Adds access_check command, a proof-of-concept feature that I don't have time to work much more on right now. The concept is that given a resource (such as an S3 bucket), identify all of the IAM users and roles that have access to that resource. This can use wildcards for the ARN. This takes both IAM policies and IAM boundaries into consideration of the principals. It does not consider resource policies or SCPs. You can further scope this to a specific IAM privilege. It also takes the principal tags into consideration in IAM conditions.
This ends up not doing exactly the type of things you might want, because if you specify an S3 bucket, it identifies only those privileges that act on S3 buckets, not S3 objects. Further, if you specify an EC2, it doesn't consider the Security Groups, VPCs, etc. that are also very relevant to the question of who can impact that EC2.
The concepts around IAM conditions are also fairly incomplete, especially because it doesn't consider the resource tags or any resource specific variables.