simplifying AWS IAM policies


73 points | by bscript 15 days ago


  • bscript 15 days ago
    Sometimes, reading AWS IAM policies can be tough for me. I prefer visuals, so I often use the IAM Policy Simulator. To make things even easier, I built a small tool that turns IAM policies into simple graphs. is a good tool designed to help users visualize, analyze, and improve their AWS IAM policies.

    More details:
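As an added illustration of the "policy as graph" idea (example code written for this thread, not the tool the post describes), the script below flattens an IAM policy document into (statement, effect, action, resource) edges, flags statements that Allow every action on every resource, and emits Graphviz DOT so the policy can be drawn. The sample policy is constructed; it comes from no real account.

```python
# Added example, not the tool from the post: flatten an IAM policy document into graph edges
# (sid, effect, action, resource), flag statements allowing "*" on "*", and emit Graphviz DOT.
import json

# Constructed sample policy; not taken from any real account.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DenyDelete", "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
})

def _as_list(value):
    # IAM accepts a single string or a list for Action/Resource; normalise to a list.
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def policy_edges(policy_json):
    # One edge per (action, resource) pair. NotAction/NotResource are kept as
    # "Not:"-prefixed nodes rather than expanded, so inverted statements stay visible.
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    edges = []
    for i, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"Statement{i}")
        effect = stmt.get("Effect", "Deny")
        actions = _as_list(stmt.get("Action")) or ["Not:" + a for a in _as_list(stmt.get("NotAction"))]
        resources = _as_list(stmt.get("Resource")) or ["Not:" + r for r in _as_list(stmt.get("NotResource"))]
        for action in actions:
            for resource in resources:
                edges.append((sid, effect, action, resource))
    return edges

def admin_like_sids(edges):
    # Statements that Allow every action on every resource: review these first.
    return sorted({sid for sid, effect, action, resource in edges
                   if effect == "Allow" and action == "*" and resource == "*"})

def to_dot(edges):
    # Graphviz DOT: action -> resource, edge labelled with statement id and effect.
    lines = ["digraph iam {"] + [f'  "{a}" -> "{r}" [label="{s}:{e}"];' for s, e, a, r in edges]
    return "\n".join(lines + ["}"])
```

Pipe the DOT output to `dot -Tpng` to render it; `admin_like_sids` is the first thing to look at before reading the rest of the graph.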

  • bdcravens 14 days ago
    Perhaps it would make sense to link to the repo on the page? As best I can tell, you can easily self-host your tool (would need to update the redirects in the index.html).

  • cyberax 14 days ago
    IAM policies can be so complex that they become close to unusable.

    Use multiple AWS accounts, and keep your policies simple. One account for DB, one for the backend servers, etc. Each environment (prod, staging, dev) also gets its own set of accounts.

    This way, a misconfigured policy won't give admin access to everything.

    • potamic 14 days ago
      Wouldn't that lead to cross account policies, which appear to be even more quirky?
    • shakiXBT 14 days ago
      Having one account per database/backend/frontend is not only overkill, but actually a bad practice. You're going to have to expose your DB to the internet instead of having everything inside a single VPC.

      What you should do instead is have one account per environment (as you said).

      • tenplusfive 14 days ago
        I've recently stumbled upon the possibility to share a VPC and use one VPC with multiple accounts:

        I'm honestly not sure if that's a great idea, but this might be a possible way to do one account per DB/backend/frontend in a somewhat sane way.

      • Hikikomori 14 days ago
        You'll find that a plan like this is not overkill once you outgrow single accounts. Though I would do one account per system with Shared VPCs instead.
      • kroolik 14 days ago
        You can peer-connect VPCs cross-account.
        • dilyevsky 14 days ago
          Up to 125 peers before you have to set up a transit VPC, which is a lot more complex.
          • Hikikomori 14 days ago
            Transit gateway can have 5000 VPCs connected in a region, and you have multiple TGWs. And rather than have a VPC per account you can use Shared VPCs instead.
    • Hikikomori 14 days ago
      One account per system and environment with shared vpcs is great.
    • laurent_du 14 days ago
      I honestly can't imagine a situation where this would be good advice. Can you give an example of such an IAM policy?
  • zarzavat 14 days ago
    This is a very bad name for a product.
    • bscript 14 days ago
      You might be right. My focus wasn't on the name; I just wanted to create something useful for my day-to-day job and share it with others. The goal was never to commercialize the product … so maybe that’s why the name was bad!
      • sclangdon 14 days ago
        He may be referring to the fact that it could be pronounced Auschwitz. I must admit, my immediate thought on reading the name was "why would someone name their app after a concentration camp?"
        • bscript 14 days ago
          wow, I learned something new today
          • dgb23 14 days ago
            I had the same reaction. Even just a hyphen between like aws-viz would probably do wonders.
  • l3x4ur1n 14 days ago