CloudPolicyLens is a defensive cloud security project for reviewing IAM-style JSON policies. It flags risky permissions, explains why they matter, and gives remediation guidance that is practical for security reviews and pull requests.
- Full administrative access through `Action: "*"` or wildcard services.
- Wildcard resources on sensitive actions.
- Public or external principals in allow statements.
- `iam:PassRole` without tight resource and service constraints.
- Sensitive identity actions without MFA conditions.
- `Allow` statements using `NotAction`, which can be dangerously broad.
```powershell
python -m venv .venv
.\.venv\Scripts\Activate.ps1
pip install -e . pytest
cloudpolicylens scan samples\risky-policy.json
pytest
```

```powershell
cloudpolicylens scan samples\risky-policy.json --json
```

This prints machine-readable findings that can be attached to CI or a pull request review.
- Cloud security reviews need explainability, not just pass/fail checks.
- The analyzer treats each statement independently so reviewers can point to exact policy locations.
- Rules are deterministic and easy to extend for organization-specific guardrails.
- This is safe defensive tooling: it analyzes local JSON files only.
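As an added illustration of the detection list at the top of this page and of the per-statement, deterministic design described in these notes, the following Python is example code written for this page, not CloudPolicyLens's own implementation. The rule identifiers, severity labels, sensitive-action lists and the sample policy (its Sids, account id and bucket name) are all constructed assumptions; each statement is evaluated on its own and every finding carries its location, the reason it matters and a remediation hint.

```python
# Illustrative IAM policy rule checker; not the CloudPolicyLens code base.
import json
from typing import Any, Dict, List

# Constructed sample policy: Sids, account id and ARNs are made up for this demo.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Admin",  "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "Pass",   "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Sid": "Public", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "Neg",    "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    {"Sid": "Keys",   "Effect": "Allow", "Action": "iam:CreateAccessKey",
     "Resource": "arn:aws:iam::123456789012:user/${aws:username}"},
    {"Sid": "Scoped", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
  ]
}
""")

# Assumed rule data; an organisation would tune these to its own guardrails.
SENSITIVE_PREFIXES = ("iam:", "sts:", "kms:", "secretsmanager:")
SENSITIVE_IDENTITY_ACTIONS = {"iam:CreateAccessKey", "iam:CreateLoginProfile",
                              "iam:UpdateLoginProfile", "iam:AttachUserPolicy"}


def _as_list(value: Any) -> List[Any]:
    """Policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_keys(stmt: Dict[str, Any]) -> set:
    """Flatten Condition -> {operator: {key: value}} into the set of keys used."""
    keys = set()
    for key_values in stmt.get("Condition", {}).values():
        keys.update(key_values.keys())
    return keys


def _public_principal(stmt: Dict[str, Any]) -> bool:
    """True when Principal is '*' or any principal type lists '*'."""
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def check_statement(stmt: Dict[str, Any], index: int) -> List[Dict[str, str]]:
    """Evaluate one statement independently and return explainable findings."""
    findings: List[Dict[str, str]] = []
    if stmt.get("Effect") != "Allow":
        return findings  # Deny statements narrow access; these rules target grants.
    location = stmt.get("Sid") or f"Statement[{index}]"
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    cond_keys = _condition_keys(stmt)

    def add(rule: str, severity: str, why: str, fix: str) -> None:
        findings.append({"rule": rule, "severity": severity, "location": location,
                         "why": why, "fix": fix})

    if "*" in actions or any(a.endswith(":*") for a in actions):
        add("ADMIN_WILDCARD_ACTION", "critical",
            "Action '*' or 'service:*' grants every API in scope.",
            "List the specific actions the workload needs.")
    elif "*" in resources and any(a.startswith(SENSITIVE_PREFIXES) for a in actions):
        add("WILDCARD_RESOURCE_SENSITIVE", "high",
            "Sensitive action allowed on every resource.",
            "Scope Resource to the exact ARNs.")
    if _public_principal(stmt):
        add("PUBLIC_PRINCIPAL", "high",
            "Principal '*' allows anonymous or external callers.",
            "Restrict Principal to known account or role ARNs.")
    if "iam:PassRole" in actions and ("*" in resources
                                      or "iam:PassedToService" not in cond_keys):
        add("PASSROLE_UNCONSTRAINED", "high",
            "PassRole without a role ARN and iam:PassedToService condition.",
            "Scope Resource to the role ARN and add an iam:PassedToService condition.")
    if SENSITIVE_IDENTITY_ACTIONS & set(actions) and "aws:MultiFactorAuthPresent" not in cond_keys:
        add("IDENTITY_ACTION_NO_MFA", "medium",
            "Credential-changing action allowed without an MFA condition.",
            "Add Condition Bool aws:MultiFactorAuthPresent = true.")
    if "NotAction" in stmt:
        add("ALLOW_NOTACTION", "high",
            "Allow with NotAction grants everything except the listed actions.",
            "Rewrite as an explicit Action allow-list.")
    return findings


def scan_policy(policy: Dict[str, Any]) -> List[Dict[str, str]]:
    """Run every rule over every statement; ordering follows the policy, so output is deterministic."""
    findings: List[Dict[str, str]] = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        findings.extend(check_statement(stmt, index))
    return findings


if __name__ == "__main__":
    # JSON output is the shape a CI step or PR comment bot would consume.
    print(json.dumps(scan_policy(SAMPLE_POLICY), indent=2))
```

Running the module prints six findings for the sample: one each for the `Admin`, `Public`, `Neg` and `Keys` statements and two for `Pass` (an unconstrained `iam:PassRole` is also a sensitive action on a wildcard resource), while the MFA-gated, resource-scoped `Scoped` statement produces none. Because each statement is checked in isolation, a reviewer can quote the offending Sid directly in a pull request comment.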