Security

IAM policy over-permission & privesc analyzer API

Analyzes a PROVIDED IAM policy document (JSON) for over-permissioning. It flags "Action": "*" and service wildcards (e.g. s3:*), "Resource": "*" on sensitive actions, full admin, Allow statements that use NotAction/NotResource inversions, destructive actions with no MFA condition, and known privilege-escalation action sets (iam:CreatePolicyVersion, iam:PassRole + lambda:CreateFunction, iam:AttachUserPolicy, etc.). It returns findings with severity and remediation plus a 0-100 least-privilege score, answering "Is this IAM policy over-permissioned?" and "Can this role escalate privileges?".

Price: $0.01 per request
Method: POST
Route: /v1/security/iam-policy
Status: Live
MIME type: application/json
Rate limit: 120/minute
Cache: No cache
Tags: security, iam, aws, least-privilege, privesc, policy, wildcard, scoring
API URL: https://x402.hexl.dev/v1/security/iam-policy
Integration docs
Example request
{
  "policy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "iam:PassRole",
          "lambda:CreateFunction",
          "s3:*"
        ],
        "Resource": "*"
      }
    ]
  }
}
Example response
{
  "score": 29,
  "leastPrivilege": false,
  "statementsAnalyzed": 1,
  "findingsCount": 3,
  "privilegeEscalation": true,
  "fullAdmin": false,
  "findings": [
    {
      "id": "stmt-0-service-wildcard-s3:*",
      "severity": "high",
      "title": "Statement 0 allows all actions for a service (s3:*)",
      "remediation": "Scope s3 to only the needed actions."
    },
    {
      "id": "stmt-0-resource-star",
      "severity": "high",
      "title": "Statement 0 uses \"Resource\":\"*\" with sensitive actions",
      "remediation": "Restrict Resource to specific ARNs."
    },
    {
      "id": "privesc-passrole-lambda",
      "severity": "critical",
      "title": "iam:PassRole + lambda:CreateFunction enables role assumption via Lambda",
      "remediation": "Remove this action or constrain it to non-IAM resources; it enables privilege escalation."
    }
  ]
}
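To make the checks in the description concrete, the following is an added illustrative linter that reproduces the three findings in the example response for the example request above. It is not the service's implementation: the sensitive-service list, the privilege-escalation table, the destructive-verb list and the severity weights are this example's own assumptions, so its score (10 for the example policy) differs from the service's 29.

```python
"""Illustrative IAM least-privilege linter (added example, not the service's code).

Checks: Action "*", service wildcards, Resource "*" with sensitive actions, full admin,
Allow + NotAction/NotResource, destructive actions without an MFA condition, and
known privilege-escalation action sets. All tables below are assumptions.
"""
import fnmatch
import json
from typing import Any

# Assumed privesc table: each entry is the set of actions a principal needs in combination.
PRIVESC_SETS = {
    "privesc-passrole-lambda": (
        {"iam:PassRole", "lambda:CreateFunction"},
        "iam:PassRole + lambda:CreateFunction enables role assumption via Lambda",
    ),
    "privesc-createpolicyversion": (
        {"iam:CreatePolicyVersion"},
        "iam:CreatePolicyVersion can rewrite an existing policy's permissions",
    ),
    "privesc-attachuserpolicy": (
        {"iam:AttachUserPolicy"},
        "iam:AttachUserPolicy can attach any managed policy to a user",
    ),
}
SENSITIVE_SERVICES = {"iam", "sts", "s3", "lambda", "kms", "secretsmanager", "ec2"}  # assumed
DESTRUCTIVE_VERBS = ("delete", "terminate")  # assumed
WEIGHTS = {"critical": 40, "high": 25, "medium": 10}  # assumed scoring weights


def _as_list(value: Any) -> list:
    """IAM accepts a scalar or an array for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    """IAM action patterns use '*' and '?' wildcards and are case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _finding(fid: str, severity: str, title: str, remediation: str) -> dict:
    return {"id": fid, "severity": severity, "title": title, "remediation": remediation}


def analyze_policy(policy: dict) -> dict:
    findings: list[dict] = []
    allowed: set[str] = set()  # every Allow action pattern, across all statements
    full_admin = False
    statements = _as_list(policy.get("Statement"))

    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        allowed.update(actions)

        # Allow + NotAction/NotResource grants everything except the listed items.
        if "NotAction" in stmt:
            findings.append(_finding(f"stmt-{i}-notaction-allow", "critical",
                f"Statement {i} uses Allow with NotAction (grants all but the listed actions)",
                "Replace NotAction with an explicit Action list."))
        if "NotResource" in stmt:
            findings.append(_finding(f"stmt-{i}-notresource-allow", "high",
                f"Statement {i} uses Allow with NotResource (grants all but the listed resources)",
                "Replace NotResource with explicit resource ARNs."))

        stmt_full_admin = "*" in actions and "*" in resources
        if stmt_full_admin:
            full_admin = True
            findings.append(_finding(f"stmt-{i}-full-admin", "critical",
                f'Statement {i} is full admin (Action "*" on Resource "*")',
                "Split into scoped statements for the actions actually needed."))

        has_mfa_condition = "aws:MultiFactorAuthPresent" in json.dumps(stmt.get("Condition", {}))
        for action in actions:
            service, _, verb = action.partition(":")
            if verb == "*" and service != "*":
                findings.append(_finding(f"stmt-{i}-service-wildcard-{action}", "high",
                    f"Statement {i} allows all actions for a service ({action})",
                    f"Scope {service} to only the needed actions."))
            if verb.lower().startswith(DESTRUCTIVE_VERBS) and not has_mfa_condition:
                findings.append(_finding(f"stmt-{i}-no-mfa-{action}", "medium",
                    f"Statement {i} allows destructive action {action} without an MFA condition",
                    "Add a Condition requiring aws:MultiFactorAuthPresent."))

        sensitive = [a for a in actions
                     if a == "*" or a.partition(":")[0].lower() in SENSITIVE_SERVICES]
        if "*" in resources and sensitive and not stmt_full_admin:
            findings.append(_finding(f"stmt-{i}-resource-star", "high",
                f'Statement {i} uses "Resource":"*" with sensitive actions',
                "Restrict Resource to specific ARNs."))

    # A privesc set fires when every required action is covered by some allowed pattern.
    privesc = False
    for fid, (required, title) in PRIVESC_SETS.items():
        if all(any(_matches(p, req) for p in allowed) for req in required):
            privesc = True
            findings.append(_finding(fid, "critical", title,
                "Remove this action set or constrain it with resource ARNs and conditions."))

    score = max(0, 100 - sum(WEIGHTS[f["severity"]] for f in findings))
    return {"score": score, "leastPrivilege": not findings,
            "statementsAnalyzed": len(statements), "findingsCount": len(findings),
            "privilegeEscalation": privesc, "fullAdmin": full_admin, "findings": findings}


# The page's example request policy, plus a constructed scoped policy for comparison.
EXAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:CreateFunction", "s3:*"],
     "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}]}  # constructed

if __name__ == "__main__":
    print(json.dumps(analyze_policy(EXAMPLE_POLICY), indent=2))
    print(json.dumps(analyze_policy(SCOPED_POLICY), indent=2))
```

The privesc check is deliberately run over the union of all Allow statements rather than per statement, because iam:PassRole in one statement and lambda:CreateFunction in another still combine; matching is done with IAM's wildcard semantics so that a pattern such as "iam:*" also counts as covering iam:PassRole.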
Input schema
{
  "type": "object",
  "required": [
    "policy"
  ],
  "properties": {
    "policy": {
      "type": "object",
      "additionalProperties": true,
      "description": "IAM policy document JSON with a Statement array.",
      "examples": [
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "iam:PassRole",
                "lambda:CreateFunction",
                "s3:*"
              ],
              "Resource": "*"
            }
          ]
        }
      ]
    }
  }
}
Output schema
{
  "type": "object",
  "additionalProperties": true
}