科技回声

9 条评论

bashinator超过 5 年前

Related, I've been wondering if there's a tool that will generate a least-privilege policy out of an existing set of AWS CloudTrail records. It would be wonderful if I could run terraform from an admin user, pull down the API calls, and build a policy from them.

评论 #21266011 未加载

评论 #21265101 未加载

pawurb超过 5 年前

Sorry for a shameless self-promotion but I've recently written a piece about how it's a common practice to grant web apps a full access to S3 resources using a simple IAM policy and what risks it causes <a href="https://pawelurbanek.com/s3-iam-config" rel="nofollow">https://pawelurbanek.com/s3-iam-config</a>

jedberg超过 5 年前

> and there's no automated tool that will automagically sense the AWS API calls that you perform and then write them for you in a least-privilege manner.<p>Netflix released one two years ago: <a href="https://medium.com/netflix-techblog/introducing-aardvark-and-repokid-53b081bf3a7e" rel="nofollow">https://medium.com/netflix-techblog/introducing-aardvark-and...</a>

评论 #21270273 未加载

kevinsundar超过 5 年前

I have a question, I recently had the opportunity to use AWS CDK (<a href="https://docs.aws.amazon.com/cdk/latest/guide/home.html" rel="nofollow">https://docs.aws.amazon.com/cdk/latest/guide/home.html</a>) for a project. It seemed to me that CDK automatically does this to a certain degree and if CDK is the future for AWS infrastructure provisioning, this issue should organically go away. Anyone have any input?

评论 #21264885 未加载

评论 #21264265 未加载

评论 #21267492 未加载

bloblaw超过 5 年前

Neat project.<p>How does it differ from `aws-iam-generator` released by AWS themselves?<p><a href="https://github.com/awslabs/aws-iam-generator" rel="nofollow">https://github.com/awslabs/aws-iam-generator</a>

评论 #21264358 未加载

dmlittle超过 5 年前

At first glance (by the name) I thought this was something that analyzed your AWS usage based on API logs and created an "ideal" policy for to use (or recommend permissions to remove/add).

评论 #21264166 未加载

评论 #21264746 未加载

评论 #21264083 未加载

vageli超过 5 年前

Is there any way to block the creation of policies containing specific permissions or resources? I know this can be trivially circumvented but if this tool is used in ci/cd it can be a good gate.

评论 #21264069 未加载

评论 #21264709 未加载

评论 #21264228 未加载

batoure超过 5 年前

In a funny not serious but also totally serious way I want to be friends with everyone who cares about the fact that this repo exists regardless of if they think its worth using.

评论 #21268950 未加载

评论 #21271342 未加载

OJFord超过 5 年前

I completely understand (and have had) the problem, but I don't understand the solution that this offers?<p>Or rather, I didn't without going Readme > Wiki > User Guide > something else - a YAML example should really be in the readme, this looks great!

评论 #21264973 未加载

9 条评论

bashinator超过 5 年前

评论 #21266011 未加载

评论 #21265101 未加载

pawurb超过 5 年前

jedberg超过 5 年前

评论 #21270273 未加载

kevinsundar超过 5 年前

评论 #21264885 未加载

评论 #21264265 未加载

评论 #21267492 未加载

bloblaw超过 5 年前

评论 #21264358 未加载

dmlittle超过 5 年前

At first glance (by the name) I thought this was something that analyzed your AWS usage based on API logs and created an "ideal" policy for to use (or recommend permissions to remove/add).

评论 #21264166 未加载

评论 #21264746 未加载

评论 #21264083 未加载

vageli超过 5 年前

Is there any way to block the creation of policies containing specific permissions or resources? I know this can be trivially circumvented but if this tool is used in ci/cd it can be a good gate.

评论 #21264069 未加载

评论 #21264709 未加载

评论 #21264228 未加载

batoure超过 5 年前

In a funny not serious but also totally serious way I want to be friends with everyone who cares about the fact that this repo exists regardless of if they think its worth using.

评论 #21268950 未加载

评论 #21271342 未加载

OJFord超过 5 年前

评论 #21264973 未加载

Show HN: Policy_sentry, an AWS IAM Least Privilege Policy Generator

9 条评论

Show HN: Policy_sentry, an AWS IAM Least Privilege Policy Generator

9 条评论