by fatjohnny 1959 days ago
Hey ... author here. Happy to answer any questions, and would love your feedback or suggestions!
2 comments

Hey there. This looks interesting. It looks like you're enumerating IAM managed policies. How do you handle inline policies? That seems like it'd be a blind spot if you're just enumerating the policies in the account.
We also return the inline policies for users, groups, and roles. There's an open issue to convert them to standard form that I expect will be done in the next week, so this will also be possible.
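The inline-policy blind spot raised in the exchange above, as an added example that is not part of the thread or the project's code. It assumes input shaped like `aws iam get-account-authorization-details` output with policy documents already decoded; the sample data, function names, and the two flagged patterns are illustrative choices.

```python
# Constructed sample, shaped like `aws iam get-account-authorization-details`
# output (only the keys used below); not real account data.
DETAILS = {
    "UserDetailList": [{
        "UserName": "alice",
        "AttachedManagedPolicies": [{"PolicyName": "ReadOnlyAccess"}],
        "UserPolicyList": [{"PolicyName": "adhoc", "PolicyDocument": {
            "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}}],
    }],
    "GroupDetailList": [{"GroupName": "devs", "GroupPolicyList": []}],
    "RoleDetailList": [{
        "RoleName": "ci",
        "RolePolicyList": [{"PolicyName": "deploy", "PolicyDocument": {
            "Statement": [
                {"Effect": "Allow", "NotAction": ["iam:*"], "Resource": "*"},
                {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}}],
    }],
}

# (detail list, name key, inline-policy key) for each principal type.
SOURCES = [("UserDetailList", "UserName", "UserPolicyList"),
           ("GroupDetailList", "GroupName", "GroupPolicyList"),
           ("RoleDetailList", "RoleName", "RolePolicyList")]

def as_list(value):
    """IAM allows a single object or string where a list is expected."""
    return [] if value is None else value if isinstance(value, list) else [value]

def inline_statements(details):
    """Yield (principal, policy name, statement) for every inline policy."""
    for list_key, name_key, inline_key in SOURCES:
        for principal in details.get(list_key, []):
            for policy in principal.get(inline_key, []):
                for stmt in as_list(policy["PolicyDocument"].get("Statement")):
                    yield principal[name_key], policy["PolicyName"], stmt

def inline_findings(details):
    """Flag inline Allow statements that use a wildcard Action or NotAction."""
    findings = []
    for principal, policy, stmt in inline_statements(details):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append((principal, policy, "Allow with NotAction"))
        elif any(action == "*" for action in as_list(stmt.get("Action"))):
            findings.append((principal, policy, "Allow with Action *"))
    return findings

if __name__ == "__main__":
    print(inline_findings(DETAILS))
```

In the sample, `alice` has only `ReadOnlyAccess` attached as a managed policy, so a managed-policy-only listing would not show the wildcard grant in her inline policy.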
Thanks for sharing the source. I've also parsed IAM policies with Go and it requires some thought. Your solution is nicer to look at, I think. I worked with a guy whose basic philosophy was "whatever AWS recommends, do the exact opposite", and his IAM policies are a rat's nest of denies and nots. It is usually easier to rewrite them than debug them - looking to see if this might ease the burden.