We’re excited to announce the release of our new free community cloud security tool, IAM AWS Policy Evaluator (IAM APE), designed to help developers optimize their Identity and Access Management (IAM) policies on Amazon Web Services (AWS).

The IAM AWS Policy Evaluator is an open source, automated tool that we designed to simplify the process of calculating effective permissions for an AWS entity. The tool gathers all the IAM policies present in your account, and then calculates the effective permissions that each entity – User, Group, or Role – has. It presents you with a single policy, summarizing all of their actual permissions.

The tool is available on Orca Security’s official GitHub repo, as well as through PyPI, the official Python Package Index. While the benefits of the AWS IAM Policy Evaluator tool are included in the Orca Cloud Security Platform as part of our CIEM capabilities, at Orca it is our mission to make the cloud a safer place for everyone, which is why we’ve made our tool available to the developer community.

The Complexity of AWS IAM Policies

As cloud infrastructures continue to grow, it becomes increasingly important to have robust Identity and Access Management (IAM) policies in place to ensure secure access to resources. AWS provides a comprehensive IAM service that allows for fine-grained control over access to various resources within an AWS account. However, with great power comes great complexity, and managing and auditing IAM policies can quickly become a daunting task. This is why we decided to develop “IAM APE” and make it available to the cloud security community.

How Orca’s AWS Policy Evaluator Simplifies IAM Policy Management

The tool is specifically designed to simplify the often complex task of IAM policy management, making it easier for developers, system administrators, or anyone responsible for IAM policies to ensure that their AWS accounts are properly secured against unauthorized access. With our tool, developers can easily visualize and manage their IAM policies, identify and remove unused permissions, and gain better visibility into potential security risks.

Figure: IAM APE usage and additional arguments

Ensuring the correct access level

IAM APE is especially useful for organizations with complex IAM policies, where it can be difficult to keep track of all the policies and permissions assigned to each entity. Users alone can have inline policies, attached managed policies (both AWS-managed and customer-managed), and a permissions boundary, and they can also be part of multiple IAM Groups! With IAM APE, administrators can quickly and easily determine the permissions assigned to a particular entity and ensure that they have the correct level of access to the resources they need.

Using IAM APE is straightforward. It can use any of your preconfigured AWS CLI profiles, or you can provide it with the authorization details report generated by AWS. Enter the ARN of the entity you want to know the permissions of, and the tool will generate a report detailing the effective permissions of that entity. The report provides a clear overview of the permissions assigned to the entity, making it easy to identify any potential security issues or areas where access can be improved.
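To show what merging these sources involves, the following added sketch (not IAM APE's code, and not from Orca's repository) collects a user's inline, attached managed, group, and boundary policies from a report shaped like the output of `aws iam get-account-authorization-details`, then checks an action against them. It assumes every `Statement` and `Action` is a list and matches on `Action` only, so `Resource`, `Condition`, `NotAction`, SCPs, and resource-based policies are out of scope; the account, user, group, and policy names are constructed.

```python
import fnmatch
ACCT = "arn:aws:iam::111122223333"  # constructed account ID, not a real one

def _doc(effect, *actions):
    return {"Statement": [{"Effect": effect, "Action": list(actions), "Resource": "*"}]}

def _managed(name, doc):
    return {"Arn": f"{ACCT}:policy/{name}",
            "PolicyVersionList": [{"IsDefaultVersion": True, "Document": doc}]}

REPORT = {  # constructed sample, shaped like get-account-authorization-details output
    "UserDetailList": [{
        "Arn": f"{ACCT}:user/alice", "GroupList": ["devs"],
        "UserPolicyList": [{"PolicyDocument": _doc("Allow", "s3:*")}],
        "AttachedManagedPolicies": [{"PolicyArn": f"{ACCT}:policy/deny-delete"}],
        "PermissionsBoundary": {"PermissionsBoundaryArn": f"{ACCT}:policy/boundary"}}],
    "GroupDetailList": [{"GroupName": "devs", "GroupPolicyList": [],
                         "AttachedManagedPolicies": [{"PolicyArn": f"{ACCT}:policy/ec2-all"}]}],
    "Policies": [_managed("deny-delete", _doc("Deny", "s3:Delete*")),
                 _managed("ec2-all", _doc("Allow", "ec2:*")),
                 _managed("boundary", _doc("Allow", "s3:*", "ec2:Describe*"))],
}

def statements(report, user_arn):
    """Return (identity statements, boundary statements or None) for one user."""
    managed = {p["Arn"]: next(v["Document"] for v in p["PolicyVersionList"]
                              if v["IsDefaultVersion"]) for p in report["Policies"]}
    user = next(u for u in report["UserDetailList"] if u["Arn"] == user_arn)
    groups = [g for g in report["GroupDetailList"] if g["GroupName"] in user["GroupList"]]
    docs = [p["PolicyDocument"] for p in user.get("UserPolicyList", [])]
    docs += [managed[a["PolicyArn"]] for a in user.get("AttachedManagedPolicies", [])]
    for g in groups:
        docs += [p["PolicyDocument"] for p in g.get("GroupPolicyList", [])]
        docs += [managed[a["PolicyArn"]] for a in g.get("AttachedManagedPolicies", [])]
    pb = user.get("PermissionsBoundary")
    boundary = managed[pb["PermissionsBoundaryArn"]]["Statement"] if pb else None
    return [s for d in docs for s in d["Statement"]], boundary

def _hit(stmts, effect, action):
    return any(s["Effect"] == effect and
               any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in s["Action"])
               for s in stmts)

def is_allowed(report, user_arn, action):
    """Explicit Deny wins; else need an identity Allow that the boundary also allows."""
    identity, boundary = statements(report, user_arn)
    if _hit(identity + (boundary or []), "Deny", action):
        return False
    return _hit(identity, "Allow", action) and (boundary is None or _hit(boundary, "Allow", action))
```

In the sample, the group grants `ec2:*` but the boundary only permits `ec2:Describe*`, so `ec2:RunInstances` is not effective even though an attached policy allows it.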

In summary, IAM APE is a powerful tool for organizations looking to simplify their IAM policy management and ensure secure access to their AWS resources. By automating the process of calculating effective permissions, IAM APE helps administrators save time and resources while also improving the overall security posture of the organization. 

Figure: IAM APE takes an entity’s IAM policies from all possible sources and presents them in a single evaluated policy

Making cloud security more accessible 

Our objective is to make the cloud a safer place. We believe that security should be accessible to everyone, which is why we’ve made our tool available to the entire community. The research team at Orca Security has played an integral role in AWS cloud security risk discovery and education, through exposing vulnerabilities including Superglue and BreakingFormation, as well as releasing the Cloud Risk Encyclopedia to the public. We’ve previously released other tools to the community, including:

With the same goal in mind, we believe IAM APE will provide unique benefits to the AWS community.  Give IAM APE a try and take the first step towards securing your AWS infrastructure. It is available on Orca’s official GitHub repo, as well as through PyPI, the official Python Package Index.