localstack-iam
IAM Policy Analyzer
Analyze IAM policies, detect permission violations, and automatically generate least-privilege policies based on actual usage.
Capabilities
- Enforce IAM policies locally
- Detect permission violations
- Auto-generate policies from access patterns
- Analyze existing policies for issues
- Test policies before deploying to AWS
Prerequisites
IAM enforcement requires LocalStack Pro:
```shell
export LOCALSTACK_AUTH_TOKEN=<your-token>
```
IAM Enforcement Modes
Enable Enforcement
```shell
# Soft mode - logs violations but allows requests
ENFORCE_IAM=soft localstack start -d
# Enforced mode - denies unauthorized requests
ENFORCE_IAM=1 localstack start -d
```
Configuration
| Mode | Behavior |
|---|---|
| Disabled (default) | No IAM checks |
| soft | Logs violations, allows requests |
| 1 / enforced | Full enforcement, denies unauthorized requests |
Creating IAM Resources
Create a User with Policy
```shell
# Create user
awslocal iam create-user --user-name dev-user
# Create access key
awslocal iam create-access-key --user-name dev-user
# Attach policy
awslocal iam attach-user-policy \
  --user-name dev-user \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
```
Create Custom Policy
```shell
# Create policy from JSON file
awslocal iam create-policy \
  --policy-name my-custom-policy \
  --policy-document file://policy.json
```
Example policy.json:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
```
Policy Analysis
Detect Violations
- Enable soft enforcement mode
- Run your application
- Check logs for access denied messages
```shell
# View IAM-related log entries
localstack logs | grep -i "access denied"
localstack logs | grep -i "iam"
```
Auto-Generate Policies
Based on access patterns observed in soft mode, create least-privilege policies:
- Run the application with `ENFORCE_IAM=soft`
- Collect all accessed resources and actions from the logs
- Generate a minimal policy covering only the observed access
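The three steps above, carried through as an added example (not code from the localstack/skills page or from LocalStack itself): parse soft-mode log lines, aggregate the actions used per resource for one principal, and emit a least-privilege policy document. The log line format, the `SAMPLE_LOGS` text and the helper names (`parse_log_line`, `collect_access`, `generalize_resource`, `build_policy`) are constructed for this example; LocalStack's real soft-mode output may be worded differently, so adapt `LINE_RE` to what `localstack logs` actually prints.

```python
"""Generate a least-privilege IAM policy from access observed in soft-enforcement logs.

Added example, not part of the localstack/skills page or LocalStack's own code.
The log format below is an assumption made for this example.
"""
import json
import re
from collections import defaultdict

# Constructed sample lines: each records a principal, the API action and the resource touched.
SAMPLE_LOGS = """
2024-01-01T10:00:00 INFO iam: Allowed action s3:GetObject on arn:aws:s3:::my-bucket/reports/q1.csv for arn:aws:iam::000000000000:user/dev-user
2024-01-01T10:00:01 WARN iam: Access denied (soft mode) action s3:PutObject on arn:aws:s3:::my-bucket/reports/q2.csv for arn:aws:iam::000000000000:user/dev-user
2024-01-01T10:00:02 WARN iam: Access denied (soft mode) action s3:GetObject on arn:aws:s3:::my-bucket/reports/q3.csv for arn:aws:iam::000000000000:user/dev-user
2024-01-01T10:00:03 WARN iam: Access denied (soft mode) action sqs:SendMessage on arn:aws:sqs:us-east-1:000000000000:jobs for arn:aws:iam::000000000000:user/dev-user
2024-01-01T10:00:04 INFO lambda: invoking function handler
"""

# Assumed line shape: "... action <service:Action> on <resource ARN> for <principal ARN>"
LINE_RE = re.compile(
    r"action (?P<action>[a-z0-9-]+:[A-Za-z0-9*]+) on (?P<resource>arn:[^ ]+) for (?P<principal>arn:[^ ]+)"
)


def parse_log_line(line):
    """Return (principal, action, resource) for an IAM access line, or None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("principal"), m.group("action"), m.group("resource")


def generalize_resource(arn):
    """Collapse an S3 object ARN to its key prefix so one statement covers the whole folder.

    Non-S3 ARNs are returned unchanged; over-generalising them would widen the policy.
    """
    s3_prefix = "arn:aws:s3:::"
    if arn.startswith(s3_prefix) and "/" in arn[len(s3_prefix):]:
        bucket, key = arn[len(s3_prefix):].split("/", 1)
        folder = key.rsplit("/", 1)[0] + "/" if "/" in key else ""
        return f"{s3_prefix}{bucket}/{folder}*"
    return arn


def collect_access(log_text, principal):
    """Map each (generalised) resource to the set of actions the given principal used on it."""
    access = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None or parsed[0] != principal:
            continue
        _, action, resource = parsed
        access[generalize_resource(resource)].add(action)
    return access


def build_policy(access):
    """Emit one Allow statement per resource, listing only the actions actually observed."""
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
        for resource, actions in sorted(access.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    observed = collect_access(SAMPLE_LOGS, "arn:aws:iam::000000000000:user/dev-user")
    print(json.dumps(build_policy(observed), indent=2))
```

The generated document can be written to `policy.json` and fed to `awslocal iam create-policy` as shown above. Both allowed and soft-denied lines are collected, since the goal is the full set of permissions the application needs, not only the ones the current policy lacks; review the prefix generalisation before deploying, as collapsing keys to `folder/*` is a convenience that trades a little precision for fewer statements.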
Testing Policies
Simulate Policy
```shell
# Test if action would be allowed
awslocal iam simulate-principal-policy \
  --policy-source-arn arn:aws:iam::000000000000:user/dev-user \
  --action-names s3:GetObject \
  --resource-arns arn:aws:s3:::my-bucket/file.txt
```
Validate Policy
```shell
# Check policy syntax
awslocal accessanalyzer validate-policy \
  --policy-document file://policy.json \
  --policy-type IDENTITY_POLICY
```
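As an added example for the two checks above (not code from the localstack/skills page or from LocalStack), the following evaluates an action/resource pair against a policy document in the style of `simulate-principal-policy` and flags over-broad Allow statements in the style of a least-privilege lint. It implements a deliberately simplified subset of IAM evaluation: an explicit Deny wins over Allow, anything not matched is an implicit deny, and `*`/`?` wildcards in `Action` and `Resource` are honoured; conditions, `NotAction`/`NotResource`, principals and resource-based policies are not modelled. `SAMPLE_POLICY` and the function names `evaluate` and `find_broad_statements` are constructed for this example.

```python
"""Offline pre-flight checks on an identity policy before it reaches LocalStack or AWS.

Added example, not part of the localstack/skills page or LocalStack's code. Covers only a
subset of IAM semantics (no conditions, NotAction, NotResource or resource-based policies),
so treat it as a sanity check, not a replacement for simulate-principal-policy.
"""
import fnmatch
import json

# Constructed sample policy, shaped like the policy.json shown earlier on the page.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Effect": "Deny",  "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/readonly/*"},
    {"Effect": "Allow", "Action": "sqs:*", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM wildcards are * and ?; escape [ so fnmatch treats brackets in ARNs literally."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def evaluate(policy, action, resource):
    """Return 'allowed', 'explicitDeny' or 'implicitDeny', the EvalDecision values the simulate API uses."""
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(_matches(p, action) for p in _as_list(stmt["Action"]))
        resource_hit = any(_matches(p, resource) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"  # an explicit Deny overrides any Allow
        decision = "allowed"
    return decision


def find_broad_statements(policy):
    """Flag Allow statements whose Action is service-wide (svc:*) or whose Action/Resource is a bare *."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        for field in ("Action", "Resource"):
            for pattern in _as_list(stmt[field]):
                if pattern == "*" or pattern.endswith(":*"):
                    findings.append((index, field, pattern))
    return findings


if __name__ == "__main__":
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::my-bucket/file.txt"),
        ("s3:PutObject", "arn:aws:s3:::my-bucket/readonly/a.txt"),
        ("s3:DeleteObject", "arn:aws:s3:::my-bucket/file.txt"),
    ]:
        print(f"{action} on {resource}: {evaluate(SAMPLE_POLICY, action, resource)}")
    for index, field, pattern in find_broad_statements(SAMPLE_POLICY):
        print(f"statement {index}: {field} uses broad pattern {pattern!r}")
```

Run the linter over a policy produced from soft-mode logs as a second opinion before `create-policy`: a finding on `Resource: "*"` or `sqs:*` is exactly the kind of grant that `accessanalyzer validate-policy` and a least-privilege review would push back on, and the evaluator lets you confirm that a Deny statement really takes precedence for the paths you intend.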
Best Practices
- Start with soft enforcement to discover required permissions
- Use least-privilege principles when creating policies
- Test policies locally before deploying to AWS
- Regularly audit and refine policies based on actual usage
- Use IAM roles instead of users where possible