IAM could be way better with some default tools. For all I know they already exist, but I haven't seen anything close in the training or poking around.
Example, even with something as abstruse as SELinux, you can literally just attempt whatever you're trying to do, and then pipe the failure log into `fail2allow` and the permissions will be set to least privilege automatically, and then it just works in most situations.
You can also pipe the failure log to the policy advisor and it spits out a bunch of advice in plain text as well as a copy/paste command to implement it.
IAM is horrible if it can take design notes from SELinux.
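The "feed the denials in, get a policy out" workflow the post describes is what SELinux's `audit2allow` does: it reads AVC records from the audit log and emits `allow` rules covering exactly what was denied. As an added example that is not part of the post, here is a minimal Python re-implementation of that core step, run over constructed `audit.log` lines; the real tool also handles booleans, `dontaudit` rules and module packaging, which this omits.

```python
import re
from collections import defaultdict

# Constructed AVC denial records in the shape found in /var/log/audit/audit.log
# (sample data, not captured from a real system).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.124:457): avc:  denied  { open } for  pid=1234 comm="httpd" path="/home/web/index.html" dev="sda1" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.200:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.200:458): arch=c000003e syscall=42 success=no exit=-13
"""

# Pull the permission set, source type, target type and object class out of one AVC record.
# The MLS/MCS range after the type (s0, s0-s0:c0.c1023, ...) is skipped with \S+.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\w+:\w+:(?P<source>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<target>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)"
)


def parse_denials(log_text):
    """Return (source_type, target_type, class, permission) for every denied permission."""
    found = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, CWD records carry no denial by themselves
        for perm in m["perms"].split():
            found.append((m["source"], m["target"], m["tclass"], perm))
    return found


def build_allow_rules(log_text):
    """Group denials by (source, target, class) and emit one allow rule per group."""
    grouped = defaultdict(set)
    for src, tgt, cls, perm in parse_denials(log_text):
        grouped[(src, tgt, cls)].add(perm)
    # Every rule below grants something that was refused; a denial caused by a compromised
    # process would be granted just the same, so the output is a proposal to review, not policy.
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(grouped.items())
    ]


if __name__ == "__main__":
    for rule in build_allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

The two `file` denials collapse into one rule, which is the "least privilege" effect the post refers to: nothing broader than the observed permissions is granted, but nothing narrower is refused either.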