What would you ask a crystal ball for AWS IAM?

Nick Siow

fwd:cloudsec North America 2025 · Day 2 · Track 1 - Crystal

Nick Siow from Netflix's cloud security team presented the journey from a failed enterprise metrics initiative to the creation of **Yams**, a newly open-sourced IAM simulation engine designed to answer the questions that existing tools cannot handle at massive scale. Born from the frustrating realization that Netflix's AWS environment — with over 100,000 IAM roles and equally numerous resources — was simply too large and complex for existing IAM analysis tools, Yams provides a Go-based library, server, and CLI that can load an entire enterprise IAM environment, simulate access decisions across billions of permission combinations, and deliver answers in seconds rather than hours. The tool was open-sourced the day of the talk.

AI review

Open-sourced IAM simulation engine that actually works at scale, with full policy evaluation including ABAC, SCPs, RCPs, resource policies, permission boundaries, and cross-account trust. The overlay feature for previewing SCP changes before deployment is genuinely novel and solves a problem that has caused real production incidents. This is the kind of tool that should have come from AWS but didn't.
