diff --git a/.gitignore b/.gitignore index 6c01545..285eaab 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ -iam_definition.json \ No newline at end of file +iam_definition.json +venv/ diff --git a/README.md b/README.md index 4809395..2b9d98e 100644 --- a/README.md +++ b/README.md @@ -23,6 +23,16 @@ The addition of an action to these lists can be subjective. Is a pull request in The script [policy-generation.py](scripts/policy-generation.py) allows you to customize your policies to an extent. If there are specific actions you want to exclude from the explicit deny, you can specify them using `--exclude-actions`. If there are a handful of resource ARNs that you need to access, say a specific S3 Bucket, you can use the `--exclude-resources` flag, and they will be added to the policy using a `NotResource` field. +First, install the script's dependencies. A [Python venv](https://docs.python.org/3/library/venv.html) is an easy way: + +```bash +python3 -m venv venv +source venv/bin/activate +pip install -r requirements.txt +``` + +Then you can run the script: + ```bash usage: policy-generation.py [-h] [--debug] --risk {PrivEsc,ResourceExposure,CredentialExposure,DataAccess,ALL} [--exclude-resources EXCLUDE_RESOURCES [EXCLUDE_RESOURCES ...]] diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..8392d54 --- /dev/null +++ b/requirements.txt @@ -0,0 +1 @@ +PyYAML==6.0.2 diff --git a/scripts/policy-generation.py b/scripts/policy-generation.py index 110614d..2737323 100755 --- a/scripts/policy-generation.py +++ b/scripts/policy-generation.py @@ -52,7 +52,7 @@ def main(args): statement['Resource'] = "*" for action_name in action_list[risk_type]['Actions']: - if action_name.lower in excluded_actions: + if action_name.lower() in excluded_actions: continue if type(action_name) is str: statement['Action'].append(action_name)
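Review bot: the activation step in the new README block (`source venv/bin/activate`) is POSIX-only, so the instructions will not work as written on Windows; either note that Windows users run `venv\Scripts\activate` instead, or say the block assumes a Unix-like shell. The `pip install -r requirements.txt` line also assumes the reader is in the repository root, which is worth stating since the script itself lives under `scripts/`.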
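Review bot: the exact pin `PyYAML==6.0.2` in the new requirements.txt gives reproducible installs but no integrity check; consider adding `--hash=sha256:...` entries (generated with a tool such as `pip hash` or `pip-compile --generate-hashes`) and installing with `pip install --require-hashes -r requirements.txt`, so a tampered or substituted wheel is rejected rather than installed into the venv the README now tells users to create.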
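Review bot: the change from `action_name.lower` to `action_name.lower()` in the policy-generation.py hunk is correct (the unbound method object could never be a member of `excluded_actions`, so `--exclude-actions` was silently ignored), but the exclusion check now runs before the `if type(action_name) is str:` guard two lines below, which shows that `action_list[risk_type]['Actions']` can hold non-string entries; for those, `.lower()` raises `AttributeError` and the script aborts. Suggest guarding the comparison, e.g. `if isinstance(action_name, str) and action_name.lower() in excluded_actions:`, or moving the exclusion check inside the `str` branch, and confirm that `excluded_actions` is built from lowercased values so the case-insensitive match actually holds.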