related debugging and accelerate application deployment by avoiding permission-related delays.

Up-to-date

IAM Policy Autopilot stays up to date with the latest AWS services and features so that builders and coding assistants have access to the latest AWS IAM permissions knowledge. It helps keep your application role's permissions current with AWS's evolving capabilities.

Best Practices and Considerations

Review and refine policies generated by IAM Policy Autopilot

IAM Policy Autopilot generates baseline policies to provide a starting point that you can refine as your application matures. Review the generated policies to ensure they align with your security requirements before deploying them. Use the --explain feature with action patterns (e.g., --explain 's3:*') to understand which operations led to an action being included in the generated policies.

Understand the IAM Policy Autopilot scope

IAM Policy Autopilot produces IAM identity-based policies, but doesn't support resource-based policies such as S3 bucket policies or KMS key policies, Resource Control Policies (RCPs), Service Control Policies (SCPs), and permission boundaries. These are the limitations that you need to keep in mind. For example, if your code calls s3.getObject(bucketName) where bucketName is determined at runtime, IAM Policy Autopilot currently doesn't predict which bucket will be accessed.

Understand the boundary between IAM Policy Autopilot and your coding assistant

IAM Policy Autopilot generates policies with specific actions based on deterministic analysis of your code. When you use the MCP server integration, your AI coding assistant receives this policy and might modify it when creating infrastructure-as-code templates. For example, you might see the assistant add specific resource Amazon Resource Names (ARNs) or include KMS key IDs based on additional context from your code. These changes come from your coding assistant's interpretation of your broader code context, not from the static analysis provided by IAM Policy Autopilot. Always review content generated by your coding assistant before deployment to verify that it meets your security requirements.

Use service hints for accurate policies

IAM Policy Autopilot's static analysis may include permissions for AWS services your application doesn't use. This happens when method names in your code match AWS SDK calls from multiple services. For example, a method called listAccounts() might generate permissions for both AWS Organizations and Amazon Chime services.

Recommended approach: Use the --service-hints option to specify only the AWS services your application actually uses. This helps IAM Policy Autopilot scope down which SDK calls to analyze, but the final policy may still include actions from other services if they're required by the operations you perform:

bash
# More accurate - specify only services you use
iam-policy-autopilot generate-policies ./src/app.py --service-hints s3 iam organizations --pretty

# Less accurate - may include unnecessary permissions
iam-policy-autopilot generate-policies ./src/app.py --pretty

This significantly reduces unnecessary permissions and generates more targeted policies. Note that the final policy may still include actions from services not in your hints if they're required for the operations you perform (e.g., KMS actions for S3 encryption).

Note: When using the MCP server integration with AI coding assistants, the assistant is expected to automatically provide appropriate service hints based on your code context. The --service-hints option is primarily for CLI usage.

Supported Languages and SDKs for policy generation

Getting Started

Installation

Option 1: Using uv (Recommended)

Install uv from Astral.

No additional installation needed - you can run IAM Policy Autopilot directly using uvx iam-policy-autopilot.

Option 2: Using pip

Install pip.

bash
pip install iam-policy-autopilot

Option 3: Direct installation (MacOS/Linux only)

To install the latest release directly, run the following script to download and install as a system utility.

bash
curl -sSL https://github.com/awslabs/iam-policy-autopilot/raw/refs/heads/main/install.sh | sudo sh

This will install the latest release directly to /usr/local/bin/iam-policy-autopilot.

AWS Configuration

IAM Policy Autopilot requires AWS credentials to apply policy fixes and upload policies for AccessDenied debugging.

Install AWS CLI and configure your AWS credentials.

For more information on AWS credential configuration, see the AWS CLI Configuration Guide.

MCP Server Configuration

Configure the MCP server in your MCP client configuration to enable your AI coding assistant to generate IAM policies.

