Policy Sentry
Policy Sentry is an AWS IAM Least Privilege Policy Generator, auditor, and analysis database, currently at version 0.15.1. It compiles database tables based on the AWS IAM Documentation on Actions, Resources, and Condition Keys and leverages that data to create least-privilege IAM policies. It helps organizations limit the blast radius in the event of a breach and scale the creation of secure IAM policies. The project maintains an active release cadence with frequent updates.
Warnings
- breaking: Policy Sentry has progressively dropped support for older Python versions. Version 0.15.x requires Python 3.10 or higher. Previous versions (0.14.x and 0.13.x) dropped support for Python 3.8 and 3.7, respectively.
- breaking: In version 0.13.0, significant internal changes occurred, including converting path constants from `str` to `Path` objects, removing deprecated code, and altering how AWS documentation is bundled within the wheel. Custom integrations or direct usage relying on these internal details or deprecated functions may break.
- gotcha: When using Policy Sentry as a library, the IAM database is often bundled with the package, making explicit initialization via `policy_sentry initialize` optional for basic usage. However, to fetch the absolute latest AWS IAM data from the AWS website or to apply custom access level overrides, you still need to run `policy_sentry initialize --fetch`.
Install
- pip install policy-sentry
- pip3 install --user policy_sentry
- brew tap salesforce/policy_sentry https://github.com/salesforce/policy_sentry
  brew install policy_sentry
Imports
- write_policy
from policy_sentry.writing.policy import write_policy
- get_actions_for_service
from policy_sentry.querying.actions import get_actions_for_service
Quickstart
from policy_sentry.writing.policy import write_policy
import json

# Define the policy requirements using a dictionary that mirrors the YAML template structure
policy_definition = {
    "mode": "crud",
    "name": "MyS3ReadPolicy",
    "read": [
        "arn:aws:s3:::my-unique-bucket",
        "arn:aws:s3:::my-unique-bucket/*"
    ],
    "write": [],
    "list": [
        "arn:aws:s3:::my-unique-bucket"
    ],
    "tagging": [],
    "permissions-management": [],
    "wildcard-only": {
        "single-actions": [],
        "service-read": [],
        "service-write": [],
        "service-list": [],
        "service-tagging": [],
        "service-permissions-management": []
    },
    "skip-resource-constraints": [],
    "exclude-actions": []
}

# Generate the IAM policy
output_policy = write_policy(policy_definition)
print(json.dumps(output_policy, indent=4))
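A generated policy is worth checking against the template that produced it before it is attached to a role. The audit below is an added example, not Policy Sentry's own code: it assumes the standard IAM JSON shape (a `Statement` list with `Action` and `Resource`) and runs over a constructed policy in which the third statement is deliberately out of scope so the check has something to flag.

```python
import json

# Constructed sample, not real Policy Sentry output: the shape of a policy generated
# from a crud template like the Quickstart's, plus a "Drift" statement that strays
# beyond the template (a wildcard action on a bucket the template never named).
TEMPLATE = {
    "read": ["arn:aws:s3:::my-unique-bucket", "arn:aws:s3:::my-unique-bucket/*"],
    "list": ["arn:aws:s3:::my-unique-bucket"],
    "wildcard-only": {"service-list": ["s3:ListAllMyBuckets"]},
}
GENERATED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadObjects", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectTagging"],
         "Resource": ["arn:aws:s3:::my-unique-bucket/*"]},
        {"Sid": "ServiceList", "Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets"], "Resource": ["*"]},
        {"Sid": "Drift", "Effect": "Allow",
         "Action": ["s3:*"], "Resource": ["arn:aws:s3:::other-bucket/*"]},
    ],
}

def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def audit_policy(policy, template):
    """Flag Allow statements that stray beyond what the CRUD template asked for."""
    allowed_arns = set()
    for level in ("read", "write", "list", "tagging", "permissions-management"):
        allowed_arns.update(template.get(level, []))
    # Only actions listed under wildcard-only should ever land on Resource "*".
    declared_star = {a.lower() for acts in template.get("wildcard-only", {}).values() for a in acts}
    findings = {"unexpected_resources": [], "undeclared_star_actions": [], "action_wildcards": []}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid, actions = stmt.get("Sid", "<no sid>"), _as_list(stmt.get("Action", []))
        # "s3:*"-style actions defeat least privilege regardless of the resource.
        findings["action_wildcards"] += [(sid, a) for a in actions if "*" in a]
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings["undeclared_star_actions"] += [(sid, a) for a in actions if a.lower() not in declared_star]
            elif resource not in allowed_arns:
                findings["unexpected_resources"].append((sid, resource))
    return findings

if __name__ == "__main__":
    print(json.dumps(audit_policy(GENERATED_POLICY, TEMPLATE), indent=2))
```

Any non-empty finding list is a reason to reject the policy in CI before it reaches an IAM role; an empty result means every granted resource and every `*`-scoped action traces back to the template.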