Least privilege AWS IAM using Terraform

AirIAM moves existing AWS IAM configurations to a least-privilege Terraform configuration.
It scans AWS IAM activity and creates a new template that gives every user or process exactly the set of permissions it actually uses.


AirIAM is written in Python and provides a simple method to identify unused permissions, cluster similar entities and manage version-controlled IAM policies.


Discover excessive permissions
AirIAM removes unwanted access to AWS resources using the activity baseline maintained in IAM Access Advisor. It detects over-permissive access and rightsizes permissions based on observed activity.
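An added example (not AirIAM's own code) of the rightsizing step described above: an Access Advisor report, shaped like the response of the IAM GetServiceLastAccessedDetails API, is compared against the services a policy grants, and Allow actions for services with no use in the last 90 days are dropped. The report, the policy document and the "now" timestamp are constructed sample data.

```python
from datetime import datetime, timedelta, timezone
LOOKBACK_DAYS = 90  # AirIAM's default activity window; configurable

# Constructed sample, shaped like iam.get_service_last_accessed_details(JobId=...)
# for one role (the JobId comes from iam.generate_service_last_accessed_details).
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
SAMPLE_REPORT = {"ServicesLastAccessed": [
    {"ServiceNamespace": "s3", "LastAuthenticated": NOW - timedelta(days=3)},
    {"ServiceNamespace": "dynamodb", "LastAuthenticated": NOW - timedelta(days=120)},
    {"ServiceNamespace": "iam"},  # no LastAuthenticated key: never used at all
    {"ServiceNamespace": "logs", "LastAuthenticated": NOW - timedelta(days=1)},
]}
# Constructed sample: the policy document attached to that role.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "logs:PutLogEvents"], "Resource": "*"},
]}

def _actions(stmt):
    """Action may be a string or a list; normalise to a list."""
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)

def _namespace(action):
    """'s3:GetObject' -> 's3'; a bare '*' has no namespace and yields None."""
    return action.split(":", 1)[0].lower() if ":" in action else None

def granted_namespaces(policy):
    """Service namespaces that appear in Allow statements of the policy."""
    return {ns for s in policy["Statement"] if s.get("Effect") == "Allow"
            for ns in map(_namespace, _actions(s)) if ns}

def unused_namespaces(report, policy, now=NOW, lookback_days=LOOKBACK_DAYS):
    """Granted services with no authenticated use inside the lookback window."""
    cutoff = now - timedelta(days=lookback_days)
    used = {s["ServiceNamespace"] for s in report["ServicesLastAccessed"]
            if s.get("LastAuthenticated") and s["LastAuthenticated"] >= cutoff}
    return granted_namespaces(policy) - used

def rightsize(policy, unused):
    """Drop Allow actions for unused services; an emptied statement is removed, a bare '*' stays."""
    out = []
    for s in policy["Statement"]:
        kept = [a for a in _actions(s) if _namespace(a) not in unused]
        if s.get("Effect") != "Allow":
            out.append(s)            # Deny statements are never loosened
        elif kept:
            out.append({**s, "Action": kept})
    return {**policy, "Statement": out}
```

With the sample data, `dynamodb` (last used 120 days ago) and `iam` (never used) are reported unused, and the rightsized policy keeps only the `s3` and `logs` actions.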

Make IAM maintainable
Cluster users, services and roles into groups by their IAM activity in the past 90 days (configurable). This finds similar entities in your IAM configuration and helps you maintain order across your organization.

Version control your IAM
AWS Identity and Access Management enables you to manage access to AWS services and resources securely. IAM gives you fine-grained access control over which actions can be performed on a given resource in AWS. However, it also introduces a new level of complexity. AirIAM codifies all AWS IAM entities into a Terraform template that can be committed to a source control system and tracked as part of your SDLC. This is useful if your environment was created manually and you would like to migrate the IAM entities into infrastructure code.

Easily integrated with policy as code
AirIAM can easily integrate with any infrastructure-code policy engine, such as its sibling Checkov. Checkov is a static code analysis tool for infrastructure as code. It scans cloud infrastructure managed in Terraform or CloudFormation and detects misconfigurations.

Simple and open-source

Install from PyPI using pip

Detect unused permissions and entities and mark them for deletion

Cluster entities by their real-life activity and make your IAM maintainable

Export results into version-controlled Terraform code

Install from PyPI using pip

Select an input folder that contains your Terraform & CloudFormation files and run scans

Export results as color-coded CLI output

Integrate scans into your CI/CD pipelines
