
IAM Policy Autopilot
Analyzes your Python, Go, or TypeScript application code locally to automatically generate baseline AWS IAM policies by detecting AWS SDK calls. Helps create proper permissions faster and reduces access troubleshooting.
Analyzes application code locally to automatically generate baseline AWS IAM identity-based policies by detecting AWS SDK calls in Python, Go, and TypeScript applications. Helps AI coding assistants quickly create IAM permissions that can be refined as applications evolve.
What it does
- Scan Python, Go, and TypeScript code for AWS SDK calls
- Generate baseline IAM identity-based policies
- Analyze application code locally without uploading
- Create policies that can be refined as apps evolve
- Integrate with AI coding assistants via MCP
About IAM Policy Autopilot
IAM Policy Autopilot is an official MCP server published by awslabs that provides AI assistants with tools and capabilities via the Model Context Protocol. It analyzes Python, Go, and TypeScript code locally to automatically generate IAM policies and AWS IAM permissions for least … It is categorized under auth security and developer tools.
How to install
You can install IAM Policy Autopilot in your AI client of choice. Use the install panel on this page to get one-click setup for Cursor, Claude Desktop, VS Code, and other MCP-compatible clients. This server runs locally on your machine via the stdio transport.
License
IAM Policy Autopilot is released under the Apache-2.0 license. This is a permissive open-source license, meaning you can freely use, modify, and distribute the software.
IAM Policy Autopilot
An open source Model Context Protocol (MCP) server and command-line tool that helps your AI coding assistants quickly create baseline IAM policies that you can refine as your application evolves, so you can build faster. IAM Policy Autopilot analyzes your application code locally to generate identity-based policies for application roles, enabling faster IAM policy creation and reducing access troubleshooting time. IAM Policy Autopilot supports applications built in Python, Go, and TypeScript.
Table of Contents
- Who is IAM Policy Autopilot for?
- How is IAM Policy Autopilot helpful?
- Best Practices and Considerations
- Getting Started
- CLI Usage
- Build Instructions
- Workspace Structure
- Development
- Security
- License
Who is IAM Policy Autopilot for?
IAM Policy Autopilot is for builders on AWS using AI coding assistants, including developers, product managers, technical experimenters, and business leaders.
How is IAM Policy Autopilot helpful?
IAM Policy Autopilot is:
Fast
IAM Policy Autopilot accelerates development by generating baseline identity-based IAM policies. Your AI coding assistant can call IAM Policy Autopilot to analyze AWS SDK calls within your application. IAM Policy Autopilot then automatically creates the baseline IAM permissions for your application roles.
Reliable
IAM Policy Autopilot's deterministic code analysis helps create reliable and valid IAM policies that reduce policy troubleshooting. By using valid policies created with the MCP server, you reduce time spent on policy-related debugging and accelerate application deployment by avoiding permission-related delays.
Up-to-date
IAM Policy Autopilot stays up to date with the latest AWS services and features so that builders and coding assistants have access to the latest AWS IAM permissions knowledge. It helps keep your application role's permissions current with AWS's evolving capabilities.
Best Practices and Considerations
Review and refine policies generated by IAM Policy Autopilot
IAM Policy Autopilot generates baseline policies to provide a starting point that you can refine as your application matures. Review the generated policies to ensure they align with your security requirements before deploying them. Use the --explain feature with action patterns (e.g., --explain 's3:*') to understand which operations led to an action being included in the generated policies.
Understand the IAM Policy Autopilot scope
IAM Policy Autopilot produces IAM identity-based policies only. It does not support resource-based policies such as S3 bucket policies or KMS key policies, Resource Control Policies (RCPs), Service Control Policies (SCPs), or permission boundaries. Keep these limitations in mind. Because the analysis is static, it also cannot resolve resource names computed at runtime: for example, if your code calls s3.getObject(bucketName) where bucketName is determined at runtime, IAM Policy Autopilot currently doesn't predict which bucket will be accessed.
Understand the boundary between IAM Policy Autopilot and your coding assistant
IAM Policy Autopilot generates policies with specific actions based on deterministic analysis of your code. When you use the MCP server integration, your AI coding assistant receives this policy and might modify it when creating infrastructure-as-code templates. For example, you might see the assistant add specific resource Amazon Resource Names (ARNs) or include KMS key IDs based on additional context from your code. These changes come from your coding assistant's interpretation of your broader code context, not from the static analysis provided by IAM Policy Autopilot. Always review content generated by your coding assistant before deployment to verify that it meets your security requirements.
Use service hints for accurate policies
IAM Policy Autopilot's static analysis may include permissions for AWS services your application doesn't use. This happens when method names in your code match AWS SDK calls from multiple services. For example, a method called listAccounts() might generate permissions for both AWS Organizations and Amazon Chime services.
Recommended approach: Use the --service-hints option to specify only the AWS services your application actually uses. This helps IAM Policy Autopilot scope down which SDK calls to analyze, but the final policy may still include actions from other services if they're required by the operations you perform:
# More accurate - specify only services you use
iam-policy-autopilot generate-policies ./src/app.py --service-hints s3 iam organizations --pretty
# Less accurate - may include unnecessary permissions
iam-policy-autopilot generate-policies ./src/app.py --pretty
This significantly reduces unnecessary permissions and generates more targeted policies. Note that the final policy may still include actions from services not in your hints if they're required for the operations you perform (e.g., KMS actions for S3 encryption).
Note: When using the MCP server integration with AI coding assistants, the assistant is expected to automatically provide appropriate service hints based on your code context. The --service-hints option is primarily for CLI usage.
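To make the ambiguity problem concrete, the following toy analyzer (an added example, not code from IAM Policy Autopilot or awslabs) parses a small constructed Python application with the standard-library ast module, matches attribute-call method names against a constructed SDK-method-to-action table, reports methods that match more than one service, and applies a service-hint filter the way the --service-hints option is described above. Resource stays "*" because bucket names bound at runtime cannot be resolved statically. The lookup table, sample application and function names are all assumptions made for this illustration.

```python
"""Toy illustration of hint-scoped AWS SDK call analysis.

Constructed example for this page; it is not IAM Policy Autopilot's
implementation. The lookup table below is deliberately tiny.
"""
import ast
import json

# Constructed lookup: SDK method name -> candidate (service, IAM action) pairs.
# A real tool derives this from service models; list_accounts is included
# because the same method name exists for Organizations and Chime.
SDK_METHOD_TO_ACTIONS = {
    "get_object": [("s3", "s3:GetObject")],
    "put_object": [("s3", "s3:PutObject")],
    "get_role": [("iam", "iam:GetRole")],
    "list_accounts": [
        ("organizations", "organizations:ListAccounts"),
        ("chime", "chime:ListAccounts"),
    ],
}

# Constructed sample application (what ./src/app.py might contain).
SAMPLE_APP = '''
import boto3

s3 = boto3.client("s3")
org = boto3.client("organizations")

def handler(bucket_name, key):
    # bucket_name arrives at runtime, so the bucket cannot be predicted statically
    body = s3.get_object(Bucket=bucket_name, Key=key)["Body"].read()
    accounts = org.list_accounts()
    return body, accounts
'''


def find_sdk_calls(source: str) -> list:
    """Return the method names of all attribute calls (obj.method(...)) in source.

    Names that are not SDK methods (e.g. 'client', 'read') are returned too;
    they simply will not match anything in the lookup table.
    """
    tree = ast.parse(source)
    return [
        node.func.attr
        for node in ast.walk(tree)
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
    ]


def resolve_actions(method_names, service_hints=None):
    """Map method names to IAM actions, optionally scoped to hinted services.

    Returns (sorted action list, ambiguity report). The report maps a method
    name to the services it matched when more than one candidate survived.
    """
    actions = set()
    ambiguous = {}
    for name in method_names:
        candidates = SDK_METHOD_TO_ACTIONS.get(name, [])
        if service_hints:
            candidates = [c for c in candidates if c[0] in service_hints]
        if len(candidates) > 1:
            ambiguous[name] = sorted(service for service, _ in candidates)
        for _, action in candidates:
            actions.add(action)
    return sorted(actions), ambiguous


def build_policy(actions):
    """Wrap actions in a baseline identity-based policy document.

    Resource is "*" because static analysis cannot see runtime bucket names;
    narrowing it to specific ARNs is part of the review step.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}],
    }


def generate_policy(source, service_hints=None):
    """End-to-end: source text -> (policy document, ambiguity report)."""
    actions, ambiguous = resolve_actions(find_sdk_calls(source), service_hints)
    return build_policy(actions), ambiguous


if __name__ == "__main__":
    for hints in (None, {"s3", "organizations"}):
        policy, report = generate_policy(SAMPLE_APP, hints)
        print(f"service hints: {sorted(hints) if hints else 'none'}")
        print(f"ambiguous methods: {report}")
        print(json.dumps(policy, indent=2))
```

Run without hints and list_accounts yields both organizations:ListAccounts and chime:ListAccounts; with hints {"s3", "organizations"} the Chime action disappears and the ambiguity report is empty, which is the effect the --service-hints option is meant to have.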
Getting Started
Installation
Option 1: Using uv (Recommended)
Install uv from Astral.
No additional installation needed - you can run IAM Policy Autopilot directly using uvx iam-policy-autopilot.
Option 2: Using pip
Install pip.
pip install iam-policy-autopilot
Option 3: Direct installation (macOS/Linux only)
To install the latest release directly, run the following script to download and install as a system utility.
curl -sSL https://github.com/awslabs/iam-policy-autopilot/raw/refs/heads/main/install.sh | sudo sh
This will install the latest release directly to /usr/local/bin/iam-policy-autopilot.
AWS Configuration
IAM Policy Autopilot requires AWS credentials to apply policy fixes and upload policies for AccessDenied debugging.
Install AWS CLI and configure your AWS credentials.
For more information on AWS credential configuration, see the AWS CLI Configuration Guide.
MCP Server Configuration
Configure the MCP server in your MCP client configuration to enable your AI coding assistant to generate IAM policies.
For Kiro
Get Kiro from https://kiro.dev/
If using uv/uvx:
Add the following configuration to your project-level .kiro/settings/mcp.json:
{
  "mcpServers": {
    "iam-policy-autopilot": {
      "command": "uvx",
      "args": ["iam-policy-autopilot", "mcp-server"],
      "env": {
        "AWS_PROFILE": "your-profile-name",
        "AWS_REGION": "us-east-1"
      },
      "disabled": false,
      "autoApprove": []
    }
  }
}
If using pip:
{
  "mcpServers": {
    "iam-policy-autopilot": {
      "command": "iam-policy-autopilot",
      "args": ["mcp-server"],
      "env": {
        "AWS_PROFILE": "your-profile-name",
        "AWS_REGION": "us-east-1"
      },
      "disabled": false,
      "autoApprove": []
    }
  }
}
For Kiro CLI
Get Kiro CLI from https://kiro.dev/cli
Kiro CLI uses the same configuration as Kiro, described above. Additionally, MCP servers for Kiro CLI can be set up with the following commands:
If using uv/uvx:
kiro-cli mcp add \
--name iam-policy-autopilot \
--command "uvx" \
--args "iam-policy-autopilot","mcp-server"
If using pip:
kiro-cli mcp add \
--name iam-policy-autopilot \
--command "iam-policy-autopilot" \
--args "mcp-server"
For Claude Desktop
Add to your Claude Desktop configuration file:
macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
Linux: ~/.config/Claude/claude_desktop_config.json
If using uv/uvx:
{
  "mcpServers": {
    "iam-policy-autopilot": {
      "command": "uvx",
      "args": ["iam-policy-autopilot", "mcp-server"],
      "env": {
        "AWS_PROFILE": "your-profile-name",
        "AWS_REGION": "us-east-1"
      }
    }
  }
}
If using pip:
{
  "mcpServers": {
    "iam-policy-autopilot": {
      "command": "iam-policy-autopilot",
      "args": ["mcp-server"],
      "env": {
        "AWS_PROFILE": "your-profile-name",
        "AWS_REGION": "us-east-1"
      }
    }
  }
}
Kiro Power Configuration
IAM Policy Autopilot has an associated Kiro power configuration inside the power-iam-policy-autopilot directory. This can be used to install a corresponding Kiro power in your Kiro editor.
Enabling the IAM Policy Autopilot Kiro Power
To enable the IAM Policy A
README truncated.