Understand Your Policies.
Fix What Matters.

Trying to understand AWS access?

You're not alone. It's messy, inconsistent, and critical.

Dozens of policy types

A maze of org structure

Constant change

No single source of truth

But you still have to know:

Who can access this S3 bucket?

What will happen if we deploy this SCP?

Who has iam:PassRole on *?

Who can delete our production database?

Can this role become an admin?

Who has access from outside our org?

It's not you, it's harder than it should be.

Use Our Free, Open Source Tools to Help

Get answers to real AWS access questions today

Collect all policies from your AWS org

npm install -g @cloud-copilot/iam-collect
iam-collect init
iam-collect download

See who can access a resource

iam-lens who-can \
  --actions s3:GetObject \
  --resource arn:aws:s3:::our-company-data/financials.xlsx

Find all access to a sensitive resource

iam-lens who-can --resource arn:aws:rds:us-west-2:111222333444:cluster:ProductionCluster

Test permissions locally, modify policies with confidence

iam-lens simulate \
  --principal arn:aws:iam::111122223333:role/ProdDeployRole \
  --action lambda:UpdateFunctionCode \
  --resource arn:aws:lambda:ap-south-1:111122223333:function:CustomerSignup \
  --verbose

See a consolidated policy with everything a principal can do

iam-lens principal-can \
  --principal arn:aws:iam::111122223333:user/DevOpsElevated

In use at scale by teams with thousands of accounts and hundreds of thousands of principals.

You can use them today.

Want More? It's Coming

Next up: tools that help you prevent problems—not just find them

Model the impact of SCPs before they are deployed

Detect privilege escalation risks

Monitor access to sensitive resources

Analyze Terraform plan impact before deployment

Diff IAM policies across time or environments

Trace failed requests to the exact cause

Inventory externally shared resources and roles

Map trust across organizations

Help Shape What's Next

We're working with teams who care about access and want to get ahead of the risk

Security teams

who want to catch the gaps before the wrong person does

Platform teams

who want to deploy changes without breaking prod

Compliance and GRC teams

who need fast, reliable answers to: "Who has access to what?"

We're building with early users. Want in?

Cloud Copilot

© 2025 Cloud Copilot. Tools for AWS IAM.