IAM Lens MCP: Bringing AWS Permission Analysis to Your AI Assistant
Introduction
If you’ve been paying attention to the AI space lately, you’ve probably noticed MCP servers (Model Context Protocol servers) multiplying faster than AWS service announcements. There’s an MCP server for your database, your filesystem, your git repos… probably even one for ordering more MCP servers. It’s like the npm package phenomenon all over again, but for AI tools.
So what is one more MCP? :P I know, I know. But if you’ve ever spent hours debugging IAM policies, hear me out. Introducing iam-lens-mcp.
The Problem: IAM is Hard
Let’s be honest: understanding AWS IAM permissions is notoriously difficult. You’ve got identity policies, resource policies, permission boundaries, declarative policies, SCPs, RCPs… and they all interact in delightful ways that make you question your life choices. Traditional debugging means clicking through the console, running AWS CLI commands, or staring at dense JSON until your eyes glaze over.
What if you could just… ask?
Enter iam-lens: Google Maps for AWS IAM
Before we get to the MCP server, let’s talk about the foundation: iam-lens by David Kerber. This excellent tool describes itself as “Google Maps for AWS IAM”, and that’s exactly what it is. It gives you visibility into your permission structures by simulating IAM requests against the actual AWS policies you’ve collected, entirely locally: the only AWS API calls happen once, when you collect the snapshot, never at query time.
The workflow is quite straightforward:
- Use iam-collect to snapshot your IAM state (policies, roles, users, SCPs, etc.)
- Use iam-lens to query that snapshot
iam-lens offers three powerful commands (as of Nov 2025):
- simulate: Test if a principal can perform an action on a resource
- who-can: Find all principals with permission to access a resource
- principal-can: Generate consolidated policy showing all permissions for a principal
Example CLI usage:

```bash
# Can this role delete S3 buckets?
iam-lens simulate \
  --principal arn:aws:iam::123456789112:role/data-pipeline \
  --action s3:DeleteBucket --resource arn:aws:s3:::prod-data

# Find out who can assume/pass a role
iam-lens who-can \
  --resource arn:aws:iam::123456789112:role/ImportantRole \
  --actions sts:AssumeRole iam:PassRole
```
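To make concrete what a tool like simulate has to work out for that first request, here is a simplified, same-account version of the IAM decision walk as an added illustration. It is not iam-lens’s own implementation, and the account ID, role, bucket and policies are constructed sample data. It keeps the parts that trip people up (explicit Deny anywhere wins; SCPs, RCPs and a permission boundary must each Allow before an identity or resource policy Allow counts) and deliberately leaves out Conditions, NotAction/NotResource, Principal matching and cross-account rules.

```python
"""Simplified AWS IAM authorization decision, same-account case.

Added illustration, not iam-lens's own code. The order of checks mirrors the
documented policy evaluation logic: an explicit Deny in any policy wins; then
every SCP, every RCP and the permission boundary (when present) must Allow;
then an Allow in either an identity policy or the resource policy grants
access; anything else is an implicit Deny. Conditions, NotAction/NotResource,
Principal matching and cross-account rules are intentionally omitted.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM accepts either a string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    """IAM wildcard match: '*' any run, '?' one char. Action names are
    case-insensitive, and '*' may span ':' and '/' just as it does in IAM."""
    return fnmatchcase(value.lower(), pattern.lower())


def policy_result(policy, action, resource):
    """'Deny' if any statement explicitly denies the request, 'Allow' if one
    allows it and none denies, None if no statement matches. A statement with
    no Resource (common in resource policies) applies to the resource it is
    attached to, so it is treated as '*' here."""
    outcome = None
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", "*"))
        if not any(_matches(a, action) for a in actions):
            continue
        if not any(_matches(r, resource) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # explicit deny is final; stop looking
        outcome = "Allow"
    return outcome


def evaluate(action, resource, identity_policies=(), resource_policy=None,
             permission_boundary=None, scps=(), rcps=()):
    """Decide one same-account request. Returns (decision, reason).

    `scps` and `rcps` hold one effective policy per organization level
    (root, OU, account); every level must allow for the request to pass."""
    identity = [policy_result(p, action, resource) for p in identity_policies]
    resource_r = policy_result(resource_policy, action, resource) if resource_policy else None
    boundary = policy_result(permission_boundary, action, resource) if permission_boundary else None
    scp = [policy_result(p, action, resource) for p in scps]
    rcp = [policy_result(p, action, resource) for p in rcps]

    # 1. An explicit Deny anywhere in the chain is final.
    if "Deny" in identity + [resource_r, boundary] + scp + rcp:
        return "Deny", "explicit deny"
    # 2. Organization guardrails and the boundary must all grant the action.
    if any(r != "Allow" for r in scp):
        return "Deny", "implicit deny: an SCP does not allow the action"
    if any(r != "Allow" for r in rcp):
        return "Deny", "implicit deny: an RCP does not allow the action"
    if permission_boundary and boundary != "Allow":
        return "Deny", "implicit deny: outside the permission boundary"
    # 3. Same account: an Allow from either side of the request suffices.
    if "Allow" in identity:
        return "Allow", "identity policy"
    if resource_r == "Allow":
        return "Allow", "resource policy"
    return "Deny", "implicit deny: no matching Allow"


# --- Constructed sample data (hypothetical account, role and bucket) ---------
ROLE = "arn:aws:iam::123456789112:role/data-pipeline"
BUCKET = "arn:aws:s3:::prod-data"

PIPELINE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]}]}
ORG_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["s3:DeleteBucket", "s3:DeleteBucketPolicy"], "Resource": "*"}]}
READ_ONLY_BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE},
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}


def demo():
    """The request from the CLI example above, plus three variants that show
    where each layer of the decision can flip the answer."""
    cases = {
        "delete_bucket": evaluate("s3:DeleteBucket", BUCKET,
                                  identity_policies=[PIPELINE_POLICY], scps=[ORG_SCP]),
        "get_object": evaluate("s3:GetObject", BUCKET + "/daily.csv",
                               identity_policies=[PIPELINE_POLICY], scps=[ORG_SCP]),
        "put_with_boundary": evaluate("s3:PutObject", BUCKET + "/daily.csv",
                                      identity_policies=[PIPELINE_POLICY], scps=[ORG_SCP],
                                      permission_boundary=READ_ONLY_BOUNDARY),
        "resource_policy_only": evaluate("s3:GetObject", BUCKET + "/daily.csv",
                                         resource_policy=BUCKET_POLICY, scps=[ORG_SCP]),
    }
    for name, (decision, reason) in cases.items():
        print(f"{name:22} {decision:5} ({reason})")
    return cases


if __name__ == "__main__":
    demo()
```

The first case is the interesting one: the role’s own policy says s3:* on the bucket, yet the answer is Deny, because an SCP higher up in the organization explicitly denies s3:DeleteBucket. Nothing in the role’s identity policy hints at that, which is exactly why a simulator over the collected snapshot beats reading one policy at a time.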
The Bridge: iam-lens-mcp
iam-lens-mcp wraps the iam-lens functionality as a Model Context Protocol server, giving you a natural language interface to IAM analysis. Because iam-lens answers from the local iam-collect snapshot, the assistant never needs AWS credentials to answer a question; it only needs to read the data you have already collected.
Using the MCP server, you can leverage the iam-lens tool by asking questions like:
- “Who can access the S3 bucket: arn:aws:s3:::mybucket?”
- “Can the data-pipeline role access the prod-secrets S3 bucket?”
- “Find all IAM principals with Administrator level permissions across the organization”
- “Show me all principals with S3:DeleteBucket permission”
The MCP exposes direct tools corresponding to the iam-lens commands:
- simulate_iam_request: Test whether a principal can perform specific actions
- who_can_access_resource: Identify which principals can access a resource
- principal_can: Show consolidated permissions for a user or role
Additionally, it exposes a query_iam_data tool, which supports exploratory analysis by reading the iam-collect snapshots directly.
Getting Started
Head over to the GitHub repository: https://github.com/agarabhishek/iam-lens-mcp for installation and setup instructions.
Some Real-World Use Case Examples
Exploratory Analysis:
- “What IAM users/roles exist across all accounts in my organization?”
- “Show me all permissions for arn:aws:iam::123456789112:role/MyRole”
During security reviews:
- “Find all principals with permission to modify KMS keys”
- “List all S3 buckets and show which ones have public access policies”
Debugging permission denials:
- “Can this Lambda function write to DynamoDB?”
Closing Thoughts
AWS IAM is complex, and it’s not getting simpler. Tools like iam-lens make understanding your permission landscape much more manageable, and wrapping it in an MCP makes it accessible right where you’re already working—in your AI assistant.
So yes, it’s another MCP. But if you’ve ever spent hours debugging IAM policies, you might appreciate this one.
Give it a try, and feel free to open issues or contribute on GitHub.