https://github.com/rivassec/secure-iam-lint
Python-based linter for AWS IAM policies to catch insecure configurations
https://github.com/rivassec/secure-iam-lint
automation aws devsecops iam linter python security
Last synced: 2 months ago
JSON representation
Python-based linter for AWS IAM policies to catch insecure configurations
- Host: GitHub
- URL: https://github.com/rivassec/secure-iam-lint
- Owner: rivassec
- License: mit
- Created: 2025-04-11T22:23:52.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2025-04-11T22:29:33.000Z (about 1 year ago)
- Last Synced: 2025-04-12T20:54:03.060Z (about 1 year ago)
- Topics: automation, aws, devsecops, iam, linter, python, security
- Language: Python
- Homepage:
- Size: 8.79 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# secure-iam-lint
[](https://github.com/rivassec/secure-iam-lint/actions/workflows/checkov.yml)
[](https://github.com/rivassec/secure-iam-lint/actions/workflows/test.yml)
[](https://github.com/rivassec/secure-iam-lint/actions/workflows/trivy.yml)
[](LICENSE)
[](https://www.python.org/downloads/)
`secure-iam-lint` is a lightweight CLI scanner for AWS IAM policies. It flags common misconfigurations such as wildcard permissions, missing conditions, and escalation risks. Ideal for CI pipelines and local dev workflows, it helps catch risky IAM patterns early.
## Features
- Flags use of `Action: "*"` and `Resource: "*"`
- Warns on `Allow` statements missing `Condition` blocks
- Detects `iam:PassRole` with wildcard resources
- Identifies `NotAction` and `NotResource` usage
- CLI output designed for readability
- Modular, testable Python structure
## Installation
Clone and install in editable mode (recommended for development):
```bash
git clone https://github.com/rivassec/secure-iam-lint.git
cd secure-iam-lint
python -m venv .venv
source .venv/bin/activate
pip install -e .
```
> PyPI installation is planned for a future release.
## Usage
```bash
iam-lint examples/bad-policy-extended.json
```
### Example Output
```
Findings:
- HIGH Statement 0: Action includes '*' (overly permissive)
- HIGH Statement 0: Resource includes '*' (overly permissive)
- MEDIUM Statement 1: Allow without any Condition block
- CRITICAL Statement 2: iam:PassRole with wildcard resource
- MEDIUM Statement 3: uses NotAction (may be overly permissive)
- MEDIUM Statement 3: uses NotResource (may be overly permissive)
```
Use `--verbose` for additional output.
## Running Tests
Install `pytest` and run:
```bash
pip install pytest
pytest tests/
```
## Project Structure
```
secure-iam-lint/
├── iamlint/ # CLI and rule logic
├── examples/ # Sample IAM policies
├── tests/ # Pytest-based suite
├── iam_lint.py # CLI entry point
├── setup.py # Install/config metadata
└── README.md
```
## Roadmap
Planned features:
- JSON and SARIF output formats
- Severity-based fail thresholds (`--fail-on HIGH`)
- Docker container for CI use
- Configurable rule sets
## Motivation
IAM policy reviews are tedious and error-prone. This tool helps engineers detect obvious risks early — especially in IaC-driven or regulated environments.
## Contributing
Issues and pull requests are welcome. If you have a new rule idea or see a false positive, feel free to open a discussion.
## License
MIT License. See the [LICENSE](LICENSE) file for details.