IAM on zoph.me

Speeding Up IAMTrail: One Boto3 Process Instead of 1,500 CLI Invocations

Sat, 04 Apr 2026 07:37:00 +0200

The 46-Minute Problem

The IAMTrail detection engine fetches ~1,500 AWS managed IAM policies every run. The original approach was pure bash:

aws iam list-policies --output json |
    jq -cr '...' |
    xargs -P 16 -n3 sh -c \
      'aws iam get-policy-version --policy-arn $1 --version-id $2 | jq --indent 4 . > "policies/$3"' sh

Looks fine, right? Except each iteration spawns a full AWS CLI process. That means a fresh Python runtime, boto3 import, credential resolution, one single HTTP call, then exit. Times 1,500.

IAMTrail.com: The AWS Managed Policy Archive (Evolved from MAMIP)

Thu, 23 Oct 2025 13:37:00 +0200

📜 The Origins

Back in 2019, Scott Piper started a GitHub repository to track changes to AWS Managed Policies. It was a simple setup, manually triggered but it worked well and was incredibly useful. Using git diff or the Github.com UI, Scott and the community could easily see how policies evolved over time.

At that time, AWS didn’t publicly share the changes made to managed policies by the various “two-pizza” product teams inside AWS.

The day when the AWS Support got access to your S3 data

Wed, 22 Dec 2021 13:37:00 +0200

Update from: 2021-12-23

Official Security bulletin from AWS AWSSupportServiceRolePolicy Informational Update

https://aws.amazon.com/security/security-bulletins/AWS-2021-007/

You will find below details about the security incident that led to this unattended access for millions of AWS customers.

On 22nd December 2021, AWS deployed a new version (v20) of AWSSupportServiceRolePolicy, used by a mandatory role AWSServiceRoleForSupport for AWS Support access to all AWS Accounts. In this policy, they added the action s3:getObject, which gives AWS Support teams access to all customer Amazon S3 data.

Does AWS drink its own champagne? 🍾

Tue, 06 Apr 2021 13:37:00 +0200

TL;DR: AWS Managed Policies are safe. Currently.

:arrows_counterclockwise: Previously in Policy Validation

Before the AWS Access Analyzer (AA) Policy Validation release, a few open source initiatives were available to lint AWS IAM Policies, like Parliament from Duolabs and CloudSplaining (Salesforce).

The tricky part of these tools is that they are community-driven, from volunteer contributors, and most of the master data comes from AWS IAM docs web scraping. It is difficult to maintain over time, especially if the documentation format is changing, or if the documentation is not in sync with the IAM reality. It will be easier for everyone if the one who is providing the rules is the one who creates the validation tool to run against these rules. Isn’t it?

[MAMIP] Monitor AWS Managed IAM Policies

Sat, 22 Feb 2020 13:37:00 +0200

This article was originally posted in September 2019. Updated in February 2020.

Disclaimer

Thanks to @0xdabbad00 from SummitRoute for the original idea and jq parsing.

Purpose

When your production workloads rely on AWS IAM Managed Policies (don’t do this), you will need to be notified when changes occur behind the scenes. It’s also interesting to monitor new AWS service releases ahead of the announcements to get spoiled.

This pet project automates the retrieval (every 4 hours) of new AWS Managed IAM Policies to make it easier to monitor and get alerted when changes occur (by AWS), using the “Watch” feature on GitHub, RSS or a dedicated Twitter Account.