JohannesEbke
commented
3 years ago This should run well with arn:aws:iam::aws:policy/ReadOnlyAccess , but probably can run well on more restricted policies. Since it does heuristics and actually knows which APIs it will call, it would probably be quite easy to generate a policy generator. Unfortunately, since it picks up on new APIs on boto3 updates, this policy would get out of date, but for security-conscious setups it might give an edge over ReadOnlyAccess.
Is there a recommendation for a policy with the least rights that can be used to successfully run the script ?