IAM
Guides¶
| Link | Notes |
|---|---|
| AWS managed policies | A Managed Policy Reference Guide with 1k+ policies |
| Permissions Reference for AWS IAM | A website built in order to provide an alternate, community-driven source of truth for AWS identity |
| Effective IAM for AWS: A guide to realize IAM best practices | Learn how to secure AWS with usable IAM architecture, policies, and automation that scales security best practices efficiently to all developers |
| How to revoke federated users’ active AWS sessions | How to revoke access to specific users’ sessions on AWS assumed roles through the use of AWS IAM policies and SCPs |
Designing¶
| Link | Notes |
|---|---|
| Managing temporary elevated access to your AWS environment | Post discussing temporary elevated access and how it can mitigate risks relating to human access to your AWS environment |
| sensitive_iam_actions | Crowdsourced list of sensitive IAM Actions |
| Overhauling AWS account access with Terraform, Granted, and GitOps | Duckbill breaks down their method of accessing thousands of client AWS accounts in a way that preserves ease-of-access, maintains data confidentiality, and still providing all the permissions needed |
Root Principal¶
| Link | Notes |
|---|---|
| Summit Route Managing AWS root passwords and MFA | How not use the root user account, and how to manage the credentials (password and MFA) for the root user effectively |
| Security Implication of Root principal in AWS | An interesting way of abusing the AWS KMS for data exfiltration in restricted VPCs |
Audit¶
| Link | Notes |
|---|---|
| Summit Route How to audit AWS IAM and resource policies |
|
| Top ten AWS identity health checks to improve security in the cloud | Ten recommended AWS identity health checks which can help you understand your IAM health, prioritize improvements to your IAM implementation, and operationalize effective access management processes |
Cedar¶
| Link | Notes |
|---|---|
| How we designed Cedar to be intuitive to use, fast, and safe | A deep dive into the design of Cedar, an open source language for writing and evaluating authorization policies |
| cedar-flask-demo | A demo to show how you can use Cedar in Python, with a simple Flask based web application |
| Manage roles and entitlements with PBAC using Amazon Verified Permissions | Post covering roles and entitlements, how they are applicable in apps authorization decisions, how customers implement roles and authorization in their app today, and how to shift to a centralized PBAC model by using Verified Permissions |
| Build an entitlement service for business applications using Amazon Verified Permissions | A comprehensive and centralized approach to managing access policies, reducing administrative overhead, and empowering line-of-business users to define, administer, and enforce application entitlement policies |
Federation¶
GSuite¶
| Link | Notes |
|---|---|
| How to use Google Workspace as an external identity provider for AWS IAM Identity Center | How to set up Google Workspace as an external identity provider (IdP) for AWS IAM Identity Center |