Understanding the AWS zone of trust
Understanding the zone of trust is critical if you want to secure your AWS resources....
Category:
iam
7 Articles
7
All about the AWS Identity & Access Management service
AWS IAM Access Analyzer Policy Validation Checks
While I found the recently announced list of checks that IAM Access Analyzer performs on your policies buried deep in the documentation, it wasn't as easy to navigate as I would've liked. Here's the full list of the check names, since most of them are pretty self explanatory: Error – ARN account not allowed Error – ARN...
AWS IAM:PassRole explained
A common point of confusion when getting started with AWS IAM, and when trying to implement "least privileges" on IAM is the message "is not...
Effective Actions for AWS IAM
TL;DR I made Effective IAM Actions [https://bigorange.cloud/actions/], a small tool to expand wildcards "*"in IAM Policy Actions [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html] so that you can see explicitly what permissions are granted by a policy. It supports multiple statements in each policy, Allow...
Don't use Tags to Manage Permissions in AWS
The main problem is this: By using tags for authorisation, you have a multitude of completely new - per-service - actions that can be used to compromise your security posture....
Federated CodeCommit Access
CodeCommit access via federated credentials is the way to go. You're not using long-lived Access Keys are you? Bad engineer! Stop that! For better or worse, federated IAM access requires you to use the HTTPS endpoint with a git credential helper. Adding the following to your ~/.gitconfig file (obviously set the region value as appropriate)...