https://aws.permissions.cloud/api/s3-outposts#S3Control_CreateAccessPoint

I am not sure what is the expected rendering of ARN template, but it appears that /accesspoint/Name is unexpectedly added after /g (RegExp global flag) 🤔

source: "%%regex%${Bucket}%/^arn:aws:s3-outposts:.+?:.+?:outpost\\/(.+?)\\//g%%"
rendered:                    /^arn:aws:s3-outposts:.+?:.+?:outpost\/(.+?)\//g/accesspoint/Name
                                                                             ^^^^^^^^^^^^^^^^^

have used DataTables to sort before, looks like it's already in lib/

Hello, Ian,

Thanks so much for putting this project together. I think this and your other IAM data projects are fantastic.

For a while, though, I thought permissions.cloud was just a list of the permissions/actions we know about and that it didn't display the mappings between permissions/actions. But turns out that's just because of some kind of display bug I'm experiencing.

The tables' display area is so small that I can't see any of the useful columns unless I go all the way to the bottom and scroll right with a tiny horizontal scroll bar.

My resolution is 2560x1440.

I'll help out with this if you don't get to it first. Thanks.

Nit: https://permissions.cloud/iam/apigateway - the IAM Actions count shows up as 9 for API Gateway, but there is only one listed.

Similar to: https://bigorange.cloud/actions/
Code: https://github.com/rowanu/boc-effective

Sample Input:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:get*",
            "Resource": "*"
        }
    ]
}

ACTION | BASED ON | ACCESS LEVEL
-- | -- | --
s3:GetAccelerateConfiguration | s3:Get* | Read
s3:GetAccessPoint | s3:Get* | Read
s3:GetAccessPointConfigurationForObjectLambda | s3:Get* | Read
s3:GetAccessPointForObjectLambda | s3:Get* | Read
s3:GetAccessPointPolicy | s3:Get* | Read
s3:GetAccessPointPolicyForObjectLambda | s3:Get* | Read
s3:GetAccessPointPolicyStatus | s3:Get* | Read
s3:GetAccessPointPolicyStatusForObjectLambda | s3:Get* | Read
s3:GetAccountPublicAccessBlock | s3:Get* | Read
s3:GetAnalyticsConfiguration | s3:Get* | Read
s3:GetBucketAcl | s3:Get* | Read
s3:GetBucketCORS | s3:Get* | Read
s3:GetBucketLocation | s3:Get* | Read
s3:GetBucketLogging | s3:Get* | Read
s3:GetBucketNotification | s3:Get* | Read
s3:GetBucketObjectLockConfiguration | s3:Get* | Read
s3:GetBucketOwnershipControls | s3:Get* | Read
s3:GetBucketPolicy | s3:Get* | Read
s3:GetBucketPolicyStatus | s3:Get* | Read
s3:GetBucketPublicAccessBlock | s3:Get* | Read
s3:GetBucketRequestPayment | s3:Get* | Read
s3:GetBucketTagging | s3:Get* | Read
s3:GetBucketVersioning | s3:Get* | Read
s3:GetBucketWebsite | s3:Get* | Read
s3:GetEncryptionConfiguration | s3:Get* | Read
s3:GetIntelligentTieringConfiguration | s3:Get* | Read
s3:GetInventoryConfiguration | s3:Get* | Read
s3:GetJobTagging | s3:Get* | Read
s3:GetLifecycleConfiguration | s3:Get* | Read
s3:GetMetricsConfiguration | s3:Get* | Read
s3:GetMultiRegionAccessPoint | s3:Get* | Read
s3:GetMultiRegionAccessPointPolicy | s3:Get* | Read
s3:GetMultiRegionAccessPointPolicyStatus | s3:Get* | Read
s3:GetObject | s3:Get* | Read
s3:GetObjectAcl | s3:Get* | Read
s3:GetObjectLegalHold | s3:Get* | Read
s3:GetObjectRetention | s3:Get* | Read
s3:GetObjectTagging | s3:Get* | Read
s3:GetObjectTorrent | s3:Get* | Read
s3:GetObjectVersion | s3:Get* | Read
s3:GetObjectVersionAcl | s3:Get* | Read
s3:GetObjectVersionForReplication | s3:Get* | Read
s3:GetObjectVersionTagging | s3:Get* | Read
s3:GetObjectVersionTorrent | s3:Get* | Read
s3:GetReplicationConfiguration | s3:Get* | Read
s3:GetStorageLensConfiguration | s3:Get* | Read
s3:GetStorageLensConfigurationTagging | s3:Get* | Read
s3:GetStorageLensDashboard | s3:Get* | Read

I may need to understand the implementation you have but seems you pre-populate managed policy to the table here. Any inputs?

https://raw.githubusercontent.com/iann0036/iam-dataset/main/managed_policies.json

It appears that Amazon CloudFront is used to serve https://aws.permissions.cloud/

I've noticed that your text files (JSON/JS/CSS) are returned in a plain format, instead of one in a compressed format (GZIP or Brotli).
Enabling compression will speed up network download and save your bandwidth == AWS payment 💵

This is a super useful tool and I've started linking colleagues to this rather than AWS' own IAM docs as it looks much clearer plus has the benefit of listing managed IAM policies without them needing to log into the AWS console to view.

One thing that would be useful for me would be to be able to search all managed policies for a specific permission. Right now I go to the source repo and search via GitHub (eg like this) but it would be a nicer user experience if you could go from eg this link and then click into a permission to see managed policies containing the effective action.

Probably due to their sharing an IAM prefix (cloudformation), the actions for Cloud Control API and CloudFormation are both merged under the service name "Cloud Control API" in aws.permissions.cloud.

This could be an issue with the underlying dataset: https://github.com/iann0036/iam-dataset, but I'm not sure.

Note that Cloud Control API actions (e.g. CreateResource) and CloudFormation actions (e.g. CancelUpdateStack) show up on the below page and that no CloudFormation service is listed:

Impact: hard to find CloudFormation actions without using the search functionality and can be confusing.

I have a policy that includes a statement similar to this:

        {
            "Resource": [
                "arn:aws:lambda:us-west-2:012345678901:function:MyFunctionName*"
            ],
            "NotAction": [
                "lambda:Invoke*"
            ],
            "Effect": "Allow"
        }

This policy is intended to grant access to my CI/CD pipeline to make changes to the function, but not to execute the function. When evaluating this policy I get 10K plus lines of permissions, which are mostly inaccurate due to the resource restriction. Ideally the evaluation would identify the limited resource and only show permissions that can be included. I'd even consider it a huge improvement if it just limited the results by the service(s) of the resource arn(s).