For Kiro

Get Kiro from https://kiro.dev/

If using uv/uvx:

Add the following configuration to your project-level .kiro/settings/mcp.json:

json
{
  "mcpServers": {
    "iam-policy-autopilot": {
      "command": "uvx",
      "args": ["iam-policy-autopilot", "mcp-server"],
      "env": {
        "AWS_PROFILE": "your-profile-name",
        "AWS_REGION": "us-east-1"
      },
      "disabled": false,
      "autoApprove": []
    }
  }
}

If using pip:

json
{
  "mcpServers": {
    "iam-policy-autopilot": {
      "command": "iam-policy-autopilot",
      "args": ["mcp-server"],
      "env": {
        "AWS_PROFILE": "your-profile-name",
        "AWS_REGION": "us-east-1"
      },
      "disabled": false,
      "autoApprove": []
    }
  }
}

For Kiro CLI

Get Kiro CLI from https://kiro.dev/cli

Kiro Cli uses the same configuration as Kiro mentioned above, additionally, MCPs for Kiro CLI can also be setup via:

If using uv/uvx:

kiro-cli mcp add \
  --name iam-policy-autopilot \
  --command "uvx" \
  --args "iam-policy-autopilot","mcp-server"

If using pip:

kiro-cli mcp add \
  --name iam-policy-autopilot \
  --command "iam-policy-autopilot" \
  --args "mcp-server"

For Claude Desktop

Add to your Claude Desktop configuration file:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json

Windows: %APPDATA%\Claude\claude_desktop_config.json

Linux: ~/.config/Claude/claude_desktop_config.json

If using uv/uvx:

json
{
  "mcpServers": {
    "iam-policy-autopilot": {
      "command": "uvx",
      "args": ["iam-policy-autopilot", "mcp-server"],
      "env": {
        "AWS_PROFILE": "your-profile-name",
        "AWS_REGION": "us-east-1"
      }
    }
  }
}

If using pip:

json
{
  "mcpServers": {
    "iam-policy-autopilot": {
      "command": "iam-policy-autopilot",
      "args": ["mcp-server"],
      "env": {
        "AWS_PROFILE": "your-profile-name",
        "AWS_REGION": "us-east-1"
      }
    }
  }
}

Kiro Power Configuration

IAM Policy Autopilot has an associated Kiro power configuration inside the power-iam-policy-autopilot directory. This can be used to install a corresponding Kiro power in your Kiro editor.

Enabling the IAM Policy Autopilot Kiro Power

To enable the IAM Policy Autopilot Kiro Power, first install the uv package manager by following these instructions. Then, do the following steps within Kiro:

  1. Go to the "Powers" menu in the menubar on the left-hand-side.
  2. Click Add Custom Power -> Import power from Github
  3. In the text prompt that then appears, enter https://github.com/awslabs/iam-policy-autopilot/tree/main/power-iam-policy-autopilot.
  4. Kiro should automatically install a new Kiro power called IAM Policy Autopilot within your Kiro code editor. This power should be visible in the Powers menu.

If the above steps for installing the power from a GitHub repository URL does not work, you can also clone the repository and import the power directly, by doing the following:

  1. Clone the git repository https://github.com/awslabs/iam-policy-autopilot, and remember the directory to where you cloned the repo.
  2. Go to the "Powers" menu in the menubar on the left-hand-side.
  3. Click Add Custom Power -> Import power from a folder
  4. In the text prompt that then appears, select the power-iam-policy-autopilot folder in your cloned repository. For instance, if the repository is cloned to ~/workplace/iam-policy-autopilot, you should select or enter ~/workplace/iam-policy-autopilot/power-iam-policy-autopilot.
  5. Kiro should automatically install a new Kiro power called IAM Policy Autopilot within your Kiro code editor. This power should be visible in the Powers menu.

Why use IAM Policy Autopilot's Kiro Power?

Kiro powers generally offer a more refined experience than traditional MCP servers because they enable MCP tools to be loaded more selectively & deliberately, reducing LLM token usage and avoiding LLM context overcrowding.

IAM Policy Autopilot's Kiro power specifically enhances the traditional MCP experience, for multiple reasons:

  1. This Kiro Power provides your LLM agent with more steering guidance, offering it more information on the specific use cases and best practices of our MCP tooling.
  2. This Kiro power prompts your LLM agent to give a tutorial of the MCP tools offered by IAM Policy Autopilot, allowing you to better understand how our MCP tooling assists your use case.
  3. This Kiro Power provides your LLM agent with step-by-step onboarding validation, allowing it to detect any problems with installations and provide remediation steps for those problems.

