A month ago I made a post about IAM Zero, a tool which detects IAM issues and suggests least-privilege policies.
It uses an instrumentation layer to capture AWS API calls and send alerts to a collector - similar to how Sentry, Rollbar, etc. capture errors in web applications. The collector has a mapping engine to interpret the API call and suggest one or more policies to resolve the issue.
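To illustrate the collector's mapping-engine idea, here is an added toy example (not IAM Zero's own code): it takes captured API-call events, maps each (service, operation) pair to an IAM action and a resource ARN, and merges them into one least-privilege policy. The event format, the mapping table, and the region/account placeholders are all assumptions for the example.

```python
from collections import defaultdict

# Assumed mapping table: (service, operation) -> (IAM action, resource ARN template).
# Deliberately partial; an unmapped call yields no statement rather than a "*" fallback.
MAPPINGS = {
    ("s3", "GetObject"): ("s3:GetObject", "arn:aws:s3:::{Bucket}/{Key}"),
    ("s3", "PutObject"): ("s3:PutObject", "arn:aws:s3:::{Bucket}/{Key}"),
    ("s3", "ListObjectsV2"): ("s3:ListBucket", "arn:aws:s3:::{Bucket}"),
    ("dynamodb", "GetItem"): ("dynamodb:GetItem",
                              "arn:aws:dynamodb:{region}:{account}:table/{TableName}"),
    ("dynamodb", "PutItem"): ("dynamodb:PutItem",
                              "arn:aws:dynamodb:{region}:{account}:table/{TableName}"),
}

def suggest_statement(event, region="us-east-1", account="123456789012"):
    """Map one captured call to an Allow statement scoped to the exact resource used."""
    key = (event["service"], event["operation"])
    if key not in MAPPINGS:
        return None  # unknown call: leave it for a human, never widen to a wildcard
    action, template = MAPPINGS[key]
    try:
        resource = template.format(region=region, account=account, **event["params"])
    except KeyError:
        return None  # call lacked the parameter needed to name the resource precisely
    return {"Effect": "Allow", "Action": action, "Resource": resource}

def build_policy(events, **kw):
    """Merge per-call statements: one statement per resource, actions de-duplicated."""
    actions_by_resource = defaultdict(set)
    for event in events:
        stmt = suggest_statement(event, **kw)
        if stmt:
            actions_by_resource[stmt["Resource"]].add(stmt["Action"])
    statements = [{"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
                  for resource, actions in sorted(actions_by_resource.items())]
    return {"Version": "2012-10-17", "Statement": statements}

# Constructed sample events, as an instrumentation layer might report them.
CAPTURED_EVENTS = [
    {"service": "s3", "operation": "GetObject",
     "params": {"Bucket": "app-data", "Key": "reports/2021.csv"}},
    {"service": "s3", "operation": "PutObject",
     "params": {"Bucket": "app-data", "Key": "reports/2021.csv"}},
    {"service": "s3", "operation": "ListObjectsV2", "params": {"Bucket": "app-data"}},
    {"service": "dynamodb", "operation": "GetItem", "params": {"TableName": "orders"}},
    {"service": "s3", "operation": "CreateBucket", "params": {"Bucket": "new-bucket"}},
]

if __name__ == "__main__":
    print(build_policy(CAPTURED_EVENTS))
```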
The response from the post has been overwhelmingly positive (a big thank you to all of you in the r/aws community for sharing your IAM pain points) - so I decided to spend the last month building IAM Zero to get it ready enough to be released as open source. I've also set up an open-source company to provide long-term support for the tool.
Website here: https://iamzero.dev/
The initial release has automatic least-privilege advisories for S3 and DynamoDB, and will be scaled out to support all AWS services prior to a stable release. IAM Zero currently supports applications and scripts written in Python with support for other languages coming soon. Support for generating infrastructure-as-code deployment roles and requesting roles through the AWS web console are on the roadmap.
IAM Zero is released under the Apache 2.0 licence on GitHub - we're planning on separating the least-privilege advisory library as a separate repository with an API which could be integrated into other projects too (currently the library is part of the main repository). Let me know if you'd be interested in this.
If you're interested in testing IAM Zero I'd love to hear from you via comment or DM. Any feedback is welcome too.