stave permissions

Resolve and display net effective permissions (NEP) by evaluating all
six AWS IAM policy layers: explicit denies, SCPs, permission boundaries,
identity-based policies, resource-based policies, and transitive role
chains.

All computation runs locally against a snapshot file. No cloud credentials
required.
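The six-layer evaluation described above can be hard to reason about from the flag list alone. The following is an added example, not stave's own code, of a simplified NEP resolver in the same spirit: it walks explicit denies, SCPs, permission boundaries, identity-based policies, resource-based policies and sts:AssumeRole chains over an inline snapshot. The snapshot layout (`principals`, `scps`, `resources`, trust policies modelled as a role's resource-based policy) and every ARN, account id and policy in it are constructed for this example and are not stave's real snapshot schema; the boundary handling is the simplified rule that a boundary caps identity-based grants only.

```python
"""Simplified net-effective-permission (NEP) resolver over an inline snapshot.

Added example; the snapshot layout below is an assumption made for this
example and is not the real stave snapshot format.
"""
from fnmatch import fnmatchcase

# Accounts with no SCP recorded are treated as FullAWSAccess.
ALLOW_ALL = [{"Effect": "Allow", "Action": "*", "Resource": "*"}]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _match(patterns, value):
    # IAM wildcards are '*' and '?' and action matching is case-insensitive,
    # so both sides are lower-cased. fnmatchcase also treats '[' as special,
    # which real ARNs and action names never contain.
    return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _applies(stmt, action, resource, principal=None):
    if not _match(stmt.get("Action", []), action):
        return False
    if not _match(stmt.get("Resource", "*"), resource):
        return False
    return principal is None or _match(stmt.get("Principal", []), principal)


def evaluate(statements, action, resource, principal=None):
    """Return 'deny', 'allow' or 'implicit_deny' for one policy layer."""
    result = "implicit_deny"
    for stmt in statements:
        if _applies(stmt, action, resource, principal):
            if stmt["Effect"] == "Deny":
                return "deny"  # an explicit deny is final within the layer
            result = "allow"
    return result


def _resource(snapshot, resource_arn):
    # Resource entries are keyed by ARN patterns so one bucket entry covers its objects.
    for pattern, entry in snapshot["resources"].items():
        if _match(pattern, resource_arn):
            return entry
    return {}


def direct(snapshot, principal_arn, action, resource_arn):
    """Evaluate the non-transitive layers for one principal/action/resource."""
    p = snapshot["principals"][principal_arn]
    res = _resource(snapshot, resource_arn)
    boundary = p.get("permission_boundary")
    layers = {
        "scp": evaluate(snapshot["scps"].get(p["account"], ALLOW_ALL), action, resource_arn),
        "boundary": "allow" if boundary is None else evaluate(boundary, action, resource_arn),
        "identity": evaluate(p["identity_policies"], action, resource_arn),
        "resource": evaluate(res.get("policy", []), action, resource_arn, principal_arn),
    }
    # 1. An explicit Deny in any layer wins.
    for name, verdict in layers.items():
        if verdict == "deny":
            return "deny", f"explicit deny ({name})"
    # 2. SCPs must allow; they apply to every principal in the member account.
    if layers["scp"] != "allow":
        return "deny", "not allowed by SCP"
    # 3. Same account: an identity grant (inside the boundary) OR a resource grant
    #    naming the principal suffices. Cross account: both are required.
    same_account = res.get("account") == p["account"]
    identity_ok = layers["identity"] == "allow" and layers["boundary"] == "allow"
    resource_ok = layers["resource"] == "allow"
    if same_account and (identity_ok or resource_ok):
        return "allow", "identity policy" if identity_ok else "resource policy"
    if not same_account and identity_ok and resource_ok:
        return "allow", "identity + resource policy (cross-account)"
    if layers["identity"] == "allow" and layers["boundary"] != "allow":
        return "deny", "blocked by permission boundary"
    return "deny", "implicit deny"


def resolve(snapshot, principal_arn, action, resource_arn, _chain=None):
    """Resolve NEP, following sts:AssumeRole chains. Returns (verdict, reason, chain)."""
    chain = (_chain or []) + [principal_arn]
    verdict, reason = direct(snapshot, principal_arn, action, resource_arn)
    if verdict == "allow":
        return verdict, reason, chain
    # Transitive layer: any role this principal can assume (its trust policy is
    # modelled as the role's resource-based policy) contributes its permissions.
    for role_arn in snapshot["principals"]:
        if role_arn in chain:
            continue  # never re-enter a role already on the chain (cycle guard)
        if direct(snapshot, principal_arn, "sts:AssumeRole", role_arn)[0] == "allow":
            v, r, c = resolve(snapshot, role_arn, action, resource_arn, chain)
            if v == "allow":
                return v, r + " via role chain", c
    return "deny", reason, chain


# Constructed sample snapshot (hypothetical accounts 111 and 222, not real data).
APP, READER = "arn:aws:iam::111:role/app", "arn:aws:iam::111:role/phi-reader"
PARTNER = "arn:aws:iam::222:role/partner"
SNAPSHOT = {
    "scps": {"111": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                     {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]},
    "principals": {
        APP: {"account": "111", "permission_boundary": None, "identity_policies": [
            {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": READER},
            {"Effect": "Allow", "Action": "s3:DeleteBucket", "Resource": "*"}]},
        READER: {"account": "111",
                 "identity_policies": [{"Effect": "Allow", "Action": "s3:*",
                                        "Resource": "arn:aws:s3:::phi-records/*"}],
                 "permission_boundary": [{"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]},
        PARTNER: {"account": "222", "permission_boundary": None, "identity_policies": [
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::phi-records/*"}]},
    },
    "resources": {
        "arn:aws:s3:::phi-records*": {"account": "111", "policy": [
            {"Effect": "Allow", "Principal": PARTNER, "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::phi-records/public/*"}]},
        READER: {"account": "111", "policy": [  # trust policy of phi-reader
            {"Effect": "Allow", "Principal": APP, "Action": "sts:AssumeRole", "Resource": READER}]},
    },
}

if __name__ == "__main__":
    for who, act, what in [(APP, "s3:GetObject", "arn:aws:s3:::phi-records/notes.txt"),
                           (APP, "s3:DeleteBucket", "arn:aws:s3:::phi-records"),
                           (PARTNER, "s3:GetObject", "arn:aws:s3:::phi-records/notes.txt")]:
        print(who, act, what, "->", resolve(SNAPSHOT, who, act, what))
```

The three sample queries exercise the layers that matter most in a review: `app` reaches the PHI object only through the `phi-reader` chain, the SCP's explicit deny on `s3:DeleteBucket` overrides `app`'s own identity grant, and the cross-account `partner` is allowed only where the bucket policy and its identity policy agree.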

Subcommands:
  principal   Resolve permissions for a specific principal ARN
  resource    Show who has effective access to a resource
  summary     Aggregate NEP metrics across all principals

Exit Codes:
  0   No findings above threshold
  1   Critical findings exist
  2   High findings (no critical)
  3   Incomplete resolution (snapshot data missing)
  4   Internal error

Examples:
  # Who can access the PHI bucket?
  stave nep resource --snapshot obs.json --resource arn:aws:s3:::phi-records

  # What can this role actually do?
  stave nep principal --snapshot obs.json --principal arn:aws:iam::123:role/app

  # NEP summary for CI/CD gating
  stave nep summary --snapshot obs.json --threshold critical

Usage:
  stave permissions [command]

Available Commands:
  principal   Resolve permissions for a specific principal ARN
  resource    Show who has effective access to a resource
  summary     Aggregate NEP metrics across all principals

Flags:
  -h, --help   help for permissions

Global Flags:
      --allow-symlink-output   Allow writing output through symlinks (default: refuse)
      --force                  Allow overwriting existing output files
      --log-file string        Write logs to file (default: stderr)
      --log-format string      Log format: text|json (default "text")
      --log-level string       Log level: debug|info|warn|error (overrides -v)
      --log-timestamps         Include timestamps in logs (breaks determinism)
      --log-timings            Include timing information (breaks determinism)
      --no-color               Disable ANSI colors in output
      --path-mode string       Path rendering in errors/logs: base (basename only) or full (absolute paths). Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --quiet                  Suppress output (exit code only). Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --require-offline        Assert offline operation: fail if proxy env vars (HTTP_PROXY, HTTPS_PROXY, ALL_PROXY) are set
      --sanitize               Sanitize infrastructure identifiers (bucket names, ARNs, policies) from output. Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --strict                 Enable strict integrity checks for embedded registries and references
  -v, --verbose count          Increase verbosity (-v=INFO, -vv=DEBUG)
  -y, --yes                    Auto-confirm all interactive prompts (distinct from --force, which controls file overwriting)

Use "stave permissions [command] --help" for more information about a command.