I am trying Pulumi and going through the tutorial to deploy a static website on AWS.
https://www.pulumi.com/docs/iac/get-started/aws/
There is no mention of the permissions to give via IAM (currently 945 available). I don't want to open up my access, so how do I determine what permissions to use with any particular project on AWS w/Pulumi?
Usually, I start with broad permissions, by using either AWS-managed policies, like `AmazonS3FullAccess`, `AmazonEC2FullAccess`, or by specifying `s3:*`, `ec2:*`, etc. I go through the IaC template and make a best guess based on the resources that will be created.
The AWS Console's policy editor is also pretty useful when it comes to selecting permissions.
Then, I use iamlive or IAM Access Analyzer policy generation to generate a least-privileged policy based on the API calls that the user or role has made.
Note that you need to enable CloudTrail first before you start using the user/role in order to log their API calls and to let IAM Access Analyzer use it.
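To make the second step concrete, here is an added example (not the answer's code, and not iamlive or IAM Access Analyzer themselves) that shows the idea those tools implement: take the API calls a deployment actually made, as recorded by CloudTrail, and emit a policy containing only those actions. The CloudTrail records and the small event-to-action mapping are constructed for illustration.

```python
"""Derive a least-privilege IAM policy from CloudTrail records.

Illustrative only: the sample records below are constructed, and the
event-name mapping covers just this sample. Real tools ship a much larger
mapping, because a CloudTrail eventName is not always the IAM action name.
Object-level S3 calls such as PutObject only appear in CloudTrail if S3 data
events are enabled on the trail, so check that before trusting the output.
"""
import json
from collections import defaultdict

# Known cases where the logged event name differs from the IAM action.
EVENT_TO_ACTION = {
    ("s3.amazonaws.com", "HeadBucket"): "s3:ListBucket",
}

SAMPLE_TRAIL = json.dumps({"Records": [  # constructed sample events
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketWebsite"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "HeadBucket"},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity"},
]})


def actions_from_trail(trail_json: str) -> dict[str, set[str]]:
    """Group the distinct IAM actions seen in a CloudTrail export by service."""
    by_service: dict[str, set[str]] = defaultdict(set)
    for rec in json.loads(trail_json)["Records"]:
        source, name = rec["eventSource"], rec["eventName"]
        service = source.split(".")[0]            # "s3.amazonaws.com" -> "s3"
        action = EVENT_TO_ACTION.get((source, name), f"{service}:{name}")
        by_service[service].add(action)
    return dict(by_service)


def build_policy(by_service: dict[str, set[str]]) -> dict:
    """One Allow statement per service, sorted so the policy diffs cleanly.

    Resource is left as "*" here; narrowing it to the specific bucket ARNs
    from the records is the natural next tightening step.
    """
    statements = [
        {"Sid": f"{svc.capitalize()}Used", "Effect": "Allow",
         "Action": sorted(actions), "Resource": "*"}
        for svc, actions in sorted(by_service.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(build_policy(actions_from_trail(SAMPLE_TRAIL)), indent=2))
```

Compare the generated statement against the broad policy you started with; every action missing from the generated one is a candidate to drop.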