Posted On: Oct 5, 2022

AWS Identity and Access Management (IAM) Access Analyzer policy generation has expanded support to identify actions used from over 140 services, helping developers create fine-grained policies based on their AWS CloudTrail access activity. New additions include actions from services such as AWS CloudFormation, Amazon DynamoDB, and Amazon Simple Queue Service. When developers request a policy, IAM Access Analyzer generates one by analyzing their AWS CloudTrail logs to identify the actions that were actually used. For example, developers using AWS CloudFormation to set up resources must grant CloudFormation permissions to create those resources. They can use policy generation to create a fine-grained policy that limits the CloudFormation role's permissions to only those necessary to deploy a given template. The generated policy makes it easier for developers to grant only the permissions required to run their workloads.

You can use IAM Access Analyzer in the AWS commercial Regions to generate policies in the IAM console, or through the APIs using the AWS Command Line Interface or a programmatic client. Read the documentation to learn more. To get started, you can read this blog on how to use IAM Access Analyzer policy generation.
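As an added example (not code from the announcement or from AWS), the following Python script uses the boto3 Access Analyzer client to drive the programmatic workflow described above: start a policy generation job for a principal from a CloudTrail trail, poll for the result, and flatten the Allow actions so the generated policy can be reviewed before it is attached. The principal ARN, trail ARN, access role ARN, Region and the 30-day look-back window are placeholder assumptions.

```python
"""Generate a least-privilege policy from CloudTrail activity with IAM Access Analyzer."""
import json
import time
from datetime import datetime, timedelta, timezone


def start_generation(client, principal_arn, trail_arn, access_role_arn, days=30):
    """Ask Access Analyzer to build a policy from the principal's CloudTrail activity.
    Returns the job id that is later used to poll for the result."""
    end = datetime.now(timezone.utc)
    resp = client.start_policy_generation(
        policyGenerationDetails={"principalArn": principal_arn},
        cloudTrailDetails={
            "trails": [{"cloudTrailArn": trail_arn, "allRegions": True}],
            "accessRole": access_role_arn,  # role Access Analyzer assumes to read the trail
            "startTime": end - timedelta(days=days),  # assumed look-back window
            "endTime": end,
        },
    )
    return resp["jobId"]


def fetch_generated_policies(client, job_id, poll_seconds=10, max_polls=60):
    """Poll until the job finishes; return the generated policy documents as parsed JSON."""
    for _ in range(max_polls):
        resp = client.get_generated_policy(jobId=job_id, includeResourcePlaceholders=True)
        status = resp["jobDetails"]["status"]
        if status == "SUCCEEDED":
            return [json.loads(p["policy"]) for p in resp["generatedPolicyResult"]["generatedPolicies"]]
        if status in ("FAILED", "CANCELED"):
            raise RuntimeError(f"policy generation {status}: {resp['jobDetails'].get('jobError')}")
        time.sleep(poll_seconds)
    raise TimeoutError("policy generation did not finish in time")


def allowed_actions(policy):
    """Flatten the Allow statements into a sorted action list for human review."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            acts = stmt.get("Action", [])
            actions.update([acts] if isinstance(acts, str) else acts)
    return sorted(actions)


if __name__ == "__main__":  # live run; all ARNs below are placeholders
    import boto3
    client = boto3.client("accessanalyzer", region_name="us-east-1")
    job = start_generation(client, "arn:aws:iam::123456789012:role/CfnDeployRole",
                           "arn:aws:cloudtrail:us-east-1:123456789012:trail/mgmt-trail",
                           "arn:aws:iam::123456789012:role/AccessAnalyzerTrailReader")
    for doc in fetch_generated_policies(client, job):
        print(json.dumps(doc, indent=2), allowed_actions(doc))
```

Review the flattened action list (and any resource placeholders) against the template you intend to deploy before attaching the policy to the role.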