My daily job is to update IAM roles (about 4k roles) and customer managed IAM policies (about 10k policies). The IAM policy definitions are stored in terraform code. To avoid mistakes in role and policy updates, I wish there were something like a regression testing framework for IAM role/policy documents which I could run 50-100 times a day while developing a new version of the policy documents in terraform. The main issue is the lack of confidence in new IAM policy versions and the potential service availability impact in case of an IAM permissions regression.
Has someone encountered a similar problem, and how did you address it?
NOTE: This is a cross post from [1] to reach wider audience.
[1]
I asked a similar question at the aws topical forum. I expect wider readership and a range of answers.
I've got a very useful answer at aws:rePost. Apparently AWS provides a policy simulation tool, which I believe may be suitable for my purpose.
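One way to get the fast, local regression loop asked about above, as an added example that is not part of the original post: policy documents rendered from terraform are evaluated against a maintained list of expected (action, resource, outcome) cases, with the AWS policy simulator (boto3 `iam.simulate_custom_policy`, which is real but not called here) kept as the authoritative check. The sample policies and cases are constructed; the evaluator only handles Effect/Action/NotAction/Resource/NotResource with IAM wildcards and "explicit Deny wins", and skips any statement with a Condition.

```python
"""Local IAM policy regression pre-check: added example, not code from the original post.
Statements with Condition are skipped, so boto3 iam.simulate_custom_policy stays the
authoritative check for the same (action, resource) cases."""
import re

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(pattern, value, ignore_case):
    # IAM wildcards: '*' is any run of characters, '?' exactly one character.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _applies(stmt, action, resource):
    # Action names match case-insensitively; resource ARNs are case-sensitive.
    if "Action" in stmt:
        act = any(_matches(p, action, True) for p in _as_list(stmt["Action"]))
    else:
        act = not any(_matches(p, action, True) for p in _as_list(stmt.get("NotAction", [])))
    if "Resource" in stmt:
        res = any(_matches(p, resource, False) for p in _as_list(stmt["Resource"]))
    else:
        res = not any(_matches(p, resource, False) for p in _as_list(stmt.get("NotResource", [])))
    return act and res

def evaluate(policies, action, resource):
    """Return 'allowed' or 'denied' for one request across a set of identity policies."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement", [])):
            if "Condition" in stmt or not _applies(stmt, action, resource):
                continue  # conditional statements are deferred to the simulator
            if stmt.get("Effect") == "Deny":
                return "denied"  # an explicit Deny always wins
            allowed = True
    return "allowed" if allowed else "denied"  # no matching Allow -> implicit deny

def regression_check(policies, cases):
    """Return (action, resource, expected, actual) for every case that no longer holds."""
    rows = [(a, r, exp, evaluate(policies, a, r)) for a, r, exp in cases]
    return [row for row in rows if row[2] != row[3]]

# Constructed sample: read-only on a bucket, plus an explicit deny on its secrets prefix.
SAMPLE_POLICIES = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:Get*", "Resource": "arn:aws:s3:::app-bucket/*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::app-bucket/secrets/*"}]}]
SAMPLE_CASES = [("s3:GetObject", "arn:aws:s3:::app-bucket/public/a.txt", "allowed"),
                ("s3:GetObject", "arn:aws:s3:::app-bucket/secrets/key", "denied"),
                ("s3:PutObject", "arn:aws:s3:::app-bucket/public/a.txt", "denied")]
```

An empty list from `regression_check` means every recorded expectation still holds; any row it returns is a candidate permissions regression to confirm with the simulator before applying the terraform change.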