Audit an AWS IAM policy against CloudTrail usage data and propose a minimized policy listing only actions actually invoked in the analysis window.
Reads an existing IAM role's attached policies, queries CloudTrail (via Access Analyzer's policy-generation API) for actions that role actually used over a window, and proposes a minimized replacement policy.
Inputs:
- role_arn: target IAM role ARN.
- window_days: how many days of history to consider (max 90).
- output_path: defaults to iam-min-<role>.json.

Prerequisites:
- AWS credentials (e.g. in ~/.aws/credentials) with iam:GetRolePolicy, iam:ListAttachedRolePolicies, accessanalyzer:StartPolicyGeneration and accessanalyzer:GetGeneratedPolicy.

Steps:
1. List the role's attached policies: aws iam list-attached-role-policies --role-name $(basename <role_arn>).
2. Fetch each attached policy's default version document with aws iam get-policy-version.
3. Generate a usage-based policy from CloudTrail: aws accessanalyzer start-policy-generation --policy-generation-details principalArn=<role_arn>. Poll get-generated-policy until status is SUCCEEDED.
4. Diff the current policy's actions against the generated one and flag each action as unused (no calls in window) or risky (e.g., iam:*, s3:DeleteBucket).
5. Drop flagged actions from the replacement policy (unless they are on a must-keep allowlist).
6. Validate the result: aws accessanalyzer validate-policy --policy-document file://new.json --policy-type IDENTITY_POLICY and ensure zero ERROR findings.

Output: two artifacts, iam-min-<role>.json (the minimized policy) and iam-min-<role>.md (the rationale: actions removed by service, sample CloudTrail events that justified what stayed). Exit 0 if at least one action was removed.
Apply the new policy to a non-production role first: clone the role, attach the new policy, and run the workload's known operations against it. Watch CloudTrail for AccessDenied events for 24h. Iterate by adding any denied action back. Run aws accessanalyzer get-finding for any open findings on the role; the count must not increase post-rollout.
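The diff, classification, allowlist and artifact steps of the procedure above, as an added example that is not the skill's own code. The AWS calls (list-attached-role-policies, get-policy-version, start-policy-generation / get-generated-policy) are left to the CLI commands listed; this script works on their JSON output. The current policy, the generated policy, the RISKY set, the MUST_KEEP allowlist and the role name are constructed sample values, and the rationale file records the generated policy's actions rather than individual CloudTrail events.

```python
"""Minimize an IAM policy to the actions Access Analyzer observed in CloudTrail.

Added example. Inputs are the merged current policy document and the `policy`
string from get-generated-policy; AWS calls themselves are not made here.
"""
import fnmatch
import json
from collections import defaultdict

# Constructed sample: the role's current permissions, i.e. the merged default
# versions of its attached policies (what aws iam get-policy-version returns).
CURRENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Bucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "Admin", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Sid": "Queue", "Effect": "Allow",
         "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"], "Resource": "*"},
    ],
}

# Constructed sample: the policy Access Analyzer generated from the window's
# CloudTrail events (the `policy` JSON string in generatedPolicies[] once
# get-generated-policy reports status SUCCEEDED).
GENERATED_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:GetRole", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": "sqs:SendMessage", "Resource": "*"},
    ],
})

RISKY = {"*", "iam:*", "s3:DeleteBucket"}   # grants always called out in the rationale
MUST_KEEP = {"sqs:ReceiveMessage"}          # hypothetical allowlist: kept even if unused


def _as_list(value):
    """IAM allows Action/Resource/Statement as a string or a list; normalize."""
    return [value] if isinstance(value, str) else list(value or [])


def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def used_actions(generated_policy_json):
    """Concrete actions CloudTrail showed the role invoking during the window."""
    doc = json.loads(generated_policy_json)
    return {a for s in _allow_statements(doc) for a in _as_list(s.get("Action"))}


def _matches(pattern, action):
    # IAM action matching is case-insensitive; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def minimize(current_policy, used):
    """Return (minimized_policy, rationale, removed_count).

    Each action pattern is kept if allowlisted, dropped if nothing in `used`
    matches it, narrowed to the matching concrete actions if it is a wildcard,
    and otherwise kept as-is. Statements left with no actions are dropped.
    """
    rationale = {"removed": defaultdict(list), "narrowed": {}, "risky": []}
    statements, removed = [], 0
    for stmt in _allow_statements(current_policy):
        kept = []
        for pattern in _as_list(stmt.get("Action")):
            hits = sorted(a for a in used if _matches(pattern, a))
            if pattern in RISKY:
                rationale["risky"].append(pattern)
            if pattern in MUST_KEEP:
                kept.append(pattern)
            elif not hits:
                rationale["removed"][pattern.split(":")[0]].append(pattern)
                removed += 1
            elif "*" in pattern or "?" in pattern:
                kept.extend(hits)            # e.g. iam:* -> [iam:GetRole, iam:PassRole]
                rationale["narrowed"][pattern] = hits
                removed += 1
            else:
                kept.append(pattern)
        if kept:
            statements.append({**stmt, "Action": sorted(set(kept))})
    rationale["removed"] = dict(rationale["removed"])
    minimized = {"Version": current_policy.get("Version", "2012-10-17"), "Statement": statements}
    return minimized, rationale, removed


def rationale_markdown(role_name, rationale):
    lines = [f"# Minimized policy rationale for {role_name}", ""]
    for service, actions in sorted(rationale["removed"].items()):
        lines.append(f"- {service}: removed {', '.join(actions)} (no CloudTrail calls in window)")
    for pattern, concrete in rationale["narrowed"].items():
        lines.append(f"- narrowed `{pattern}` to {', '.join(concrete)}")
    for pattern in rationale["risky"]:
        lines.append(f"- risky grant reviewed: `{pattern}`")
    return "\n".join(lines) + "\n"


def write_artifacts(role_name, minimized, markdown):
    """Write iam-min-<role>.json and iam-min-<role>.md; return their paths."""
    json_path, md_path = f"iam-min-{role_name}.json", f"iam-min-{role_name}.md"
    with open(json_path, "w", encoding="utf-8") as f:
        json.dump(minimized, f, indent=2)
    with open(md_path, "w", encoding="utf-8") as f:
        f.write(markdown)
    return json_path, md_path


if __name__ == "__main__":
    import sys
    role = "example-role"  # hypothetical: basename of role_arn
    policy, why, n_removed = minimize(CURRENT_POLICY, used_actions(GENERATED_POLICY_JSON))
    print(*write_artifacts(role, policy, rationale_markdown(role, why)))
    sys.exit(0 if n_removed else 1)  # exit 0 only when at least one action was removed
```

On the sample input the wildcard grant iam:* is narrowed to the two IAM actions actually observed, s3:PutObject and s3:DeleteBucket are removed as unused, and sqs:ReceiveMessage survives only because it is allowlisted; the resulting new.json is what step 6's validate-policy call should be run against before rollout.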
Same domains or capabilities as amitte/aws-iam-policy-minimizer.
Read-only AWS CloudWatch surface — query_logs (Logs Insights), get_metric_data, list_log_groups. Auth via STS-assumed role.
Map a SOC2 or ISO 27001 control to evidence artifacts in a typical engineering org — produce a list of artifacts, owners, and the query or path that produces each.
Scan a container image with Trivy or Grype and surface fixes ranked by exploitability and patch availability.
Audit a CORS configuration for over-permissive Origin, Methods, and Headers and propose a tightened policy keyed to actual cross-origin call patterns.
Tighten a Content-Security-Policy by stripping wildcards and verifying the result against actual page resource loads observed in browser logs.
Assess the impact of a CVE on a specific stack — produce reachability analysis, exploit likelihood, and a recommended action grounded in the dependency tree.