
IAM is a killer. You’re absolutely right. Are GCP permissions easier? I haven’t used them as much.


I’ve stopped worrying about minimising IAM permissions and tend to just use the built in AWS roles for most things now.


Yes, I do the same. For service roles I just use the PowerUser managed role. I don’t see the need to put access control on Amazon’s ability to call its own services. I only restrict my EC2 instance profile, since that’s a bit more vulnerable, and I tend to know very precisely what it should have access to.


What if you have a lambda with a full admin role that is not sanitizing its inputs? Or maybe it's using an outdated file parsing library (csv/yaml) with a vulnerability. Now your entire AWS account could potentially be compromised.


Yes, I would use a restricted role for Lambda too. Anything that gets creds in user space gets restricted permissions: EC2, Lambda, ECS, etc.


Some of the AWS built-in roles are an absolute car crash, no idea how they got through review (EMR is a good example). I use the built-in roles by default, but only after thoroughly reviewing the policies; I create my own based on that if I find anything I don’t like.

It’s not restricting Amazon’s access that I’m worried about, more privilege escalation (e.g. non-constrained iam:PassRole in combination with anything is a good one).
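
An added example to illustrate the iam:PassRole point above (it is not code from the thread, from the linked tool, or from AWS): a small checker that flags policy statements granting iam:PassRole on a wildcard resource or without an iam:PassedToService condition, run over two constructed policy documents. The weak one is the shape that lets a principal with ec2:RunInstances launch an instance carrying any role in the account; the constrained one pins PassRole to a single role and to the EC2 service. The account id and role name in the sample are hypothetical.

```python
"""Flag IAM policy statements that hand out an unconstrained iam:PassRole.

Added example for the discussion above; not AWS tooling. Both policy
documents below are constructed samples, and the account id / role name
are hypothetical.
"""
import fnmatch
import json

# Constructed sample: PassRole on every role, passable to any service.
# Paired with ec2:RunInstances (or lambda:CreateFunction, ecs:RunTask, ...)
# this lets the caller run compute under a role it does not itself hold.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:RunInstances", "iam:PassRole"],
            "Resource": "*",
        }
    ],
})

# Constructed sample: same capability, but PassRole is limited to one
# role ARN and may only be passed to the EC2 service.
CONSTRAINED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            # hypothetical account id and role name
            "Resource": "arn:aws:iam::123456789012:role/app-instance-role",
            "Condition": {
                "StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}
            },
        },
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action patterns are case-insensitive globs ('iam:*', 'iam:Pass*')."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_unconstrained_passrole(policy_json):
    """Return Allow statements that grant iam:PassRole on a wildcard role
    resource, or without an iam:PassedToService condition key."""
    doc = json.loads(policy_json)
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(_matches(a, "iam:PassRole") for a in actions):
            continue
        resources = _as_list(stmt.get("Resource"))
        wildcard_resource = any(
            r == "*" or r.endswith(":role/*") for r in resources
        )
        # Condition keys are case-insensitive; look under every operator
        # (StringEquals, StringLike, ...) for iam:PassedToService.
        condition = stmt.get("Condition") or {}
        pinned_service = any(
            any(k.lower() == "iam:passedtoservice" for k in keys)
            for keys in condition.values()
        )
        if wildcard_resource or not pinned_service:
            findings.append(stmt)
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("constrained", CONSTRAINED_POLICY)):
        hits = find_unconstrained_passrole(policy)
        print(f"{name}: {len(hits)} unconstrained PassRole statement(s)")
```

Note that a statement is still flagged when a PassedToService condition is present but Resource is "*": pinning the service does not stop the caller passing an administrative role to EC2, so both the role ARN and the service should be constrained.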


https://github.com/tilfin/aws-extend-switch-roles/blob/maste... may be interesting to you.

The fact that this has to exist is also interesting...


I'll hate on GCP all day long but the one thing it has going for it is the permissions.


Wow, I was gonna say “haven’t tried IAM on other platforms than GCP but I can’t imagine it being more difficult than this”, but damn ...


night and day imho



