localstack-iam

Analyze IAM policies, detect permission violations, and automatically generate least-privilege policies based on actual usage.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "localstack-iam" with this command: npx skills add localstack/skills/localstack-skills-localstack-iam

IAM Policy Analyzer

Capabilities

  • Enforce IAM policies locally

  • Detect permission violations

  • Auto-generate policies from access patterns

  • Analyze existing policies for issues

  • Test policies before deploying to AWS

Prerequisites

IAM enforcement requires LocalStack Pro:

export LOCALSTACK_AUTH_TOKEN=<your-token>

IAM Enforcement Modes

Enable Enforcement

Soft mode - logs violations but allows requests

ENFORCE_IAM=soft localstack start -d

Enforced mode - denies unauthorized requests

ENFORCE_IAM=1 localstack start -d

Configuration

Mode                  Behavior
Disabled (default)    No IAM checks
soft                  Logs violations, allows requests
1 / enforced          Full enforcement, denies unauthorized requests

Creating IAM Resources

Create a User with Policy

Create user

awslocal iam create-user --user-name dev-user

Create access key

awslocal iam create-access-key --user-name dev-user

Attach policy

awslocal iam attach-user-policy \
  --user-name dev-user \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

Create Custom Policy

Create policy from JSON file

awslocal iam create-policy \
  --policy-name my-custom-policy \
  --policy-document file://policy.json

Example policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

Policy Analysis

Detect Violations

  • Enable soft enforcement mode

  • Run your application

  • Check the logs for "access denied" messages

View IAM-related log entries

localstack logs | grep -i "access denied"
localstack logs | grep -i "iam"

Auto-Generate Policies

Based on access patterns observed in soft mode, create least-privilege policies:

  • Run application with ENFORCE_IAM=soft

  • Collect every accessed resource and action from the logs

  • Generate a minimal policy that covers only the observed access
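The three steps above (and the log grep in "Detect Violations") can be scripted. The example below is added here and is not part of the skill or of LocalStack: it parses soft-mode denial lines from the logs, aggregates actions per principal and resource, and emits a least-privilege identity policy. The log line layout and the `collapse_resource` helper are assumptions; adjust the regex to the lines your LocalStack instance actually emits.

```python
import json
import re
from collections import defaultdict

# Constructed sample of soft-mode log lines. The exact LocalStack log format is
# an assumption here; adapt LINE_RE to the output of `localstack logs | grep -i iam`.
SAMPLE_LOGS = """\
10:00:01 INFO IAM: principal arn:aws:iam::000000000000:user/dev-user action s3:GetObject resource arn:aws:s3:::my-bucket/file.txt denied (soft mode)
10:00:02 INFO IAM: principal arn:aws:iam::000000000000:user/dev-user action s3:PutObject resource arn:aws:s3:::my-bucket/out.txt denied (soft mode)
10:00:03 INFO IAM: principal arn:aws:iam::000000000000:user/dev-user action sqs:SendMessage resource arn:aws:sqs:us-east-1:000000000000:jobs denied (soft mode)
10:00:04 INFO IAM: principal arn:aws:iam::000000000000:user/dev-user action s3:GetObject resource arn:aws:s3:::my-bucket/other.txt denied (soft mode)
10:00:05 DEBUG health check ok
"""

LINE_RE = re.compile(
    r"principal (?P<principal>arn:aws:iam::\d{12}:\S+) "
    r"action (?P<action>[a-z0-9-]+:[A-Za-z0-9]+) "
    r"resource (?P<resource>arn:aws:\S+) denied"
)

def collapse_resource(arn: str) -> str:
    """Generalize S3 object ARNs to a bucket-wide object pattern (as in the page's
    policy.json); every other ARN is kept exactly as observed."""
    prefix = "arn:aws:s3:::"
    if arn.startswith(prefix) and "/" in arn[len(prefix):]:
        return f"{prefix}{arn[len(prefix):].split('/', 1)[0]}/*"
    return arn

def collect_access(log_text: str) -> dict:
    """Return {principal: {resource: set(actions)}} built from denial lines only."""
    access = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            access[m["principal"]][collapse_resource(m["resource"])].add(m["action"])
    return access

def generate_policy(resource_actions: dict) -> dict:
    """Build a minimal identity policy: one Allow statement per distinct resource,
    listing only the actions that were actually seen for it."""
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
        for resource, actions in sorted(resource_actions.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}

if __name__ == "__main__":
    for principal, resource_actions in collect_access(SAMPLE_LOGS).items():
        print(f"# generated policy for {principal}")
        print(json.dumps(generate_policy(resource_actions), indent=2))
```

Feed the generated document to `awslocal iam create-policy --policy-document file://...` and re-run the application under ENFORCE_IAM=1 to confirm nothing is still denied.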

Testing Policies

Simulate Policy

Test whether an action would be allowed for a principal

awslocal iam simulate-principal-policy \
  --policy-source-arn arn:aws:iam::000000000000:user/dev-user \
  --action-names s3:GetObject \
  --resource-arns arn:aws:s3:::my-bucket/file.txt

Validate Policy

Check policy syntax

awslocal accessanalyzer validate-policy \
  --policy-document file://policy.json \
  --policy-type IDENTITY_POLICY

Best Practices

  • Start with soft enforcement to discover required permissions

  • Use least-privilege principles when creating policies

  • Test policies locally before deploying to AWS

  • Regularly audit and refine policies based on actual usage

  • Use IAM roles instead of users where possible
