Communications of the ACM has a new article titled “The End of Programming” by Matt Welsh. It posits that traditional programs “will be replaced by AI systems that are trained rather than programmed” (emphasis in the original). Welsh is “the CEO and co-founder of Fixie.ai, …

Permissions boundaries are great in concept: an administrator can place restrictions on what IAM principals can possibly do, while letting developers determine the actual least privilege policy that principals should have — and this includes the principal for the developers themselves. …

I’ve gotten some responses to my article where I argue that cross-account role trust policies should trust accounts, not principals within the accounts. A lot of them took the form of “it provides an extra layer of defense” along with “it can’t hurt”. …

In my article on IAM principals, I mentioned that when creating a cross-account role trust policy, it’s generally better to trust the entire account, rather than a particular principal within that account. I got some questions on why, so here are the details! Note: there’s a follow-up to this article…

We need to talk about how AWS credential configuration works. Many people have more than one IAM principal that they use on a regular basis, most likely because of multiple accounts, though they may also have multiple principals available to them within a given account. The ways I see a…

AWS IAM Permission Boundaries Has A Caveat That May Surprise You Note: this article was originally published on September 1, 2021. It erroneously stated that the resource policy could reference the role, rather than the assumed role session. I removed it pending an update. The confusion, complexity, and poor documentation led me to publish I Trust AWS IAM to Secure My…

AWS IAM operates at an immense scale, more than 400 million operations per second, and the stakes are frankly terrifying; a substantial portion of the internet runs on AWS, and access to those resources is regulated by IAM. I’m therefore glad that the people who design and run IAM are…

Note: this article uses the boto3, the AWS Python SDK, as an example, but other SDKs have analogous features. I’ve found that newcomers to AWS can sometimes get confused by what it means to have AWS credentials, and that people have notions of “logging into AWS” that don’t really correspond…

You’re writing some Python, and you need to write out a string containing newlines. You’ve got two options: a regular string with \n in it, or a multi-line string literal using three double quotes (are those sextuple quotes?), which looks like this: my_string = """This is a multi-line string""" assert…