Skip to content

Minimization

This document explains the approach in the file titled policy_sentry/shared/minimize.py, which is heavily borrowed from Netflix's policyuniverse

IAM Policies have character limits, which apply to individual policies, and there are also limits on the total aggregate policy sizes. As such, it is not possible to use exhaustive list of explicit IAM actions. To have granular control of specific IAM policies, we must use wildcards on IAM Actions, only in a programmatic manner.

This is typically performed by humans by reducing policies to s3:Get*, ec2:Describe*, and other approaches of the sort.

Netflix's PolicyUniverse1 has addressed this problem using a few functions that we borrowed directly, and slightly modified. All of these functions are inside the aforementioned minimize.py file, and are also listed below:

We modified the functions, in short, because of how we source our list of IAM actions. Policyuniverse leverages a file titled data.json, which appears to be a manually altered version of the policies.js file included as part of the AWS Policy Generator website. However, that page is not updated as frequently. It also does not include the same details that we get from the Actions, Resources, and Condition Keys for AWS Services, like the Dependent Actions Field, service-specific conditions, and most importantly the multiple ARN format types that can apply to any particular IAM Action.

See the AWS IAM FAQ page for supporting details on IAM Size. For your convenience, the relevant text is clipped below.