by bifrost 2443 days ago
Preach on!

The only way I've really been able to understand it well is by writing code that uses boto and seeing what errors out lol.

I've found some really interesting bugs/inconsistencies too. Nothing horrible but it's def unintuitive sometimes.


That's the right way of doing it IMO. I've got a PoC script which finds the minimum subset of permissions to allow some action: https://github.com/KanoComputing/aws-tools/blob/master/bin/a...

Haven't had time to productise it yet. I think doing this makes you quite a bit safer, because it means you don't end up giving up and allowing more than you need. However, you still need to understand which actions shouldn't be allowed, so it's not the whole solution.
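The "find the minimum subset by experiment" idea above, written out as an added example. This is not the linked aws-tools script and makes no claim about how that script works; the real version would attach each candidate policy to a role and perform the operation against AWS, so here a constructed simulator stands in for "run the operation" and the search logic runs offline. The action names and the operation's requirements are made up for the illustration.

```python
"""Experiment-driven search for a minimal IAM action set (added example, not the linked script)."""
from __future__ import annotations

import re
from typing import Callable, Iterable

# A probe takes a candidate allow-list and answers "did the operation succeed with only these?"
Probe = Callable[[frozenset[str]], bool]


def action_matches(pattern: str, action: str) -> bool:
    """IAM-style action match: '*' and '?' wildcards, case-insensitive (e.g. 's3:Get*' vs 's3:GetObject')."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def make_simulated_probe(required: Iterable[str]) -> tuple[Probe, list[int]]:
    """Constructed stand-in for AWS: the operation succeeds only if every required action
    is covered by the allow-list. Also returns a one-element list counting probes, since
    each probe would be a real API call (with real side effects) against the platform."""
    needed = tuple(required)
    calls = [0]

    def probe(allowed: frozenset[str]) -> bool:
        calls[0] += 1
        return all(any(action_matches(p, act) for p in allowed) for act in needed)

    return probe, calls


def minimise(candidates: Iterable[str], probe: Probe) -> frozenset[str]:
    """Greedy one-pass elimination: drop each action in turn and keep it only if the
    operation then fails. Wildcard grants are tried first, so a narrower grant wins
    whenever it is sufficient on its own. The result is 1-minimal (no single remaining
    action can be dropped), which is not necessarily the globally smallest set."""
    kept = set(candidates)
    if not probe(frozenset(kept)):
        raise ValueError("operation fails even with every candidate allowed")
    for action in sorted(kept, key=lambda a: ("*" not in a, a)):
        trial = frozenset(kept - {action})
        if probe(trial):
            kept.discard(action)
    return frozenset(kept)


# Constructed scenario: copying a KMS-encrypted object needs read, write and decrypt.
COPY_OBJECT_NEEDS = ("s3:GetObject", "s3:PutObject", "kms:Decrypt")

# Over-broad starting point of the kind that accumulates while "getting it to work".
CANDIDATES = (
    "s3:*", "s3:GetObject", "s3:PutObject", "s3:ListBucket",
    "kms:*", "kms:Decrypt", "kms:GenerateDataKey", "iam:PassRole",
)


def demo() -> tuple[list[str], int]:
    """Returns the minimal action set found and how many experiments it took."""
    probe, calls = make_simulated_probe(COPY_OBJECT_NEEDS)
    minimal = minimise(CANDIDATES, probe)
    return sorted(minimal), calls[0]


if __name__ == "__main__":
    actions, n = demo()
    print(f"minimal set after {n} probes: {actions}")
```

Two things worth noting when doing this for real. The greedy pass costs one probe per candidate (plus the initial sanity check), and every probe actually executes the operation, so it belongs in a sandbox account with disposable resources rather than anywhere the writes matter. And, as the comment says, a minimal set is only minimal for the operations you probed: it tells you what the code needs today, not which actions should never be granted.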

That's awesome!

That said, if a customer has to fuzz a platform's settings to discern their effect, the UX definitely needs work.

Netflix open sourced a similar tool that watches API calls for a Role and then suggests minimum privilege changes to the attached policy document: https://github.com/Netflix/repokid
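The observation-based approach, as an added example that is not Repokid's code: instead of probing, take a window of API activity and compare what a role actually invoked against what its policy allows. The CloudTrail-style events, the role ARN and the policy document below are constructed for the illustration, and only the few fields the example reads are modelled.

```python
"""Usage-based policy pruning from observed API calls (added example; not Repokid's code)."""
from __future__ import annotations

import json
import re

ROLE_ARN = "arn:aws:iam::123456789012:role/app"  # constructed

# Constructed CloudTrail-like records as JSON lines, reduced to the fields used here.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": ROLE_ARN}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": ROLE_ARN}}}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": ROLE_ARN}}}},
    # A different principal entirely; must not be counted towards the role.
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
])

# Constructed policy attached to the role: one wildcard, one partly used pair, one unused grant.
APP_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"},
        {"Effect": "Allow", "Action": "dynamodb:Scan", "Resource": "*"},
    ],
}


def action_matches(pattern: str, action: str) -> bool:
    """IAM-style action match: '*' and '?' wildcards, case-insensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def observed_actions(events_jsonl: str, role_arn: str) -> set[str]:
    """Collect 'service:Action' names the role exercised, keyed off the session issuer
    so calls made by other principals (or by the role's assumer) are ignored."""
    used: set[str] = set()
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        issuer = (ev.get("userIdentity", {}).get("sessionContext", {})
                  .get("sessionIssuer", {}).get("arn"))
        if issuer != role_arn:
            continue
        service = ev["eventSource"].split(".")[0]   # 's3.amazonaws.com' -> 's3'
        used.add(f"{service}:{ev['eventName']}")
    return used


def prune_suggestions(policy: dict, used: set[str]) -> dict[str, list[str]]:
    """Classify each Allow action: 'unused' if nothing observed matched it, 'narrow' if it
    is a wildcard that matched some observed actions (replace it with exactly those),
    'keep' otherwise. Deny statements remove nothing from the attack surface, so they are left alone."""
    report: dict[str, list[str]] = {"unused": [], "narrow": [], "keep": []}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        for granted in actions:
            hits = sorted(a for a in used if action_matches(granted, a))
            if not hits:
                report["unused"].append(granted)
            elif "*" in granted or "?" in granted:
                report["narrow"].append(f"{granted} -> {', '.join(hits)}")
            else:
                report["keep"].append(granted)
    return report


if __name__ == "__main__":
    print(json.dumps(prune_suggestions(APP_ROLE_POLICY, observed_actions(SAMPLE_EVENTS, ROLE_ARN)), indent=2))
```

The caveats matter more than the code. The observation window has to cover rare code paths (month-end jobs, failover), or the tool will happily suggest removing something that is needed. CloudTrail's `eventName` is not always the IAM action name (it logs `ListObjects` where the permission is `s3:ListBucket`), and S3 object-level calls only appear if data-event logging is turned on, so a naive `service:eventName` mapping undercounts. Repokid itself works from IAM Access Advisor data, which reports last-used at the service level rather than per action, so it is coarser than this per-action sketch; that is the granularity question raised in the reply.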
That's interesting. That can only work if there's some way of introspecting permissions - which I didn't realise existed. Mine works by experiment. I wonder how fine grained their way is.
Ooooh I gotta check that out!