
🐈 Schrodinger's Course 👨‍🏫 and Inventorying IAM Role Permissions

Run automation to make a copy of every IAM policy attached to your roles

Great to be back. This is Unlimited Leave, the AWS Management and Governance Newsletter that is different the moment it is observed.

I’ve returned from a glorious vacation down south and as I had hoped, nothing blew up. I responded to one Slack message with a link to the documentation.

The rest of the 7-day trip I spent watching my kids jump in a pool. It was way more relaxing than it sounds.

I’m happy to be back and have some wonderful information to share.

This week's topics

  • Export a copy of all IAM Permissions Policies

  • AWS Announcements Blogs that caught my attention

  • Greenfield… is a GO!

Export (backup) IAM Policy Documents

In full transparency, ChatGPT 3.5 wrote most of this for me. In the README.md of the repository is a brief rundown of the prompts and process I used to create it. I had to make a couple of tweaks but I’m fascinated more and more every day with how I can use ChatGPT to save me boatloads of time.

In the most basic description, this Python script exports the policy document, in JSON, of every policy (managed and inline) attached to every role in an AWS account.

My specific use case: I’m about to engage in a large-scale migration of accounts from one AWS Organization to multiple others. In the process, previously staged resources are going to be removed. Enterprise federated access, security agents/monitoring, etc. It is possible roles and/or policies are going to go with those resources.

This script is just a low-impact way to make a copy of everything: role names, the names of the attached inline, customer-managed, or AWS-managed policies, as well as the content of those policies.

I haven’t done it yet, but I could see this as a Lambda or a scheduled SSM Run Command document that takes a daily or weekly snapshot of permissions and stores it in a versioning-enabled S3 bucket in the account, just to have a backup of permissions over time. If something stops working or throws access denied errors you can go back and see what the permissions used to be.
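What that export looks like in code, as an added example that is not the newsletter's ChatGPT-generated script: it walks every role, follows IAM's IsTruncated/Marker pagination so that accounts with more than one page of roles or policies are not silently truncated, fetches the default version of each attached managed policy, fetches each inline policy, and (going one step beyond the paragraph) also captures the role's trust policy, since that is lost with the role just as the permissions policies are. The IAM client is passed in, so the same function runs offline against the constructed FakeIAM below; against a real account it needs boto3 and credentials allowed to call iam:ListRoles, iam:ListAttachedRolePolicies, iam:ListRolePolicies, iam:GetRolePolicy, iam:GetPolicy and iam:GetPolicyVersion. The role names, ARNs, account ID and policy contents in FakeIAM are sample data, not real managed-policy text.

```python
"""Export every IAM policy attached to every role in an account as JSON.

Added example, not the newsletter's script. FakeIAM holds constructed sample
data so the export logic can be exercised with no AWS access.
"""
import json


def list_all(call, key, **kwargs):
    """Follow IAM's IsTruncated/Marker pagination for any list_* call.

    IAM returns at most 100 items per page by default; an export that ignores
    IsTruncated drops roles and policies from larger accounts without error.
    """
    marker = {}
    while True:
        resp = call(**kwargs, **marker)
        yield from resp[key]
        if not resp.get("IsTruncated"):
            return
        marker = {"Marker": resp["Marker"]}


def export_role_policies(iam):
    """Return {role_name: {"trust_policy": doc, "managed": {arn: doc}, "inline": {name: doc}}}.

    boto3 URL-decodes and parses IAM policy documents into dicts, so none of
    the documents below need a manual urllib.parse.unquote.
    """
    export = {}
    for role in list_all(iam.list_roles, "Roles"):
        name = role["RoleName"]
        managed = {}
        for att in list_all(iam.list_attached_role_policies, "AttachedPolicies", RoleName=name):
            arn = att["PolicyArn"]
            # Only the default version is in effect; GetPolicy says which one that is.
            version = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
            managed[arn] = iam.get_policy_version(
                PolicyArn=arn, VersionId=version)["PolicyVersion"]["Document"]
        inline = {}
        for pname in list_all(iam.list_role_policies, "PolicyNames", RoleName=name):
            inline[pname] = iam.get_role_policy(RoleName=name, PolicyName=pname)["PolicyDocument"]
        # The trust policy decides who may assume the role; capture it alongside
        # the permissions policies so a deleted role can be fully reconstructed.
        export[name] = {"trust_policy": role["AssumeRolePolicyDocument"],
                        "managed": managed, "inline": inline}
    return export


def to_json(export):
    """Stable, diff-friendly serialization for a versioned S3 object or git."""
    return json.dumps(export, indent=2, sort_keys=True)


class FakeIAM:
    """Constructed stand-in for boto3's IAM client (sample data, not a real account).

    list_roles is split across two pages to exercise the Marker handling.
    """
    _TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
              "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
    _ROLES = [{"RoleName": "AppRole", "AssumeRolePolicyDocument": _TRUST},
              {"RoleName": "ReadOnlyRole", "AssumeRolePolicyDocument": _TRUST}]
    _ATTACHED = {"AppRole": ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"],
                 "ReadOnlyRole": ["arn:aws:iam::aws:policy/ReadOnlyAccess"]}
    _MANAGED = {  # sample documents, not the real AWS-managed policy text
        "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]},
        "arn:aws:iam::aws:policy/ReadOnlyAccess": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["ec2:Describe*", "iam:Get*", "iam:List*"], "Resource": "*"}]}}
    _INLINE = {"AppRole": {"allow-sqs": {"Version": "2012-10-17", "Statement": [
                   {"Effect": "Allow", "Action": "sqs:SendMessage",
                    "Resource": "arn:aws:sqs:us-east-1:123456789012:orders"}]}},
               "ReadOnlyRole": {}}

    def list_roles(self, Marker=None):
        if Marker is None:
            return {"Roles": self._ROLES[:1], "IsTruncated": True, "Marker": "page-2"}
        return {"Roles": self._ROLES[1:], "IsTruncated": False}

    def list_attached_role_policies(self, RoleName):
        return {"AttachedPolicies": [{"PolicyName": a.rsplit("/", 1)[1], "PolicyArn": a}
                                     for a in self._ATTACHED[RoleName]], "IsTruncated": False}

    def get_policy(self, PolicyArn):
        return {"Policy": {"Arn": PolicyArn, "DefaultVersionId": "v2"}}

    def get_policy_version(self, PolicyArn, VersionId):
        return {"PolicyVersion": {"VersionId": VersionId, "Document": self._MANAGED[PolicyArn]}}

    def list_role_policies(self, RoleName):
        return {"PolicyNames": list(self._INLINE[RoleName]), "IsTruncated": False}

    def get_role_policy(self, RoleName, PolicyName):
        return {"PolicyDocument": self._INLINE[RoleName][PolicyName]}


if __name__ == "__main__":
    import sys
    if "--fake" in sys.argv:
        client = FakeIAM()
    else:
        import boto3  # real account: uses the ambient credential chain
        client = boto3.client("iam")
    print(to_json(export_role_policies(client)))
```

Run it with `--fake` to see the output shape offline, or without arguments under credentials for the account you want to snapshot. Treat the output as sensitive: it is a complete map of the account's permission surface, so the versioned bucket it lands in should be private, encrypted and readable only by the people who would actually restore from it.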

Announcements & Blogs

There are quite a few updates that caught my eye these last 2 weeks. Here are the most impactful in my opinion regarding M&G.

Service Announcements

Helpful Blog Posts

Greenfield Organizations Course is a go for 🚀

I’d be lying if I said pre-selling a product doesn’t feel a little sketchy to me. I polled this email list multiple times. Enough of you replied saying you would pay for this content.

Sales have never really been my thing. This process is all in an internet marketing playbook. I see it in action all of the time and for the most part, never bite. Being on the other end of it is a strange feeling.

So… I created a platform to support the content and deploy the resources and enough of you who said you wanted it put your money where your mouse is. I sincerely appreciate that. Beyond words.

I’ve updated the Course landing page with more value proposition information and a video better describing the content.

Like Schrodinger's Cat, the course exists. The question of whether there is quality content or not, or any content for that matter won’t be determined until the course is observed.

Because you’ve supported it, I’m full-throttle in the polishing of the content. To make sure I get the course to you promptly, I’m going to place my perfectionistic tendencies (which lead to procrastination) to the side and focus on iterating over time.

If at any time you feel like the value isn’t there or you are tired of waiting, I understand and would be more than happy to refund your purchase.

Another bonus

To show my continued appreciation for your support, pre-sale purchasers will get free access to a walk-through of how to deploy the AWS OIDC IAM Role/IDP pair required for the GitLab-CI automation I wrote about and provided a demo for in this previous issue.

The walk-through also covers the identical process of deploying the OIDC IAM Role/IDP pair that supports deploying AWS resources from GitHub Actions workflows.

If you are still interested in purchasing the pre-sale access to the Greenfield AWS Organization Deployment Course, you can access that HERE.

Disclaimer: The resources and topics shared within this newsletter are for informational use only. Any resources deployed or tools implemented are done so at your own risk. Do your research and testing before the implementation of any resource or service deployed for any workload.