This article is a machine translation of the contents of the following URL, which I wrote in Japanese:
https://qiita.com/Nana_777/items/9f13dc07eb8075da0bde
Introduction
This post is the third in the AWS Community Builders Advent Calendar 2025.
At AWS re:Invent 2025, an MCP server called "IAM Policy Autopilot" was announced to assist with policy generation.
In this post, we use this MCP server to check whether it can address an issue raised in a previous post: the overly broad initial policies that Infrastructure Composer generates.
↓ [AWS Blog] Simplify IAM Policy Creation with IAM Policy Autopilot, a New Open-Source MCP Server for Builders
↓ Top Announcements of AWS re:Invent 2025
https://aws.amazon.com/jp/blogs/aws/top-announcements-of-aws-reinvent-2025/
↓ See the AWS Community Builders Advent Calendar 2025 here. (Japanese)
https://qiita.com/advent-calendar/2025/aws-community-builders
↓ Previous Infrastructure Composer Article
https://dev.to/aws-builders/aws-i-want-to-tell-you-how-good-infrastructurecomposer-is-devtools-5bj0
[Preparing Code for Modification] Configuring IaC Code Created with Infrastructure Composer
In the previous article, we created an API configuration using API Gateway and a Lambda function.
This time, we'll use Infrastructure Composer to connect an S3 bucket to the Lambda function in this configuration and see what policy it generates.

↓ Previous article
https://dev.to/aws-builders/aws-devtools-evangelism-infrastructure-composer-edition-3pgo
Creating a connection between a Lambda function and an S3 bucket using Infrastructure Composer
By connecting the Lambda and S3 cards, you can create an association in your IaC code.

Verify that a fairly broad policy is granted
When the cards are connected, Composer attaches a fairly broad policy to the function.

Add code to the Lambda function to retrieve a list of text files in the S3 bucket
Update the Lambda function code to test this.
This time, we added code to retrieve a list of text files in the bucket.

Fixing Excessive Policies Using IAM Policy Autopilot
Configuring the IAM Policy Autopilot Environment
:::note warn
Tested Environment
I am using Kiro (IDE) on a Windows PC.
:::
Clone the Git Repository

```shell
git clone --recurse-submodules https://github.com/awslabs/iam-policy-autopilot.git
```

Navigate to the cloned folder

```shell
cd iam-policy-autopilot
```

Build

```shell
cargo build --release
```

Enter the iam-policy-autopilot settings in the MCP configuration file (mcp.json)

```json
"iam-policy-autopilot": {
  "command": "【Local PC path】\\iam-policy-autopilot\\target\\release\\iam-policy-autopilot.exe",
  "args": ["mcp-server"]
}
```
Verify that the MCP configuration was successful in the Kiro IDE.
Verify that a checkmark and a list of available tools appear next to the iam-policy-autopilot MCP name.

Request policy modification using IAM Policy Autopilot
The prompt asks it to "Use iam-policy-autopilot to modify the policy in template.yaml to a minimal version."
The policy is modified using IAM Policy Autopilot as shown below.

Since this Lambda only retrieves a file list from S3, the resulting policy is "s3:ListBucket" only.
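As an added example (not code from the post, from Infrastructure Composer or from IAM Policy Autopilot), here is a Python handler that lists the bucket's text files, a constructed broad statement of the kind Composer attaches beside the s3:ListBucket-only statement Autopilot produced, and a small check that flags granted actions the handler's SDK calls never need. The Composer statement's action list, BUCKET_PLACEHOLDER and the BUCKET_NAME environment variable are assumptions made for illustration.

```python
import os
from typing import Dict, Iterable, List, Set

# Constructed for this example: a broad read/write statement of the kind Composer
# attaches when a Lambda card is connected to an S3 card. The real generated
# statement may list different actions; BUCKET_PLACEHOLDER stands in for the bucket.
COMPOSER_STATEMENT: Dict = {
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
               "s3:GetObjectVersion", "s3:ListBucket", "s3:ListBucketVersions"],
    "Resource": ["arn:aws:s3:::BUCKET_PLACEHOLDER",
                 "arn:aws:s3:::BUCKET_PLACEHOLDER/*"],
}

# The minimal statement the post reports after Autopilot: s3:ListBucket only.
AUTOPILOT_STATEMENT: Dict = {
    "Effect": "Allow",
    "Action": ["s3:ListBucket"],
    "Resource": "arn:aws:s3:::BUCKET_PLACEHOLDER",
}

# IAM action required by each SDK call the handler makes (it makes only one).
SDK_CALL_TO_ACTION = {"list_objects_v2": "s3:ListBucket"}


def list_text_files(pages: Iterable[Dict]) -> List[str]:
    """Collect the keys ending in .txt from ListObjectsV2 result pages."""
    return [obj["Key"]
            for page in pages
            for obj in page.get("Contents", [])
            if obj["Key"].endswith(".txt")]


def handler(event, context, s3=None):
    """Lambda entry point: list the .txt objects in the bucket named by BUCKET_NAME.

    s3 is injectable so the logic can be exercised without AWS; boto3 is imported
    lazily so this module also loads where boto3 is not installed."""
    if s3 is None:
        import boto3  # present in the Lambda Python runtime
        s3 = boto3.client("s3")
    pages = s3.get_paginator("list_objects_v2").paginate(Bucket=os.environ["BUCKET_NAME"])
    return {"statusCode": 200, "body": list_text_files(pages)}


def unused_actions(statement: Dict, sdk_calls: Iterable[str]) -> Set[str]:
    """Actions a statement grants that none of the handler's SDK calls need.

    This is the review step the post says still falls to a human: a non-empty
    result means the policy is wider than the code requires."""
    actions = statement["Action"]
    granted = set(actions if isinstance(actions, list) else [actions])
    return granted - {SDK_CALL_TO_ACTION[call] for call in sdk_calls}
```

Running unused_actions on the Composer statement lists the five write and version actions the handler never uses; on the Autopilot statement it returns an empty set, matching the s3:ListBucket-only result above.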
Conclusion
Using IAM Policy Autopilot can significantly reduce the effort required to identify and verify unnecessary permissions.
While a human review is still required to confirm that the policy is truly the bare minimum, it is certainly a useful tool for initial policy development.
Previous Article
https://dev.to/aws-builders/aws-devtools-evangelism-infrastructure-composer-edition-3pgo