IAM Policy Least Privilege Analyzer - Detect Overly Permissive IAM Policies Offline

Paste an AWS IAM policy JSON to detect overly permissive patterns such as Action:*, Resource:*, iam:PassRole, NotAction, missing Condition blocks, and other least-privilege violations. The entire analysis runs in your browser.

All processing is performed entirely in your browser using client-side JavaScript. No data is transmitted to any server. Your IAM policy never leaves your device.

  • This tool is provided "AS IS" without any warranties of any kind.
  • Detection rules are heuristic and intended for code review assistance only. They do not replace IAM Access Analyzer, Policy Simulator, or a security audit.
  • Findings are based on static patterns and may include false positives or miss context-specific risks.
  • Always validate policies in a non-production AWS account before deployment.
  • By using this tool, you accept full responsibility for any outcomes.

This tool uses client-side JavaScript for all processing. No data is transmitted to servers and no files are uploaded; all processing happens locally in your browser. Once loaded, this tool continues to work even without an internet connection. For more details, please refer to our Web Tools Disclaimer.

Features

  • Static least-privilege analysis: 11 built-in rules covering wildcard actions / resources, privileged actions, missing conditions, and more.
  • Severity-based grouping: Findings are categorised as CRITICAL / HIGH / MEDIUM / LOW / INFO with a summary count.
  • Per-finding context: Each finding shows the rule ID, the offending Statement (Sid + index), the JSON excerpt, and a remediation suggestion.
  • Toggleable rules: Disable any rule that is too noisy for your context with a single checkbox.
  • Sample policies: Four built-in samples (good / admin / Lambda+PassRole / NotAction misuse) help you explore the rules.
  • Drag & drop input: Drop a .json policy file onto the page to analyse it instantly.
  • Copyable report: Generate a plain-text report of all findings for tickets, code reviews, or pull requests.
  • 100% client-side: No network calls; works offline once the page is loaded.
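As an added example (not the page's own code, which is not shown here), the following JavaScript sketches how a static checker of this kind works: it normalises Statement, Action, NotAction and Resource (which IAM allows as either a string or an array), applies a handful of rules modelled on the patterns listed above, skips Deny statements, and groups findings by severity with the statement index and Sid. The rule IDs (LP-00x), their severities, the disabled-rule set and the sample policy are constructed for illustration and do not correspond to the tool's actual 11 rules.

```javascript
// Added example, not the page's own code: a small static least-privilege checker
// for AWS IAM policy JSON. Rule IDs (LP-00x) and SAMPLE_POLICY are constructed.

const SEVERITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"];

// IAM accepts Action/NotAction/Resource/Statement as a string or an array.
const asArray = (v) => (v === undefined || v === null ? [] : Array.isArray(v) ? v : [v]);

// IAM action names match case-insensitively and may contain '*' and '?' wildcards.
function actionMatches(pattern, action) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$", "i");
  return re.test(action);
}

// Flatten a policy into one record per Statement, keeping index and Sid for reporting.
function normalise(policy) {
  return asArray(policy.Statement).map((st, index) => ({
    index,
    sid: st.Sid || null,
    effect: st.Effect,
    actions: asArray(st.Action),
    notActions: asArray(st.NotAction),
    resources: asArray(st.Resource),
    hasCondition: !!st.Condition && Object.keys(st.Condition).length > 0,
    raw: st,
  }));
}

const RULES = [
  { id: "LP-001", severity: "CRITICAL",
    message: 'Action "*" grants every API call in every service',
    fix: "List the specific actions the workload needs",
    test: (s) => s.effect === "Allow" && s.actions.includes("*") },
  { id: "LP-002", severity: "HIGH",
    message: "Allow with NotAction grants everything except the listed actions",
    fix: "Use an explicit Action list instead of NotAction in an Allow statement",
    test: (s) => s.effect === "Allow" && s.notActions.length > 0 },
  { id: "LP-003", severity: "HIGH",
    message: "iam:PassRole without a Condition lets the principal hand matching roles to any service",
    fix: "Scope Resource to the exact role ARN and add a Condition on iam:PassedToService",
    // Action "*" is already reported by LP-001, so it is skipped here to avoid double counting.
    test: (s) => s.effect === "Allow" && !s.hasCondition && !s.actions.includes("*") &&
      s.actions.some((a) => actionMatches(a, "iam:PassRole")) },
  { id: "LP-004", severity: "HIGH",
    message: "Service-wide wildcard action (service:*)",
    fix: "Replace service:* with the specific actions needed",
    test: (s) => s.effect === "Allow" && s.actions.some((a) => a !== "*" && a.endsWith(":*")) },
  { id: "LP-005", severity: "MEDIUM",
    message: 'Resource "*" without a Condition block',
    fix: "Name the target ARNs, or constrain the statement with a Condition (e.g. aws:ResourceTag)",
    test: (s) => s.effect === "Allow" && s.resources.includes("*") && !s.hasCondition },
];

// Run every enabled rule over every statement; accepts a policy object or its JSON text.
function analyze(policyOrJson, disabledRules = new Set()) {
  const policy = typeof policyOrJson === "string" ? JSON.parse(policyOrJson) : policyOrJson;
  const findings = [];
  for (const s of normalise(policy)) {
    for (const rule of RULES) {
      if (disabledRules.has(rule.id) || !rule.test(s)) continue;
      findings.push({ rule: rule.id, severity: rule.severity, statement: s.index, sid: s.sid,
        message: rule.message, fix: rule.fix, excerpt: JSON.stringify(s.raw) });
    }
  }
  // Stable sort: most severe first, statement order preserved within a severity.
  return findings.sort((a, b) => SEVERITIES.indexOf(a.severity) - SEVERITIES.indexOf(b.severity));
}

// Summary counts per severity, in the fixed CRITICAL..INFO order.
function summarise(findings) {
  const counts = Object.fromEntries(SEVERITIES.map((sev) => [sev, 0]));
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

// Plain-text report suitable for pasting into a ticket or pull request.
function report(findings) {
  const lines = [Object.entries(summarise(findings)).map(([k, v]) => `${k}=${v}`).join(" ")];
  for (const f of findings) {
    lines.push(`[${f.severity}] ${f.rule} Statement[${f.statement}]${f.sid ? ` (${f.sid})` : ""}: ${f.message}`);
    lines.push(`  excerpt: ${f.excerpt}`);
    lines.push(`  fix: ${f.fix}`);
  }
  return lines.join("\n");
}

// Constructed sample: three risky Allow statements, one well-scoped PassRole, one Deny.
const SAMPLE_POLICY = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "AdminAll", Effect: "Allow", Action: "*", Resource: "*" },
    { Sid: "PassAnyRole", Effect: "Allow", Action: ["iam:Pass*"], Resource: "*" },
    { Sid: "NotActionMisuse", Effect: "Allow", NotAction: ["iam:*", "organizations:*"], Resource: "*" },
    { Sid: "ScopedPassRole", Effect: "Allow", Action: "iam:PassRole",
      Resource: "arn:aws:iam::123456789012:role/lambda-exec",
      Condition: { StringEquals: { "iam:PassedToService": "lambda.amazonaws.com" } } },
    { Sid: "DenyAll", Effect: "Deny", Action: "*", Resource: "*" },
  ],
};

console.log(report(analyze(SAMPLE_POLICY)));
```

On the constructed sample the checker reports one CRITICAL, two HIGH and three MEDIUM findings; the scoped PassRole statement and the Deny statement produce none. Passing a set of rule IDs as the second argument to `analyze` mirrors the page's per-rule toggles.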

How to Use

  1. Paste your IAM policy JSON into the textarea, or switch to the Drop / Choose .json tab and load a file.
  2. Optionally toggle individual detection rules on or off.
  3. Click Analyze policy (analysis also runs automatically a moment after you stop typing).
  4. Review findings grouped by severity. Each card includes the offending Statement and a suggested remediation.
  5. Click Copy report to copy a plain-text summary to your clipboard.

Important Notes

  • This tool performs static pattern detection only. It does not evaluate the effective permissions of the policy against an AWS account, nor does it consider Service Control Policies (SCPs), permission boundaries, resource-based policies, or session policies.
  • Findings are heuristic. The pattern behind a HIGH finding may still be appropriate for your workload (e.g. a CI/CD role that is intentionally granted iam:PassRole, scoped to specific role ARNs). Always interpret findings in context.
  • For full evaluation against a real account, use IAM Access Analyzer policy validation or the IAM Policy Simulator.
  • Only standard JSON IAM policy syntax is supported. CloudFormation YAML and SAM intrinsic functions are not parsed.
  • The textarea content stays in your browser. Nothing is logged, persisted, or transmitted by this page.

Written by Hidekazu Konishi