Profile picture
, 9 tweets, 3 min read
My Authors
Read all threads
I've been using #AWS for 8+ years now, so IAM is relatively second-nature to me. But I just sat down to explain it to someone new to AWS and... wow, it is a confusing service. (thread) #aws #cloud #security #cloudcomputing
First, we've got policies - what can the role do and what services can it access? Policies are JSON-based (although AWS added a "friendlier" UI recently, which honestly creates some really confusing output). Most common security mistake here: using wildcards.
An IAM user or role can then have multiple policies, each with 1+ statements. Policies can be inline, AWS-managed, or account-managed (i.e. shared). Policies can be attached directly to users or roles or to the groups those users are in.
On top of policies, there are now "permission boundaries" which represent the broadest scope an IAM entity can have. These are also JSON-based. So... the policy you attached may not fully represent the scope of what the entity can do because the boundary may restrict it.
Some services, like KMS, ECR or S3, have additional policies that can be attached to their resources (e.g. keys, buckets or image repositories) that further restrict which IAM entities can access it. These combine with IAM policies in a two-way trust of sorts.
Finally, there are trust relationships for IAM roles - what AWS services and entities can utilize the role? *However*, trust relationships only define what can invoke the initial credential generation mechanism, not what services can actually *use* those credentials.
This has led to some interesting security incidents where attackers trick the EC2 metadata service into generating credentials on the instance's behalf and then use those credentials from a local laptop.
IMO, this entire tangled mess of roles, policies, permissions, trust statements, etc. has really made it difficult for new developers to AWS to design secure systems.
If IAM keeps you up at night, or you just want a refresher, I am working on an eBook that (hopefully) simplifies things a bit. Drop your email here and I'll ping you when the book goes live: forms.gle/bAcohu1Evf5rWu…
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Matt Fuller

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#aws #cloud #security #cloudcomputing

More from @matthewdfuller see all

Profile picture
Matt Fuller
@matthewdfuller
Been thinking a lot about #cloud #security lately and I am starting to believe that the "shared responsibility model" is fundamentally broken. Securing an storage bucket or server in the cloud shouldn't be as difficult as it is. Thread...
The big providers advertise how easy it is to deploy infrastructure in the cloud, but they don't seem to talk about how easy it is to screw it up and loose half the country's SSNs because of an extra * in a JSON policy. It doesn't help that the default settings are rarely secure.
We've got companies with 100s of engineers and combined decades of cloud security experience who are still getting it wrong. Not a day goes by without mass exfiltration of user data because of what amounts to really tiny mistakes.
Read 12 tweets

Related threads

Profile picture
Presidency Nigeria
@NGRPresident
Highlights of President Buhari’s New Year Message: #thread
“Today marks a new decade, a time of hope, optimism and fresh possibilities... the opportunity to build on the foundations we have laid together on security, diversification of our economy and taking on the curse of corruption.” — @MBuhari
“I will be standing down in 2023 and will not be available in any future elections. But I am determined to help strengthen the electoral process both in Nigeria and across the region, where several ECOWAS members go to the polls this year.” — @MBuhari
Read 40 tweets
Profile picture
Aminu_Israel
@Aminu_Israelb
#Thread
For those who want to learn Data Science as a goal for 2020 but don't know where to start from. I would share some key things you need to know and begin with. I hope you find them useful.
1. A programming language:
Yes, it is advisable to learn a programming language to journey into the field and core aspects of Data Science. The basic common ones are:
* Python
* R.
It is advisable to learn Python because the syntax are easy and it's a widely used language.
2. An IDE(Integrated development environment): An IDE is simply an application where you write your codes on. There are tons of IDE to use such as Jupyter Notebook, Pycharm, Google Colab etc, but for someone new, it's advisable you start with a Jupyter Notebook because it is ...
Read 16 tweets
Profile picture
Jeff Barr ☁️
@jeffbarr
I've been heads-down on final #AWS re:Invent blogging, and need to catch up on all of the posts from the last couple of days. Unroll this thread to see them all..
CloudTrail Insights: Identify and Respond to Unusual API Activity - aws.amazon.com/blogs/aws/anno… (@bwest )
Convert Your Single-Region Amazon DynamoDB Tables to Global Tables - aws.amazon.com/blogs/aws/new-… (@sebsto )
Read 11 tweets
Profile picture
Aijay
@Hejeoma
#Thread 1. My people make una no vex about the gist I promised to drop, the damn thing is too long & too explicit. I have been working with my team of directors at 'HBO' to edit & re-shoot. lol I go do am like 'Game of thrones' & drop it in episodes cos all cant fit in 25 extra
2. tweets as given by twitter. Episode 1:
Disclaimer: The stories I tell here are factions, that is they are a mixture of facts & fiction. What is fact/fiction is only known to me, this is primarily a creative enterprise using humor & plain story-telling skills to entertain,
3. teach & learn as well from your feedback. Please, note that names & incidences do not represent actual persons or experiences. I’m only using my literary license, not motor license O! (Rated 18+) James & Joan have been married for 5 years & have two kids together.
Read 155 tweets
Profile picture
Srujan
@acsrujan
A few weeks back, we've noticed our snapshot bills to grow weirdly high.. after some debugging, I've found the snapshot billing and way snapshots stored as an interesting concept..
As the graph says, the usage vs snapshot billing isn't growing proportionally linear.. (1/n)
I decided to debug how snapshots are billed.. fundamentally, snapshots are block-level backups of EBS volumes.. since AWS can't see data inside your block, they read disk blocks occupied and take a copy of them and store them as objects in their s3.. (2/n)
Every time there's a data change inside your EBS volume, by nature of linux and hard disks, the new blocks is where data is written.. So, AWS knows there's change of data (this could be deletion of data too) and marks those blocks as the difference in data..thus incremental (3/n)
Read 15 tweets
Profile picture
Victory®
@VictoryOlaleye
GOD, His people & The World’s Kingdoms/Empires

- What’s gone before.
- What is to come.
- The Gospel of the Kingdom.

* Missed the Rapture? What to Expect.

#Thread
Ever since God created the Earth in Genesis 1, He willed it to be ruled by Man whom He created; hence Adam was the first world governor & emperor and he was so, under God.
But by disobedience to God & obedience to Satan, Adam changed masters; and though the governing of the earth was still through human agency, Satan became the god of this world’s systems (2 Cor. 4:4).
Read 117 tweets

Trending hashtags

#travesty #absurd #thoughts #Lovely #Iquique #EveningTroll #shitshow #Hader #universally #Astana #Clues #AlejandroFleming #Concepcion #Kashmir #History #THANKYOU #Bitches #Love #EstadoEmergencia #Carabineros #dontlie #FAMAE #INSANE #VicunaMackenna #JESUSTAKETHEWHEEL
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!