| Tool | Description |
| --- | --- |
| AWSume | A utility for easily assuming AWS IAM roles from the command line |
| key-conjurer | Uses AWS STS to create temporary AWS API credentials for accessing our AWS infrastructure programmatically |
| gimme-aws-creds | CLI that utilizes an Okta IdP via SAML to acquire temporary AWS credentials via AWS STS |
| leapp | Leapp is the DevTool to access your cloud |
| granted-approvals | A Privileged Access Management framework |

Policy Creation/Linting

| Tool | Description |
| --- | --- |
| Policy Sentry | |
| Action Hero | Sidecar-style utility to assist with creating least-privilege IAM policies for AWS. Action Hero captures all permissions actually required while the workload runs under a more permissive policy, so that an IAM role with just those permissions can be created afterwards |
| Effective Actions for IAM | After you input your policy JSON, you see a list of allowed actions by resource. Permissions in AWS require an explicit Allow, and an explicit Deny on the same action and resource overrides any Allow |
| iamlive | Generate basic AWS IAM policies using client-side monitoring of calls made from the AWS CLI or SDKs |
| iamfast | A VS Code plug-in that generates AWS IAM policies from your code |
| pike | Pike is a tool for determining the permissions or policy required for IaC code |
| AWS IAM Policy Generator | A tool which helps craft AWS IAM policies and convert them to IaC |

Find Creep/Drift/Overprivilege

| Tool | Description |
| --- | --- |
| | Remove permissions granting access to unused services from the inline policies of IAM roles in an AWS account |
| | Scans accounts for violations of least privilege and identifies policies that can lead to privilege escalation, data exfiltration, resource exposure, and infrastructure modification |
| | Compiles AWS IAM usage and leverages that data to create least-privilege IAM Terraform that replaces the existing IAM management method |
| | Helps find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies |
| AWS Key Disabler | A small Lambda script that disables access keys older than a given number of days |
| | Discovers the most privileged entities in the target AWS/Azure environments, including shadow admins |
| | Analyzes the behaviour of temporary tokens: looks for suspicious ways in which temporary tokens are created and used in order to detect malicious activity in the account, and produces an Excel sheet listing all currently live temporary tokens in the AWS account |
| | Scans your AWS IAM configuration for shadow admins, based on misconfigured Deny policies that do not affect users in groups |
| | Validates all your customer managed policies against AWS IAM Access Analyzer |
| | A command line tool that validates AWS IAM policies in a Terraform template against AWS IAM best practices |
| | Uses the AWS SSO API to list all users, accounts, permission sets etc. and dumps them into a CSV file for additional parsing or viewing |
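The two tables above describe the same two steps from opposite ends: working out which actions a policy actually grants (Effective Actions for IAM, Action Hero) and comparing that with what the principal really calls (iamlive, the CloudTrail-versus-policy comparison). The following Python is an added example written for this page; it is not the code of any listed tool. The action catalog, the policy and the CloudTrail records are constructed sample data, and the evaluator deliberately ignores Condition, NotResource and per-ARN matching (it is a first-pass review aid, not a policy simulator):

```python
"""Effective-action analysis of an IAM identity policy, then comparison with
observed CloudTrail activity.  Added example; constructed inputs throughout."""
import fnmatch
import json

# Constructed subset of the AWS action namespace, used to expand wildcards such
# as "s3:*".  Real tools use the full per-service action definitions.
ACTION_CATALOG = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:DeleteBucket", "iam:PassRole", "iam:CreateAccessKey", "iam:GetUser",
    "sts:AssumeRole", "ec2:DescribeInstances", "ec2:TerminateInstances",
]


def _as_list(value):
    """IAM accepts a scalar or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Action patterns support '*' and '?' and are case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_covers(deny_pattern, allow_pattern):
    """True when a Deny resource pattern blankets an Allow resource pattern."""
    return fnmatch.fnmatchcase(allow_pattern, deny_pattern)


def effective_actions(policy, catalog=ACTION_CATALOG):
    """Return {action: {resource patterns}} that the policy actually grants.

    IAM's rule: nothing is permitted without an explicit Allow, and an explicit
    Deny on the same action and resource wins over any Allow.
    """
    allows, denies = {}, {}
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        not_actions = _as_list(stmt.get("NotAction"))
        resources = _as_list(stmt.get("Resource")) or ["*"]
        if actions:
            matched = [a for a in catalog if any(_action_matches(p, a) for p in actions)]
        else:  # NotAction: everything in the catalog except the listed patterns
            matched = [a for a in catalog if not any(_action_matches(p, a) for p in not_actions)]
        bucket = allows if stmt.get("Effect") == "Allow" else denies
        for action in matched:
            bucket.setdefault(action, set()).update(resources)

    effective = {}
    for action, resources in allows.items():
        denied = denies.get(action, set())
        remaining = {r for r in resources if not any(_resource_covers(d, r) for d in denied)}
        if remaining:
            effective[action] = remaining
    return effective


def used_actions(events):
    """Map CloudTrail records to "service:EventName".

    eventName usually equals the IAM action name but not always (for example
    s3:ListBucket is logged as ListObjects, and iam:PassRole is not an API call
    at all, so it never shows up), so treat the result as approximate.
    """
    used = set()
    for event in events:
        service = event["eventSource"].split(".")[0]  # "s3.amazonaws.com" -> "s3"
        used.add(f"{service}:{event['eventName']}")
    return used


def unused_permissions(policy, events, catalog=ACTION_CATALOG):
    """Actions the policy grants that never appear in the CloudTrail sample."""
    granted = effective_actions(policy, catalog)
    used = {a.lower() for a in used_actions(events)}
    return sorted(a for a in granted if a.lower() not in used)


# Constructed policy: broad S3 access plus a Deny that claws back deletes.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::111122223333:role/app-*"},
        {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"},
    ],
}

# Constructed CloudTrail records, reduced to the two fields this example reads.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]

if __name__ == "__main__":
    for action, resources in sorted(effective_actions(SAMPLE_POLICY).items()):
        print(f"{action:<24} {', '.join(sorted(resources))}")
    print("granted but never used:", json.dumps(unused_permissions(SAMPLE_POLICY, SAMPLE_EVENTS)))
```

Run against the sample, the Deny removes both `s3:Delete*` actions from the grant, and `iam:PassRole` and `s3:ListBucket` are reported as unused. The second is the caveat to remember before cutting permissions on CloudTrail evidence alone: `iam:PassRole` is consumed inside other calls and never appears as its own event, so a naive comparison will always propose removing it.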


| Tool | Description |
| --- | --- |
| | Fine-grained IAM roles for service accounts (IRSA) on EKS. Rather than having a proxy intercept pod requests to the EC2 instance metadata API and call STS on the pod's behalf, AWS changed the identity APIs to recognize Kubernetes pods directly: by combining an OpenID Connect (OIDC) identity provider with a Kubernetes service account annotation, a pod's projected service account token is exchanged for role credentials via sts:AssumeRoleWithWebIdentity, so IAM roles can be used at the pod level |
| | Share AWS resources with groups of AWS accounts in AWS Organizations. Organizational Units (OUs), which are groups of accounts in AWS Organizations, can be referenced in IAM through the aws:PrincipalOrgPaths condition key, to allow or deny access based on a principal's membership in an OU. The key is multivalued, so it is used with a set operator such as ForAnyValue:StringLike, and a path ending in /* also matches accounts in child OUs |
| aws-iam-authenticator | Use AWS IAM credentials to authenticate to a Kubernetes cluster |
| guard | Kubernetes webhook authentication server. Using guard, you can log into your Kubernetes cluster using various auth providers such as Azure, Google, etc. |
| | A proxy for AWS's metadata service that hands out scoped IAM credentials from STS |
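The IRSA entry above explains the mechanism but not what the trust relationship has to look like, and the most common way to get it wrong is a trust policy whose `:sub` condition is missing or wildcarded, which lets every pod in the cluster assume the role. The following Python is an added example written for this page, not AWS's code or that of any listed tool: it builds the trust policy and the annotated ServiceAccount for one workload, and lints a trust policy for the broad cases. The account ID, OIDC issuer, namespace and service account name are made-up values.

```python
"""Build and lint the trust relationship behind IAM Roles for Service Accounts
(IRSA) on EKS.  Added example; all identifiers below are constructed."""
import json

# Constructed values.  A real issuer comes from `aws eks describe-cluster`
# (identity.oidc.issuer) with the "https://" prefix removed.
ACCOUNT_ID = "111122223333"
OIDC_ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"


def irsa_trust_policy(account_id, oidc_issuer, namespace, service_account):
    """Trust policy that lets exactly one service account assume the role.

    The webhook-injected token is exchanged with sts:AssumeRoleWithWebIdentity;
    the :sub and :aud claims pin it to one service account and to STS.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_issuer}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                f"{oidc_issuer}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def service_account_manifest(name, namespace, role_arn):
    """ServiceAccount carrying the annotation the EKS pod identity webhook reads."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "annotations": {"eks.amazonaws.com/role-arn": role_arn},
        },
    }


def lint_irsa_trust(policy):
    """Flag web-identity trust statements that admit more than one service account."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        conditions = stmt.get("Condition", {})
        subs = [(op, v) for op, kv in conditions.items() for k, v in kv.items() if k.endswith(":sub")]
        auds = [k for kv in conditions.values() for k in kv if k.endswith(":aud")]
        if not subs:
            findings.append(f"statement {i}: no ':sub' condition, any service account "
                            "in the cluster can assume this role")
            continue
        if not auds:
            findings.append(f"statement {i}: no ':aud' condition, tokens projected for "
                            "other audiences are accepted too")
        for op, value in subs:
            for sub in (value if isinstance(value, list) else [value]):
                parts = sub.split(":")  # system:serviceaccount:<namespace>:<name>
                namespace = parts[2] if len(parts) > 2 else "*"
                if op == "StringEquals" and "*" in sub:
                    findings.append(f"statement {i}: StringEquals matches '*' literally, "
                                    f"'{sub}' will never match a real token")
                elif op == "StringLike" and "*" in namespace:
                    findings.append(f"statement {i}: '{sub}' matches service accounts "
                                    "in every namespace")
    return findings


if __name__ == "__main__":
    trust = irsa_trust_policy(ACCOUNT_ID, OIDC_ISSUER, "payments", "ledger-api")
    print(json.dumps(trust, indent=2))
    print(json.dumps(service_account_manifest(
        "ledger-api", "payments", f"arn:aws:iam::{ACCOUNT_ID}:role/ledger-api")))
    print("findings on strict policy:", lint_irsa_trust(trust))
```

The linter distinguishes the two wildcard mistakes that look alike in a diff: `StringLike` with `system:serviceaccount:*:*` is a security problem (every namespace), while `StringEquals` with a `*` in it is an availability problem, because StringEquals does not expand wildcards and the role simply cannot be assumed.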