IAM

Guides

Link Notes
AWS managed policies A Managed Policy Reference Guide with 1k+ policies
Permissions Reference for AWS IAM A website built in order to provide an alternate, community-driven source of truth for AWS identity
AWS IAM Policy Condition Operators Explained There are 27 basic condition operators you can use in an AWS IAM policy. Then you can add "ForAllValues" or "ForAnyValue" to the beginning and "IfExists" to the end of almost all of them
Effective IAM for AWS: A guide to realize IAM best practices Learn how to secure AWS with usable IAM architecture, policies, and automation that scales security best practices efficiently to all developers
How to revoke federated users’ active AWS sessions How to revoke access to specific users’ sessions on AWS assumed roles through the use of AWS IAM policies and SCPs
The state of ABAC on AWS SummitRoute describes the limitations of AWS related to tagging and the steps AWS needs to take to improve this situation
AWS Access Key ID formats Post explaining the encoding for most AWS access key IDs
The many ways to obtain credentials in AWS Post exploring how AWS services provide IAM credentials, and teaching key risks and detection strategies to secure your cloud environment against credential misuse
How does Sendbird secure AWS? How Sendbird matured its AWS security posture, empowering developers to deploy in a way that's both user-friendly and secure
A new type of long-lived key on AWS: Bedrock API keys AWS has introduced a new type of long-lived key called Bedrock API keys, which are used for authenticating applications. These keys are created through the IAM API and can have an expiration time set, but there's no way to enforce this via IAM policy conditions
Simplify access to external services using AWS IAM Outbound Identity Federation AWS IAM now enables outbound identity federation, allowing developers to securely authenticate AWS workloads with external services using short-lived JSON Web Tokens instead of storing long-term credentials like API keys and passwords

Designing

Link Notes
Managing temporary elevated access to your AWS environment Post discussing temporary elevated access and how it can mitigate risks relating to human access to your AWS environment
Refining IAM Permissions Like A Pro How to detect unused IAM permissions and update them to move safely toward a least privilege environment
AWS IAM: A Comprehensive Guide Toward Least Privilege Some AWS mechanisms we can use to achieve more robust permissions on AWS: Organizations, SCPs, IAM Access Analyzer, permission boundaries, and more
Implementing Security Invariants in an AWS Management Account Chris Farris discusses the implementation of security invariants within an AWS management account, specifically the payer account where organizational policies do not apply
sensitive_iam_actions Crowdsourced list of sensitive IAM Actions
Overhauling AWS account access with Terraform, Granted, and GitOps Duckbill breaks down their method of accessing thousands of client AWS accounts in a way that preserves ease of access, maintains data confidentiality, and still provides all the permissions needed
Enforcing Least Privilege in AWS IAM with Access Analyzer and Last Access Data A practical guide on enforcing least privilege in AWS IAM by using IAM Access Analyzer and service Last Accessed data. Includes real workflows, auditing strategies, and automation tips
Strategies for achieving least privilege at scale Nine strategies for achieving least privilege at scale: Part 1, Part 2
CIEM
Secure AWS credentials
Cross-account role trust policies should trust AWS accounts, not roles A role trust policy that trusts a specific principal suggests that only that source principal has access to it, but it does not control access to that source principal, and so makes it seem like it limits access when it may not

Root Principal

Link Notes
Summit Route Managing AWS root passwords and MFA How not to use the root user account, and how to manage the credentials (password and MFA) for the root user effectively
Security Implication of Root principal in AWS An interesting way of abusing the AWS KMS for data exfiltration in restricted VPCs
Hands-On Security Tips For Centralize Root Access In AWS AWS has recently introduced a centralized root access management feature for AWS Organizations. This blog covers why this is important, how it changes root access management, and tips for how to handle this new feature
Secure root user access for member accounts in AWS Organizations How you can centrally manage root credentials and perform tasks that previously required root credentials across member accounts in your organization
Exploring AWS STS AssumeRoot A post from the Elastic team exploring AWS STS AssumeRoot, its risks, detection strategies, and practical scenarios to secure against privilege escalation and account compromise

Audit

Link Notes
Summit Route How to audit AWS IAM and resource policies
    Some general rules:
    • Beware that anything with Allow and Principal "*" is public
    • Never use Allow with NotPrincipal
    • Never use Allow with NotAction
Top ten AWS identity health checks to improve security in the cloud Ten recommended AWS identity health checks which can help you understand your IAM health, prioritize improvements to your IAM implementation, and operationalize effective access management processes
Detect Console Actions
  • Detecting Manual AWS Console Actions
  • Set up CloudTrail alerting rules that let you detect when someone makes a manual change in the AWS Console
Detecting Manual AWS Actions: An Update!
  • An updated version of how to detect manual AWS actions from employees
  • The approach we take at my current employer is instead the following:
    • The only way that employees can access AWS is through Okta / AssumeRoleWithSAML. There are no other mechanisms for an employee to get access to AWS (zero IAM users, etc)
    • When someone assumes an employee role, Okta is configured to set the AWS role session name to be the employee email address
  • We created a second alert which triggers on calls to AssumeRole where the original session name ended in @employer.com and the new session name is not identical to the original
Root in prod: The most important security analysis you will never do on your AWS accounts This article outlines steps for identifying AWS accounts, determining which ones are truly production, and analyzing access levels, including finding users and roles with AdministratorAccess

Cedar

Link Notes
How we designed Cedar to be intuitive to use, fast, and safe A deep dive into the design of Cedar, an open source language for writing and evaluating authorization policies
cedar-flask-demo A demo to show how you can use Cedar in Python, with a simple Flask based web application
Manage roles and entitlements with PBAC using Amazon Verified Permissions Post covering roles and entitlements, how they apply to app authorization decisions, how customers implement roles and authorization in their apps today, and how to shift to a centralized PBAC model by using Verified Permissions
Build an entitlement service for business applications using Amazon Verified Permissions A comprehensive and centralized approach to managing access policies, reducing administrative overhead, and empowering line-of-business users to define, administer, and enforce application entitlement policies
SaaS access control using Amazon Verified Permissions with a per-tenant policy store How you can use Amazon Verified Permissions for access control in a multi-tenant document management SaaS application using a per-tenant policy store approach

Federation

GSuite

Link Notes
Configure SAML and SCIM with Google Workspace and IAM Identity Center How to set up Google Workspace as an external identity provider (IdP) for AWS IAM Identity Center
Leveraging AWS SSO with Google Workspaces A better way to configure AWS IAM Identity Center to use Google Workspace/Cloud Identity with SCIM support