No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Ok answered my own question, not as magical as I thought - looks like lambda and ecs just get very open policies assigned to them.

Yes - by default. You can customize the default roles via configuration variables.  With the Lambda support in the `awsx` package, you can easily customize roles on a per-function basis as well. 

Thanks Luke, yeah I'm going with the awsx/aws packages for now.  Are there any plans for pulumi cloud to "intelligently" apply the minimum required permissions based on how components are being used together?

I can’t find the issue right now - but we have looked into computing minimum permissions based on captures references to specific resources. This should be possible, though you would often need to augment if you are also accessing things defined outside of Pulumi. If you want to open an issue to track, I’ll add some notes on how we’ve thought about doing this. 

<https://github.com/pulumi/pulumi-cloud/issues/722>