Thread by Matt Fuller, 9 tweets, 3 min read
I've been using #AWS for 8+ years now, so IAM is relatively second-nature to me. But I just sat down to explain it to someone new to AWS and... wow, it is a confusing service. (thread) #aws #cloud #security #cloudcomputing
First, we've got policies - what can the role do and what services can it access? Policies are JSON-based (although AWS added a "friendlier" UI recently, which honestly creates some really confusing output). Most common security mistake here: using wildcards.
An IAM user or role can then have multiple policies, each with 1+ statements. Policies can be inline, AWS-managed, or account-managed (i.e. shared). Policies can be attached directly to users or roles or to the groups those users are in.
On top of policies, there are now "permission boundaries" which represent the broadest scope an IAM entity can have. These are also JSON-based. So... the policy you attached may not fully represent the scope of what the entity can do because the boundary may restrict it.
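To make the stacking of an identity policy and a permission boundary concrete, here is an added Python example (mine, not from the thread or any AWS library) that evaluates a simplified same-account version of the IAM decision logic over two constructed policies. It models only identity policies and boundaries; resource policies, SCPs and Condition blocks are left out.

```python
import fnmatch
import json

# Constructed sample policies, not from the thread: the identity policy is the
# wildcard mistake, the boundary caps what the role can ever do.
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
  ]}""")

PERMISSION_BOUNDARY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-bucket/*"}
  ]}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, action, resource):
    # Actions are case-insensitive; '*' and '?' behave as IAM wildcards.
    acts = [a.lower() for a in _as_list(stmt.get("Action", []))]
    ress = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in acts)
            and any(fnmatch.fnmatchcase(resource, r) for r in ress))

def _decision(policy, action, resource):
    # One policy: explicit Deny beats Allow; no match is an implicit deny (None).
    result = None
    for stmt in policy["Statement"]:
        if _matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result

def is_allowed(action, resource, identity=IDENTITY_POLICY, boundary=None):
    # Simplified same-account evaluation: the identity policy must Allow AND,
    # when a boundary is set, the boundary must Allow too. Resource policies,
    # SCPs and conditions are out of scope here.
    if _decision(identity, action, resource) != "Allow":
        return False
    return boundary is None or _decision(boundary, action, resource) == "Allow"
```

Run it with and without the boundary to see how "s3:*" on "*" collapses to just GetObject/PutObject on one bucket once the boundary applies.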
Some services, like KMS, ECR or S3, have additional policies that can be attached to their resources (e.g. keys, buckets or image repositories) that further restrict which IAM entities can access them. These combine with IAM policies in a two-way trust of sorts.
Finally, there are trust relationships for IAM roles - what AWS services and entities can utilize the role? *However*, trust relationships only define what can invoke the initial credential generation mechanism, not what services can actually *use* those credentials.
This has led to some interesting security incidents where attackers trick the EC2 metadata service into generating credentials on the instance's behalf and then use those credentials from a local laptop.
IMO, this entire tangled mess of roles, policies, permissions, trust statements, etc. has really made it difficult for developers new to AWS to design secure systems.
If IAM keeps you up at night, or you just want a refresher, I am working on an eBook that (hopefully) simplifies things a bit. Drop your email here and I'll ping you when the book goes live: forms.gle/bAcohu1Evf5rWu…