# guide
a
We need a guide about IAM policy generation. It should be an umbrella guide with some examples and other guides. One of the guides that it could refer should be - https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html
f
Got it! I was thinking of describing 4 strategies in the guide based on people's security sensitivity:

1. `AdministratorAccess` - use this strategy if you have your own AWS account for development.
2. `[logs:*, lambda:*, iam:*, api-gateway:*, sns:*, …]` actions on `*` resources - use this strategy if you have your own AWS account for development and don't want to mistakenly create irrelevant resources (e.g. EC2, RDS, NAT Gateway, etc.).
3. Grant relaxed permissions upfront, and use the Access Analyzer to narrow down the policy.
4. Move the policies to a separate IAM role for CloudFormation to assume. You can pass that role to the SST CLI via `--role-arn`.

Does that make sense? Anything to add?
a
This sounds like a great start. I'll point out anything else that comes to mind. Thank you.
f
Awesome! Let me put something together