
In my company, developers write policies, but they have to be approved by someone with ops expertise (usually me). And the policies are often either too broad, or not sufficiently tested, and missing permissions for things it needed. Sometimes the same policy has both problems. I don't blame the developers. You can hardly expect every developer to become an expert on AWS's IAM system. Especially given how inconsistent it can be.


>or not sufficiently tested

How do you test a policy?


You set up a policy in a test environment and run the code there. Of course, generally, the policy can't be identical across environments, so you can run into errors.
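An offline pre-check for the two problems raised in the thread (too broad, missing permissions), as an added example that is not any commenter's code. The policy, the list of required calls and all function names are constructed for illustration. The evaluation is a simplified model of identity-policy logic: it ignores `Condition`, `NotAction`, `NotResource` and other policy types.

```python
import re

# Constructed sample policy: one over-broad Allow, one explicit Deny,
# and no statement covering the SQS call the code also makes.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
]}

# Constructed list of (action, resource) calls the application is expected to make.
REQUIRED = [
    ("s3:GetObject", "arn:aws:s3:::example-bucket/reports/a.csv"),
    ("s3:DeleteObject", "arn:aws:s3:::example-bucket/tmp/b.csv"),
    ("sqs:SendMessage", "arn:aws:sqs:us-east-1:111122223333:example-queue"),
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one character.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def decide(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request (simplified)."""
    result = "ImplicitDeny"
    for st in _as_list(policy["Statement"]):
        if any(_match(a, action, True) for a in _as_list(st["Action"])) and \
           any(_match(r, resource) for r in _as_list(st["Resource"])):
            if st["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            result = "Allow"
    return result

def missing(policy, required):
    """Calls the code needs that the policy does not end up allowing."""
    return [(a, r) for a, r in required if decide(policy, a, r) != "Allow"]

def too_broad(policy):
    """Allow statements that pair a wildcard action with resource '*'."""
    return [st for st in _as_list(policy["Statement"])
            if st["Effect"] == "Allow" and "*" in _as_list(st["Resource"])
            and any("*" in a for a in _as_list(st["Action"]))]

if __name__ == "__main__":
    print("missing:", missing(POLICY, REQUIRED))
    print("too broad:", too_broad(POLICY))
```

A check like this catches both problems before deployment, but it only covers the calls listed in `REQUIRED`; running the code in a test environment is still what reveals calls nobody listed.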



