Automatic Least Privilege in AWS

Least privilege is a ubiquitous concept in security, but applying it is easier said than done. Permissions are complicated and tuning them doesn't rate high on most developers' task list. Least privilege is also a moving target, it should adjust as application scope changes, but this typically requires manual review.

Fortunately there is a better way. AWS provides a wealth of data that can be used to reason about true least privilege policies. By using this data, the security team at Netflix creates rightsized policies automatically. This talk discusses the challenges of applying least privilege and the processes and open-source tool we used to overcome them. 

Resources mentioned in this session:


Repokid open source is available at:

PS: Netflix is hiring

Ep. #28, Developer Empathy with Jason Chan of Netflix

Travis McPeak

Travis works at Netflix on the Cloud Security team where he enjoys building automation that increases security while simultaneously boosting developer productivity. Travis is a core developer of the Bandit and Repokid open source projects and has presented at security conferences including BlackHat USA, Enigma, and re:Invent. He currently serves as the Bay Area OWASP Chapter Lead, a security advisor for startups, and a mentor for people looking to get in to security.

Find Travis on twitter


The MyDevSecOps community is powered by Snyk Ltd. Our aim is to create a vendor-neutral space to share knowledge and best practices related to software security.

  • White Twitter Icon
  • White YouTube Icon