Related, I've been wondering if there's a tool that will generate a least-privilege policy out of an existing set of AWS CloudTrail records. It would be wonderful if I could run terraform from an admin user, pull down the API calls, and build a policy from them.
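A sketch of what such a tool could do, added here as an example and not code from this thread or from any project it mentions. It assumes (my assumption, not the thread's) that a CloudTrail record's eventSource/eventName pair maps to an IAM action as `<service>:<EventName>`; the sample records are constructed, and failed calls are skipped so a denied attempt never becomes a granted permission.

```python
import json
from collections import defaultdict

# Constructed sample records shaped like CloudTrail events (not real data).
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
     "resources": [{"ARN": "arn:aws:s3:::example-tf-state"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "resources": [{"ARN": "arn:aws:s3:::example-tf-state"}]},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "resources": []},
    {"eventSource": "iam.amazonaws.com", "eventName": "DeleteRole",
     "errorCode": "AccessDenied", "resources": []},
]


def record_to_action(record):
    """Map a record to "<service>:<EventName>", or None if the call failed.
    Assumption: eventName equals the IAM action name; true for most control-plane
    calls but not all (some S3 data events differ), so review the output by hand."""
    if record.get("errorCode"):
        return None  # a denied call is no evidence the permission is needed
    service = record["eventSource"].split(".")[0]
    return f"{service}:{record['eventName']}"


def build_policy(records):
    """One Allow statement per service, scoped to the ARNs seen in the log."""
    actions, arns = defaultdict(set), defaultdict(set)
    for rec in records:
        action = record_to_action(rec)
        if action is None:
            continue
        service = action.split(":", 1)[0]
        actions[service].add(action)
        arns[service].update(r["ARN"] for r in rec.get("resources", []))
    statements = []
    for service in sorted(actions):
        statements.append({
            "Effect": "Allow",
            "Action": sorted(actions[service]),
            # No ARN in the log (typical for Describe*) falls back to "*": review it.
            "Resource": sorted(arns[service]) or "*",
        })
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(build_policy(SAMPLE_RECORDS), indent=2))
```

Statements whose Resource came out as "*" are the ones to tighten by hand; CloudTrail often omits resource ARNs for read-only calls.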
Sorry for a shameless self-promotion, but I've recently written a piece about how it's a common practice to grant web apps full access to S3 resources using a simple IAM policy and what risks it causes: https://pawelurbanek.com/s3-iam-config
> and there's no automated tool that will automagically sense the AWS API calls that you perform and then write them for you in a least-privilege manner.

Netflix released one two years ago: https://medium.com/netflix-techblog/introducing-aardvark-and-repokid-53b081bf3a7e
I have a question. I recently had the opportunity to use AWS CDK (https://docs.aws.amazon.com/cdk/latest/guide/home.html) for a project. It seemed to me that CDK automatically does this to a certain degree, and if CDK is the future for AWS infrastructure provisioning, this issue should organically go away. Anyone have any input?
Neat project.

How does it differ from `aws-iam-generator` released by AWS themselves?

https://github.com/awslabs/aws-iam-generator
At first glance (by the name) I thought this was something that analyzed your AWS usage based on API logs and created an "ideal" policy for you to use (or recommended permissions to remove/add).
Is there any way to block the creation of policies containing specific permissions or resources? I know this can be trivially circumvented, but if this tool is used in CI/CD it can be a good gate.
In a funny, not serious but also totally serious way, I want to be friends with everyone who cares about the fact that this repo exists, regardless of whether they think it's worth using.
I completely understand (and have had) the problem, but I don't understand the solution that this offers?

Or rather, I didn't without going Readme > Wiki > User Guide > something else. A YAML example should really be in the readme. This looks great!