Generate IAM policies

Generate IAM policies based on CloudTrail events occurred between the given start and end time, in the given regions, by the given identities.


The IAM policies generated by this command are based on events found from CloudTrail at the time the command is executed. There are a few things to keep in mind when generating policies.

  • You need to have CloudTrail enabled, preferably in all regions.

  • The IAM policies generated by this command can contain invalid IAM actions because not all events logged in CloudTrail can be mapped directly to valid IAM actions. You should use the generated policies as a starting point for your own handcrafted and fine-tuned policies.

  • Typically, the performed actions become visible in CloudTrail within 15 minutes. You should wait at least that time before running the command shown above to ensure the generated policies contain all actions. If you suspect that not all actions were included in the generated policy, you should 5 minutes more and then rerun the command.


tkm iam generate-policies \
--start-time <start-time> \
--end-time <end-time> \
[--role-name <role-name>] \
[--identity <identity>]... \
[--region <region>]...

This command is intended to be run with option values generated after running some other command with --show-generate-iam-policies option. For example, to get the IAM policies needed to deploy a stack, you first need to run the deploy stack command with --show-generate-iam-policies option, and then run this command using instructions shown after the deploy stack command.

Here's a typical workflow to generate IAM policies needed to deploy some stacks:

  1. Run the deploy stacks command with --show-generate-iam-policies option and full admin permissions (to ensure the operation doesn't fail due to insufficient permissions). This step should be executed on a non-production environment.

  2. Copy the command to generate IAM policies shown in the deploy stacks command's output.

  3. Wait at least 15 minutes to ensure all events from the previous command are found from CloudTrail.

  4. Run the command you copied in step 2 with a role or user that is allowed to look up events from CloudTrail (see minimum IAM policy for this command).

  5. The command prints the generated policies that you can use to craft the final policies.

Positional arguments

This command has no positional arguments.


In addition to the common options, this command has the following options.

  • --start-time <start time>

    • Include events from CloudTrail after this time. Must be in ISO 8501 format, e.g. 2021-10-05T14:48:00.000Z.

    • Required.

  • --end-time <end time>

    • Include events from CloudTrail before this time. Must be in ISO 8501 format, e.g. 2021-10-05T16:48:00.000Z.

    • Required.

  • --identity <identity>

    • Include events from CloudTrail by this identity. You can use this option multiple times to specify more identities. Must be a valid IAM identity ARN.

    • Optional.

  • --region <region>

    • Include events from CloudTrail from this region. You can use this option multiple times to specify more regions.

    • Optional.

  • --role-name <role>

    • If you are generating policies from actions executed against multiple accounts, you need to provide a name of the IAM role for Takomo to assume from each account to collect the CloudTrail events.

    • Optional.

IAM permissions

These are the minimum IAM permissions required to run this command.

- Sid: CloudTrail
Effect: Allow
Action: cloudtrail:LookupEvents
Resource: "*"
# IAM permissions needed only if policies are generated
# from multiple accounts. Specify the Resource to restrict
# access to specific roles.
- Sid: IAM
Effect: Allow
Action: sts:AssumeRole
Resource: "*"


Generate policies for IAM user [email protected] based on actions executed in eu-west-1 and us-east-1 regions:

tkm iam generate-policies \
--start-time 2021-05-02T16:45:54.169Z \
--end-time 2021-05-02T16:45:54.462Z \
--identity arn:aws:iam::123456789012:user/[email protected] \
--region eu-west-1 \
--region us-east-1