AWS IAM permission model is fundamentally broken for security requirements
9/10 Critical

AWS IAM's core design prioritizes deterministic permission evaluation over security usability, producing a system in which CRUD-style permissions cannot be implemented auditably. The architecture relies on low-level API action lists combined with complex boolean logic (the 'deny sandwich'), strict character limits that force the use of wildcards, and new actions added unpredictably and without warning, making basic security expectations impossible to implement.
The real problem is twofold. Firstly, the AWS APIs are all random SOAP-style verbs instead of REST... Secondly, the chief design requirement of IAM is performantly deterministic permission evaluation, not actual security or usability... anyone used to sane CRUD permissions has to relearn everything and then discover that their basic security expectations and requirements are impossible to implement in any auditable way
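As an added illustration of the summary and the quote above (not code from the original page or from AWS), the following models IAM's Allow/Deny decision over action names and shows why a 'deny sandwich' (a broad `s3:*` Allow narrowed by explicit Denies) cannot be audited like a CRUD read grant: when the service introduces an action the Deny list never enumerated, the wildcard Allow grants it silently, while an explicit read allowlist does not. The policies, the action `s3:HypotheticalNewWriteAction`, and the helper names are constructed for this example; Resource and Condition elements are ignored.

```python
import fnmatch
import json

# Constructed policies modelling only the Effect/Action shape of IAM
# documents; Resource and Condition elements are ignored.
MANAGED_POLICY_CHAR_LIMIT = 6144  # IAM managed-policy limit, non-whitespace chars
DENY_SANDWICH = [
    {"Effect": "Allow", "Action": ["s3:*"]},
    {"Effect": "Deny", "Action": ["s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy"]},
]
READ_ALLOWLIST = [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"]}]
KNOWN_ACTIONS = ["s3:GetObject", "s3:ListBucket", "s3:PutObject",
                 "s3:DeleteObject", "s3:PutBucketPolicy"]
# Hypothetical future write action, constructed for this example (not a real AWS API).
NEW_ACTION = "s3:HypotheticalNewWriteAction"


def evaluate(statements, action):
    """IAM-style decision: implicit deny by default, a matching explicit Deny
    wins over every Allow, otherwise Allow if any Allow statement matches.
    Action names match case-insensitively with * and ? wildcards."""
    allowed = False
    for stmt in statements:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


def effective_allows(statements, actions):
    """Subset of `actions` the policy permits."""
    return {a for a in actions if evaluate(statements, a) == "Allow"}


def newly_granted(statements, known_actions, new_action):
    """Actions that become permitted when the service introduces `new_action`
    and the policy is left unchanged: the audit gap a wildcard Allow opens."""
    before = effective_allows(statements, known_actions)
    after = effective_allows(statements, known_actions + [new_action])
    return after - before


def policy_chars(statements):
    """Characters counted against the managed-policy size limit (whitespace excluded)."""
    doc = json.dumps({"Version": "2012-10-17", "Statement": statements})
    return sum(1 for c in doc if not c.isspace())
```

Running `newly_granted` against both policies is the check a reviewer wants: the deny sandwich reports the new action as granted, the read allowlist reports nothing, and `policy_chars` shows how quickly enumerating actions approaches the size limit that pushes policies toward wildcards in the first place.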