So, if IAM is the keys to the city for Lambda, how can I be sure I'm using IAM correctly on AWS (since AWS documentation is not great)? Any suggestions? (asking for a friend...)
(Presenter here) - My opinion is that there is no magic bullet here. There are some third-party tools that can help to audit your IAM usage for large organizations, but I think manual review is necessary. I think Amazon is also starting to roll out some of their own tools. There are some general best practices you can implement - keep production in a different _account_, don't allow the use of '*' anywhere, things like that.
After the talk, I spoke to a nice Dutch man who told me the way they handled it at their company was to randomly turn off an overly broad permission and see who came to complain!
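To make the "don't allow '*' anywhere" practice from the presenter's reply concrete, here is an added example (not the presenter's code, and not an AWS tool) of the kind of manual-review helper you can run over your own IAM policy documents. The two policy documents are constructed for illustration, and the `high`/`medium`/`low` severity labels are my own convention, not IAM terminology. It flags `Allow` statements that grant `*` or a service-wide `s3:*`, treats `Allow` + `NotAction` as a wildcard (it grants everything except the listed actions), and deliberately skips `Deny` statements, since a broad `Deny` is the safe direction.

```python
"""Audit IAM policy documents for wildcard grants.

Added example, not the presenter's code. Sample policies below are constructed.
"""
import json


def _as_list(value):
    # IAM lets Action, NotAction and Resource be either one string or a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcards(policy):
    """Return (statement_id, field, value, severity) findings for Allow statements.

    Severity labels are this script's own convention:
      high   - Action "*", Resource "*", or Allow + NotAction (grants all but the listed)
      medium - service-wide action such as "s3:*"
      low    - action-prefix wildcard such as "s3:Get*"
    Deny statements are skipped: a broad Deny reduces permissions rather than granting them.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")

        if "NotAction" in stmt:
            findings.append((sid, "NotAction", stmt["NotAction"], "high"))

        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((sid, "Action", action, "high"))
            elif action.endswith(":*"):
                findings.append((sid, "Action", action, "medium"))
            elif "*" in action:
                findings.append((sid, "Action", action, "low"))

        for resource in _as_list(stmt.get("Resource")):
            # Only a bare "*" is flagged; "arn:aws:s3:::bucket/*" scopes to one bucket's objects.
            if resource == "*":
                findings.append((sid, "Resource", resource, "high"))
    return findings


def audit_policy_json(text):
    """Parse a policy document from JSON text and audit it."""
    return find_wildcards(json.loads(text))


# Constructed sample: the kind of policy that accumulates in a Lambda execution role.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "S3Wide", "Effect": "Allow", "Action": ["s3:*", "s3:Get*"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    ],
}

# Constructed sample: the same function scoped to what it actually needs.
TIGHT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOneBucket", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("tight", TIGHT_POLICY)):
        print(f"{name}: {len(find_wildcards(policy))} finding(s)")
        for sid, field, value, severity in find_wildcards(policy):
            print(f"  [{severity}] {sid}: {field} = {value}")
```

Run it against the output of `aws iam get-policy-version` (the `Document` field) for each role your functions assume; anything reported as `high` is where I would start the manual review the presenter mentions.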