Identity and access management is proving to be one of the primary challenges in the cloud, at least partly due to the complexity of the systems involved. Nowhere is this more apparent than AWS, which currently tracks over 13,000 unique granular permissions and at least 7 methods to approve or deny a particular action. Maintaining an accurate picture of who can really do what is challenging at best when combined with role assumption and the scale of some cloud estates, reaching hundreds or thousands of AWS accounts.

This talk demonstrates IAMSpy, a new policy analysis engine designed to operate offline against large AWS organizations, and built on the same underlying technology powering AWS IAM Access Analyser. IAMSpy uses an SMT solver to formally prove whether an action by a given IAM entity is possible against a particular resource. SMT solvers resolve whether a given mathematical formula (in our case, the set of conditions that make up an account’s IAM configuration) is true for any set of input variables. This can then be used to resolve actions across entire organizations. The speakers will talk through several existing use cases and how to leverage it in your own projects, and discuss future directions for the tooling and technology.