
The solution that the OP says they want in the article is akin to how CloudKnox (whatever it's called now and there are others) handles permissions in the big three providers.

It ingests log data and permission/role assignments then reconciles them to then allow you to create custom roles that only have the permissions that someone actually uses.

MS bought them and calls it permissions management: https://learn.microsoft.com/en-us/entra/permissions-manageme...

Palo Alto has a tool called PRISMA. https://www.paloaltonetworks.com/prisma/cloud/cloud-infrastr...

The sector of tools is called CIEM. Cloud Infrastructure Entitlement Management.

Here's the thing though...PA and MS charge PER MANAGED RESOURCE. It's crazy. This is something that should be a core capability, but it's an added charge. It's a space that is screaming for open source tooling to make it less rent-seek-ish.
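
The reconciliation the comment describes (usage logs checked against granted permissions to derive a right-sized role), as an added example that is not part of the original comment or any vendor's code. The role name, record fields and 90-day lookback are assumptions, and all sample data is constructed.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Constructed sample data (not from a real account).
# Grants may contain wildcards, as cloud IAM policies commonly do.
GRANTS = {
    "ci-deployer": {"s3:*", "ec2:DescribeInstances", "iam:PassRole", "kms:Decrypt"},
}
NOW = datetime(2024, 6, 1)
# Simplified audit-log records; the field names are hypothetical.
EVENTS = [
    {"role": "ci-deployer", "action": "s3:GetObject", "time": datetime(2024, 5, 20), "denied": False},
    {"role": "ci-deployer", "action": "s3:PutObject", "time": datetime(2024, 5, 28), "denied": False},
    {"role": "ci-deployer", "action": "ec2:DescribeInstances", "time": datetime(2024, 5, 30), "denied": False},
    # Last used outside the lookback window: treated as unused.
    {"role": "ci-deployer", "action": "kms:Decrypt", "time": datetime(2023, 11, 2), "denied": False},
    # Denied call: an attempt is not evidence that the permission is needed.
    {"role": "ci-deployer", "action": "iam:CreateUser", "time": datetime(2024, 5, 29), "denied": True},
    {"role": "other-role", "action": "s3:DeleteObject", "time": datetime(2024, 5, 29), "denied": False},
]

def used_actions(events, role, now, lookback_days=90):
    """Actions the role successfully performed inside the lookback window."""
    cutoff = now - timedelta(days=lookback_days)
    return {
        e["action"]
        for e in events
        if e["role"] == role and not e["denied"] and e["time"] >= cutoff
    }

def right_size(granted, used):
    """Return (actions to keep, grants with no observed use).

    A wildcard grant such as "s3:*" is narrowed to the concrete actions
    that were observed; a grant that matches no observed action is
    reported as a candidate for removal.
    """
    keep = {a for a in used if any(fnmatchcase(a, g) for g in granted)}
    unused = {g for g in granted if not any(fnmatchcase(a, g) for a in used)}
    return sorted(keep), sorted(unused)

if __name__ == "__main__":
    role = "ci-deployer"
    keep, unused = right_size(GRANTS[role], used_actions(EVENTS, role, NOW))
    print("proposed custom role:", keep)
    print("grants with no use in window:", unused)
```

A short lookback window can miss permissions that are only exercised rarely (quarterly jobs, break-glass access), so the unused list is a review queue rather than an automatic revocation list.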


