AWS IAM Awards: the best (and the worst) AWS Services

To celebrate another AWS Re:Invent, we are launching the IAM awards for AWS service teams, namely:

  • “Our TPM is AWSome” award
  • “My first DeepRacer model” award
  • “We walk the talk” award
  • “BuT dEpENDenCIeS” award
  • “I like to spoil the surprise” award

As you will see, those awards can be acted upon. So we won’t be talking about API Gateway (doing its own thing, whatever it is) or Neptune + DocumentDB (using the rds namespace, because why bother).

We will be focusing on IAM SAR. See, each AWS service documents its IAM permissions in the IAM Service Authorization Reference (or SAR). Like many, we are using the IAM SAR to help our customers (doing things like Amazon S3 ThreatModel), and many AWS customers are using SAR directly via community automation (policy_sentry, parliament, permissions.cloud, trackiam, or our very own awsiamchanges.com).

AWS Service teams generally do a good job updating their IAM SAR page at each release: 69% get it done in less than 7 days. But some don’t (or do it poorly), and we hope that an AWS exec will see this and start asking questions like:

  • “can we launch IAM updates consistently?”
  • “can we update the IAM policy generator at the same time?”
  • leading to “how can we have an API already?”

The response should include “available to the public” (please).

The fastest services to update IAM SAR — "Our TPM is AWSome" award

The “Our TPM is AWSome” award is for high-velocity IAM SAR delivery, based on the average time between an API release and the matching IAM SAR update, per service, over the past year:

  • Winner: Transcribe, whose average time-to-update is a lightning-fast 3 hours and 26 minutes.
  • Runner Up: DataExchange, with an average time-to-update of 14 hours and 54 minutes.
| # | Service | Average | Number of releases |
|---|---------|---------|--------------------|
| 1 | transcribe | 3 hours, 26 minutes | 10 |
| 2 | dataexchange | 14 hours, 54 minutes | 3 |
| 3 | codebuild | 1 day, 4 hours, 55 minutes | 5 |
| 4 | workmail | 1 day, 5 hours, 37 minutes | 2 |
| 5 | nimble | 1 day, 5 hours, 40 minutes | 3 |
| 6 | redshift-data | 1 day, 6 hours, 8 minutes | 2 |
| 7 | imagebuilder | 1 day, 9 hours, 27 minutes | 2 |
| 8 | backup | 1 day, 10 hours, 5 minutes | 5 |
| 9 | frauddetector | 1 day, 19 hours, 17 minutes | 5 |
| 10 | kms | 1 day, 21 hours, 30 minutes | 3 |

The worst services to update IAM SAR — "My first DeepRacer model" award

Remember when I had that idea for my DeepRacer model that sounded amazing (especially in the after-hours of Re:Invent)? And then my hopes were crushed. The following award-winning services seem to have hit the wall as well:

| # | Service | Average | Number of releases |
|---|---------|---------|--------------------|
| 94 | mediapackage | 107 days, 12 hours, 34 minutes | 2 |
| 93 | medialive | 102 days, 14 hours, 46 minutes | 6 |
| 92 | codepipeline | 102 days, 8 hours, 35 minutes | 3 |
| 91 | datasync | 97 days, 14 hours, 38 minutes | 5 |
| 90 | iotevents | 95 days, 16 hours, 16 minutes | 2 |
| 89 | personalize | 84 days, 12 hours, 11 minutes | 2 |
| 88 | appstream | 58 days, 1 hour, 36 minutes | 3 |
| 87 | directconnect | 53 days, 1 hour, 57 minutes | 2 |
| 86 | snowball | 50 days, 18 hours, 37 minutes | 2 |
| 85 | kendra | 48 days, 3 hours, 42 minutes | 9 |
| 84 | wafv2 | 43 days, 4 hours, 27 minutes | 10 |

Special — "We walk the talk" award

A special shout-out to SecurityHub for launching new APIs and IAM actions to remove “master”.

Honorable mention: KMS, for introducing new API parameters and an IAM condition that drop the term Customer Master Key. Looking forward to the deprecation notice on the older parameters/conditions!

Special — "BuT dEpENDenCIeS" award

It is almost 2022, and these services still have non-inclusive wording in their APIs, IAM or docs:

  • RDS (Master user)
  • RedShift (Master username)
  • EMR (Master nodes)
  • AWS Control Tower (Master name in the stack)
  • OpenSearch (Master nodes): This 6-month-old issue needs support.
  • Organizations (Master Account): Fixing documentation (poorly) is not enough.

Special "I like to spoil the surprise" award

Congrats to Amazon Inspector V2 (non-Classic) for announcing itself early. Our bet is on Adam talking about “fast innovation, security is priority number 1, and always improving our services” before dropping the news.

Appendix - Methodology and full list for IAM SAR Awards

This data comes from a compiled list of API releases and IAM permission releases, sorted chronologically. The results run from the best and fastest service teams all the way to the service teams that did not ship the IAM permissions on time, or whose update is still pending. Services with only a single release in the past year are excluded.
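As an added illustration of this methodology (example code written for this edit, not the post's own tooling), the script below pairs constructed API-release and SAR-update events per service, averages the lag, drops single-release services, and stars a service whose recent API release has no SAR update yet. The rule that one SAR update closes every API release still pending for that service is an assumption, as is the 182-day window for the star.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample release log (not the post's data): (ISO time, service, "api" or "iam").
EVENTS = [
    ("2021-03-01T10:00", "transcribe", "api"), ("2021-03-01T13:26", "transcribe", "iam"),
    ("2021-06-10T09:00", "transcribe", "api"), ("2021-06-10T12:26", "transcribe", "iam"),
    ("2021-02-15T08:00", "mediapackage", "api"), ("2021-06-02T20:34", "mediapackage", "iam"),
    ("2021-09-01T08:00", "mediapackage", "api"), ("2021-12-17T20:34", "mediapackage", "iam"),
    ("2021-04-01T08:00", "mediatailor", "api"), ("2021-04-04T08:00", "mediatailor", "iam"),
    ("2021-07-01T08:00", "mediatailor", "api"), ("2021-07-05T08:00", "mediatailor", "iam"),
    ("2021-10-20T08:00", "mediatailor", "api"),  # no SAR update has followed this one
    ("2021-10-05T08:00", "onlyonce", "api"), ("2021-10-06T08:00", "onlyonce", "iam"),
]

def pair_releases(events):
    """Per service, match each API release to the next SAR update (assumption: one SAR
    update closes every pending API release). Returns {service: (lags, unmatched API)}."""
    by_service = defaultdict(list)
    for ts, svc, kind in sorted(events):
        by_service[svc].append((datetime.fromisoformat(ts), kind))
    paired = {}
    for svc, evs in by_service.items():
        lags, pending = [], []
        for ts, kind in evs:
            if kind == "api":
                pending.append(ts)
            elif pending:
                lags.extend(ts - p for p in pending)
                pending = []
        paired[svc] = (lags, pending)
    return paired

def fmt_delta(td):
    """Render like the post's tables: '1 day, 4 hours, 55 minutes'."""
    days, rem = divmod(int(td.total_seconds()), 86400)
    hours, minutes = divmod(rem // 60, 60)
    parts = [(days, "day"), (hours, "hour"), (minutes, "minute")]
    return ", ".join(f"{n} {u}{'s' * (n != 1)}" for n, u in parts if n) or "0 minutes"

def rank_services(events, now_iso, min_releases=2, stale_after=timedelta(days=182)):
    """(service, average time-to-update, paired releases) rows, fastest first. Services with
    fewer than min_releases are dropped; a recent API release with no SAR update earns '*'."""
    now, rows = datetime.fromisoformat(now_iso), []
    for svc, (lags, pending) in pair_releases(events).items():
        if len(lags) >= min_releases:
            avg = sum(lags, timedelta()) / len(lags)
            stale = any(now - p <= stale_after for p in pending)
            rows.append((avg, svc + "*" * stale, fmt_delta(avg), len(lags)))
    return [row[1:] for row in sorted(rows)]
```

Calling `rank_services(EVENTS, "2021-12-01T00:00")` yields the ranking with `mediatailor*` starred and `onlyonce` excluded.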

Below is the full list of AWS services with API releases followed by a subsequent IAM release, along with the average time between those releases:

| # | Service | Average | Number of releases |
|---|---------|---------|--------------------|
| 1 | transcribe | 3 hours, 26 minutes | 10 |
| 2 | dataexchange | 14 hours, 54 minutes | 3 |
| 3 | codebuild | 1 day, 4 hours, 55 minutes | 5 |
| 4 | workmail | 1 day, 5 hours, 37 minutes | 2 |
| 5 | nimble | 1 day, 5 hours, 40 minutes | 3 |
| 6 | redshift-data | 1 day, 6 hours, 8 minutes | 2 |
| 7 | imagebuilder | 1 day, 9 hours, 27 minutes | 2 |
| 8 | backup | 1 day, 10 hours, 5 minutes | 5 |
| 9 | frauddetector | 1 day, 19 hours, 17 minutes | 5 |
| 10 | kms | 1 day, 21 hours, 30 minutes | 3 |
| 11 | chime-sdk-messaging | 2 days, 49 minutes | 2 |
| 12 | rds | 2 days, 1 hour, 55 minutes | 14 |
| 13 | ecr | 2 days, 2 hours, 29 minutes | 3 |
| 14 | rekognition | 2 days, 5 hours, 36 minutes | 6 |
| 15 | license-manager | 2 days, 5 hours, 39 minutes | 4 |
| 16 | comprehend | 2 days, 8 hours, 55 minutes | 8 |
| 17 | amp | 2 days, 12 hours, 29 minutes | 3 |
| 18 | servicecatalog | 2 days, 14 hours, 31 minutes | 5 |
| 19 | iotwireless | 2 days, 14 hours, 53 minutes | 3 |
| 20 | fsx | 2 days, 16 hours, 49 minutes | 8 |
| 21 | s3control | 2 days, 17 hours, 27 minutes | 6 |
| 22 | kafka | 2 days, 20 hours, 42 minutes | 7 |
| 23 | acm-pca | 3 days, 2 hours, 9 minutes | 3 |
| 24 | auditmanager | 3 days, 2 hours, 57 minutes | 2 |
| 25 | s3 | 3 days, 3 hours, 49 minutes | 10 |
| 26 | proton | 3 days, 8 hours, 1 minute | 2 |
| 27 | mediatailor* | 3 days, 16 hours, 37 minutes | 4 |
| 28 | globalaccelerator | 4 days, 34 minutes | 2 |
| 29 | organizations | 4 days, 34 minutes | 2 |
| 30 | sns | 4 days, 34 minutes | 2 |
| 31 | logs | 4 days, 34 minutes | 2 |
| 32 | guardduty | 4 days, 34 minutes | 2 |
| 33 | iam | 4 days, 34 minutes | 2 |
| 34 | shield | 4 days, 34 minutes | 2 |
| 35 | sts | 4 days, 34 minutes | 2 |
| 36 | resourcegroupstaggingapi | 4 days, 34 minutes | 2 |
| 37 | apprunner | 4 days, 34 minutes | 2 |
| 38 | cloudwatch | 4 days, 34 minutes | 3 |
| 39 | dynamodb | 4 days, 34 minutes | 3 |
| 40 | sso | 4 days, 34 minutes | 3 |
| 41 | secretsmanager | 4 days, 34 minutes | 3 |
| 42 | ds* | 4 days, 34 minutes | 3 |
| 43 | codeartifact | 4 days, 34 minutes | 3 |
| 44 | route53 | 4 days, 34 minutes | 3 |
| 45 | fms | 4 days, 34 minutes | 4 |
| 46 | lightsail | 4 days, 34 minutes | 4 |
| 47 | config | 4 days, 34 minutes | 4 |
| 48 | elbv2 | 4 days, 34 minutes | 4 |
| 49 | devops-guru | 4 days, 34 minutes | 4 |
| 50 | managedblockchain | 4 days, 34 minutes | 4 |
| 51 | polly | 4 days, 34 minutes | 5 |
| 52 | storagegateway | 4 days, 34 minutes | 6 |
| 53 | gamelift | 4 days, 34 minutes | 6 |
| 54 | ssm | 4 days, 34 minutes | 7 |
| 55 | eks | 4 days, 34 minutes | 9 |
| 56 | lambda | 4 days, 34 minutes | 10 |
| 57 | iot | 4 days, 10 hours, 22 minutes | 7 |
| 58 | sagemaker* | 4 days, 14 hours, 51 minutes | 28 |
| 59 | securityhub | 4 days, 16 hours, 19 minutes | 2 |
| 60 | events | 5 days, 9 hours, 7 minutes | 7 |
| 61 | efs | 5 days, 11 hours, 49 minutes | 4 |
| 62 | connect | 5 days, 22 hours, 18 minutes | 7 |
| 63 | sagemaker-runtime | 6 days, 2 hours, 10 minutes | 8 |
| 64 | sesv2 | 7 days, 7 hours, 58 minutes | 2 |
| 65 | route53resolver | 7 days, 10 hours, 28 minutes | 5 |
| 66 | redshift | 8 days, 11 hours, 50 minutes | 7 |
| 67 | vpc | 12 days, 22 hours, 25 minutes | 3 |
| 68 | cloudformation | 13 days, 2 hours, 40 minutes | 7 |
| 69 | chime | 13 days, 13 hours, 29 minutes | 7 |
| 70 | textract | 13 days, 18 hours, 36 minutes | 3 |
| 71 | ec2 | 14 days, 7 hours, 19 minutes | 36 |
| 72 | cloudfront | 14 days, 14 hours, 36 minutes | 8 |
| 73 | workspaces | 15 days, 14 hours, 17 minutes | 6 |
| 74 | mediaconnect | 16 days, 9 hours, 17 minutes | 5 |
| 75 | compute-optimizer | 17 days, 19 hours, 42 minutes | 4 |
| 76 | mediaconvert | 18 days, 5 hours, 23 minutes | 5 |
| 77 | quicksight | 26 days, 5 hours, 46 minutes | 6 |
| 78 | emr | 30 days, 1 hour, 19 minutes | 3 |
| 79 | servicediscovery | 30 days, 10 hours, 57 minutes | 2 |
| 80 | macie2 | 31 days, 3 hours, 27 minutes | 6 |
| 81 | outposts | 33 days, 3 hours, 8 minutes | 2 |
| 82 | iotsitewise | 33 days, 15 hours, 6 minutes | 7 |
| 83 | autoscaling | 34 days, 19 hours, 19 minutes | 10 |
| 84 | wafv2 | 43 days, 4 hours, 27 minutes | 10 |
| 85 | kendra | 48 days, 3 hours, 42 minutes | 9 |
| 86 | snowball | 50 days, 18 hours, 37 minutes | 2 |
| 87 | directconnect | 53 days, 1 hour, 57 minutes | 2 |
| 88 | appstream | 58 days, 1 hour, 36 minutes | 3 |
| 89 | personalize | 84 days, 12 hours, 11 minutes | 2 |
| 90 | iotevents | 95 days, 16 hours, 16 minutes | 2 |
| 91 | datasync | 97 days, 14 hours, 38 minutes | 5 |
| 92 | codepipeline | 102 days, 8 hours, 35 minutes | 3 |
| 93 | medialive | 102 days, 14 hours, 46 minutes | 6 |
| 94 | mediapackage | 107 days, 12 hours, 34 minutes | 2 |

(*) Services with API releases in the past 6 months but no IAM SAR update on the API