by coredog64
1454 days ago
IAM isn’t fun, but there’s lots of options. https://pypi.org/project/access-undenied-aws/ will allow you to start with least privilege and fix specific issues. https://github.com/iann0036/iamlive allows an admin to perform the action via CLI and capture the policy. Access advisor can inspect how you actually use the role and give suggestions on what to remove. A more helpful suggestion is to experiment with these tools and then find gaps in IAM actions and submit those as feature requests via your TAM.

I've also experienced the AWS console being less than stellar at fault-tolerance when acting within very restrictive, targeted IAM roles. The only solution would be an overly broad permissions grant which is not always viable. Or well, if you spend enough money you can try to beg your TAM to get it fixed, but in the meantime between "now and never", your solution would still be pushing empty commits.