by nulltrace
38 days ago
Most IAM policies start as "whatever made the deploy pass." Need rds:CreateDBInstance? Fine, rds:* it is. Ship it. Months later that same role can wipe the cluster and nobody remembers why it ever had that permission. Separate accounts help, but only if someone actually goes back and cleans it up, which… yeah, doesn't really happen.