aws-access-analyzer-validator

A tool to validate existing identity and resource policies across regions and supported AWS services with AWS IAM Access Analyzer.

This tool

See examples/sample_report.md for an example.

Usage

  1. Install from PyPI (Python 3.8+ required):
pip install aws-access-analyzer-validator
  2. Execute the tool:
aws-access-analyzer-validator -o report.md
  3. Open report.md to see the analysis results.
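The core of what the tool does is call access-analyzer:ValidatePolicy on each policy it collects and turn the findings into a markdown report. The following is an added, self-contained illustration of that loop, not code from aws-access-analyzer-validator itself: it paginates ValidatePolicy via nextToken, counts findings by findingType and renders a report table. The client is a constructed offline stand-in with the same validate_policy method as boto3.client("accessanalyzer"); the bucket policy, issue codes and pagination token are constructed sample values.

```python
import json
from typing import Any, Dict, List

FINDING_TYPES = ("ERROR", "SECURITY_WARNING", "WARNING", "SUGGESTION")  # ValidatePolicy findingType values

# Constructed sample: an S3 bucket policy with a wildcard principal.
SAMPLE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead", "Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}


def validate_policy(client: Any, policy: Dict[str, Any], policy_type: str) -> List[Dict[str, Any]]:
    """Call access-analyzer:ValidatePolicy and follow nextToken until every finding is collected.
    `client` is a boto3 'accessanalyzer' client or any object with the same validate_policy method."""
    kwargs: Dict[str, Any] = {"policyDocument": json.dumps(policy), "policyType": policy_type}
    findings: List[Dict[str, Any]] = []
    while True:
        resp = client.validate_policy(**kwargs)
        findings.extend(resp.get("findings", []))
        if not resp.get("nextToken"):
            return findings
        kwargs["nextToken"] = resp["nextToken"]


def summarize(findings: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count findings per findingType so a report can be sorted and a CI gate can fail on ERROR/SECURITY_WARNING."""
    return {t: sum(1 for f in findings if f.get("findingType") == t) for t in FINDING_TYPES}


def render_markdown(resource_arn: str, findings: List[Dict[str, Any]]) -> str:
    """Render one resource's findings as a markdown table, most severe finding type first."""
    lines = [f"### {resource_arn}", "", "| Type | Issue code | Details |", "|---|---|---|"]
    ordered = sorted(findings, key=lambda f: FINDING_TYPES.index(f.get("findingType", "SUGGESTION")))
    lines += [f"| {f['findingType']} | {f['issueCode']} | {f['findingDetails']} |" for f in ordered]
    return "\n".join(lines)


class FakeAccessAnalyzer:
    """Offline stand-in for boto3.client('accessanalyzer'); returns constructed findings over two pages."""
    def validate_policy(self, **kwargs: Any) -> Dict[str, Any]:
        if kwargs.get("nextToken") == "page-2":  # constructed pagination token
            return {"findings": [{"findingType": "SUGGESTION", "issueCode": "CONSTRUCTED_CODE_2",
                                  "findingDetails": "constructed suggestion"}]}
        return {"findings": [{"findingType": "SECURITY_WARNING", "issueCode": "CONSTRUCTED_CODE_1",
                              "findingDetails": "constructed warning about Principal '*'"}],
                "nextToken": "page-2"}


if __name__ == "__main__":
    # For live use, replace the fake with boto3.client("accessanalyzer", region_name=...).
    result = validate_policy(FakeAccessAnalyzer(), SAMPLE_BUCKET_POLICY, "RESOURCE_POLICY")
    print(render_markdown("arn:aws:s3:::example-bucket", result))
```

Because ValidatePolicy is a regional API and resource policies live in each region, a real run repeats this for every enabled region, which is why the tool needs the list permissions granted in the policy below.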

Arguments

aws-access-analyzer-validator supports the following arguments:

Supported Services / Resources

aws-access-analyzer-validator validates policies from the following services:

Required Permissions

This tool requires the following permissions to operate:

Here's an IAM policy that grants the required privileges:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PermissionsForAAValidator",
            "Effect": "Allow",
            "Action": [
                "access-analyzer:ValidatePolicy",
                "ecr:DescribeRepositories",
                "ecr:GetRepositoryPolicy",
                "iam:GetAccountAuthorizationDetails",
                "s3:GetBucketPolicy",
                "s3:ListAllMyBuckets",
                "sns:GetTopicAttributes",
                "sns:ListTopics",
                "sqs:GetQueueAttributes",
                "sqs:ListQueues"
            ],
            "Resource": "*"
        }
    ]
}

Development

Requires Python 3.8+ and Poetry. Useful commands:

# Setup environment
poetry install

# Run integration tests (requires admin-level AWS credentials)
make test

# Run linters
make -k lint

# Format code
make format

# Deploy test resources (requires AWS CLI and admin level AWS credentials)
make deploy-test-resources

# Delete test resources
make delete-test-resources

Credits

License

MIT.