About IAMTrail
An unofficial archive tracking AWS Managed IAM Policy changes, endpoint updates, and GuardDuty announcements since 2019 - with full version history, diffs, and dedicated RSS feeds.
Why IAMTrail Exists
AWS updates its managed IAM policies constantly - often without any announcement. Security teams, compliance officers, and cloud architects need visibility into these silent changes. ISVs and SaaS founders building on AWS also heavily rely on managed policies for their integrations and need to know immediately when permissions shift under their products.
IAMTrail was started in 2019, inspired by Scott Piper's aws_managed_policies project. What began as an automated fork has grown into a broader observatory of AWS infrastructure changes - covering not just IAM policies but also endpoint expansions, GuardDuty announcements, and AWS account identification.
What We Track
IAM Policy Changes
The original archive. Every AWS managed IAM policy versioned in Git with full diffs, Access Analyzer validation, and optional overlap with documented privilege escalation paths (see Security findings). Spot new service launches early via v1 policies. Literal actions in the policy JSON link to per-action pages that list which other managed policies reference the same string.
Endpoint Changes
Tracks changes to botocore's endpoints.json - new regions, new services, and service expansions. Refreshed every 6 hours.
GuardDuty Announcements
Archives GuardDuty SNS announcements - new findings, feature updates, and region expansions. The successor to the former @mgda_aws feed.
AWS Account Lookup
Identify AWS account owners from an account ID, powered by the fwdcloudsec/known_aws_accounts community dataset. Useful for CloudTrail and trust policy investigations.
Data sources
Privilege escalation path definitions used for action-level overlap on Security findings come from pathfinding.cloud (Apache License 2.0, open source by Datadog). IAMTrail vendors a JSON snapshot under data/pathfinding/.
Per-action reference text on IAMTrail (descriptions, access level, resource types, and related actions where available) is enriched from iam-dataset, an MIT-licensed project by Ian McKay. That dataset structures information from the AWS Service Authorization Reference and powers many tools in the ecosystem (for example iamlive and aws.permissions.cloud). It can lag live AWS documentation and is not an official AWS product.
IAMTrail's own policy archive (Git history, diffs, and validation) is independent. The iam-dataset material is supplementary context on action pages only.
How It Works
Automated Collection
Scheduled tasks fetch AWS managed policies, botocore endpoints, and GuardDuty announcements multiple times per day.
Git Version Control
Every change is committed to Git with full diff history preserved indefinitely. Nothing is ever silently overwritten.
Policy Validation
IAM policies are validated using AWS Access Analyzer to flag security warnings, best practice issues, and redundant statements.
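The core of the workflow described above is comparing one stored version of a managed policy against the next and surfacing what changed. The following is an added example, not IAMTrail's own code: it flattens two policy documents into grant tuples, diffs them, and flags newly added wildcard Allows. The two policy documents are constructed samples; in practice they would be the previous and current versions returned by iam:GetPolicyVersion.

```python
"""Diff two versions of an AWS managed IAM policy document.

Added example, not IAMTrail's own code; the sample documents are constructed.
"""


def _as_list(value):
    """Normalise a policy field that may be absent, a scalar, or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def grants(policy: dict) -> set:
    """Flatten a policy document into (Effect, Action, Resource) tuples."""
    out = set()
    for stmt in _as_list(policy.get("Statement")):
        effect = stmt.get("Effect", "Allow")
        # NotAction/NotResource are tagged so they are not mistaken for plain grants.
        actions = _as_list(stmt.get("Action")) + [
            "NotAction:" + a for a in _as_list(stmt.get("NotAction"))]
        resources = _as_list(stmt.get("Resource")) + [
            "NotResource:" + r for r in _as_list(stmt.get("NotResource"))]
        out.update((effect, a, r) for a in actions for r in resources)
    return out


def diff_policy(old: dict, new: dict) -> dict:
    """Return added/removed grants and flag new wildcard Allows for triage."""
    before, after = grants(old), grants(new)
    added, removed = sorted(after - before), sorted(before - after)
    # A new Allow on action "*" / "svc:*" or resource "*" widens access the
    # most and is what a policy-change feed should surface first.
    risky = [g for g in added if g[0] == "Allow" and ("*" in g[1] or g[2] == "*")]
    return {"added": added, "removed": removed, "risky_additions": risky}


# Constructed sample: v1 -> v2 of a hypothetical managed policy.
OLD_VERSION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-bucket/*"}]}
NEW_VERSION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]}

if __name__ == "__main__":
    for key, value in diff_policy(OLD_VERSION, NEW_VERSION).items():
        print(key, *value, sep="\n  ")
```

The tuple-level diff is what makes a Git history of policy JSON actionable: a reordered statement produces no noise, while a widened Resource or a new action on "*" is listed under risky_additions for review first.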
Stay Informed
RSS Feeds
Each data source has its own dedicated feed so you can subscribe to exactly what you care about. See all available feeds on the RSS Feeds page.
Email Digests & Social
Get policy change summaries delivered to your inbox via email digests, or follow along on Bluesky and X.
Credits
The original idea for tracking AWS Managed IAM Policies comes from Scott Piper (SummitRoute), who created the aws_managed_policies repository. IAMTrail builds on that idea with automated infrastructure, continuous monitoring, policy validation, and this web interface.

Created and maintained by zoph.io, an AWS Cloud Advisory Boutique based in France, specializing in cloud security, compliance, and infrastructure automation.
This is an unofficial archive and is not affiliated with, endorsed by, or sponsored by Amazon Web Services (AWS). AWS and related marks are trademarks of Amazon.com, Inc.