Hacker News

> And the CEO wrote it like that originally because he didn't want to mess with IAM. I can see why he did it, but man was that a bad idea.

This is a very common case. It's okay in very early development (we rarely start projects with a definition of IAM policies), but then it gets shoved into the backlog forever.



There’s a pattern I see (and indeed have even perpetuated once or twice) of “AWS guide based development” where someone copy-pasted the default policy/roles directly from a guide into AWS CLI commands and just forgot about them after. Not as bad as the root credentials being used but certainly doesn’t help maintain a sane and understandable access system.

I know it’s a lot of extra maintenance effort and probably more difficult, but AWS could go a long way towards making this more sane and transparent by giving GitOps examples alongside their CLI ones. Even someone just copy-pasting Terraform or CloudFormation is going to be way more visible than AWS CLI.


I'm not sure how it is ever ok to put your _root_ credentials into version control? I am not even comfortable doing that with my personal private repositories that I share with nobody.


Oops, I replied to an out-of-context comment. I mean it's okay to use a wildcard policy in the early stage of a project.

Of course, committing credentials into a repo is absolutely never ever ok.



