IAM Policy Autopilot

v1.0.0 · Security · stable

IAM Policy Autopilot is an open source static code analysis tool that helps you quickly create baseline AWS IAM policies that you can refine as your application evolves. This tool is available as a command-line utility and MCP server for use within A

Tags: aws, aws-iam, aws-iam-policies, aws-security, cli
Stars: 366

What is IAM Policy Autopilot?

IAM Policy Autopilot is a Model Context Protocol (MCP) server that gives AI assistants like Claude, Cursor, and VS Code access to an open source static code analysis tool that helps you quickly create baseline AWS IAM policies that you can refine as your application evolves. This tool is available as a co...

This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Use Cases

  • Generate AWS IAM policies
  • Static code analysis for security
  • Cloud policy baseline creation

Maintainer: awslabs
License: Apache-2.0
Language: Rust
Version: v1.0.0
Updated: May 21, 2026
Status: healthy
Maintenance: active

Works with

Claude, OpenAI, Windows, macOS, Linux

Installation

Manual Installation

npx iam-policy-autopilot

Configuration

Configuration Details

Config File

claude_desktop_config.json

Performance

Response Metrics

Response Time: < 200ms
Throughput: Medium

Resource Usage

Memory Usage: Low
CPU Usage: Low

How to Set Up and Use IAM Policy Autopilot

IAM Policy Autopilot is an open-source static analysis tool from AWS Labs that scans your application source code — supporting Python (Boto3), Go, Java, JavaScript, and TypeScript — and generates minimal, least-privilege AWS IAM policy documents based on the actual API calls your code makes. It also diagnoses live AccessDenied errors and can suggest or apply the exact policy changes needed to fix them. The tool is available as a CLI and as an MCP server for use directly inside AI coding assistants.

Prerequisites

  • Python 3.9+ with pip (or uv) for the Python-based tool
  • AWS credentials configured (AWS_PROFILE or standard AWS CLI config) for policy validation and apply operations
  • An MCP-compatible AI client such as Claude Desktop for MCP server usage
  • Source code in a supported language: Python (Boto3/Botocore), Go, Java, JavaScript, or TypeScript

1. Install IAM Policy Autopilot

The recommended installation method is via uv (uvx) which runs the tool in an isolated environment. Alternatively, install with pip or use the curl installer for a system-wide binary.

# Recommended: uvx (no install needed)
uvx iam-policy-autopilot

# Or install with pip
pip install iam-policy-autopilot

# Or system-wide binary (macOS/Linux)
curl -sSL https://github.com/awslabs/iam-policy-autopilot/raw/refs/heads/main/install.sh | sudo sh

2. Generate an IAM policy from source code

Point the tool at your source file or directory. Use --service-hints to guide detection when the tool cannot infer AWS services automatically.

iam-policy-autopilot generate-policies ./src/app.py \
  --service-hints s3 iam organizations \
  --pretty

3. Fix an AccessDenied error

Pass the AccessDenied error message directly to the fix-access-denied command as a quoted argument. The tool parses the ARN and action, identifies the missing permission, and can optionally apply the fix.

iam-policy-autopilot fix-access-denied \
  "User: arn:aws:iam::123456789012:user/test is not authorized to perform: s3:PutObject on resource: arn:aws:s3:::my-bucket"

4. Add as an MCP server for AI assistant use

Add IAM Policy Autopilot as an MCP server in your Claude Desktop config. Pass your AWS profile and region via env so the tool can validate and apply changes.

{
  "mcpServers": {
    "iam-policy-autopilot": {
      "command": "uvx",
      "args": ["iam-policy-autopilot", "mcp-server"],
      "env": {
        "AWS_PROFILE": "your-profile-name",
        "AWS_REGION": "us-east-1"
      }
    }
  }
}

5. Verify policies in Claude

After restarting Claude Desktop, ask it to analyze your code and generate a least-privilege IAM policy. The MCP tools handle scanning and policy document generation automatically.
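
To make the fix-access-denied step concrete, the sketch below parses an AccessDenied message of the shape shown in step 3 and builds the smallest Allow statement that would cover the denied call, so you can compare it with what the tool proposes. It is an added example, not IAM Policy Autopilot's own code; the regular expression and the function names parse_access_denied and proposed_statement are assumptions made for illustration.

```python
import json
import re

# Shape of the AccessDenied message quoted in the fix-access-denied step.
# Some messages append a reason ("because ..." or "with an explicit deny ...").
DENIED_RE = re.compile(
    r"User: (?P<principal>arn:\S+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)"
    r"(?: on resource: (?P<resource>arn:\S+))?"
    r"(?: (?P<reason>because .+|with an explicit deny.*))?"
)


def parse_access_denied(message):
    """Return principal, action, resource and reason, or None if unparseable."""
    m = DENIED_RE.search(message)
    if not m:
        return None
    fields = m.groupdict()
    # Some calls report no resource; make the resulting wildcard explicit.
    fields["resource"] = fields["resource"] or "*"
    fields["explicit_deny"] = "explicit deny" in (fields["reason"] or "")
    return fields


def proposed_statement(fields):
    """Smallest Allow statement covering the denied call, for human review."""
    if fields["explicit_deny"]:
        # An Allow cannot override an explicit Deny; the Deny itself must change.
        return None
    return {
        "Effect": "Allow",
        "Action": [fields["action"]],
        "Resource": [fields["resource"]],
    }


if __name__ == "__main__":
    # The message from step 3 of this page.
    sample = ("User: arn:aws:iam::123456789012:user/test is not authorized to "
              "perform: s3:PutObject on resource: arn:aws:s3:::my-bucket")
    print(json.dumps(proposed_statement(parse_access_denied(sample)), indent=2))
```

A result of None from proposed_statement means the denial came from an explicit Deny, which adding permissions will not resolve.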

IAM Policy Autopilot Examples

Client configuration

claude_desktop_config.json entry using uvx (recommended). Set AWS_PROFILE and AWS_REGION to match your environment.

{
  "mcpServers": {
    "iam-policy-autopilot": {
      "command": "uvx",
      "args": ["iam-policy-autopilot", "mcp-server"],
      "env": {
        "AWS_PROFILE": "default",
        "AWS_REGION": "us-east-1"
      }
    }
  }
}

Prompts to try

Example prompts for policy generation, error diagnosis, and security review workflows.

- "Analyze the file src/lambda_handler.py and generate a least-privilege IAM policy for it"
- "I got this AccessDenied error — what IAM permission is missing and how do I fix it: [paste error]"
- "Scan the entire ./backend directory and produce a combined IAM policy for all AWS API calls"
- "Generate a policy for my Go Lambda function in ./cmd/processor that uses S3 and DynamoDB"
- "What IAM actions does the Boto3 code in app.py actually call?"

Troubleshooting IAM Policy Autopilot

generate-policies returns an empty or incomplete policy

Use --service-hints to name the AWS services your code uses (e.g., --service-hints s3 dynamodb). Static analysis may miss dynamically constructed service names — review the output and add missing actions manually.

AWS credentials error when running the MCP server

Ensure AWS_PROFILE refers to a valid profile in ~/.aws/credentials or ~/.aws/config, and that AWS_REGION is set. Alternatively, configure credentials via environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN.

uvx command not found

Install uv with `curl -LsSf https://astral.sh/uv/install.sh | sh` and ensure ~/.local/bin is on your PATH. Then re-run `uvx iam-policy-autopilot`.

Frequently Asked Questions about IAM Policy Autopilot

What is IAM Policy Autopilot?

IAM Policy Autopilot is a Model Context Protocol (MCP) server for an open source static code analysis tool that helps you quickly create baseline AWS IAM policies that you can refine as your application evolves. This tool is available as a command-line utility and MCP server for use within a... It connects AI assistants to external tools and data sources through a standardized interface.

How do I install IAM Policy Autopilot?

Follow the installation instructions on the IAM Policy Autopilot GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.

Which AI clients work with IAM Policy Autopilot?

IAM Policy Autopilot works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is IAM Policy Autopilot free to use?

Yes, IAM Policy Autopilot is open source and available under the Apache-2.0 license. You can use it freely in both personal and commercial projects.

IAM Policy Autopilot Alternatives — Similar Security Servers

Looking for alternatives to IAM Policy Autopilot? Here are other popular security servers you can use with Claude, Cursor, and VS Code.

Casdoor

13.6k

An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

ghidraMCP

9.0k

A Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through

HexStrike AI

8.9k

HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b

IDA Pro MCP

8.7k

Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.

Anthropic Cybersecurity Skills

6.6k

754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform

Hooker

5.1k

🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u

Quick Config Preview

{
  "mcpServers": {
    "iam-policy-autopilot": {
      "command": "npx",
      "args": ["-y", "iam-policy-autopilot"]
    }
  }
}

Add this to your claude_desktop_config.json or .cursor/mcp.json