CLI Usage

The iam-policy-autopilot CLI tool provides three main commands:

Generate IAM policies from source code and fix AccessDenied errors

Usage: iam-policy-autopilot <COMMAND>

Commands:
  fix-access-denied  Fix AccessDenied errors by analyzing and optionally applying IAM policy changes
  generate-policies    Generates complete IAM policy documents from source files
  mcp-server         Start MCP server
  help               Print this message or the help of the given subcommand(s)

Options:
  -h, --help     Print help (see more with '--help')
  -V, --version  Print version

Commands

generate-policies - Generates complete IAM policy documents from source files

bash
iam-policy-autopilot generate-policies <source_files> [OPTIONS]

Example:

bash
iam-policy-autopilot generate-policies \
  ./src/app.py \
  --region us-east-1 \
  --account 123456789012 \
  --pretty

Options:

  • --region <REGION> - AWS region for resource ARNs
  • --account <ACCOUNT> - AWS account ID for resource ARNs
  • --service-hints <SERVICES> - Limit analysis to only the services your application actually uses if you know them. This helps reduce unnecessary permissions.
  • --upload-policies <PREFIX> - Upload generated policies to AWS IAM with the specified prefix
  • --pretty - Pretty-print JSON output

fix-access-denied - Fix AccessDenied errors by analyzing and optionally applying IAM policy changes

bash
iam-policy-autopilot fix-access-denied <access-denied-error-message> [OPTIONS]

Example:

bash
iam-policy-autopilot fix-access-denied \
  "User: arn:aws:iam::123456789012:user/test is not authorized to perform: s3:GetObject on resource: arn:aws:s3:::my-bucket/file.txt"

Options:

  • --yes - Auto-apply policy changes without confirmation

mcp-server - Start MCP server locally

bash
iam-policy-autopilot mcp-server [OPTIONS]

Options:

  • --transport <TRANSPORT> - Transport type: stdio (default) or http

Example with HTTP transport:

bash
# Start server at http://127.0.0.1:8001/mcp
iam-policy-autopilot mcp-server --transport http

Build Instructions

Prerequisites

  • Rust (latest stable version)
  • Git
  • Python 3
  • CMake (Windows only)

Setup

Clone the repository with submodules:

bash
git clone --recurse-submodules https://github.com/awslabs/iam-policy-autopilot.git
cd iam-policy-autopilot

Build the project:

bash
cargo build --release

The compiled binary will be located at target/release/iam-policy-autopilot.

Using the Built Binary with MCP

If you build from source, you can configure MCP clients to use the compiled binary:

json
{
  "mcpServers": {
    "iam-policy-autopilot": {
      "command": "/path/to/iam-policy-autopilot",
      "args": ["mcp-server"]
    }
  }
}

Workspace Structure

This workspace contains several crates that work together:

  • iam-policy-autopilot-policy-generation/ - Core library providing SDK extraction and enrichment capabilities
  • iam-policy-autopilot-access-denied/ - Core library for parsing AccessDenied errors and synthesizing IAM policies
  • iam-policy-autopilot-tools/ - Policy upload utilities and AWS integration tools
  • iam-policy-autopilot-cli/ - Unified CLI tool providing all commands
  • iam-policy-autopilot-mcp-server/ - MCP server integration for IDE and tool integration

Development

Running Tests

bash
# Run all tests
cargo test --workspace

# Run tests for specific crate
cargo test -p iam-policy-autopilot-cli
cargo test -p iam-policy-autopilot-access-denied
cargo test -p iam-policy-autopilot-policy-generation

# Run integration tests
cargo test -p iam-policy-autopilot-cli --test integration_tests

Building Release Version

bash
cargo build --release

The compiled binary will be located at target/release/iam-policy-autopilot.

Security

See CONTRIBUTING for more information.

License

This project is licensed under the Apache-2.0 License.

Installation

TypingMind
Prerequisites:

Node.js 18+

{
  "mcpServers": {
    "iam-policy-autopilot": {
      "command": "uvx",
      "args": [
        "iam-policy-autopilot",
        "mcp-server"
      ],
      "env": {
        "AWS_PROFILE": "your-profile-name",
        "AWS_REGION": "us-east-1"
      }
    }
  }
}

Use IAM Policy Autopilot MCP with multiple AI models

TypingMind connects MCP tools at the workspace level, so once IAM Policy Autopilot is connected, you can use it with different AI models in TypingMind instead of setting it up separately for each model. This MCP runs locally through the TypingMind MCP connector on your device.

Setup guide to use the local connector

Use this when the MCP server needs access to local files, apps, or private resources on your computer.

1

Open the MCP settings

In TypingMind, go to Settings, Advanced Settings, then Model Context Protocol and choose Setup Connector.

