My take on "How AWS needs to change"
Chris Farris's "How AWS needs to change" article is a very sensible list of problems AWS imposes on developers. The whole list is very condensed, so I'm just adding my pain points here. The article is: https://www.chrisfarris.com/post/aws-call-to-action/
Stop launching new services without CloudFormation Support.
Yes, please. It's maddening to see that self-congratulatory news post saying "today we've added CloudFormation support to X". How is something considered "done" without that?
CloudTrail data events should be free
Oh yeah, and also make it easy to react to events. I've written about my woes here: https://advancedweb.hu/cloudtrails-horrible-developer-experience/
If ABAC is going to be your “best practice”, then all services - especially core services - must support it.
Yes. If ABAC is supported, it should be 100% supported and consistently across services. It's the worst developer experience to see "X is supported" but then realize that for that particular use-case it's not.
Add new IAM Effects: Audit-Allow and Audit-Deny. Let us see what an SCP/RCP would do before we apply it in production.
Oh, that's a very nice idea, being able to audit the policies before switching them to enforce mode.
All IAM Actions are logged - no hidden usage of access keys.
Also, I'd really, really like to have a debugger for IAM. The condition keys are documented in a huge table, but they are defined or not defined based on circumstances. I've spent countless hours trying to figure out what I can use in a given policy because there is zero observability available. Add a log that shows the Principal, the Resource, the Action, and all available condition keys with their values.
Maybe it’s time for new services not to be callable by IAM Users.
This is one that I don't agree with. Keep complexity low: IAM Users shouldn't magically work differently from other keys.