Identity Access Management on AWS

AWS offers many different methods for users to authenticate to their accounts through the IAM service, the most common of which are user accounts and roles. IAM users provide a means of setting up credentials for something that needs long-term access to the environment. Users can access the AWS APIs by authenticating to the web UI with a username and password, or by using API keys (an access key ID and secret access key) to make requests programmatically.

Roles, on the other hand, provide a means of delegating temporary credentials to users, services, and applications as they need them. An IAM user who has the sts:AssumeRole permission can assume a role to get a set of API keys (an access key ID, secret access key, and session token) that are only valid for a short time. By default, the lifespan is set to one hour before these keys expire. These keys carry the permissions that were assigned to the assumed role, and they are often used to complete specific tasks. Under this model, the AWS users in an environment do not permanently hold every permission they might ever need; instead, they request the permissions a role holds only when they need them. This allows for stricter auditing and permissions management.

There are also resources in AWS IAM known as groups. Groups can be used to delegate a common set of permissions to a set of users. In an example AWS environment, there may be a group called developers that provides access to the services the company's developers need. Users can then be added to the group, and they will inherit the permissions associated with it. Users only retain the provided permissions for as long as they remain a member of the associated group. A single user can be a member of up to 10 separate groups, and a single group can hold up to the total number of users that are allowed in the account.

IAM users, roles, and groups are important to our attack process and for our basic understanding of the AWS infrastructure. This chapter aims to provide insight into some common features of the IAM service and how we might use them as regular AWS users and as attackers.

In this chapter, we will be using the IAM service to cover the following topics:

  • How to create IAM users, groups, roles, and associated privileges
  • How to limit the API actions and resources accessible to a specific role
  • Using IAM access keys
  • Signing AWS API requests
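As an added example (not code from the book), the kind of check a reviewer would run on a role definition to see whether its trust policy, its permissions, and its session lifetime follow the least-privilege model described above. The role name, account ID and policy statements are constructed for illustration; the record shape mirrors what IAM's GetRole returns, with the permissions policy attached alongside it.

```python
import json

def _as_list(v):
    return v if isinstance(v, list) else [v]

def make_role(trust_principal, permission_statements, max_session=3600):
    """Build a role record (constructed names and account ID, not real ones)."""
    return {
        "RoleName": "deploy-role",
        "MaxSessionDuration": max_session,  # seconds; IAM's default is one hour
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": trust_principal,
                           "Action": "sts:AssumeRole"}],
        },
        "PermissionsPolicy": {"Version": "2012-10-17",
                              "Statement": permission_statements},
    }

def review_role(role):
    """Return human-readable findings where the role is broader than least privilege."""
    findings = []
    # Trust policy: who may call sts:AssumeRole on this role at all
    for st in role["AssumeRolePolicyDocument"]["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        p = st.get("Principal")
        if p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", []))):
            findings.append("trust policy allows any AWS principal to call sts:AssumeRole")
    # Permissions policy: flag service-wide or global action wildcards
    for st in role["PermissionsPolicy"]["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        resources = _as_list(st.get("Resource", []))
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"wildcard action {action} on {resources}")
    # Session lifetime: temporary keys should expire quickly
    if role["MaxSessionDuration"] > 3600:
        findings.append(f"session lifetime {role['MaxSessionDuration']}s exceeds the one-hour default")
    return findings

BUCKET_RW = {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": "arn:aws:s3:::deploy-bucket/*"}
OVERBROAD_ROLE = make_role({"AWS": "*"},
                           [BUCKET_RW, {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}],
                           max_session=43200)
HARDENED_ROLE = make_role({"AWS": "arn:aws:iam::123456789012:user/alice"},
                          [BUCKET_RW, {"Effect": "Allow", "Action": "iam:GetRole",
                                       "Resource": "arn:aws:iam::123456789012:role/deploy-role"}])
```

Calling `review_role(OVERBROAD_ROLE)` returns three findings (open trust policy, `iam:*` on every resource, twelve-hour sessions), while `review_role(HARDENED_ROLE)` returns an empty list; `json.dumps` the result to record it in a review.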