It's a "hidden" (in that it's not documented very well or advertised much by AWS) feature of the AWS SDKs. I think it was likely added for debugging purposes originally, but security tools have started to hook into it as a more local and complete version of the kinds of logs you'd see in CloudTrail.
I've used it mostly for debugging and temporary monitoring of service calls.
I'm curious if the tooling could be made to work with a "default deny" policy, that is, is there enough info to generate the IAM policies when you get "permission denied"?
https://summitroute.com/blog/2020/05/25/client_side_monitori...