IAM Armor: static analyzer for AWS IAM policies in Terraform
Open source · MIT licensed

IAM Armor

Static security scanner for Terraform IAM policies. Catch over-permissioned roles, wildcards, and escalation paths before they merge.

The CLI is available today. The hosted GitHub App is not yet public.

What it scans

IAM Armor analyzes Terraform IAM resources and flags risky permission patterns with deterministic, explainable rules.

Wildcards

Detects Action: "*" and risky Action/Resource: "*" combinations, such as a service-wide action granted on every resource.

Privilege escalation

Flags iam:PassRole granted on Resource: "*" and attachments of administrator policies such as AdministratorAccess.

Trust policies

Catches wildcard ("*") or ambiguous principals in assume-role trust policies.

Policy hygiene

Identifies anti-patterns such as NotAction/NotResource in Allow statements, which grant everything not listed.
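To make the four rule families above concrete, here is an added example (not IAM Armor's code, and not its rule IDs or severities, which are assumptions chosen for this illustration) that runs simplified, deterministic versions of them over rendered policy JSON, i.e. the dict a Terraform jsonencode({...}) call in an aws_iam_policy or aws_iam_role assume_role_policy would produce, plus a check on a policy attachment ARN. It also shows how a --fail-on style threshold turns findings into an exit code. The sample policies are constructed for the example.

```python
"""Simplified, deterministic IAM rule checks over rendered policy JSON.

Added illustration, not IAM Armor's code: rule names, severities and helper
names are assumptions for this example.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    message: str


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalize to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _actions(stmt):
    # IAM action names are case-insensitive, so compare in lower case.
    return [a.lower() for a in _as_list(stmt.get("Action"))]


def _covers(actions, target):
    """True if any action pattern grants target: exact, 'service:*' or '*'."""
    service = target.split(":")[0]
    return any(a in ("*", f"{service}:*", target) for a in actions)


def _principals(stmt):
    """Flatten Principal ('*' or {'AWS': [...], 'Service': ...}) to a list."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return []


def check_policy(doc, name="policy"):
    """Run the rules over one policy document (the dict jsonencode() would emit)."""
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        where = f"{name} statement[{i}]"
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; the rules target grants
        actions = _actions(stmt)
        resources = _as_list(stmt.get("Resource"))
        # Wildcards: Action "*" is always high; "service:*" on Resource "*" is medium.
        if "*" in actions:
            findings.append(Finding("high", "wildcard-action",
                                    f'{where}: Action "*" grants every API call'))
        elif "*" in resources and any(a.endswith(":*") for a in actions):
            findings.append(Finding("medium", "service-wildcard-all-resources",
                                    f'{where}: service-wide action on Resource "*"'))
        # Privilege escalation: PassRole on any role lets the caller hand a more
        # privileged role to a service (Lambda, EC2, ...) it controls.
        if _covers(actions, "iam:passrole") and "*" in resources:
            findings.append(Finding("high", "passrole-any-role",
                                    f'{where}: iam:PassRole on Resource "*"'))
        # Trust policies: AssumeRole granted to Principal "*" is open to any account.
        if _covers(actions, "sts:assumerole") and "*" in _principals(stmt):
            findings.append(Finding("high", "open-trust-policy",
                                    f'{where}: sts:AssumeRole allowed for Principal "*"'))
        # Hygiene: NotAction/NotResource in an Allow grants everything not listed.
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append(Finding("medium", "negated-element",
                                        f"{where}: {key} in an Allow statement"))
    return findings


def check_attachment(policy_arn, name="attachment"):
    """Flag attachments of the AWS-managed AdministratorAccess policy."""
    if policy_arn.endswith(":policy/AdministratorAccess"):
        return [Finding("high", "admin-attachment", f"{name}: attaches {policy_arn}")]
    return []


def exit_code(findings, fail_on="high"):
    """1 if any finding is at or above the threshold (like --fail-on), else 0."""
    threshold = SEVERITY_RANK[fail_on]
    return 1 if any(SEVERITY_RANK[f.severity] >= threshold for f in findings) else 0


# Constructed sample input: what a risky policy and trust policy might render to.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}
SAMPLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    results = (check_policy(SAMPLE_POLICY, "app_policy")
               + check_policy(SAMPLE_TRUST, "app_role.assume_role_policy")
               + check_attachment("arn:aws:iam::aws:policy/AdministratorAccess", "app_role_admin"))
    for f in results:
        print(f"{f.severity.upper():6} {f.rule:32} {f.message}")
    print("exit", exit_code(results, fail_on="high"))
```

The rules deliberately ignore Deny statements and Condition blocks; a real scanner has to weigh conditions (for example iam:PassedToService on a PassRole grant) before scoring, and has to read the HCL rather than rendered JSON, which is the part this example leaves out.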

Quick install

pip install iamarmor
iamarmor scan .

Also supported: pipx install iamarmor and uvx iamarmor scan .

CI snippet

- uses: actions/checkout@v4   # the scan reads Terraform from the working tree
- name: Scan IAM policies
  run: |
    pip install iamarmor
    iamarmor scan . --fail-on high   # non-zero exit on high findings fails the job

Use this in pull request workflows to block merges on high-risk IAM findings.

Pre-commit hook

repos:
  - repo: https://github.com/iam-armor/iamarmor
    rev: v0.2.0
    hooks:
      - id: iamarmor

Add to .pre-commit-config.yaml to catch IAM findings on every commit.

Example CLI output

$ iamarmor scan modules/iam/
HIGH IAM001 Action: "*" is not allowed.
HIGH IAM005 iam:PassRole on Resource: "*".
MEDIUM IAM003 Inline policy detected; prefer managed policy.
3 findings (2 high, 1 medium) · exit 1

FAQ

Is IAM Armor open source?

Yes. The scanner is open source under the MIT license at github.com/iam-armor/iamarmor.

Does it require AWS credentials?

No. It statically analyzes Terraform source and runs offline.

Can I run it in GitHub Actions or any CI?

Yes. Install via pip, run iamarmor scan, and gate merges with --fail-on.

Is the GitHub App available?

Not yet. The OSS CLI is available today; the hosted app is planned separately.