IAM

Guides

| Link | Notes |
| --- | --- |
| AWS managed policies | A Managed Policy Reference Guide with 1k+ policies |
| Permissions Reference for AWS IAM | A website built to provide an alternate, community-driven source of truth for AWS identity |
| Effective IAM for AWS: A guide to realize IAM best practices | Learn how to secure AWS with usable IAM architecture, policies, and automation that scales security best practices efficiently to all developers |
| How to revoke federated users' active AWS sessions | How to revoke access to specific users' sessions on AWS assumed roles through the use of AWS IAM policies and SCPs |

Designing

| Link | Notes |
| --- | --- |
| Managing temporary elevated access to your AWS environment | Post discussing temporary elevated access and how it can mitigate risks relating to human access to your AWS environment |
| sensitive_iam_actions | Crowdsourced list of sensitive IAM Actions |
| Overhauling AWS account access with Terraform, Granted, and GitOps | Duckbill breaks down their method of accessing thousands of client AWS accounts in a way that preserves ease of access, maintains data confidentiality, and still provides all the permissions needed |

Root Principal

| Link | Notes |
| --- | --- |
| Summit Route: Managing AWS root passwords and MFA | How not to use the root user account, and how to manage the credentials (password and MFA) for the root user effectively |
| Security Implication of Root principal in AWS | An interesting way of abusing the AWS KMS for data exfiltration in restricted VPCs |

Audit

| Link | Notes |
| --- | --- |
| Summit Route: How to audit AWS IAM and resource policies | Some general rules: beware that anything with Allow and Principal "*" is public; never use Allow with NotPrincipal; never use Allow with NotAction |
| Top ten AWS identity health checks to improve security in the cloud | Ten recommended AWS identity health checks which can help you understand your IAM health, prioritize improvements to your IAM implementation, and operationalize effective access management processes |

Cedar

| Link | Notes |
| --- | --- |
| How we designed Cedar to be intuitive to use, fast, and safe | A deep dive into the design of Cedar, an open source language for writing and evaluating authorization policies |
| cedar-flask-demo | A demo showing how to use Cedar in Python, with a simple Flask-based web application |
| Manage roles and entitlements with PBAC using Amazon Verified Permissions | Post covering roles and entitlements, how they apply to authorization decisions in apps, how customers implement roles and authorization in their apps today, and how to shift to a centralized PBAC model by using Verified Permissions |
| Build an entitlement service for business applications using Amazon Verified Permissions | A comprehensive and centralized approach to managing access policies, reducing administrative overhead, and empowering line-of-business users to define, administer, and enforce application entitlement policies |

Federation

GSuite

| Link | Notes |
| --- | --- |
| How to use Google Workspace as an external identity provider for AWS IAM Identity Center | How to set up Google Workspace as an external identity provider (IdP) for AWS IAM Identity Center |