localstack/localstack-iam
skills/iam-policy-analyzer/SKILL.md
Analyze and enforce IAM policies in LocalStack. Use when users want to enable IAM enforcement, detect permission violations, auto-generate least-privilege policies, or test IAM policies locally before deploying to AWS.
$ install --global
skillsauthnpx skillsauth add localstack/skills localstack-iamInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 12, 2026, 6:42 AM169.9s1 file scanned
SKILL.md
- name:
- localstack-iam
- description:
- Analyze and enforce IAM policies in LocalStack. Use when users want to enable IAM enforcement, detect permission violations, auto-generate least-privilege policies, or test IAM policies locally before deploying to AWS.
IAM Policy Analyzer
Analyze IAM policies, detect permission violations, and automatically generate least-privilege policies based on actual usage.
Capabilities
- Enforce IAM policies locally
- Detect permission violations
- Auto-generate policies from access patterns
- Analyze existing policies for issues
- Test policies before deploying to AWS
Prerequisites
IAM enforcement requires LocalStack Pro:
export LOCALSTACK_AUTH_TOKEN=<your-token>
IAM Enforcement Modes
Enable Enforcement
# Soft mode - logs violations but allows requests
ENFORCE_IAM=soft localstack start -d
# Enforced mode - denies unauthorized requests
ENFORCE_IAM=1 localstack start -d
Configuration
| Mode | Behavior |
|------|----------|
| Disabled (default) | No IAM checks |
| soft | Logs violations, allows requests |
| 1 / enforced | Full enforcement, denies unauthorized |
Creating IAM Resources
Create a User with Policy
# Create user
awslocal iam create-user --user-name dev-user
# Create access key
awslocal iam create-access-key --user-name dev-user
# Attach policy
awslocal iam attach-user-policy \
--user-name dev-user \
--policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
Create Custom Policy
# Create policy from JSON file
awslocal iam create-policy \
--policy-name my-custom-policy \
--policy-document file://policy.json
# Example policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
Policy Analysis
Detect Violations
- Enable soft enforcement mode
- Run your application
- Check logs for access denied messages
# View IAM-related log entries
localstack logs | grep -i "access denied"
localstack logs | grep -i "iam"
Auto-Generate Policies
Based on access patterns observed in soft mode, create least-privilege policies:
- Run application with
ENFORCE_IAM=soft - Collect all accessed resources and actions from logs
- Generate minimal policy covering observed access
Testing Policies
Simulate Policy
# Test if action would be allowed
awslocal iam simulate-principal-policy \
--policy-source-arn arn:aws:iam::000000000000:user/dev-user \
--action-names s3:GetObject \
--resource-arns arn:aws:s3:::my-bucket/file.txt
Validate Policy
# Check policy syntax
awslocal accessanalyzer validate-policy \
--policy-document file://policy.json \
--policy-type IDENTITY_POLICY
Best Practices
- Start with soft enforcement to discover required permissions
- Use least-privilege principles when creating policies
- Test policies locally before deploying to AWS
- Regularly audit and refine policies based on actual usage
- Use IAM roles instead of users where possible
Related Skills
localstack/localstack-state
devops
VerifiedTrustedCommunity
Manage LocalStack state and snapshots. Use when users want to save, load, export, or import LocalStack state, work with Cloud Pods, create local snapshots, or enable persistence across restarts.
10SKILL.mdUpdated May 12, 2026
localstack/localstack-logs
development
VerifiedTrustedCommunity
Analyze LocalStack logs and debug issues. Use when users need to view LocalStack logs, debug AWS API errors, troubleshoot Lambda functions, identify error patterns, or enable debug mode.
10SKILL.mdUpdated May 12, 2026
localstack/localstack
testing
VerifiedTrustedCommunity
Manage LocalStack container lifecycle. Use when users need to start, stop, restart, or check status of LocalStack, configure LocalStack environment variables, or troubleshoot LocalStack container issues.
10SKILL.mdUpdated May 12, 2026
localstack/localstack-extensions
tools
VerifiedTrustedCommunity
Manage LocalStack Extensions. Use when users want to install, uninstall, list, or configure LocalStack extensions, or develop custom extensions to extend LocalStack functionality.
10SKILL.mdUpdated May 12, 2026