First version caveats:
- Literal action strings only, no wildcard expansion yet
- This is a signal, not a security verdict
- You still need to validate actual risk in your environment
More to come.
Posts by Victor Grenu
I'm also flagging privilege escalation paths. When a policy's explicit Allow actions match a documented escalation path from DataDog's catalog (hat tip to Seth Art and maintainers), you'll see an indicator.
Details of the AWS IAM policy "cognito-idp:AssociateWebACL," including access level, description, and allowed actions.
Dashboard display of IAMTrail, showcasing AWS Managed Policy details, pathfinding integration, and insights on privilege escalation actions.
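An added example (not IAMTrail's own code) of the matching the post describes: explicit Allow actions of a policy are compared against a catalog of escalation paths. The catalog and the action names here are constructed placeholders, and it goes one step past the first version's caveat by optionally expanding wildcards against a known action list.

```python
"""Flag policies whose explicit Allow actions cover a catalogued escalation path.

Added example, not IAMTrail's code. CATALOG and KNOWN_ACTIONS are constructed
placeholders with made-up action names; a real run would load the DataDog
catalog the post mentions. This is a signal, not a verdict: Deny statements,
NotAction, resource scoping and conditions are deliberately ignored.
"""
import fnmatch

# Constructed placeholder catalog: path name -> actions the path requires.
CATALOG = {
    "constructed-path-a": {"svc:ActionOne", "svc:ActionTwo"},
    "constructed-path-b": {"other:Write"},
}
# Constructed universe of known actions, used only to expand wildcards.
KNOWN_ACTIONS = {"svc:ActionOne", "svc:ActionTwo", "svc:ActionThree",
                 "other:Read", "other:Write"}


def _as_list(value):
    """IAM allows a string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def allowed_actions(document, known=KNOWN_ACTIONS, expand=True):
    """Lower-cased set of actions granted by explicit Allow statements.

    With expand=False (the post's first version) a wildcard such as "svc:*"
    is kept as a literal string and will not match any catalog entry.
    """
    out = set()
    for stmt in _as_list(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        for pattern in _as_list(stmt["Action"]):
            pat = pattern.lower()  # IAM action names are case-insensitive
            if expand and any(ch in pat for ch in "*?"):
                out.update(a.lower() for a in known
                           if fnmatch.fnmatchcase(a.lower(), pat))
            else:
                out.add(pat)
    return out


def matched_paths(document, catalog=CATALOG, expand=True):
    """Names of catalog paths fully covered by the policy's Allow actions."""
    granted = allowed_actions(document, expand=expand)
    return sorted(name for name, needed in catalog.items()
                  if {a.lower() for a in needed} <= granted)
```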
New week, new feature on IAMTrail.
IAM action context is now built into managed policy views. For each action, you get useful metadata: description, access level, and where it appears. Data comes from iam-dataset by Ian McKay.
Example, removing an allow statement or action?
PS: You are now more than a hundred subscribers to IAMTrail change detection, and I would like to say: Thanks.
It raises concerns about AWS's release management for these critical assets across millions of AWS accounts. In this case, it's not as dramatic since it's a brand-new policy, but what if an unattended change is applied to an existing actively used AWS IAM Managed Policy?
AWS IAM policy details show a managed policy titled "NAPSProgeneratorIntegTestManagedPolicy07," modified yesterday.
Yesterday, AWS inadvertently pushed a test IAM managed policy to production.
It was detected by IAMTrail, and this is one of the reasons for building this tool.
Annual Fargate savings: $9.07.
Cost of the Cursor + Claude session to build this: probably more than that. But YOLO.
Full breakdown in the blog post. 🔽
Tricky part wasn't the code. It was maintaining byte-level format compatibility with 5 years of git history. One misplaced space would flag every policy as "changed."
Now IAMTrail scans hourly instead of every 4 hours. Faster detection, smaller Fargate task (0.25 vCPU / 0.5 GiB).
Replaced it with a single boto3 session using ThreadPoolExecutor. 32 threads, one connection pool, same data.
Result: 2min 20sec. 20x faster.
Comparison of task performance between Bash and Python, highlighting duration, speedup, format match, and error rates.
IAMTrail was taking 46 minutes to scan 1,500 AWS managed policies.
The culprit: spawning 1,500 separate AWS CLI processes. Each one boots Python, loads boto3, makes one HTTP call, then exits.
PS: It's free and OpenSource. Please don't tell AWS =)
Cheers,
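An added example (not IAMTrail's code) of the rewrite the post describes: one shared client fanned out over a ThreadPoolExecutor instead of one CLI process per policy, plus a byte-stable serializer so a format drift does not flag every policy as changed. The IAM client is a constructed in-memory fake so it runs offline; with boto3 you would pass `boto3.Session().client("iam")` instead, and the exact on-disk format of the real project is an assumption here.

```python
"""Concurrent managed-policy scan over one shared client, with stable output bytes.

Added example, not IAMTrail's own code. FakeIamClient is a constructed stand-in
exposing the two calls the scan needs (list_policies, get_policy_version); the
real API paginates list_policies, so use client.get_paginator("list_policies").
"""
import json
import threading
from concurrent.futures import ThreadPoolExecutor


class FakeIamClient:
    """Constructed offline stand-in for an IAM client; counts calls thread-safely."""

    def __init__(self, policies):
        self._policies, self.calls, self._lock = policies, 0, threading.Lock()

    def list_policies(self, Scope="AWS"):
        return {"Policies": [{"PolicyName": n, "DefaultVersionId": "v1",
                              "Arn": f"arn:aws:iam::aws:policy/{n}"}
                             for n in self._policies]}

    def get_policy_version(self, PolicyArn, VersionId):
        with self._lock:
            self.calls += 1
        name = PolicyArn.rsplit("/", 1)[1]
        return {"PolicyVersion": {"Document": self._policies[name], "VersionId": VersionId}}


def canonical_bytes(document):
    """Sorted keys, 2-space indent, trailing newline: the bytes must be identical
    for identical documents, otherwise every stored policy looks 'changed'."""
    return (json.dumps(document, indent=2, sort_keys=True, ensure_ascii=False) + "\n").encode()


def fetch_document(client, policy):
    """One API call per policy; the client is shared, not re-created per call."""
    resp = client.get_policy_version(PolicyArn=policy["Arn"], VersionId=policy["DefaultVersionId"])
    return policy["PolicyName"], canonical_bytes(resp["PolicyVersion"]["Document"])


def scan_policies(client, max_workers=32):
    """Fan the per-policy fetches out over a pool; returns {name: canonical bytes}."""
    policies = client.list_policies(Scope="AWS")["Policies"]
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        return dict(pool.map(lambda p: fetch_document(client, p), policies))


def changed_policies(previous, current):
    """Names whose bytes differ from the stored snapshot, or that are new."""
    return sorted(n for n, b in current.items() if previous.get(n) != b)


SAMPLE_POLICIES = {  # constructed sample documents, not real AWS policies
    "ReadOnlyDemo": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"}]},
    "AdminDemo": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
                  "Version": "2012-10-17"},
}
```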
You will be able to follow GuardDuty's new findings, updated findings, new features, and region expansion. All in the same place as AWS Managed Policies changes, AWS Endpoint Updates, and Well-Known AccountID Lookup.
All of these changes are available in the email subscription feature.
Did you know that AWS publishes SNS notifications when changes occur on Amazon GuardDuty?
I've been monitoring and archiving this for 4+ years, and it's now available on IAMTrail.
"If you feel safe in the area that you're working in, you're not working in the right area. Always go a little further in the water than you feel you're capable of being in. Go a little bit out of your depth. And when you don't feel that your feet are quite touching the bottom, you're just about in the right place to do something exciting."
Since then, I’ve been working in AWS Infrastructure and Security. Fell in love with it.
I don't know (yet) what the next eye-opening moment would be.
Today, I was listening to the Lex Fridman podcast with Jeff Kaplan, and this quote from David Bowie resonates with me a lot:
Everything began with this eye-opening moment at an AWSomeDay in Paris (Feb. 24, 2017). I was doing traditional System Engineering at that time, ordering and racking servers, dealing with networking cables, switches, and routers.
Terminal output displays system uptime and duration details, showing calculations from an initial timestamp. Current date noted as March 24, 2026.
Lately, I've realized that I've been working in the AWS space for nearly 10 years.
I've been collecting this data for 4+ years, so the full history is already there.
PS: You can also subscribe to these kinds of updates.
Enjoy!
IAMTrail now tracks AWS endpoint changes, sourced directly from the Official botocore AWS repository.
It reveals service expansions, new region launches, and new partitions - often before they're officially announced.
Today, I'm happy to share that this feature is finally available, along with a full product rebrand: IAMTrail.
I have a ton of ideas for what is coming next for this open-source project, and I hope you will enjoy it and find it useful.
Any feedback appreciated. ❤️
Over the years, AWS Security aficionados, Security Researchers, SaaS Founders, and vendors who rely heavily on these AWS Managed policies have asked to subscribe to specific policies and be notified when changes occur.
Since 2019, I've been tracking every AWS Managed Policy change in a Git repository (MAMIP).
In the last few months, I've added:
- A Landing Page with search capabilities, stats
- Known Account Lookup based on the fwdcloudsec dataset
- Results of IAM Access Analyzer on these AWS Policies
But please don’t take the errors too seriously; sometimes they’re normal and expected behaviour from AWS.
Happy to read your feedback on this.
mamip.zoph.io/findings/
Just added a new section to the MAMIP webapp to review findings from AWS IAM Access Analyzer on ALL AWS Managed Policies.
These capabilities can sometimes yield interesting results and may even spoil upcoming AWS capabilities, etc.
Just added a new feature to MAMIP.
You can now search for known AWS accounts from the fwdcloudsec dataset.
Single webapp to look up AWS managed policy history, search known AWS account IDs, and more.
Give it a try.
It detects waste, low-signal assets, zombie infrastructure, incorrect sizing, forgotten volumes, idle load balancers, unused IPs, and more.
Same mission as day one: make cloud waste visible early, and keep AWS accounts under cost control over time.
- Weekly or daily scans in all regions
- AI-generated management reports for decision makers
- An AI chatbot to discuss your CSP bill with
- A read-only IAM role, no agents, no risk
It no longer just lists resources.