It does, but some disclaimers:
1. The generated policies have Resources set to all, not to a specific resource ARN.
2. It downloads all of the CloudTrail logs. This takes a while. CloudTracker (https://github.com/duo-labs/cloudtracker) uses Amazon Athena, which is more efficient. In the future, I'd like to see a combined approach between all three of these tools to generate IAM policies based on CloudTrail logs.
3. It is accurate to the point where there is a 1-to-1 mapping with the IAM actions vs CloudTrail logs. As I mentioned in other comments, since not every IAM Action is logged in CloudTrail and not every CloudTrail action matches IAM Actions, the results are not always accurate.
With that being said, it is a wicked tool and you should try it out.
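An added example, not part of the thread and not the tool's own code: a sketch of why a 1-to-1 mapping from CloudTrail records to IAM actions drifts, using constructed sample events and a small, non-exhaustive table of known naming differences. All function and variable names are hypothetical.

```python
import json
import re

# Constructed CloudTrail records (sample data, not from a real account).
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets"},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "DescribeAlarms"},
    {"eventSource": "lambda.amazonaws.com", "eventName": "ListFunctions20150331"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]

# Small, non-exhaustive table of known CloudTrail-to-IAM naming differences.
PREFIX_OVERRIDES = {"monitoring": "cloudwatch"}
ACTION_OVERRIDES = {("s3", "ListBuckets"): "ListAllMyBuckets"}
API_VERSION_SUFFIX = re.compile(r"\d{8}(v\d+)?$")  # e.g. ListFunctions20150331


def naive_action(event):
    """1-to-1 mapping: '<eventSource prefix>:<eventName>'."""
    return f"{event['eventSource'].split('.')[0]}:{event['eventName']}"


def corrected_action(event):
    """Same mapping, after applying the known naming differences above."""
    source = event["eventSource"].split(".")[0]
    name = API_VERSION_SUFFIX.sub("", event["eventName"])
    name = ACTION_OVERRIDES.get((source, name), name)
    return f"{PREFIX_OVERRIDES.get(source, source)}:{name}"


def build_policy(events, mapper):
    """Collapse events into one Allow statement. Resource stays '*' because
    nothing here scopes actions to ARNs. Calls that CloudTrail never logged
    cannot be recovered by any mapping."""
    actions = sorted({mapper(e) for e in events})
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}


def mismatches(events):
    """Naive action names that differ from the corrected ones."""
    return sorted({(naive_action(e), corrected_action(e)) for e in events
                   if naive_action(e) != corrected_action(e)})


if __name__ == "__main__":
    print(json.dumps(build_policy(SAMPLE_EVENTS, corrected_action), indent=2))
    for naive, fixed in mismatches(SAMPLE_EVENTS):
        print(f"{naive} -> {fixed}")
```

Three of the four distinct actions in the sample change after correction, so a policy built from the naive names would grant actions that do not exist in IAM and omit the ones actually needed.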
Thank you! I'm glad to see there's progress on this. I've been holding off putting the infrastructure automation into CI/CD, due to the incredible amount of work it would take to create a least-access policy. Tooling like this will help a lot.