by joshuanapoli 1957 days ago
Iamlive sounds useful for someone who has something running with wide open permissions and wants to get started with narrowing down the permissions. It wastes a lot of time to discover necessary permissions one-by-one through permission-denied errors.

Tag-based policies (attribute-based access control) really simplify IAM policy management. These are more reusable, so permission discovery isn’t needed as often.


ABAC is ideally much more than just scoping small sets of policy to tags. I think the problem of trying to shoehorn ABAC into AWS's IAM system, even with something implementing proper ABAC on top of it, is that you run the risk of hitting limits on role policy attachments (hard limit of 20!). There is probably a way to juggle user function across different roles, though then there's a risk of exhausting roles or still not being able to shoehorn a minimally viable policy for some function based on fine-grained attributes.
In theory, ABAC solves a lot of problems. In practice, there’s no mandate for AWS product teams to support ABAC in a consistent fashion.

Assuming it doesn’t cause networking issues, IMO the best approach is to finely scope AWS accounts. They’re free, and Amazon includes some reasonable tools for working with them. The major downside is the double charge on Transit Gateway traffic.

Could you expand on that? My familiarity with IAM is very limited (as fun as getting teeth pulled), and this sounds interesting.
I can try to explain it in a simplified fashion: When provisioning entities (EC2 instances, for example) you go through certain settings (for this example I am talking about manual provisioning through the UI, not IaC, CLI, etc.), and one of the things you can do is give the EC2 instance a tag. There are a number of reasons to do tagging, to name a few: to make it easier to find a particular instance, cost optimisation, seeing who owns it. After this you write a policy that says what a user/entity can do. This policy can take advantage of the tag, to say: "Only a user who has a tag XYZ can stop this EC2 instance that has tag XYZ." Let me know if that does not make sense and I can go a level simpler.
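An added illustration of the tag-matching pattern the comment above describes (not code from the thread): a policy document in the real IAM shape, allowing `ec2:StopInstances` only when the instance's `project` tag equals the caller's `project` principal tag, plus a deliberately simplified stand-in for IAM's evaluation that understands only `Allow` statements and `StringEquals` on `aws:ResourceTag/<key>` (the `Resource` ARN is not matched, and explicit `Deny` is not modelled). The tag key `project` and all tag values are constructed for the example.

```python
import re

# Constructed policy following the comment's pattern: stop only EC2
# instances whose "project" tag equals the caller's "project" principal tag.
TAG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ec2:StopInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringEquals": {
            "aws:ResourceTag/project": "${aws:PrincipalTag/project}"}},
    }],
}

_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def _resolve(value, principal_tags):
    """Expand ${aws:PrincipalTag/key}; an unset principal tag yields None."""
    m = _VAR.fullmatch(value)
    return value if m is None else principal_tags.get(m.group(1))


def _condition_holds(condition, principal_tags, resource_tags):
    """Simplified IAM: only StringEquals on aws:ResourceTag/<key> is modelled."""
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("aws:ResourceTag/"):
            return False
        actual = resource_tags.get(key[len("aws:ResourceTag/"):])
        want = _resolve(expected, principal_tags)
        # A missing tag on either side, or differing values, fails the
        # condition, so the request falls through to IAM's implicit deny.
        if actual is None or want is None or actual != want:
            return False
    return True


def is_allowed(policy, action, principal_tags, resource_tags):
    """True only if an Allow statement matches both the action and its condition."""
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if (st["Effect"] == "Allow" and action in actions
                and _condition_holds(st.get("Condition", {}), principal_tags, resource_tags)):
            return True
    return False
```

The third case below is the one worth remembering when rolling out ABAC: a principal with no `project` tag at all is denied, not granted a wildcard.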