IAM Armor Open-source IAM & cloud-permissions security scanner

Default Rule List

All rules included in the IAM Armor open-source default rule pack.

Rule Catalog

Ten built-in rules ship with iamarmor. Use these defaults as your baseline, then tune severities in .iamarmor.yml.

High severity

IAM001 (High): No Action wildcard
Blocks wildcard actions that grant unconstrained IAM permissions.
Category: Least privilege

IAM002 (High): No wildcard resource with sensitive actions
Flags risky action/resource combinations such as destructive APIs against *.
Category: Least privilege

IAM005 (High): No iam:PassRole on wildcard resource
Prevents pass-role escalation when all resources are allowed.
Category: Privilege escalation

IAM006 (High): No wildcard principal
Disallows broad principals in resource-based policies.
Category: Trust boundaries

IAM007 (High): Require concrete assume-role principal
Enforces explicit principals in assume_role_policy statements.
Category: Trust boundaries

IAM010 (High): No AdministratorAccess attachment
Detects direct attachment of the AWS managed AdministratorAccess policy.
Category: Managed policy hygiene

Medium severity

IAM003 (Medium): No inline policies
Recommends managed policies to improve reuse, reviewability, and audit trails.
Category: Policy management

IAM008 (Medium): No NotAction in allow statements
Avoids broad implicit grants caused by inverse action matching.
Category: Policy logic safety

IAM009 (Medium): No NotResource in allow statements
Prevents accidental permission expansion caused by inverse resource matching.
Category: Policy logic safety

Low severity

IAM004 (Low): Require max_session_duration
Encourages explicit role session boundaries for stronger runtime controls.
Category: Session hardening

For examples and rationale, see STARTER_RULES.md.