Trust Issues: What Do All these JSON files actually mean?


Presented at fwd:cloudsec North America 2025 by

As cloud security practitioners, we spend our days wrangling IAM policies—but for all the JSON we manage, it’s still surprisingly hard to answer basic questions like: “Who can access this S3 bucket?” or “What can this role actually do?” Understanding AWS permissions in practice means piecing together policies across services, accounts, organizations, and trust layers. And because those policies are often managed by different teams or scattered across pipelines, it’s difficult to reason about what’s truly possible in a deployed environment.

This talk explores a pragmatic approach to verifying effective IAM permissions: simulating what AWS IAM actually allows across all policy layers, and exposing the results in a way that clearly shows who can do what, and why. Rather than replacing pre-deploy linters or policy review processes, this system complements them by analyzing deployed IAM configuration and evaluating real-world access across identities, resources, and trust relationships.

Want to know which principals have s3:GetObject access to your prod bucket? Or which external accounts can assume a sensitive role? We’ll show how to answer those questions—quickly, clearly, and without hand-parsing several JSON files. You’ll leave with a new set of tools for understanding how IAM really works in your environment. This session includes a demo and the release of an open-source project built to support these workflows.
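To make the "who can do what, and why" idea concrete, here is an added Python sketch of a layered IAM evaluator. It is illustration written for this page, not the talk's released tool or any AWS code, and it models only a subset of AWS's documented evaluation order: an explicit Deny in any layer wins, a service control policy must allow the action, and then either the identity policy or a same-account resource policy must allow it. Conditions, NotAction/NotResource, permission boundaries and cross-account semantics are deliberately left out. All ARNs, account IDs, policy names and policy documents below are constructed sample data.

```python
"""Minimal effective-permission simulator over several AWS IAM policy layers.

Constructed example for illustration. Modelled subset of the evaluation logic:
  1. any explicit Deny (SCP, identity or resource policy) wins;
  2. if SCPs are present, at least one SCP statement must allow the action;
  3. the identity policy OR a same-account resource policy must allow it;
  4. otherwise the request is implicitly denied.
Each decision carries the layer:policy:Sid that produced it, so the answer
to "can X do Y on Z?" also says why.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, casefold=False):
    # IAM action names match case-insensitively; resource ARNs are case-sensitive.
    if casefold:
        return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatchcase(value, p) for p in patterns)


def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return "*" in aws or principal_arn in aws


def _scan(layer, docs, action, resource, principal_arn=None):
    """Return (allow_reasons, deny_reasons) for one layer of (name, document) pairs."""
    allows, denies = [], []
    for doc_name, doc in docs:
        for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
            if not _matches(_as_list(stmt.get("Action", [])), action, casefold=True):
                continue
            if not _matches(_as_list(stmt.get("Resource", "*")), resource):
                continue
            # Only resource-based policies carry a Principal element.
            if principal_arn is not None and not _principal_matches(stmt, principal_arn):
                continue
            why = f"{layer}:{doc_name}:{stmt.get('Sid', f'Statement[{i}]')}"
            (denies if stmt["Effect"] == "Deny" else allows).append(why)
    return allows, denies


def evaluate(principal_arn, action, resource, scps, identity_policies, resource_policies):
    """Return (decision, reason) for one principal/action/resource triple."""
    scp_allow, scp_deny = _scan("scp", scps, action, resource)
    id_allow, id_deny = _scan("identity", identity_policies, action, resource)
    rp_allow, rp_deny = _scan("resource", resource_policies, action, resource, principal_arn)
    denies = scp_deny + id_deny + rp_deny
    if denies:
        return "DENY", "explicit deny in " + ", ".join(denies)
    if scps and not scp_allow:
        return "DENY", "no SCP statement allows the action"
    if id_allow or rp_allow:
        return "ALLOW", "allowed by " + ", ".join(id_allow + rp_allow)
    return "DENY", "implicit deny: no policy allows the action"


def who_can(action, resource, principals, scps, resource_policies):
    """principals: {arn: [(policy_name, document), ...]} -> {arn: (decision, reason)}."""
    return {arn: evaluate(arn, action, resource, scps, pols, resource_policies)
            for arn, pols in principals.items()}


# ---- constructed sample environment (hypothetical account and roles) ----
ACCOUNT = "111111111111"
APP = f"arn:aws:iam::{ACCOUNT}:role/app"
ADMIN = f"arn:aws:iam::{ACCOUNT}:role/admin"
AUDITOR = f"arn:aws:iam::{ACCOUNT}:role/auditor"

SCPS = [("org-guardrails", {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "ProtectProdBuckets", "Effect": "Deny", "Action": "s3:DeleteBucket",
     "Resource": "arn:aws:s3:::prod-*"}]})]

BUCKET_POLICY = [("prod-bucket-policy", {"Version": "2012-10-17", "Statement": [
    {"Sid": "AuditorRead", "Effect": "Allow", "Principal": {"AWS": AUDITOR},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::prod-bucket/*"}]})]

PRINCIPALS = {
    APP: [("app-inline", {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadProd", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::prod-bucket", "arn:aws:s3:::prod-bucket/*"]}]})],
    ADMIN: [("admin-inline", {"Version": "2012-10-17", "Statement": [
        {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}]})],
    AUDITOR: [("auditor-inline", {"Version": "2012-10-17", "Statement": [
        {"Sid": "Describe", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]})],
}

if __name__ == "__main__":
    obj = "arn:aws:s3:::prod-bucket/report.csv"
    for arn, (decision, why) in who_can("s3:GetObject", obj, PRINCIPALS, SCPS, BUCKET_POLICY).items():
        print(f"{arn}: {decision} ({why})")
    print(evaluate(ADMIN, "s3:DeleteBucket", "arn:aws:s3:::prod-bucket",
                   SCPS, PRINCIPALS[ADMIN], BUCKET_POLICY))
```

Running it shows the three answers the abstract wants to surface: the app role reads the object via its own identity policy, the auditor role reads it only because the bucket policy names it, and the admin role, despite `Action: "*"`, cannot delete the bucket because the organization SCP explicitly denies it. The reason string is the part worth keeping in any real tool; a bare ALLOW/DENY tells a reviewer little about which layer to fix.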