Generate policies based on access activity - AWS Identity and Access Management

Generate policies based on access activity

As an administrator or developer, you might grant permissions to IAM entities (users or roles) beyond what they require. IAM provides several options to help you refine the permissions that you grant. One option is to generate an IAM policy that is based on access activity for an entity. IAM Access Analyzer reviews your AWS CloudTrail logs and generates a policy template that contains the permissions that the entity used in your specified date range. You can use the template to create a policy with fine-grained permissions that grant only the permissions that are required to support your specific use case.

For example, imagine that you are a developer and your engineering team has been working on a project to create a new application. To encourage experimentation and enable your team to move fast, you’ve configured a role with broad permissions while the application is in development. Now the application is ready for production. Before the application can launch in the production account, you want to identify only the permissions that the role needs for the application to function. This helps you to adhere to the best practice of granting least privilege. You can generate a policy based on the access activity of the role that you have been using for the application in the development account. You can further refine the generated policy and then attach the policy to an entity in your production account.

To learn more about IAM Access Analyzer policy generation, see IAM Access Analyzer policy generation.