  1. Open TypingMind in your browser.
  2. Click the Settings icon.
  3. Go to Advanced Settings.
  4. Open the Model Context Protocol section.
  5. Click Setup Connector and choose This Device.
TypingMind MCP connector setup screen with This Device selected
2

Run the connector command

Choose This Device, copy the command from TypingMind, and run it in Terminal. Keep the process running while you use MCP.

  1. Copy the setup command shown by TypingMind.
  2. Open Terminal on macOS or Windows Terminal on Windows.
  3. Paste and run the command.
  4. Approve the package install if Terminal asks you to proceed.
  5. Keep the Terminal window running while using MCP tools.
3

Add IAM Policy Autopilot as a server

When the connector status is Ready, click Edit Servers and paste the MCP server configuration.

  1. Wait until the connector status shows Ready.
  2. Click Edit Servers.
  3. Paste the IAM Policy Autopilot MCP server configuration.
  4. Save the server list.
  5. Refresh if you want to confirm the connector is still ready.
TypingMind MCP settings showing active server and Edit Servers button
{
  "mcpServers": {
    "iam-policy-autopilot": {
      "command": "npx",
      "args": [
        "-y",
        "iam-policy-autopilot"
      ]
    }
  }
}
4

Use it across models

Save the server list, open Plugins, enable the IAM Policy Autopilot MCP tools, then select any supported AI model in TypingMind and use the tools in chat or assign them to an AI agent.

  1. Open the Plugins page in TypingMind.
  2. Enable the IAM Policy Autopilot MCP tools.
  3. Start a chat and choose the AI model you want to use.
  4. Use the MCP tools in chat or assign them to an AI agent.
  5. Switch to another AI model whenever needed without reconnecting MCP.
TypingMind chat using enabled MCP tools with a selected AI model
Can you use IAM Policy Autopilot to help me with this task?
IAM Policy Autopilot
Sure. I read it.
Here is what I found using IAM Policy Autopilot.

Frequently asked questions

What is the IAM Policy Autopilot MCP server used for?

IAM Policy Autopilot is an MCP server that lets compatible AI clients connect to external tools and context. In TypingMind, you can add this MCP server once and make its tools available in your AI workspace.

Can I use IAM Policy Autopilot MCP with multiple AI models in TypingMind?

Yes. TypingMind connects MCP tools at the workspace level, so you can use IAM Policy Autopilot with different AI models such as Claude, ChatGPT, Gemini, or other models you have configured in TypingMind without setting up the MCP server separately for each model.

Why use IAM Policy Autopilot MCP with TypingMind?

TypingMind is one of the best frontends for LLM chat because it brings multiple AI models, prompts, plugins, AI agents, API keys, and MCP tools into one workspace. With IAM Policy Autopilot connected, you can use its MCP tools across your preferred models while keeping your chat workflow organized in TypingMind.

How do I connect IAM Policy Autopilot MCP to TypingMind?

IAM Policy Autopilot runs through the TypingMind local MCP connector. This is best when the MCP server needs access to local files, desktop apps, command-line tools, or private resources on your computer.

What tools does IAM Policy Autopilot MCP provide in TypingMind?

IAM Policy Autopilot exposes MCP capabilities that can be enabled from the TypingMind Plugins page and used in chat or assigned to AI agents.

Do I need to share my API keys with TypingMind to use IAM Policy Autopilot MCP?

No. TypingMind is local-first and lets you keep your model providers, API keys, prompts, and MCP configuration under your control. If IAM Policy Autopilot requires authentication, add the required headers, OAuth settings, or local configuration for that MCP server when you create the connection.

Related MCP Servers

View all
LaurieWired logo

GhidraMCP

LaurieWired
CommunityPopular

MCP Server for Ghidra

900
8.9K
0 tools
View details
0x4m4 logo

HexStrike AI

0x4m4
CommunityPopular

HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly bridge LLMs with real-world offensive security capabilities.

1.9K
8.7K
0 tools
View details
webflow logo

Webflow

webflow
CommunityPopular

Official Webflow MCP server. Manage sites, pages, CMS collections, and form submissions via Webflow's Data API. Publish drafts, update content, and automate site operations.

0
3.9K
16 tools
View details
integromat logo

Make.com (Integromat)

integromat
CommunityPopular

Official Make.com MCP server. Trigger scenarios, manage connections, and automate workflows across 2,000+ apps via Make's visual automation platform.

0
3.8K
16 tools
View details

Set up your own AI workspace now

Get notified about new features and future giveaways by subscribing to our newsletter 👇