# IAM

## Guides

| Link | Notes |
|---|---|
| AWS managed policies | A Managed Policy Reference Guide with 1k+ policies |
| Permissions Reference for AWS IAM | A website built in order to provide an alternate, community-driven source of truth for AWS identity |
| AWS IAM Policy Condition Operators Explained | There are 27 basic condition operators you can use in an AWS IAM policy. Then you can add "ForAllValues" or "ForAnyValue" to the beginning and "IfExists" to the end of almost all of them |
| Effective IAM for AWS: A guide to realize IAM best practices | Learn how to secure AWS with usable IAM architecture, policies, and automation that scales security best practices efficiently to all developers |
| How to revoke federated users’ active AWS sessions | How to revoke access to specific users’ sessions on AWS assumed roles through the use of AWS IAM policies and SCPs |
| The state of ABAC on AWS | SummitRoute describes the limitations of AWS related to tagging and the steps AWS needs to take to improve this situation |
| AWS Access Key ID formats | Post explaining the encoding for most AWS access key IDs |
| The many ways to obtain credentials in AWS | Post exploring how AWS services provide IAM credentials, and teaching key risks and detection strategies to secure your cloud environment against credential misuse |
| How does Sendbird secure AWS? | How Sendbird matured its AWS security posture, empowering developers to deploy in a way that's both user-friendly and secure |
| A new type of long-lived key on AWS: Bedrock API keys | AWS has introduced a new type of long-lived key called Bedrock API keys, which are used for authenticating applications. These keys are created through the IAM API and can have an expiration time set, but there's no way to enforce this via IAM policy conditions |
| Simplify access to external services using AWS IAM Outbound Identity Federation | AWS IAM now enables outbound identity federation, allowing developers to securely authenticate AWS workloads with external services using short-lived JSON Web Tokens instead of storing long-term credentials like API keys and passwords |

## Designing

| Link | Notes |
|---|---|
| Managing temporary elevated access to your AWS environment | Post discussing temporary elevated access and how it can mitigate risks relating to human access to your AWS environment |
| Refining IAM Permissions Like A Pro | How to detect unused IAM permissions and update them to move safely toward a least privilege environment |
| AWS IAM: A Comprehensive Guide Toward Least Privilege | Some AWS mechanisms we can use to achieve more robust permissions on AWS: Organizations, SCPs, IAM Access Analyzer, permission boundaries, and more |
| Implementing Security Invariants in an AWS Management Account | Chris Farris discusses the implementation of security invariants within an AWS management account, specifically the payer account where organizational policies do not apply |
| sensitive_iam_actions | Crowdsourced list of sensitive IAM Actions |
| Overhauling AWS account access with Terraform, Granted, and GitOps | Duckbill breaks down their method of accessing thousands of client AWS accounts in a way that preserves ease of access, maintains data confidentiality, and still provides all the permissions needed |
| Enforcing Least Privilege in AWS IAM with Access Analyzer and Last Access Data | A practical guide on enforcing least privilege in AWS IAM by using IAM Access Analyzer and service Last Accessed data. Includes real workflows, auditing strategies, and automation tips |
| Strategies for achieving least privilege at scale | Nine strategies for achieving least privilege at scale: Part 1, Part 2 |
| CIEM | |
| Secure AWS credentials | |
| Cross-account role trust policies should trust AWS accounts, not roles | A role trust policy that trusts a specific principal suggests that only that source principal can assume the role, but it does not control who can access that source principal, so it appears to limit access when it may not |

## Root Principal

| Link | Notes |
|---|---|
| Summit Route Managing AWS root passwords and MFA | How not to use the root user account, and how to manage the credentials (password and MFA) for the root user effectively |
| Security Implication of Root principal in AWS | An interesting way of abusing the AWS KMS for data exfiltration in restricted VPCs |
| Hands-On Security Tips For Centralize Root Access In AWS | AWS has recently introduced a centralized root access management feature for AWS Organizations. This blog covers why this is important, how it changes root access management, and tips for how to handle this new feature |
| Secure root user access for member accounts in AWS Organizations | How you can centrally manage root credentials and perform tasks that previously required root credentials across member accounts in your organization |
| Exploring AWS STS AssumeRoot | A post from the Elastic team exploring AWS STS AssumeRoot, its risks, detection strategies, and practical scenarios to secure against privilege escalation and account compromise |

## Audit

| Link | Notes |
|---|---|
| Summit Route How to audit AWS IAM and resource policies | |
| Top ten AWS identity health checks to improve security in the cloud | Ten recommended AWS identity health checks which can help you understand your IAM health, prioritize improvements to your IAM implementation, and operationalize effective access management processes |
| Detect Console Actions | |
| Detecting Manual AWS Actions: An Update! | |
| Root in prod: The most important security analysis you will never do on your AWS accounts | This article outlines steps for identifying AWS accounts, determining which ones are truly production, and analyzing access levels, including finding users and roles with AdministratorAccess |

## Cedar

| Link | Notes |
|---|---|
| How we designed Cedar to be intuitive to use, fast, and safe | A deep dive into the design of Cedar, an open source language for writing and evaluating authorization policies |
| cedar-flask-demo | A demo to show how you can use Cedar in Python, with a simple Flask based web application |
| Manage roles and entitlements with PBAC using Amazon Verified Permissions | Post covering roles and entitlements, how they apply to application authorization decisions, how customers implement roles and authorization in their apps today, and how to shift to a centralized PBAC model by using Verified Permissions |
| Build an entitlement service for business applications using Amazon Verified Permissions | A comprehensive and centralized approach to managing access policies, reducing administrative overhead, and empowering line-of-business users to define, administer, and enforce application entitlement policies |
| SaaS access control using Amazon Verified Permissions with a per-tenant policy store | How you can use Amazon Verified Permissions for access control in a multi-tenant document management SaaS application using a per-tenant policy store approach |

## Federation

### GSuite

| Link | Notes |
|---|---|
| Configure SAML and SCIM with Google Workspace and IAM Identity Center | How to set up Google Workspace as an external identity provider (IdP) for AWS IAM Identity Center |
| Leveraging AWS SSO with Google Workspaces | A better way to configure AWS Identity Center to use Google Workspace/Cloud Identity with SCIM support |