{"id":2664,"library":"policy-sentry","title":"Policy Sentry","description":"Policy Sentry is an AWS IAM Least Privilege Policy Generator, auditor, and analysis database, currently at version 0.15.1. It compiles database tables based on the AWS IAM Documentation on Actions, Resources, and Condition Keys and leverages that data to create least-privilege IAM policies. It helps organizations limit the blast radius in the event of a breach and scale the creation of secure IAM policies. The project maintains an active release cadence with frequent updates.","status":"active","version":"0.15.1","language":"en","source_language":"en","source_url":"https://github.com/salesforce/policy_sentry","tags":["aws","iam","security","policy","least-privilege"],"install":[{"cmd":"pip install policy-sentry","lang":"bash","label":"PyPI (recommended)"},{"cmd":"pip3 install --user policy_sentry","lang":"bash","label":"PyPI (user install)"},{"cmd":"brew tap salesforce/policy_sentry https://github.com/salesforce/policy_sentry\nbrew install policy_sentry","lang":"bash","label":"Homebrew (macOS)"}],"dependencies":[],"imports":[{"note":"The library entry point for writing a policy from a template dictionary is `write_policy_with_template` in `policy_sentry.command.write_policy`.","wrong":"from policy_sentry.util.policy import write_policy","symbol":"write_policy_with_template","correct":"from policy_sentry.command.write_policy import write_policy_with_template"},{"note":"Querying functions are organized under `policy_sentry.querying`.","wrong":"from policy_sentry.actions import get_actions_for_service","symbol":"get_actions_for_service","correct":"from policy_sentry.querying.actions import get_actions_for_service"}],"quickstart":{"code":"import json\n\nfrom policy_sentry.command.write_policy import write_policy_with_template\n\n# Define the policy requirements using a dictionary that mirrors the CRUD YAML template structure\npolicy_definition = {\n    \"mode\": \"crud\",\n    \"name\": \"MyS3ReadPolicy\",\n    \"read\": [\n        \"arn:aws:s3:::my-unique-bucket\",\n        \"arn:aws:s3:::my-unique-bucket/*\"\n    ],\n    \"write\": [],\n    \"list\": [\n        \"arn:aws:s3:::my-unique-bucket\"\n    ],\n    \"tagging\": [],\n    \"permissions-management\": [],\n    \"wildcard-only\": {\n        \"single-actions\": [],\n        \"service-read\": [],\n        \"service-write\": [],\n        \"service-list\": [],\n        \"service-tagging\": [],\n        \"service-permissions-management\": []\n    },\n    \"skip-resource-constraints\": [],\n    \"exclude-actions\": []\n}\n\n# Generate the IAM policy document (returned as a dict) from the template\noutput_policy = write_policy_with_template(policy_definition)\n\nprint(json.dumps(output_policy, indent=4))","lang":"python","description":"This quickstart demonstrates how to programmatically define policy requirements using a dictionary structure similar to the CLI's YAML templates, and then generate a least-privilege AWS IAM policy in JSON format. It creates a policy allowing read and list access to a specific S3 bucket and its objects."},"warnings":[{"fix":"Ensure your environment uses Python >=3.10 when upgrading to policy-sentry 0.15.x.","message":"Policy Sentry has progressively dropped support for older Python versions. Version 0.15.x requires Python 3.10 or higher. Previous versions (0.14.x and 0.13.x) dropped support for Python 3.8 and 3.7, respectively.","severity":"breaking","affected_versions":">=0.13.0"},{"fix":"Review the Policy Sentry GitHub releases and documentation for v0.13.0 to understand the specific changes and update any code that interacts with internal path structures or previously deprecated functions.","message":"In version 0.13.0, significant internal changes occurred, including converting path constants from `str` to `Path` objects, removing deprecated code, and altering how AWS documentation is bundled within the wheel. Custom integrations or direct usage relying on these internal details or deprecated functions may break.","severity":"breaking","affected_versions":">=0.13.0"},{"fix":"If you require the most up-to-date IAM definitions or custom overrides, run `policy_sentry initialize --fetch` as a CLI command before using the library's querying or writing functions that depend on the database.","message":"When using Policy Sentry as a library, the IAM database is bundled with the package, so explicit initialization via `policy_sentry initialize` is optional for basic usage. However, to fetch the latest AWS IAM data from the AWS website or to apply custom access level overrides, you still need to run `policy_sentry initialize --fetch`.","severity":"gotcha","affected_versions":"All"}],"env_vars":null,"last_verified":"2026-04-10T00:00:00.000Z","next_check":"2026-07-09T00:00:00.000Z"}