Hacker News
by tbrock 1949 days ago
Can someone explain why you'd ever want to run this in the non-dryrun mode?

I understand that if you have these problems you've already effectively granted those permissions anyway, but actually executing them before someone finds them lowers the bar quite a bit for other baddies to attack.

4 comments

To test autoremediation and alerting. At least in the environment I'm evolving these days it makes sense.
Exposing resources to a specific "evil principal" via Endgame would be reasonable in some attack simulations/red team engagements.
For me, my environments are in different AWS accounts and can be torn down and stood back up rather quickly, so it wouldn't be a big deal to let this destroy a dev environment in the name of science so that I could implement improvements.
Red team exercises come to mind.
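An added example (not code from the Endgame project or from anyone in this thread) of the kind of alerting and autoremediation check the replies above talk about exercising against a non-dry-run exposure: it scans a resource-based policy for Allow statements that grant access to a wildcard or to an AWS account outside a trusted set, and returns a copy of the policy with those grants stripped. The trusted account IDs, the evil-principal ARN and the sample bucket policy are all constructed for the illustration.

```python
"""Detect, and optionally strip, resource-policy grants to principals outside
a set of trusted AWS accounts. Illustrative only; not Endgame's own code."""
import copy
import json
import re

# Constructed: accounts the organisation is assumed to own.
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}

# Account-bearing IAM ARN in any partition (aws, aws-cn, aws-us-gov).
ARN_ACCOUNT_RE = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):")

# Constructed sample bucket policy: two legitimate grants, one statement with
# a rogue account mixed in, and one anonymous ("*") grant.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TrustedRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "LogDelivery", "Effect": "Allow",
         "Principal": {"Service": "logging.s3.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/logs/*"},
        {"Sid": "Exposed", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::222222222222:root",
                               "arn:aws:iam::999999999999:user/evil"]},
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "Public", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}


def principal_account(principal):
    """Return the 12-digit account an AWS principal refers to, '*' for a
    wildcard, or None when the string carries no account at all."""
    if principal == "*":
        return "*"
    if re.fullmatch(r"\d{12}", principal):  # bare account ID is valid too
        return principal
    m = ARN_ACCOUNT_RE.match(principal)
    return m.group(1) if m else None


def is_foreign(principal, trusted):
    """True for wildcards and for accounts outside the trusted set."""
    acct = principal_account(principal)
    return acct == "*" or (acct is not None and acct not in trusted)


def _aws_principals(statement):
    """Only the 'AWS' key (or a bare '*') names accounts; 'Service' and
    'Federated' principals are not cross-account grants and are ignored."""
    p = statement.get("Principal")
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        aws = p.get("AWS", [])
        return [aws] if isinstance(aws, str) else list(aws)
    return []


def find_foreign_grants(policy, trusted=TRUSTED_ACCOUNTS):
    """One finding per Allow statement that grants to a wildcard or to an
    untrusted account. 'conditioned' flags statements that carry a Condition,
    since a '*' narrowed by e.g. aws:PrincipalOrgID may be legitimate and
    deserves a human look rather than automatic removal."""
    findings = []
    for idx, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        bad = [pr for pr in _aws_principals(st) if is_foreign(pr, trusted)]
        if bad:
            findings.append({"index": idx, "sid": st.get("Sid"),
                             "principals": bad, "actions": st.get("Action"),
                             "conditioned": "Condition" in st})
    return findings


def remediate(policy, trusted=TRUSTED_ACCOUNTS):
    """Return a deep copy of the policy with foreign principals removed from
    Allow statements; a statement left with no principal is dropped entirely.
    Deny statements are never touched."""
    cleaned = copy.deepcopy(policy)
    kept = []
    for st in cleaned.get("Statement", []):
        if st.get("Effect") == "Allow" and st.get("Principal") == "*":
            continue  # anonymous grant: drop the whole statement
        if st.get("Effect") == "Allow" and isinstance(st.get("Principal"), dict):
            aws = st["Principal"].get("AWS")
            if aws is not None:
                vals = [aws] if isinstance(aws, str) else list(aws)
                ok = [v for v in vals if not is_foreign(v, trusted)]
                if ok:
                    st["Principal"]["AWS"] = ok if len(ok) > 1 else ok[0]
                else:
                    del st["Principal"]["AWS"]
            if not st["Principal"]:
                continue
        kept.append(st)
    cleaned["Statement"] = kept
    return cleaned


if __name__ == "__main__":
    print(json.dumps(find_foreign_grants(SAMPLE_POLICY), indent=2))
    print(json.dumps(remediate(SAMPLE_POLICY), indent=2))
```

Run against the sample, the scan flags the "Exposed" statement (only its rogue principal) and the "Public" statement, and the remediated copy keeps the trusted principal, the service grant and the read grant while dropping the anonymous one. In a real pipeline the input would be fetched with the relevant `Get*Policy` API for the resource type and the output written back, which is exactly the write path a dry run would skip.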