
Comments (3)

mcpeak commented on July 26, 2024

Is the idea for the rewritten inline policy (with deny) to override something that is allowed in a managed policy? For our internal use we generally limit use of managed policies in part for this reason and try to avoid 'deny' because it makes the logic harder to follow.

That being said it would be a pretty easy change to move unused services to a deny section rather than removing them from the policy entirely. It's not something that I would prioritize given our use and the other things we're working on for Repokid, but I'd happily accept a PR to add this as long as it was a configurable option.

It's also worth keeping in mind that policies have a size limit of ~10K, so as you add more to the policy (rather than remove) you have to be careful to stay under the limit.

from repokid.

et304383 commented on July 26, 2024

Well we're just trying to see how this could work into our existing flow.

We were hoping this tool could help us remove unused permissions so that we're not struggling at project start to figure out all the required permissions for the project in a new AWS account.

However, I think the real purpose that Netflix intended was to remove permissions that are no longer required, as opposed to removing permissions that simply aren't being used. It's pretty hard to remove permissions that aren't needed if they're never used, since Trusted Advisor only displays info about services used at some previous point.

from repokid.

mcpeak commented on July 26, 2024

We're trying to address both uses. We deploy new applications with a default profile that covers typical actions an application would need to perform. Access Advisor displays usage data about any service that is allowed by a policy. For any service that is allowed but either never used or not recently used we rewrite the policy to remove access.

FWIW we're working on a way to blacklist specific permissions/services for a role so that we can preserve access that is needed but gets infrequently used.

I'm happy to have a quick conversation to discuss roadmap and the stuff we're working on and find out more about how you're trying to use it.

from repokid.
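As an added illustration of the rewrite discussed in this thread (this is not Repokid's own code): allowed services with no or stale Access Advisor usage are stripped from the inline policy, or, as the configurable option mcpeak mentions, moved into a Deny statement instead, and the result is checked against the policy size limit. The sample policy, the last-accessed timestamps, the 90-day staleness threshold and the 10,240-character limit are constructed or assumed values.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: one inline policy and Access Advisor style "last accessed" data.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["sqs:SendMessage", "sns:Publish"], "Resource": "*"},
    ],
}
NOW = datetime(2024, 7, 26, tzinfo=timezone.utc)
LAST_ACCESSED = {"s3": NOW - timedelta(days=5), "sqs": None, "sns": NOW - timedelta(days=120)}
MAX_POLICY_CHARS = 10240  # assumed value for the "~10K" inline policy limit from the thread


def unused_services(last_accessed, now, max_age_days=90):
    """Services never used, or not used within max_age_days (threshold is an assumption)."""
    return {svc for svc, ts in last_accessed.items() if ts is None or (now - ts).days > max_age_days}


def repo_policy(policy, unused, deny_instead_of_remove=False):
    """Drop Allow actions for unused services, or collect them into a Deny statement.

    Note: an explicit Deny also overrides Allows granted by attached managed policies,
    which is the override effect discussed above; removal only narrows this document.
    """
    kept, dropped = [], []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            kept.append(stmt)  # existing Deny statements are left untouched
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        # "*" or "s3:*" style actions have service "*" or "s3"; a bare "*" is never dropped.
        keep = [a for a in actions if a.split(":")[0] not in unused]
        dropped += [a for a in actions if a.split(":")[0] in unused]
        if keep:
            kept.append({**stmt, "Action": keep})
    if deny_instead_of_remove and dropped:
        kept.append({"Effect": "Deny", "Action": sorted(dropped), "Resource": "*"})
    rewritten = {**policy, "Statement": kept}
    size = len(json.dumps(rewritten, separators=(",", ":")))
    if size > MAX_POLICY_CHARS:  # adding a Deny block grows the document rather than shrinking it
        raise ValueError(f"rewritten policy is {size} chars, over the {MAX_POLICY_CHARS} limit")
    return rewritten, sorted(dropped)


if __name__ == "__main__":
    unused = unused_services(LAST_ACCESSED, NOW)
    print(json.dumps(repo_policy(POLICY, unused, deny_instead_of_remove=True)[0], indent=2))
```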
