localstack-iam

by @localstack in DevOps & Cloud

# Install this skill:

npx skills add localstack/skills --skill "localstack-iam"

Install specific skill from multi-skill repository

# Description

Analyze and enforce IAM policies in LocalStack. Use when users want to enable IAM enforcement, detect permission violations, auto-generate least-privilege policies, or test IAM policies locally before deploying to AWS.

# SKILL.md

name: localstack-iam
description: Analyze and enforce IAM policies in LocalStack. Use when users want to enable IAM enforcement, detect permission violations, auto-generate least-privilege policies, or test IAM policies locally before deploying to AWS.

IAM Policy Analyzer

Analyze IAM policies, detect permission violations, and automatically generate least-privilege policies based on actual usage.

Capabilities

Enforce IAM policies locally
Detect permission violations
Auto-generate policies from access patterns
Analyze existing policies for issues
Test policies before deploying to AWS

Prerequisites

IAM enforcement requires LocalStack Pro:

export LOCALSTACK_AUTH_TOKEN=<your-token>

IAM Enforcement Modes

Enable Enforcement

# Soft mode - logs violations but allows requests
ENFORCE_IAM=soft localstack start -d

# Enforced mode - denies unauthorized requests
ENFORCE_IAM=1 localstack start -d

Configuration

Mode	Behavior
Disabled (default)	No IAM checks
`soft`	Logs violations, allows requests
`1` / `enforced`	Full enforcement, denies unauthorized

Creating IAM Resources

Create a User with Policy

# Create user
awslocal iam create-user --user-name dev-user

# Create access key
awslocal iam create-access-key --user-name dev-user

# Attach policy
awslocal iam attach-user-policy \
  --user-name dev-user \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

Create Custom Policy

# Create policy from JSON file
awslocal iam create-policy \
  --policy-name my-custom-policy \
  --policy-document file://policy.json

# Example policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

Policy Analysis

Detect Violations

Enable soft enforcement mode
Run your application
Check logs for access denied messages

# View IAM-related log entries
localstack logs | grep -i "access denied"
localstack logs | grep -i "iam"

Auto-Generate Policies

Based on access patterns observed in soft mode, create least-privilege policies:

Run application with ENFORCE_IAM=soft
Collect all accessed resources and actions from logs
Generate minimal policy covering observed access

Testing Policies

Simulate Policy

# Test if action would be allowed
awslocal iam simulate-principal-policy \
  --policy-source-arn arn:aws:iam::000000000000:user/dev-user \
  --action-names s3:GetObject \
  --resource-arns arn:aws:s3:::my-bucket/file.txt

Validate Policy

# Check policy syntax
awslocal accessanalyzer validate-policy \
  --policy-document file://policy.json \
  --policy-type IDENTITY_POLICY

Best Practices

Start with soft enforcement to discover required permissions
Use least-privilege principles when creating policies
Test policies locally before deploying to AWS
Regularly audit and refine policies based on actual usage
Use IAM roles instead of users where possible

# Supported AI Coding Agents

This skill is compatible with the SKILL.md standard and works with all major AI coding agents:

⚡ Amp 🚀 Antigravity 🤖 Claude Code 🦀 Clawdbot 📝 Codex ▶️ Cursor 🤖 Droid 💎 Gemini CLI 🐙 GitHub Copilot 🪿 Goose 📊 Kilo Code 🔧 Kiro CLI 💻 OpenCode 🦘 Roo Code 🌲 Trae 🏄 Windsurf

Learn more about the SKILL.md standard and how to use these skills with your preferred AI coding agent.