Official Vendor Server
Amazon Web Services✦ Lab Verified
AWS IAM
Manage AWS Identity and Access Management. List users, roles, policies, groups, and simulate permissions.
Score: 9.4/10 | Latency: 701ms | Uptime: Local | Tools: 29 | Auth: stdio
Ecosystem
Amazon Web Services MCP Servers
8 specialized servers, 81 tools tested independently. Each link leads to a full review with tool-level evidence.
| Server | Score | Security |
|---|---|---|
| AWS Documentation | 94/100 | 9/10 |
| AWS | 93/100 | 9/10 |
| AWS Cost Explorer | 92/100 | 9/10 |
| AWS Well-Architected Security | 92/100 | 9/10 |
| AWS Billing | 91/100 | 8/10 |
| AWS Pricing | 91/100 | 8/10 |
| AWS CloudTrail | 90/100 | 8/10 |
| AWS CloudWatch | 90/100 | 8/10 |
Quick Verdict
Use this for IAM discovery and access verification. Avoid it for IAM modifications since write operations weren't tested. Best area: list operations across users, roles and policies. Biggest failure: none in current tests.
Lab Review
What We Found
What works: AWS IAM's MCP server delivers on policy analysis and user enumeration. All 7 tested tools executed successfully, with list operations for users, roles, policies and groups returning complete JSON responses. simulate_principal_policy processed permission checks in under 2 seconds, giving you reliable policy validation for IAM analysis workflows.

Where it breaks: Testing coverage remains shallow due to AWS sandbox constraints. 22 tools were skipped as policy, dependency, or test-environment operations, leaving critical functions like user creation, role attachment and policy modifications untested. The median 701ms latency means bulk operations will be slow. You cannot verify whether the server handles IAM write operations without breaking production resources.

What this means for your workflow: IAM auditing and policy analysis are solid - build dashboards and compliance checks on the list operations and policy simulation. For IAM management automation, you are flying blind since write operations were not tested in our sandbox environment. Expect slower performance on large-scale queries, since a median of 701ms per call adds up over many requests. For read-only IAM analysis, this server is reliable in current tests. For IAM provisioning workflows, test write operations in your own environment first.
Lab Observations
What actually happened during testing
During testing, our scanner interacted with AWS IAM. 7 tools succeeded.
| Tool | Status |
|---|---|
| list_users | ✅ success |
| list_roles | ✅ success |
| list_policies | ✅ success |
| list_groups | ✅ success |
| list_role_policies | ✅ success |
| simulate_principal_policy | ✅ success |
| get_managed_policy_document | ✅ success |
Reliability
Partial runtime test — 7 of 29 tools executed. Score based on transport stability and schema completeness.
Score Breakdown
Reliability
7 of 7 executed tools succeeded.
Security
Score based on schema analysis and dependency audit.
Setup
Local stdio server. Install via npx or binary, no auth required.
Docs
29 tools with descriptions and input schemas.
Compatibility
Standard MCP protocol. Transport: stdio.
Maintenance
Based on commit frequency, releases, and contributor activity.
Tools
29 available tools
List IAM users in the account. This tool retrieves a list of IAM users from your AWS account with optional filtering. Use this to get an overview of all users or find specific users by path prefix.
Usage tips:
- Use path_prefix to filter users by organizational structure
- Adjust max_items to control response size for large accounts
- Results may be paginated for accounts with many users
Args:
- ctx: MCP context for error reporting
- path_prefix: Optional path prefix to filter users
- max_items: Maximum number of users to return
Returns: UsersListResponse containing list of users and metadata

Get detailed information about a specific IAM user. This tool retrieves comprehensive information about an IAM user including attached policies, group memberships, and access keys. Use this to get a complete picture of a user's permissions and configuration.
Usage tips:
- Use this after list_users to get detailed information about specific users
- Review attached policies to understand user permissions
- Check access keys to identify potential security issues
Args:
- ctx: MCP context for error reporting
- user_name: The name of the IAM user
Returns: UserDetailsResponse containing comprehensive user information

Create a new IAM user. This tool creates a new IAM user in your AWS account. The user will be created without any permissions by default - you'll need to attach policies separately.
Security best practices:
- Use descriptive user names that indicate the user's role or purpose
- Set appropriate paths for organizational structure
- Consider using permissions boundaries to limit maximum permissions
- Follow the principle of least privilege when assigning permissions later
Args:
- ctx: MCP context for error reporting
- user_name: The name of the new IAM user
- path: The path for the user (default: '/')
- permissions_boundary: Optional ARN of the permissions boundary policy
Returns: CreateUserResponse containing the created user details

Delete an IAM user.
Args:
- user_name: The name of the IAM user to delete
- force: If True, removes all attached policies, groups, and access keys first
Returns: Dictionary containing deletion status

List IAM roles in the account.
Args:
- path_prefix: Optional path prefix to filter roles
- max_items: Maximum number of roles to return
Returns: Dictionary containing list of roles and metadata
Create a new IAM role.
Args:
- role_name: The name of the new IAM role
- assume_role_policy_document: The trust policy document in JSON format
- path: The path for the role (default: '/')
- description: Optional description of the role
- max_session_duration: Maximum session duration in seconds
- permissions_boundary: Optional ARN of the permissions boundary policy
Returns: Dictionary containing the created role details

List IAM policies in the account.
Args:
- scope: Scope of policies to list ("All", "AWS", or "Local")
- only_attached: Only return policies that are attached
- path_prefix: Optional path prefix to filter policies
- max_items: Maximum number of policies to return
Returns: Dictionary containing list of policies and metadata

Retrieve the policy document for a managed policy. This tool retrieves the policy document for a specific managed policy version. Use this to examine the actual permissions and wildcards in managed policies.
Args:
- policy_arn: The ARN of the managed policy
- version_id: Optional version ID (defaults to current version)
Returns: ManagedPolicyResponse containing the policy document and details

Attach a managed policy to an IAM user.
Args:
- user_name: The name of the IAM user
- policy_arn: The ARN of the policy to attach
Returns: Dictionary containing attachment status

Detach a managed policy from an IAM user.
Args:
- user_name: The name of the IAM user
- policy_arn: The ARN of the policy to detach
Returns: Dictionary containing detachment status

Create a new access key for an IAM user.
Args:
- user_name: The name of the IAM user
Returns: Dictionary containing the new access key details

Delete an access key for an IAM user.
Args:
- user_name: The name of the IAM user
- access_key_id: The access key ID to delete
Returns: Dictionary containing deletion status

Simulate IAM policy evaluation for a principal.
Args:
- policy_source_arn: ARN of the user or role to simulate
- action_names: List of actions to simulate
- resource_arns: Optional list of resource ARNs to test against
- context_entries: Optional context entries for the simulation
Returns: Dictionary containing simulation results

List IAM groups in the account. This tool retrieves a list of IAM groups from your AWS account with optional filtering. Use this to get an overview of all groups or find specific groups by path prefix.
Usage tips:
- Use path_prefix to filter groups by organizational structure
- Adjust max_items to control response size for large accounts
- Results may be paginated for accounts with many groups
Args:
- path_prefix: Optional path prefix to filter groups
- max_items: Maximum number of groups to return
Returns: GroupsListResponse containing list of groups and metadata

Get detailed information about a specific IAM group. This tool retrieves comprehensive information about an IAM group including group members, attached policies, and inline policies. Use this to get a complete picture of a group's configuration and membership.
Usage tips:
- Use this after list_groups to get detailed information about specific groups
- Review attached policies to understand group permissions
- Check group members to see who has these permissions
Args:
- group_name: The name of the IAM group
Returns: GroupDetailsResponse containing comprehensive group information

Create a new IAM group. This tool creates a new IAM group in your AWS account. The group will be created without any permissions by default - you'll need to attach policies separately.
Security best practices:
- Use descriptive group names that indicate the group's purpose
- Set appropriate paths for organizational structure
- Follow the principle of least privilege when assigning permissions later
Args:
- group_name: The name of the new IAM group
- path: The path for the group (default: '/')
Returns: CreateGroupResponse containing the created group details

Delete an IAM group.
Args:
- group_name: The name of the IAM group to delete
- force: If True, removes all members and attached policies first
Returns: Dictionary containing deletion status

Add a user to an IAM group.
Args:
- group_name: The name of the IAM group
- user_name: The name of the IAM user
Returns: GroupMembershipResponse containing operation status

Remove a user from an IAM group.
Args:
- group_name: The name of the IAM group
- user_name: The name of the IAM user
Returns: GroupMembershipResponse containing operation status

Attach a managed policy to an IAM group.
Args:
- group_name: The name of the IAM group
- policy_arn: The ARN of the policy to attach
Returns: GroupPolicyAttachmentResponse containing operation status

Detach a managed policy from an IAM group.
Args:
- group_name: The name of the IAM group
- policy_arn: The ARN of the policy to detach
Returns: GroupPolicyAttachmentResponse containing operation status

Create or update an inline policy for an IAM user. This tool creates a new inline policy or updates an existing one for the specified user. Inline policies are directly embedded in a single user, role, or group and have a one-to-one relationship with the identity.
Security best practices:
- Follow the principle of least privilege when creating policies
- Use managed policies for common permissions that can be reused
- Regularly review and audit inline policies
- Test policies using simulate_principal_policy before applying
Args:
- user_name: The name of the IAM user
- policy_name: The name of the inline policy
- policy_document: The policy document in JSON format
Returns: InlinePolicyResponse containing the policy details and operation status

Retrieve an inline policy for an IAM user. This tool retrieves the policy document for a specific inline policy attached to a user.
Args:
- user_name: The name of the IAM user
- policy_name: The name of the inline policy
Returns: InlinePolicyResponse containing the policy document and details

Delete an inline policy from an IAM user. This tool removes an inline policy from the specified user. The policy document will be permanently deleted and cannot be recovered.
Args:
- user_name: The name of the IAM user
- policy_name: The name of the inline policy to delete
Returns: Dictionary containing deletion status

Create or update an inline policy for an IAM role. This tool creates a new inline policy or updates an existing one for the specified role. Inline policies are directly embedded in a single user, role, or group and have a one-to-one relationship with the identity.
Args:
- role_name: The name of the IAM role
- policy_name: The name of the inline policy
- policy_document: The policy document in JSON format
Returns: InlinePolicyResponse containing the policy details and operation status

Retrieve an inline policy for an IAM role. This tool retrieves the policy document for a specific inline policy attached to a role.
Args:
- role_name: The name of the IAM role
- policy_name: The name of the inline policy
Returns: InlinePolicyResponse containing the policy document and details

Delete an inline policy from an IAM role. This tool removes an inline policy from the specified role. The policy document will be permanently deleted and cannot be recovered.
Args:
- role_name: The name of the IAM role
- policy_name: The name of the inline policy to delete
Returns: Dictionary containing deletion status

List all inline policies for an IAM user. This tool retrieves the names of all inline policies attached to the specified user.
Args:
- user_name: The name of the IAM user
Returns: InlinePolicyListResponse containing the list of policy names

List all inline policies for an IAM role. This tool retrieves the names of all inline policies attached to the specified role.
Args:
- role_name: The name of the IAM role
Returns: InlinePolicyListResponse containing the list of policy names
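Two of the tools above carry most of the audit value: the managed policy document retrieval ("examine the actual permissions and wildcards") and simulate_principal_policy. The block below is an added example, not code from this page or from the AWS IAM MCP server. It takes a policy document of the kind the retrieval tool returns (the sample here is constructed), flags wildcard Allow statements, and runs a simplified local allow/deny evaluation in the spirit of a principal policy simulation. The evaluator implements only Action/Resource wildcard matching (actions case-insensitive, resources case-sensitive) and the explicit-deny-over-allow rule; it refuses statements with Condition, NotAction or NotResource instead of misjudging them, and it knows nothing about permissions boundaries, SCPs or resource policies, so it is a pre-check before calling the real IAM simulation, not a substitute for it.

```python
import fnmatch
import json

# Constructed sample document: the shape a managed policy document has when
# retrieved for review. It is not a real policy from any account.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadBuckets", "Effect": "Allow",
         "Action": ["s3:Get*", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "TooBroad", "Effect": "Allow",
         "Action": "iam:*", "Resource": "*"},
        {"Sid": "NoDelete", "Effect": "Deny",
         "Action": "iam:DeleteUser", "Resource": "*"},
    ],
})

# Decision labels use the same names as the IAM simulation API's EvalDecision.
ALLOWED, EXPLICIT_DENY, IMPLICIT_DENY = "allowed", "explicitDeny", "implicitDeny"


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single item or a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def find_wildcards(policy_json):
    """Return (Sid, field, value) for every Allow statement whose Action or
    Resource contains a wildcard; these are the first things to review."""
    doc = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        for field in ("Action", "Resource"):
            for value in _as_list(stmt.get(field)):
                if "*" in value:
                    findings.append((sid, field, value))
    return findings


def _matches(pattern, value, case_insensitive):
    """IAM-style glob: '*' and '?' only. fnmatchcase leaves case to us."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policy_jsons, action, resource):
    """Simplified identity-based evaluation across several policy documents:
    a matching explicit Deny wins, then a matching Allow, else implicit deny."""
    allowed = False
    for policy_json in policy_jsons:
        for stmt in _as_list(json.loads(policy_json).get("Statement")):
            # Assumption of this example: unsupported elements are rejected
            # loudly rather than evaluated incorrectly.
            for unsupported in ("Condition", "NotAction", "NotResource"):
                if unsupported in stmt:
                    raise NotImplementedError(
                        f"{unsupported} is not handled by this simplified evaluator")
            action_hit = any(_matches(p, action, True)
                             for p in _as_list(stmt.get("Action")))
            resource_hit = any(_matches(p, resource, False)
                               for p in _as_list(stmt.get("Resource")))
            if not (action_hit and resource_hit):
                continue
            if stmt.get("Effect") == "Deny":
                return EXPLICIT_DENY
            if stmt.get("Effect") == "Allow":
                allowed = True
    return ALLOWED if allowed else IMPLICIT_DENY


def simulate(policy_jsons, action_names, resource):
    """Mirror the simulate_principal_policy input shape: one decision per action."""
    return {a: evaluate(policy_jsons, a, resource) for a in action_names}


if __name__ == "__main__":
    for sid, field, value in find_wildcards(SAMPLE_POLICY):
        print(f"wildcard in {sid}: {field} = {value}")
    user_arn = "arn:aws:iam::123456789012:user/example"  # constructed ARN
    for action, decision in simulate(
            [SAMPLE_POLICY], ["iam:DeleteUser", "iam:CreateUser"], user_arn).items():
        print(f"{action}: {decision}")
```

Running the block prints the four wildcard findings (two of them on the TooBroad statement) and shows that iam:DeleteUser is explicitly denied even though iam:* allows it, while iam:CreateUser is allowed; a reviewer would then confirm the interesting cases against the real simulate_principal_policy, which also accounts for conditions, boundaries and resource policies.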
FAQ
Frequently asked questions about AWS IAM
What are the latency differences between IAM read operations?
Operations showed varying response times based on data complexity. Basic operations like list_groups and list_role_policies completed around 640-701ms. Policy document retrieval finished in 656ms. Comprehensive operations like simulate_principal_policy required 1291ms, while full policy inventory through list_policies took 1584ms to return complete results.
Which IAM operations require the longest wait times?
Policy simulation and comprehensive policy listing require extended processing time. simulate_principal_policy took 1291ms to evaluate permissions, while list_policies required 1584ms to return the complete policy inventory. These operations deliver extensive IAM data that would require multiple manual AWS console interactions.
What IAM data can be retrieved through the read-only operations?
The executed operations return comprehensive IAM inventory data including user lists, role configurations, group memberships, attached policies, and policy documents. simulate_principal_policy provides permission evaluation results. All operations return structured JSON data suitable for automated analysis and compliance reporting workflows.
How does policy simulation performance compare to other IAM operations?
Policy simulation through simulate_principal_policy completed in 1291ms, positioning it in the middle range of operation latencies. This timing reflects the computational complexity of evaluating IAM permissions against AWS resources, delivering faster results than manual policy analysis through the AWS console.
What happens when IAM operations encounter AWS service limitations?
During our testing, all seven executed read operations completed successfully without encountering AWS service errors or throttling. However, 22 write operations were not executed due to their destructive nature in the test environment, so we cannot report on modification operation error handling.
What authentication setup is required for IAM operations?
Our testing used API key credentials with iam:read scopes configured for the server. The server supports local stdio transport, meaning authentication credentials must be properly configured in the environment. Different IAM operations may require specific permission scopes beyond basic read access.