Trust Issues: What Do All these JSON files actually mean?
David Kerber
fwd:cloudsec North America 2025 · Day 1 · Track 2 - Crestone
David Kerber, an AWS consultant and self-described IAM obsessive, presented a suite of open-source tools he built to solve what he calls the fundamental problem of cloud security: **AWS IAM is the most important security control and effectively nobody understands it**. The three tools -- **IAM Simulate** (a from-scratch policy evaluation engine), **IAM Collect** (a policy downloader that captures every policy across an entire AWS organization), and **IAM Lens** (a CLI that combines them for real-time policy analysis) -- enable instant, offline evaluation of IAM request outcomes with detailed explanations of how every policy statement was evaluated. The live demo showed capabilities ranging from debugging why an SCP denied a request to mapping which principals across an entire organization can assume a given role, complete with the specific conditions under which access would be granted.
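To make the decision order those tools reproduce concrete, here is an added example written for this summary; it is not code from IAM Simulate, IAM Lens, or the talk. It is a small Python evaluator for a subset of IAM semantics (Allow/Deny, Action/NotAction, Resource/NotResource, Principal, a few condition operators, SCP levels, identity and resource policies for same- and cross-account requests) that records a per-statement trace, and a `who_can` helper in the spirit of the who-can command. The policies, account IDs, role and bucket names are constructed for the demo; permissions boundaries, session policies, NotPrincipal, policy variables and `IfExists` operators are deliberately not modelled.

```python
"""Toy IAM evaluator with a per-statement trace (illustration, not IAM Simulate)."""
import fnmatch
from dataclasses import dataclass, field


@dataclass
class Request:
    principal_arn: str            # e.g. arn:aws:iam::111111111111:role/App
    action: str                   # e.g. s3:GetObject (actions are case-insensitive)
    resource: str                 # e.g. arn:aws:s3:::bucket/key
    context: dict = field(default_factory=dict)   # condition keys such as aws:RequestedRegion

    @property
    def account_id(self) -> str:
        return self.principal_arn.split(":")[4]


@dataclass
class Result:
    decision: str                 # "allowed", "explicitDeny" or "implicitDeny"
    reason: str
    trace: list = field(default_factory=list)


def _as_list(v):
    return [] if v is None else (v if isinstance(v, list) else [v])


def _condition_ok(cond, ctx):
    """Subset of condition operators. Negated operators pass when the key is absent."""
    for op, pairs in (cond or {}).items():
        for key, expected in pairs.items():
            actual, exp = ctx.get(key), [str(e) for e in _as_list(expected)]
            if actual is None:
                if "Not" not in op:
                    return False
                continue
            actual = str(actual)
            if op == "StringEquals":
                ok = actual in exp
            elif op == "StringNotEquals":
                ok = actual not in exp
            elif op == "StringLike":
                ok = any(fnmatch.fnmatchcase(actual, e) for e in exp)
            elif op == "Bool":
                ok = actual.lower() == exp[0].lower()
            else:
                raise NotImplementedError(f"condition operator {op}")
            if not ok:
                return False
    return True


def _matches(stmt, req, check_principal):
    """Return (matched, explanation) for one statement against the request."""
    if check_principal:                                   # resource policies only
        p = stmt.get("Principal", "*")
        listed = ["*"] if p == "*" else _as_list(p.get("AWS"))
        if not any(a in ("*", req.principal_arn, req.account_id) for a in listed):
            return False, "principal not listed"
    hit = lambda pats, val: any(fnmatch.fnmatchcase(val.lower(), q.lower()) for q in pats)
    acts = _as_list(stmt.get("Action"))
    if acts and not hit(acts, req.action):
        return False, f"action {req.action} not in Action"
    if not acts and hit(_as_list(stmt.get("NotAction")), req.action):
        return False, f"action {req.action} excluded by NotAction"
    res = _as_list(stmt.get("Resource"))
    if res and not any(fnmatch.fnmatchcase(req.resource, r) for r in res):
        return False, "resource not in Resource"
    if not res and any(fnmatch.fnmatchcase(req.resource, r) for r in _as_list(stmt.get("NotResource"))):
        return False, "resource excluded by NotResource"
    if not _condition_ok(stmt.get("Condition"), req.context):
        return False, "condition not satisfied"
    return True, "matches"


def _scan(label, policy, req, trace, check_principal=False):
    allows, denies = [], []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid, effect = stmt.get("Sid", f"Statement{i}"), stmt["Effect"]
        matched, why = _matches(stmt, req, check_principal)
        trace.append(f"{label}/{sid} ({effect}): {why}")
        if matched:
            (allows if effect == "Allow" else denies).append(f"{label}/{sid}")
    return allows, denies


def evaluate(req, identity_policies, scp_levels=(), resource_policy=None, resource_account=None):
    """Decision order: any explicit Deny > every SCP level must Allow > identity/resource Allow."""
    trace, denies, scp_gaps, id_allows, res_allows = [], [], [], [], []
    for lvl, policies in enumerate(scp_levels):          # root, OUs, account: each level must allow
        lvl_allows = []
        for n, pol in enumerate(policies):
            a, d = _scan(f"SCP[{lvl}][{n}]", pol, req, trace)
            lvl_allows += a
            denies += d
        if not lvl_allows:
            scp_gaps.append(lvl)
    for n, pol in enumerate(identity_policies):
        a, d = _scan(f"identity[{n}]", pol, req, trace)
        id_allows += a
        denies += d
    if resource_policy is not None:
        res_allows, d = _scan("resource", resource_policy, req, trace, check_principal=True)
        denies += d
    if denies:
        return Result("explicitDeny", f"explicit Deny in {denies[0]}", trace)
    if scp_gaps:
        return Result("implicitDeny", f"no SCP Allow at level {scp_gaps[0]}", trace)
    same_account = resource_account in (None, req.account_id)
    if same_account and (id_allows or res_allows):       # same account: either side suffices
        return Result("allowed", f"Allow from {(id_allows or res_allows)[0]}", trace)
    if not same_account and id_allows and res_allows:    # cross-account: both sides required
        return Result("allowed", f"cross-account: {id_allows[0]} and {res_allows[0]}", trace)
    if not same_account and id_allows:
        return Result("implicitDeny", "cross-account: resource policy does not allow this principal", trace)
    return Result("implicitDeny", "no matching Allow", trace)


def who_can(principals, action, resource, context=None, **kw):
    """Principal ARN -> Result for one action/resource (the who-can question)."""
    return {arn: evaluate(Request(arn, action, resource, context or {}), pols, **kw)
            for arn, pols in principals.items()}


# Constructed sample policies; account IDs, role and bucket names are hypothetical.
SCP_REGION_LOCK = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyOutsideUsEast1", "Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}}}]}
APP_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadLogs", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::acme-logs", "arn:aws:s3:::acme-logs/*"]}]}
LOGS_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TrustAppRole", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:role/App"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::acme-logs/*"}]}

if __name__ == "__main__":
    req = Request("arn:aws:iam::111111111111:role/App", "s3:GetObject",
                  "arn:aws:s3:::acme-logs/2025/app.log", {"aws:RequestedRegion": "eu-west-1"})
    r = evaluate(req, [APP_ROLE_POLICY], scp_levels=[[SCP_REGION_LOCK]])
    print(r.decision, "-", r.reason)
    print("\n".join(r.trace))
```

Running the block answers the "why did the SCP deny this?" question from the demo: the trace shows the identity policy's `ReadLogs` statement matching and allowing, and the SCP's `DenyOutsideUsEast1` statement matching because `aws:RequestedRegion` is `eu-west-1`, so the explicit Deny wins. Changing the region to `us-east-1` turns the same request into an allow, and passing `resource_account="222222222222"` with `LOGS_BUCKET_POLICY` shows the cross-account rule, where the bucket policy must name the caller in addition to the caller's own identity policy allowing the action.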
AI review
David Kerber built what AWS should have shipped years ago: a ground-up IAM policy evaluation engine that runs entirely offline, understands every policy type and cross-account evaluation quirk, and provides line-by-line explanations of how every statement was evaluated. The who-can command alone -- enumerating every principal across an org that can access a resource with the conditions under which access is granted -- is worth more than most commercial IAM tools. This is real engineering applied to a real problem.