
IAM Policy Autopilot MCP Server

Provides an MCP server and CLI to analyze code and generate baseline IAM policies for AWS-based applications.

Installation
Add the following to your MCP client configuration file.

Configuration

{
  "mcpServers": {
    "awslabs-iam-policy-autopilot": {
      "command": "uvx",
      "args": [
        "iam-policy-autopilot",
        "mcp-server"
      ],
      "env": {
        "AWS_REGION": "us-east-1",
        "AWS_PROFILE": "your-profile-name"
      }
    }
  }
}

IAM Policy Autopilot is a server and CLI tool that analyzes your application code locally to generate baseline IAM policies. It helps you bootstrap secure, up-to-date permissions for your AWS-based applications and speeds up policy troubleshooting as your code evolves.

How to use

You use the MCP server to enable your AI coding assistant to generate and refine IAM policies based on your application code. Start the MCP server locally and connect your MCP client to it. The server analyzes SDK calls in your code, produces baseline policies, and lets your assistant help you tailor permissions for your specific use case. Always review the generated policies before deploying them.

How to install

Prerequisites: Rust is required only if you choose to build from source. Otherwise, use the prebuilt binaries through one of the installation options below.

Option 1. Using uvx (recommended) to run the MCP server directly after installation.

Option 2. Installing with pip and running the MCP server via the Python package.

Option 3. Direct installation script that places the MCP server binary on your system path (macOS/Linux only).

# Option 1: run the MCP server with uvx (recommended); no separate install step is needed
uvx iam-policy-autopilot mcp-server

# Option 2: install with pip, then start the MCP server from the installed package
pip install iam-policy-autopilot
iam-policy-autopilot mcp-server

# Option 3: direct installation script (macOS/Linux); the script is fetched over HTTPS and executed as root
curl -sSL https://github.com/awslabs/iam-policy-autopilot/raw/refs/heads/main/install.sh | sudo sh

Configuration snippets for MCP clients

Configure your MCP client to connect to the server. Use one of the stdio configurations below to launch the server from your client’s environment; which one applies depends on whether you installed with uvx or pip.

{
  "mcpServers": {
    "iam_policy_autopilot": {
      "command": "uvx",
      "args": ["iam-policy-autopilot", "mcp-server"],
      "env": {
        "AWS_PROFILE": "your-profile-name",
        "AWS_REGION": "us-east-1"
      },
      "disabled": false,
      "autoApprove": []
    }
  }
}

Using the MCP server with pip-based workflow

{
  "mcpServers": {
    "iam_policy_autopilot": {
      "command": "iam-policy-autopilot",
      "args": ["mcp-server"],
      "env": {
        "AWS_PROFILE": "your-profile-name",
        "AWS_REGION": "us-east-1"
      },
      "disabled": false,
      "autoApprove": []
    }
  }
}

Notes on usage and security

IAM Policy Autopilot generates baseline identity-based policies. Review and refine them to align with your security requirements before deploying. The tool analyzes code deterministically, but your coding assistant may add additional context or ARNs during infrastructure-as-code generation, so always verify the final policies.
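One way to make that final review mechanical, added here as an illustration and not part of the tool or this page: a Python check that flags the statements in a generated policy document that most often need manual tightening (wildcard actions, unscoped resources, NotAction/NotResource grants, and actions outside the services you expected). The sample policy and the expected-service set are constructed for the example.

```python
import json

# Constructed sample: a baseline policy after an assistant has added a broad statement.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def review_policy(policy_json, expected_services=None):
    """Return (statement_index, finding) pairs for Allow statements needing manual review.

    expected_services is an optional set such as {"s3", "dynamodb"}; when given,
    actions for any other service are flagged so they can be justified or removed.
    """
    findings = []
    policy = json.loads(policy_json)
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "uses NotAction/NotResource, which grants everything not listed"))
        for action in _as_list(stmt.get("Action")):
            service, _, name = action.partition(":")
            if action == "*" or name == "*":
                findings.append((i, f"service-wide action wildcard: {action}"))
            elif "*" in name:
                findings.append((i, f"partial action wildcard: {action}"))
            if expected_services and action != "*" and service not in expected_services:
                findings.append((i, f"action outside expected services: {action}"))
        if any(r == "*" for r in _as_list(stmt.get("Resource"))):
            findings.append((i, "Resource is * (no resource scoping)"))
    return findings


if __name__ == "__main__":
    for index, finding in review_policy(SAMPLE_POLICY, {"s3", "dynamodb"}):
        print(f"Statement[{index}]: {finding}")
```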

Best practices and caveats

Use service hints to limit analysis to the AWS services your application actually uses; this reduces unnecessary permissions. The final policy may still include actions from other services when your operations require them.

Advanced usage and MCP server features

The MCP server can start with either stdio or HTTP transport. With HTTP transport, you can host the MCP server remotely and connect your coding assistant to it. If you intend to apply changes automatically, ensure the server's environment provides the AWS credentials needed for policy application and policy uploads.

CLI usage overview

The CLI provides commands to generate policies, fix AccessDenied errors, and start the MCP server. Use the mcp-server command to run the server locally and enable your MCP client to request policy generation.

Security

Review all policies produced by the autopilot tool before deployment. The tool focuses on baseline policy generation and does not replace comprehensive security reviews or compliance checks.

License

This project is licensed under the Apache-2.0 License.

Available tools

generate_policies

Generates complete IAM policy documents from source files by analyzing AWS SDK calls and producing baseline permissions for application roles.

fix_access_denied

Analyzes AccessDenied errors and proposes or applies IAM policy changes to address the permission issues.

mcp_server

Starts the MCP server locally to enable integration with MCP clients and AI coding assistants.