AWS IAM

Stories about AWS IAM by Teri Radichel

Teri Radichel
Cloud Security
Published in
13 min readMay 15, 2023

--

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: AWS Security | Application Security | IAM | Cloud Governance

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

AWS IAM Identity Center (and why I am not using it).

This is where I started over…

SCIM — pros and cons.

Creating a new AWS account from scratch. Best practices including IAM considerations.

Why you might want to have separate IAM administrators

Consider permissions and separation of duties when constructing your AWS IAM architecture for new AWS accounts.

AWS CLI Profile with MFA

I love Yubikeys! Here’s why I don’t use one with the AWS CLI.

Use an external ID with third parties and MFA for additional security when using a cross-account role.

How to switch between roles using the AWS console.

Cross-account role with MFA deployed with CloudFormation.

Creating a cross account role to manage websites in a Sandbox-Web account from a Sandbox account.

A script to troubleshoot cross-account roles.

Using a common AWS IAM Role template to reduce misconfigurations.

You can’t directly assign a Group to a trust policy in AWS but you can simulate it using this code.

Permission Boundaries for IAM Users and Roles

The AWS Organizations default role is very broad. Here are some considerations.

Create User privilege escalation.

Confused Deputy Attack.

Considerations for deploying your AWS account strucure and organizational units. It affects your AWS IAM architecture.

Create credentials to which no one has access. AWS now has a way to do this for new RDS (database) instances which came out after I wrote this.

Limiting CloudFormation Stacks a Principal Can Update

What is an identity provider (IdP) and why you need one.

AWS Okta and IAM. More stories on Okta with AWS.

KMS Key Administrator and IAM Policy.

Conditions help you create reusable and more secure CloudFormation templates.

SCPs do not apply to the root user or account in an AWS Organization.

Using AWS IAM roles with Boto3 (python SDK).

Creating functions to use assumed role credentials.

Configure a role profile using the AWS CLI

How multiple active sessions defeat segregation of duties.

Compromising an AWS CLI Session.

Create IAM users with CloudFormation

C2 channel via WordPress and an AWS IAM role.

Creating Zero Trust AWS Policies.

Passing a role for a trust policy into a CloudFormation template and why you might not want to do that.

Avoid double negatives in policy and code to avoid confusion, bugs and unnecessary compute cycles.

Creating user-specific console access.

IAM and CloudFormation Naming Conventions

Adding multiple Yubikeys or other MFA devices to your IAM user and why you should do that.

Refreshing AWS credentials with Python — this used to work. Someone told me something changed that may have introduced a bug. I haven’t had time to look into it.

IAM policies for AWS CodeCommit.

Simplifying deployment scripts with IAM in mind.

The problem with BoolIfExists in AWS Sample MFA conditions in code all over the AWS website (for now — hopefully will be removed, changed, or clarified.)

Restricting users to modifying their own MFA devices. You can do this for hardware, but not virtual devices.

Restricting users from modifying other users’ credentials — it’s not easy because at the time of this writing, AWS does not consistently pass a user ARN as a resource. Hopefully that will change.

Ending an AWS CLI Assumed Role Session — where are all your credentials and deleting them on your system is not enough.

How do AWS IAM Permission Boundaries really work?

Using Credentials with Batch, Lambda, EC2, and containers

Using credentials in a custom bash Lambda runtime I created that uses containers with Lambda.

Enforcing MFA when using git actions even though GitHub doesn’t support that at the time of this writing.

Tried to use MFA with Lambda. Can’t currently get it working. I don’t think I’m doing anything wrong because it works in the local container but not in Lambda. Might revisit later.

Using MFA with AWS Batch — I gave up because it was too complex and expensive for my needs and wants.

Passing credentials to a container (such as short term credentials obtained by assuming a role that requires MFA in the trust policy.)

Having an EC2 instance assume a role on startup with MFA and pass it to a container.

Getting errors assuming a role? These might help:

Related on Multifactor Authentication (MFA) and Yubikeys.

Related on the evaluation of a policy with multiple conditions:

Multiple accounts and environments — reworking to support

Protecting against use of insecure SSH algorithms.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author
: Cybersecurity Books
⭐️ Presentations
: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a
penetration test or security assessment
🔒 Schedule a
consulting call
🔒
Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

❤️ Sign Up my Medium Email List
❤️ Twitter:
@teriradichel
❤️ LinkedIn:
https://www.linkedin.com/in/teriradichel
❤️ Mastodon:
@teriradichel@infosec.exchange
❤️ Facebook:
2nd Sight Lab
❤️ YouTube:
@2ndsightlab

--

--

CEO 2nd Sight Lab | Penetration Testing & Assessments | AWS Hero | Masters of Infosec & Software Engineering | GSE 240 etc | IANS | SANS Difference Makers Award