Private beta · Join the waitlist

ESLint for AWS IAM

Catch over-permissioned Terraform IAM policies in your PRs before they merge — automatically, as a GitHub required status check.

iam-armor check run

$ iamarmor scan ./terraform/

Scanning 12 files...

✖ ERROR main.tf:12 no-wildcard-actions

Action: "*" is not allowed in IAM policies

✖ ERROR iam.tf:7 no-passrole-star

iam:PassRole with Resource: "*" allows privilege escalation

⚠ WARN main.tf:23 no-inline-policies

Prefer managed policies over inline policies

2 errors, 1 warning — merge blocked

How it works

Set up in 5 minutes. Works automatically on every PR from that point on.

Authorize iam-armor on your org or specific repos. No CI configuration needed.

Drop a config file in your repo root to set rule severities. Or skip it to use all defaults.

Every PR touching .tf files triggers an automatic IAM policy scan. No manual steps.

Violations block the merge with inline annotations. Fix them, re-push, and the check goes green.

Purpose-built for Terraform IAM. Not a generic SAST scanner.

🔍

Runs as a required status check. Block merges automatically. Inline annotations on exact lines.

⚡

No LLM flakiness. Each rule is a precise, documented check. Zero false positives by design.

🔓

The engine and CLI are Apache 2.0. Run locally, in any CI, or build your own tooling.

🔒

We scan only the PR diff. No full repo clones. No data retention beyond the check run.

⚙️

Set each rule to error, warn, or off. Exclude paths. Write custom rules (Business plan).

☁️

Understands aws_iam_role, aws_iam_policy, aws_iam_role_policy, and jsonencode() blocks.

Join teams using iam-armor to enforce least-privilege IAM as part of their normal PR workflow.

Free for public repos and small teams. No credit card required.