Using AWS X-Ray to achieve Least Privilege Permissions

Run-time monitoring via AWS X-Ray can help with achieving Least Privilege IAM permissions: the traces record which AWS API calls each function actually makes at run time. We recently released a new tool that monitors X-Ray traces and generates Least Privilege IAM policies from them.

Fragment of a policy statement generated from the traces:

    "Action": [
    "Resource": "arn:aws:dynamodb:us-east-1:*:*",
    "Effect": "Allow"

Enabling AWS X-Ray

Install the X-Ray SDK:

    npm install --save aws-xray-sdk

Then import it next to the AWS SDK and wrap the SDK so that every AWS API call made through it is recorded as an X-Ray subsegment (captureAWS is the SDK's standard wrapper for this):

    import AWS from "aws-sdk";
    import XRay from "aws-xray-sdk";
    // All calls made through TracedAWS clients show up as subsegments in the trace
    const TracedAWS = XRay.captureAWS(AWS);

Deploy the service:

    serverless deploy

Scanning X-Ray to achieve Least Privilege

Install the scanner and run it:

    npm install -g aws-least-privilege
    xray-privilege-scan

    Completed running xray scan.
    Generated IAM policies based upon xray scan:
    arn:aws:lambda:us-east-1:xxxx:function:notes-app-api-prod-delete - 0bdcf1c154bddd684294aec1334a9b72.policy.json
    arn:aws:lambda:us-east-1:xxxx:function:notes-app-api-prod-create - 593020e43d8bf0737daecb471c81b698.policy.json
    arn:aws:lambda:us-east-1:xxxx:function:notes-app-api-prod-list - 2e166200fc364a6552f5934489b512dc.policy.json
    arn:aws:lambda:us-east-1:xxxx:function:notes-app-api-prod-update - 711a58cf1c53a4f14d9193a0b8c8fd4d.policy.json
    arn:aws:lambda:us-east-1:xxxx:function:notes-app-api-prod-get - c577c60d2945d3b7989bd3d538fd0cf5.policy.json
Each generated policy file is a statement of this shape, one per function:

    "Effect": "Allow",
    "Action": [
    "Resource": [
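To make concrete what the scanner derives from the traces, here is an added example (my own illustration, not the aws-least-privilege tool's code) that walks X-Ray segment documents and builds one least-privilege policy per Lambda function from the DynamoDB calls it observed. The segment field names (origin, aws.function_arn, subsegments, namespace, aws.operation, aws.table_name, aws.region) follow the X-Ray segment document format; the sample segments, account id, table name and the "ping" function are constructed, and the mapping assumes that for DynamoDB the IAM action name equals the API operation name.

```javascript
// Constructed sample X-Ray segment documents (not real traces): one per Lambda
// invocation, each carrying "aws" subsegments for the SDK calls it made.
const SAMPLE_SEGMENTS = [
  { origin: "AWS::Lambda::Function",
    aws: { function_arn: "arn:aws:lambda:us-east-1:123456789012:function:notes-app-api-prod-create" },
    subsegments: [
      { namespace: "aws", name: "DynamoDB", aws: { operation: "PutItem", table_name: "notes", region: "us-east-1" } } ] },
  { origin: "AWS::Lambda::Function",
    aws: { function_arn: "arn:aws:lambda:us-east-1:123456789012:function:notes-app-api-prod-list" },
    subsegments: [
      { namespace: "aws", name: "DynamoDB", aws: { operation: "Query", table_name: "notes", region: "us-east-1" } },
      { namespace: "aws", name: "DynamoDB", aws: { operation: "Query", table_name: "notes", region: "us-east-1" } } ] },
  // A function that made no AWS SDK calls (constructed): it should get no policy at all.
  { origin: "AWS::Lambda::Function",
    aws: { function_arn: "arn:aws:lambda:us-east-1:123456789012:function:notes-app-api-prod-ping" },
    subsegments: [] },
];

// Build a per-function policy from observed DynamoDB calls. Only DynamoDB is
// handled here, where the IAM action equals the API operation; other services
// (S3 for instance) need an explicit operation-to-action map.
function policiesFromSegments(segments) {
  const byFunction = new Map();
  for (const seg of segments) {
    if (seg.origin !== "AWS::Lambda::Function") continue;
    const fnArn = seg.aws.function_arn;
    const account = fnArn.split(":")[4]; // account id is the 5th ARN field
    const acc = byFunction.get(fnArn) || { actions: new Set(), resources: new Set() };
    for (const sub of seg.subsegments || []) {
      if (sub.namespace !== "aws" || sub.name !== "DynamoDB") continue;
      const { operation, table_name: table, region } = sub.aws;
      acc.actions.add(`dynamodb:${operation}`);
      acc.resources.add(`arn:aws:dynamodb:${region}:${account}:table/${table}`);
    }
    if (acc.actions.size) byFunction.set(fnArn, acc); // no observed calls, no policy
  }
  const out = {};
  for (const [fnArn, acc] of byFunction) {
    out[fnArn] = {
      Version: "2012-10-17",
      Statement: [{ Effect: "Allow", Action: [...acc.actions].sort(), Resource: [...acc.resources].sort() }],
    };
  }
  return out;
}

console.log(JSON.stringify(policiesFromSegments(SAMPLE_SEGMENTS), null, 2));
```

Functions whose traces show no SDK calls are deliberately left without a policy rather than given an empty Allow statement, and repeated calls collapse into a single action entry.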

What’s Next
