[ajb]

That's the right way of doing it IMO. I've got a PoC script which finds the minimum subset of permissions to allow some action: https://github.com/KanoComputing/aws-tools/blob/master/bin/a...

Haven't had time to productise it yet. I think doing this makes you quite a bit safer, because it means you don't end up giving up and allowing more than you need. However, you still need to understand which actions shouldn't be allowed, so it's not the whole solution.

[ethbro]

That's awesome!

That said, if a customer has to fuzz a platform's settings to discern their effect, the UX definitely needs work.

[all_usernames]

Netflix open sourced a similar tool that watches API calls for a Role and then suggests minimum privilege changes to the attached policy document: https://github.com/Netflix/repokid

[ajb]

That's interesting. That can only work if there's some way of introspecting permissions - which I didn't realise existed. Mine works by experiment. I wonder how fine grained their way is.

[bifrost]

Ooooh I gotta check that out!