Releases: LeRedTeam/awsdeny

v0.1.0

17 Apr 13:06

awsdeny turns cryptic AWS AccessDenied errors into clear, actionable explanations — telling you exactly what blocked the request, why, and how to fix it.

This is the initial public release (v0.1.0). API and output format may evolve before v1.0.

Highlights

  • Parses AccessDenied errors and extracts action / resource / principal / reason
  • Heuristic catalog matches the most common denial patterns (identity-based, SCPs, permission boundaries, bucket policies)
  • Suggests concrete IAM fixes with copy-pastable JSON
  • --enrich mode (Pro) uses ambient AWS credentials to fetch the actual policy and run simulate-principal-policy for higher confidence
  • Output formats: human, JSON, SARIF, GitHub Actions annotations
  • Generates CloudWatch Insights queries to find similar denials
  • Available as a CLI and as a GitHub Action
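To make the first two highlights concrete, here is an added example (not awsdeny's own code or catalog) that pulls principal, action and resource out of an AccessDenied message and classifies the trailing reason clause as an explicit or implicit deny in a given policy layer. The function name `parse_denial`, the `kind` labels and the second and third sample messages are assumptions constructed for illustration; the first sample is the message from the Quick Start.

```python
import re

# General shape of an IAM denial; resource and reason clauses are optional.
DENIED = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:\w+)"
    r"(?: on resource: (?P<resource>\S+))?"
    r"(?: (?P<reason>(?:because|with) [^\n]+))?"
)
# Reason clauses name the policy layer that produced the denial.
EXPLICIT = re.compile(r"with an explicit deny in an? (?P<layer>.+)")
IMPLICIT = re.compile(r"because no (?P<layer>.+?) allows")


def parse_denial(message):
    """Return principal/action/resource/kind/layer, or None if not a denial."""
    m = DENIED.search(message)
    if m is None:
        return None
    fields = m.groupdict()
    reason = fields.pop("reason") or ""
    explicit, implicit = EXPLICIT.search(reason), IMPLICIT.search(reason)
    if explicit:
        fields["kind"] = "explicit-deny"
        fields["layer"] = explicit["layer"].rstrip(". ")
    elif implicit:
        fields["kind"] = "implicit-deny"
        fields["layer"] = implicit["layer"]
    else:
        # Older or service-specific messages carry no reason clause.
        fields["kind"], fields["layer"] = "unknown", None
    return fields


# Sample messages: the first is from the Quick Start, the others are constructed.
SAMPLES = [
    "User: arn:aws:iam::123:role/MyRole is not authorized to perform: "
    "s3:GetObject on resource: arn:aws:s3:::my-bucket/data.csv",
    "User: arn:aws:sts::111122223333:assumed-role/Deploy/ci is not authorized "
    "to perform: ec2:RunInstances on resource: "
    "arn:aws:ec2:eu-west-1:111122223333:instance/* "
    "with an explicit deny in a service control policy",
    "User: arn:aws:iam::111122223333:user/alice is not authorized to perform: "
    "s3:ListBucket on resource: arn:aws:s3:::logs "
    "because no identity-based policy allows the s3:ListBucket action",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_denial(sample))
```

An explicit deny in a service control policy or permissions boundary cannot be fixed by adding an allow to the role, which is why the layer matters before suggesting any IAM change.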

Quick Start

CLI:

awsdeny explain --error "User: arn:aws:iam::123:role/MyRole is not authorized to perform: s3:GetObject on resource: arn:aws:s3:::my-bucket/data.csv"

GitHub Action:

- uses: LeRedTeam/awsdeny@v0.1.0
  if: failure()
  with:
    error: ${{ steps.deploy.outputs.stderr }}

See the README for the full reference, supported error patterns, and the IAM permissions needed for --enrich.