What does HackerNews think of policy_sentry?

IAM Least Privilege Policy Generator

Language: Python

#201 in Hacktoberfest
#54 in Security
All of the SDKs support client-side monitoring (CSM), so these sorts of tools can be built client side. https://boto3.amazonaws.com/v1/documentation/api/1.10.46/gui...

AFAICS the only challenge is mapping some of the APIs to IAM, as it's only 85% 1:1

There are also tools for helping with IAM (a generator and a linter):

https://github.com/salesforce/policy_sentry

https://github.com/duo-labs/parliament
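As an added example (not code from this thread, from the SDKs, or from policy_sentry), a small Python sketch of the client-side approach described above: CSM `ApiCall` events are mapped to IAM action names, with a partial override table for the cases where the API operation and the IAM action are not 1:1, and the result is emitted as one least-privilege statement per service. The CSM event shape, the service-prefix table and the override table are assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict

# Constructed sample of CSM events in the JSON shape the AWS SDKs emit over
# UDP when CSM is enabled (assumed; only the fields used below are shown).
SAMPLE_CSM_EVENTS = [
    {"Type": "ApiCall", "Service": "S3", "Api": "ListObjectsV2"},
    {"Type": "ApiCallAttempt", "Service": "S3", "Api": "ListObjectsV2"},  # retry, not a new call
    {"Type": "ApiCall", "Service": "S3", "Api": "HeadObject"},
    {"Type": "ApiCall", "Service": "DynamoDB", "Api": "GetItem"},
    {"Type": "ApiCall", "Service": "S3", "Api": "ListObjectsV2"},
]

# IAM service prefixes for CSM service names (assumed, partial table).
SERVICE_PREFIX = {"S3": "s3", "DynamoDB": "dynamodb"}

# The "not 1:1" cases: API operations whose name differs from the IAM action
# that authorises them (partial, illustrative table; a real tool needs a full one).
ACTION_OVERRIDES = {
    ("s3", "ListObjectsV2"): "s3:ListBucket",
    ("s3", "HeadObject"): "s3:GetObject",
    ("s3", "CreateMultipartUpload"): "s3:PutObject",
}

def csm_event_to_action(event):
    """IAM action for one completed ApiCall event; None for attempt events."""
    if event.get("Type") != "ApiCall":
        return None
    prefix = SERVICE_PREFIX.get(event["Service"])
    if prefix is None:
        raise KeyError(f"no IAM prefix known for service {event['Service']!r}")
    return ACTION_OVERRIDES.get((prefix, event["Api"]), f"{prefix}:{event['Api']}")

def observed_actions(events):
    """Deduplicated, sorted IAM actions seen across a stream of CSM events."""
    return sorted({a for a in map(csm_event_to_action, events) if a is not None})

def build_policy(events):
    """One Allow statement per service. CSM events carry no ARNs, so Resource
    stays a placeholder; scoping it to ARNs is a separate step (policy_sentry's job)."""
    by_service = defaultdict(list)
    for action in observed_actions(events):
        by_service[action.split(":", 1)[0]].append(action)
    statements = [{"Sid": f"{svc.capitalize()}Observed", "Effect": "Allow",
                   "Action": acts, "Resource": "<RESOURCE-ARN-PLACEHOLDER>"}
                  for svc, acts in sorted(by_service.items())]
    return {"Version": "2012-10-17", "Statement": statements}

if __name__ == "__main__":
    print(json.dumps(build_policy(SAMPLE_CSM_EVENTS), indent=2))
```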

@kmcquade you're awesome! We are users of https://github.com/salesforce/policy_sentry and definitely, definitely https://github.com/salesforce/cloudsplaining.

If I could give you guys money, I would. You should totally build a startup around it.

The peeps at Salesforce created this IAM Least Privilege Policy Generator: https://github.com/salesforce/policy_sentry

You are so right on the SELinux comparison. Of course, in this case, there are way more developers that are required to write them.

Reiterating what was mentioned in the thread: the best way to avoid this wildcard situation and make it easier for developers is to use Policy Sentry [0].

Thought I’d mention this for those who read the title and the comments instead of clicking on the tools. This will solve most of your problems with writing IAM policies for machine roles.

[0] https://github.com/salesforce/policy_sentry

With this.

https://github.com/salesforce/policy_sentry

(Disclaimer: I am the author)

Not one step exactly, but it is by far the easiest way to write least privilege IAM policies. Otherwise, it becomes impossible to ensure IAM policies are written securely and at scale. This way, all custom IAM policies are written with the exact same methodology.