aws

orestis 2022-05-03T06:41:57.567479Z

So I just discovered that AWS roles have a limit of 10/20 managed policies attached. So I guess that many fine-grained policies are a dead end, and instead I should use fewer coarse-grained policies (or even a single policy file). For example, a single policy that deals with all S3 buckets etc. that can be accessed, rather than one-policy-per-bucket. Is that correct or am I missing something?

Leaf Garland 2022-05-03T08:15:48.952559Z

Look at resource based policies? e.g. attach your policies to the buckets, instead of to the identities.

orestis 2022-05-03T08:50:17.927059Z

Thanks, I didn't know those existed. Might solve some (but not all) cases for services that do support them.

Max 2022-05-04T03:17:46.404729Z

How do you manage your policies? If you're using something like Terraform, in my experience there's little benefit to managed policies, since in your tf code there's not much of a difference between a managed policy and a bunch of inline policies that use the same text that comes out of a single file.

orestis 2022-05-04T05:19:56.531079Z

I practice ClickOps :) Terraform or something like it is on the way some time this year.

orestis 2022-05-04T05:20:37.162579Z

AWS managed policies are good because they get updated by AWS as services evolve. We need some of them for e.g. ElasticBeanstalk.