Hey there 👋 - Amrut here!
Happy Sunday to all working hard towards meta-skills mastery!
In today’s newsletter, I will focus on why periodic resource management is essential while managing your Cloud infrastructure.
I will be diving into the following:
the problem I encountered
how I discovered the root cause
and the approach I took to resolve the issue
Let’s dive in!
The Problem
I recently ran into an issue where the number of IAM roles exceeded the limit of 1000 per account set by AWS.
By default, AWS sets an IAM roles limit of 1000 per account. The limit can be increased to 5000 upon request.
The easiest route could have been just requesting the AWS support team to increase the limit. However, I decided to dig deeper to figure out what was causing this.
Root Cause Analysis
Upon investigation, I figured out each AWS CodePipeline created within the account created a default autogenerated IAM role.
All the IAM role did was attach a default permissions policy to start the pipeline execution.
We are talking 91 roles for 91 pipelines here.
Each pipeline was tied to a specific deployment environment (dev, demo, staging, sandbox) for multiple apps.
These pipelines were triggered whenever someone pushed code to a CodeCommit repository on different branches.
A better way was needed.
The Solution
I created an EventBridge rule to listen for events that track code changes on the CodeCommit repositories.
The target of this rule was a Lambda function.
This function looked at the difference between commits on the respective repositories.
If there was a code change, this Lambda would trigger the CodePipeline based on the branch the code was pushed to.
For example, pushing code to the dev branch would trigger the dev CodePipeline.
This way I could clean up 91 IAM roles by spending 2 hours setting up EventBridge and writing a Lambda function that did the same job.
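The branch-to-pipeline dispatch described above, as an added example and not the author's actual Lambda: it filters the EventBridge "CodeCommit Repository State Change" event down to branch updates, looks the repository and branch up in an allowlist, and starts the matching pipeline. The repository and pipeline names, the `BRANCH_TO_PIPELINE` mapping and the injectable `client` parameter are assumptions for illustration.

```python
from typing import Optional

# Assumed mapping: which pipeline each deployment branch should start.
# Only pairs listed here can trigger anything (an allowlist, not a pattern).
BRANCH_TO_PIPELINE = {
    ("payments-api", "dev"): "payments-api-dev",
    ("payments-api", "staging"): "payments-api-staging",
    ("payments-api", "demo"): "payments-api-demo",
}

# EventBridge rule pattern that delivers only branch updates to the Lambda
# (tag pushes and other reference types never reach the function).
EVENT_PATTERN = {
    "source": ["aws.codecommit"],
    "detail-type": ["CodeCommit Repository State Change"],
    "detail": {
        "event": ["referenceCreated", "referenceUpdated"],
        "referenceType": ["branch"],
    },
}


def select_pipeline(event: dict) -> Optional[str]:
    """Return the pipeline to start for this event, or None if nothing should run."""
    detail = event.get("detail", {})
    if detail.get("referenceType") != "branch":
        return None
    if detail.get("event") not in ("referenceCreated", "referenceUpdated"):
        return None
    # A push that did not move the branch head carries no new code to deploy.
    if detail.get("commitId") and detail.get("commitId") == detail.get("oldCommitId"):
        return None
    key = (detail.get("repositoryName"), detail.get("referenceName"))
    return BRANCH_TO_PIPELINE.get(key)


def handler(event: dict, context=None, client=None) -> dict:
    """Lambda entry point. `client` is injectable so the logic is testable offline."""
    pipeline = select_pipeline(event)
    if pipeline is None:
        return {"started": False, "pipeline": None}
    if client is None:
        import boto3  # imported lazily; only needed when running inside Lambda
        client = boto3.client("codepipeline")
    # The single execution role needs only codepipeline:StartPipelineExecution
    # on the pipelines in BRANCH_TO_PIPELINE, replacing one role per pipeline.
    resp = client.start_pipeline_execution(name=pipeline)
    return {"started": True, "pipeline": pipeline, "executionId": resp.get("pipelineExecutionId")}
```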
Key takeaways
While managing AWS accounts with many cloud resources, it is essential to do a periodic review of your account. You will often find resources that were created for prototyping or that are no longer needed.
And, at times, you will run into issues like the one I discussed in this letter, forcing you to think deeply and reevaluate your infrastructure.
Either way, you would rather not manage an extra resource you don’t need.
P.S.
I have been away from writing weekly newsletters for the last 4 weeks as I have been involved with moving to a new location. The time and effort it takes to relocate is not easy. No wonder people complain about moves being stressful.
However, things have settled down, and I will resume publishing awesome content every week.
Thank you for being a subscriber and sticking around. Highly appreciate your support!
Whenever you’re ready, there are 3 ways I can help you:
Are you thinking about getting certified as a Google Cloud Digital Leader? Here’s a link to my Udemy course, which has helped 425+ students prepare and pass the exam. Currently, rated 4.89/5. (link)
I have also published a book to help you prepare and pass the Google Cloud Digital Leader exam. You can check it out on Amazon. (link)
Course Recommendation: AWS Courses by Adrian Cantrill (Certified + Job Ready):
AWS Solutions Architect Associate (link)
AWS Developer Associate: (link)
ALL THE THINGS Bundle: (link)
Note: These are affiliate links. That means I get paid a small commission with no additional cost to you. It also helps support this newsletter. 😃
Thank you for investing your time in reading this post.🙏
I'm always looking for topics that resonate with my audience. If there's a specific subject you'd like to know more about or discuss, I welcome you to reply right here.
Please know that each message I receive is read and valued.
Your feedback matters! I genuinely appreciate your thoughts on this issue. Your comments, praise, criticism, and suggestions all play a pivotal role in shaping my content.
Together, we can make this a fruitful and enjoyable exploration of knowledge.
And, if you found value in this newsletter issue and think others might too, it would mean the world to me if you could take a few moments to share it with your loved ones, colleagues, friends, or anyone who might benefit.
Let's keep the conversation going, keep learning, and amplify the power of shared knowledge!