
all. I am looking to find some information on IAM best practices or some whitepapers/patterns (or even tools, if there are any) to help me refactor my IAM policies for all my services. Are there any whitepapers/patterns/examples or tools that you have found beneficial in restructuring IAM policies, roles, and groups as your AWS resource "stacks" for different applications have grown?

The biggest problem I'm facing is that I have a lot of overlap in policies and I'm finding it difficult to easily write policies such that they are reusable in a few different situations where the policies only differ slightly. For example, I may have an application stack that has a bunch of AWS resources and I need to define policies for admins that are more broad than regular engineers (who may not have delete/modify permissions to some resources), while CI/infra automation may need more broad access to provision the stack, and the stack service itself may need access to a smaller subset of resources in order to run. The problem is that as I've added more stacks, the policies have become largely duplicated and there's no clear/easy way to reduce this duplication.

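Added example (not from the question or any reply): a small Python script that canonicalises IAM statements (dropping `Sid`, sorting lists, promoting single strings to lists) and reports which statements occur in more than one policy document, which is the first step before pulling the shared statements into a common managed policy. The three policies and the account ID are constructed for the demonstration.

```python
"""Report IAM statements that recur across several policy documents."""
import json
from collections import defaultdict

# Constructed sample policies for one application stack (not real account data;
# 111122223333 is a placeholder account ID).
POLICIES = {
    "stack-a-service": {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadData", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::stack-a-data", "arn:aws:s3:::stack-a-data/*"]},
        {"Effect": "Allow", "Action": "sqs:SendMessage",
         "Resource": "arn:aws:sqs:us-east-1:111122223333:stack-a-jobs"}]},
    "stack-a-engineer": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::stack-a-data/*", "arn:aws:s3:::stack-a-data"]},
        {"Effect": "Allow", "Action": "logs:DescribeLogGroups", "Resource": "*"}]},
    "stack-a-admin": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::stack-a-data/*"},
        {"Effect": "Allow", "Action": ["logs:DescribeLogGroups"], "Resource": ["*"]}]},
}


def normalize_statement(stmt):
    """Canonical JSON for a statement: Sid dropped, lists sorted, scalars promoted
    to one-element lists, so cosmetic differences do not hide duplicates."""
    def as_list(value):
        return sorted(value) if isinstance(value, list) else [value]
    canon = {"Effect": stmt.get("Effect"), "Condition": stmt.get("Condition", {})}
    for key in ("Action", "NotAction", "Resource", "NotResource", "Principal"):
        if key in stmt:
            # Principal may be a dict ({"AWS": ...}); keep dicts as they are.
            canon[key] = stmt[key] if isinstance(stmt[key], dict) else as_list(stmt[key])
    return json.dumps(canon, sort_keys=True)


def find_shared_statements(policies):
    """Map each canonical statement to the sorted names of the policies containing
    it, keeping only statements that appear in more than one policy."""
    owners = defaultdict(set)
    for name, doc in policies.items():
        stmts = doc["Statement"]
        for stmt in (stmts if isinstance(stmts, list) else [stmts]):
            owners[normalize_statement(stmt)].add(name)
    return {canon: sorted(names) for canon, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    for canon, names in find_shared_statements(POLICIES).items():
        print(f"shared by {', '.join(names)}: {json.loads(canon)['Action']}")
```

Running it on the sample reports the S3 read statement (service and engineer) and the `logs:DescribeLogGroups` statement (engineer and admin) as shared, while the SQS and `s3:*` statements stay unique to their roles.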