[t34543]

Aren’t public EBS snapshots the underlying mechanism for public AMIs? I’ve ran into complex permissions in a golden image deploy model where the same AMI is used across multiple accounts.

There needs to be controls like S3 where you can explicitly block public data.

AWS IAM kind of sucks.

[spydum]

I’m convinced the last few years of ramped up concern about AWS “blast radius” is an admission by AWS professionals that NOBODY gets IAM right.