
AWS IAM policy explainer

Paste an AWS IAM policy or role trust policy and get a plain-English explanation of what it allows — plus flags for risky patterns. Everything runs in your browser.

Runs entirely in your browser — nothing is uploaded.

About this tool

An IAM policy is a JSON document that decides who can do what in an AWS account. Each statement combines an effect (Allow or Deny), a set of actions, the resources they apply to, optionally a principal, and conditions that must hold. The grammar is precise but dense — a few wildcards and condition operators can hide how much access a policy really grants.

This tool parses the document and rewrites each statement as a sentence: which actions are allowed or denied, on which resources, for whom, and under what conditions. It then highlights patterns worth a second look — full administrative access, a public principal, broad service wildcards, NotAction/NotResource footguns and privilege-escalation actions — and calls out good controls like enforced MFA or TLS.

Parsing happens locally — the policy you paste never leaves your browser. The explanation is a deterministic translation of the JSON, not legal or security advice; always review against your own requirements.

Frequently asked questions

Does it send my policy anywhere or use an LLM?

No. The explanation is generated by a deterministic rule engine running entirely in your browser. Nothing is uploaded and no AI service is called, so account IDs, ARNs and principals stay on your device.

What kinds of policies does it understand?

Identity-based policies, resource-based policies and role trust policies. It normalizes single or multiple statements, string or array values, principal blocks, and the common condition operators and global condition keys.

Are the risk callouts a complete security audit?

No. They flag common high-impact patterns — full admin (Action and Resource both "*"), public principals, broad service wildcards, NotAction/NotResource, and privilege-escalation actions — but they are heuristics, not a substitute for least-privilege review or tools like IAM Access Analyzer.
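As an added illustration of the statement-to-sentence translation described under "About this tool" and the heuristics listed in this answer, the following is a small deterministic rule engine of the same shape. It is example code written for this page, not the tool's own implementation; the privilege-escalation action list and the flag names are assumptions chosen for the demo.

```javascript
// Added example (not the tool's own code): a small deterministic rule engine that
// normalizes IAM statements, renders each as a sentence and flags the patterns the page lists.
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Assumed, illustrative set of actions commonly treated as privilege-escalation paths.
const PRIVESC_ACTIONS = new Set(["iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachUserPolicy"]);

function normalize(s) {
  // Principal is either the string "*" or a map such as { AWS: [...], Service: [...] }.
  const principals = s.Principal === "*" ? ["*"] : Object.values(s.Principal || {}).flatMap(asList);
  // Condition keys are case-insensitive, so compare them lower-cased.
  const condKeys = Object.values(s.Condition || {}).flatMap((op) => Object.keys(op).map((k) => k.toLowerCase()));
  return { effect: s.Effect, actions: asList(s.Action), notActions: asList(s.NotAction),
           resources: asList(s.Resource), notResources: asList(s.NotResource), principals, condKeys };
}

function explainStatement(raw) {
  const st = normalize(raw);
  const verb = st.effect === "Allow" ? "allows" : "denies";
  const what = st.actions.length ? st.actions.join(", ") : `everything except ${st.notActions.join(", ")}`;
  const where = st.resources.length ? st.resources.join(", ")
    : st.notResources.length ? `all resources except ${st.notResources.join(", ")}` : "(no Resource element)";
  const who = st.principals.length ? ` for ${st.principals.join(", ")}` : "";
  const flags = [];
  if (st.effect === "Allow") {
    if (st.actions.includes("*") && st.resources.includes("*")) flags.push("FULL_ADMIN");
    if (st.principals.includes("*")) flags.push("PUBLIC_PRINCIPAL");
    if (st.actions.some((a) => /^[a-z0-9-]+:\*$/i.test(a))) flags.push("SERVICE_WILDCARD");
    if (st.notActions.length) flags.push("NOT_ACTION");
    if (st.notResources.length) flags.push("NOT_RESOURCE");
    if (st.actions.some((a) => PRIVESC_ACTIONS.has(a))) flags.push("PRIVILEGE_ESCALATION");
  }
  const controls = [];
  if (st.condKeys.includes("aws:multifactorauthpresent")) controls.push("MFA_REQUIRED");
  if (st.condKeys.includes("aws:securetransport")) controls.push("TLS_REQUIRED");
  return { sentence: `${verb} ${what} on ${where}${who}`, flags, controls };
}

function explainPolicy(policy) {
  return asList(policy.Statement).map(explainStatement);
}

// Constructed sample: a public-read bucket statement that at least requires TLS, plus an
// identity statement granting everything except IAM (the NotAction footgun).
const SAMPLE_POLICY = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Principal: "*", Action: "s3:GetObject", Resource: "arn:aws:s3:::example-bucket/*",
    Condition: { Bool: { "aws:SecureTransport": "true" } } },
  { Effect: "Allow", NotAction: "iam:*", Resource: "*" },
] };
console.log(JSON.stringify(explainPolicy(SAMPLE_POLICY), null, 2));
```

Like the tool's callouts, these flags are heuristics over the normalized JSON and do not evaluate the effective permissions a real policy grants.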