@hazelweakly Strongest of agreement… I would pay for the CloudTrail -> IAM POLA statement button. So many AWS blog posts use overly broad scopes (* is not a policy, it's a bypass) while others rightly point to how important it is to design for security.