AWS Identity and Access Management (IAM)

Thread 🧵

#aws #AWS #DevOpsCommunity
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated and authorized to use resources.

IAM features

1-Shared access to your AWS account
2-Granular permissions
3-Secure access to AWS resources for applications that run on Amazon EC2
4-Multi-factor authentication (MFA)
5-Identity federation

Accessing IAM

1-AWS Management Console
2-AWS Command Line Tools
3-AWS SDKs
4-IAM HTTPS API

How IAM works

The IAM infrastructure includes the following elements:
• Terms
• Principal
• Request
• Authentication
• Authorization
• Actions or operations
• Resources

IAM Best Practices

1-Avoid using the root account unless strictly necessary
2-Use temporary credentials
3-Embrace the least privilege principle and review all IAM permissions periodically
4-Apply the least privilege principle in both directions
5-Monitor account activity regularly using IAM Access Analyzer and AWS CloudTrail
6-Use Multi-Factor Authentication (MFA)
7-Enforce strong passwords
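To make the "How IAM works" flow (request, authentication, authorization, action, resource) and the least-privilege and MFA advice concrete, here is an added example that is not part of the thread and not AWS code. It models IAM's documented evaluation basics, which go a little beyond what the thread states: a request is denied by default, an explicit Allow grants it, and an explicit Deny overrides any Allow. The sample policy documents, the request, and the user ARN are constructed; account id 123456789012 is the usual documentation placeholder. Only `*`/`?` wildcards in Action and Resource and the `Bool`/`BoolIfExists` operators on `aws:MultiFactorAuthPresent` are modelled; NotAction, resource-based policies and other condition keys are out of scope.

```python
"""Toy IAM policy evaluator plus a least-privilege lint (added example).

Not code from the thread or from AWS. Sample policies and requests are
constructed; the evaluation rules are IAM's documented basics, simplified:
implicit Deny by default, explicit Allow grants, explicit Deny overrides.
"""
import fnmatch
import json

# Action namespaces the lint treats as privileged enough to require MFA.
SENSITIVE_PREFIXES = ("iam:", "sts:", "kms:", "organizations:")


def _as_list(value):
    # IAM accepts either a single string or a list for Action/Resource/Statement.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards '*' and '?' behave like shell globs for our purposes.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(statement, context):
    """Bool: a missing key never matches; BoolIfExists: a missing key matches."""
    for operator, pairs in statement.get("Condition", {}).items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against identity-based policies."""
    context = context or {}
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if "Action" not in stmt:          # NotAction statements are not modelled
                continue
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if not _condition_holds(stmt, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"                 # an explicit Deny always wins
            allowed = True
    return "Allow" if allowed else "Deny"     # implicit Deny unless explicitly allowed


def lint(policy):
    """Flag Allow statements that contradict the least-privilege and MFA advice."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append(f"statement {i}: Action '*' grants every API call")
        elif any(a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: service-wide wildcard in {actions}")
        if "*" in resources:
            findings.append(f"statement {i}: Resource '*' applies to every resource")
        has_mfa = any("aws:MultiFactorAuthPresent" in pairs
                      for pairs in stmt.get("Condition", {}).values())
        if any(a.startswith(SENSITIVE_PREFIXES) for a in actions) and not has_mfa:
            findings.append(f"statement {i}: privileged action without an MFA condition")
    return findings


# Constructed sample policies (hypothetical, not from the thread).
OVERLY_BROAD = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-reports/*"},
        {"Effect": "Allow", "Action": "iam:CreateAccessKey",
         "Resource": "arn:aws:iam::123456789012:user/alice",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}

# Guard-rail policy: deny every IAM call from a session that did not use MFA.
DENY_IAM_WITHOUT_MFA = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "iam:*", "Resource": "*",
                   "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}],
}

if __name__ == "__main__":
    user = "arn:aws:iam::123456789012:user/alice"
    for ctx in ({}, {"aws:MultiFactorAuthPresent": True}):
        print(ctx, "->", evaluate([LEAST_PRIVILEGE], "iam:CreateAccessKey", user, ctx))
    for name, doc in (("broad", OVERLY_BROAD), ("scoped", LEAST_PRIVILEGE)):
        print(name, json.dumps(lint(doc), indent=2))
```

Running it shows the two halves of the thread's advice together: the scoped policy allows `iam:CreateAccessKey` only when the request context carries an MFA-authenticated session, and the broad `"Action": "*"` policy produces lint findings even though, when paired with the Deny guard-rail, its IAM calls are still refused without MFA because the explicit Deny wins.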
