IAM
What is IAM?
AWS Identity and Access Management (IAM) is a service that helps you securely control access to AWS resources. IAM enables you to manage users, groups, and roles, and define their permissions to access specific AWS services and resources. It provides the foundation for managing access control in AWS, ensuring that the right users have the appropriate access to the resources they need.
Root User
The root user is created when you first set up your AWS account. It has full administrative privileges and unrestricted access to every resource in the account, and its permissions cannot be restricted with IAM policies. Use it only for the few tasks that require root-level access, protect it with MFA, do not create access keys for it, and create IAM users (or roles) for day-to-day administration.
IAM Users
IAM users are created and managed within your AWS account. Each user has a unique set of security credentials and permissions defined by IAM policies. IAM users are used to interact with AWS services through the AWS Management Console, AWS CLI, or AWS SDKs.
Long-Term Credentials
Long-term credentials consist of an access key ID and a secret access key associated with an IAM user. They do not expire and are used for programmatic access to AWS services; access key IDs of this kind begin with AKIA. Because a leaked pair stays valid until it is deactivated or deleted, rotate these keys regularly and prefer roles with short-term credentials wherever possible.
Short-Term Credentials
Short-term credentials are temporary and are generated by the AWS Security Token Service (STS). They consist of an access key ID (beginning with ASIA), a secret access key, and a session token; the token must accompany every request made with the key, otherwise the request is rejected. They grant temporary access to AWS resources and expire after a specified duration. Short-term credentials are what roles and federated users receive.
Federated Users
Federated users are users who are authenticated outside of AWS but are granted temporary access to AWS resources. Instead of creating IAM users for each external user, AWS supports federated access, which allows users from external identity providers (such as corporate directories or social identity providers) to access AWS resources using temporary credentials. This approach is more scalable and secure, as it eliminates the need to manage individual IAM users for external entities and leverages existing authentication systems.
Stored Credentials
Stored credentials refer to the practice of saving AWS access keys and secrets in specific locations on your filesystem so that AWS CLI and SDKs can easily retrieve and use them. Properly managing these stored credentials is crucial for maintaining the security and integrity of your AWS environment.
How AWS Stores Credentials?
When using the AWS CLI or SDKs, credentials are typically stored in two files:
- Configuration File (config): holds settings such as the default region and output format. It can also hold credentials and role settings (role_arn, source_profile) for a profile.
- Credentials File (credentials): holds the access key IDs, secret access keys and session tokens used to authenticate AWS CLI commands and API requests. If the same profile appears in both files, the values from the credentials file take precedence.
Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN) override both files, so they are another place to look for credentials on a host.
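As an added example (not code from the original page), the following Python script shows how the two files combine into a single profile: it merges config and credentials the way the CLI does, with the credentials file winning on conflicts, and classifies each profile by the documented key-ID prefix (AKIA for long-term IAM user keys, ASIA for temporary STS keys). The file contents, the profile names, the role ARN and the key material are constructed, using AWS's published example keys.

```python
"""Resolve AWS CLI profiles from the two files the CLI reads and classify the
credential each one holds. Added example (not from the original page); the two
file bodies below are constructed and use AWS's documented example key material."""
import configparser

# Constructed ~/.aws/credentials. Sections are named [profile-name].
CREDENTIALS_FILE = """
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ec2]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = FwoGZXIvYXdzEBYaDEXAMPLESESSIONTOKEN
"""

# Constructed ~/.aws/config. Non-default sections are named [profile name];
# it may carry credentials too, and role profiles have no static key at all.
CONFIG_FILE = """
[default]
region = us-east-1
output = json

[profile ec2]
region = eu-west-1

[profile legacy]
aws_access_key_id = AKIAI44QH8DHBEXAMPLE
aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
region = us-west-2

[profile admin]
role_arn = arn:aws:iam::123456789012:role/Admin
source_profile = default
"""


def _parse(text):
    # interpolation=None: '%' is legal inside secret keys and must not be expanded
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def load_profiles(credentials_text, config_text):
    """Merge both files into {profile: {key: value}}. The credentials file is
    applied last so it wins on conflicts, which is the CLI's own precedence."""
    profiles = {}
    config = _parse(config_text)
    for section in config.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles.setdefault(name, {}).update(config[section])
    creds = _parse(credentials_text)
    for section in creds.sections():
        profiles.setdefault(section, {}).update(creds[section])
    return profiles


def classify(profile):
    """Name the credential type using the documented key-ID prefixes:
    AKIA = long-term IAM user key, ASIA = temporary key issued by STS."""
    key_id = profile.get("aws_access_key_id")
    if not key_id:
        return "no static key (role, SSO or empty profile)"
    if key_id.startswith("ASIA"):
        return "temporary" if profile.get("aws_session_token") else "temporary, session token missing"
    if key_id.startswith("AKIA"):
        return "long-term"
    return "unknown key format"


def audit(credentials_text, config_text):
    """Return {profile: classification} for every profile found in either file."""
    profiles = load_profiles(credentials_text, config_text)
    return {name: classify(values) for name, values in sorted(profiles.items())}


if __name__ == "__main__":
    for name, kind in audit(CREDENTIALS_FILE, CONFIG_FILE).items():
        print(f"{name:10} {kind}")
```

To run it against a real host, replace the two constants with the contents of ~/.aws/credentials and ~/.aws/config. A profile classified as long-term in a default section is the one to worry about on a lost laptop, since it keeps working until someone rotates it; a profile classified as temporary can be checked with `aws sts get-caller-identity --profile ec2`, which fails once the session token has expired.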
Location of Stored Credentials
The location of these files varies depending on the operating system:
- Windows: C:\Users\<username>\.aws\credentials and C:\Users\<username>\.aws\config (that is, %USERPROFILE%\.aws)
- Linux/macOS: ~/.aws/credentials and ~/.aws/config (typically /home/<username>/.aws on Linux and /Users/<username>/.aws on macOS)
Both paths can be overridden with the AWS_SHARED_CREDENTIALS_FILE and AWS_CONFIG_FILE environment variables, so check those variables as well when looking for stored credentials.
AWS-CLI
The AWS-CLI is a tool that allows you to interact with AWS services from the command line. You can configure the AWS CLI with profiles to manage multiple sets of credentials.
aws configure --profile auditor
Configuring and Validating Temporary Credentials
To configure the AWS CLI with temporary credentials for a specific profile, set all three values (the session token is mandatory for STS credentials; without it every request is rejected):
aws configure set aws_access_key_id [key-id] --profile ec2
aws configure set aws_secret_access_key [secret-key] --profile ec2
aws configure set aws_session_token [token] --profile ec2
The profile can then be validated by calling the STS GetCallerIdentity API with --profile ec2, which returns the account ID, the user ID and the ARN of the principal the credentials resolve to, or an error once the token has expired.
Enumeration
Users
- List of IAM Users
aws iam list-users
- List the IAM Groups That a User Belongs To
aws iam list-groups-for-user --user-name [user-name]
- List All Managed Policies Attached to a User
aws iam list-attached-user-policies --user-name [user-name]
- List the Names of Inline Policies Embedded in a User
aws iam list-user-policies --user-name [user-name]
Groups
- List of IAM Groups
aws iam list-groups
- List All Users in a Group
aws iam get-group --group-name [group-name]
- List All Managed Policies Attached to a Group
aws iam list-attached-group-policies --group-name [group-name]
- List the Names of Inline Policies Embedded in a Group
aws iam list-group-policies --group-name [group-name]
Roles
- List of IAM Roles
aws iam list-roles
- List All Managed Policies Attached to a Role
aws iam list-attached-role-policies --role-name [role-name]
- List the Names of Inline Policies Embedded in a Role
aws iam list-role-policies --role-name [role-name]
Policies
- List of All IAM Policies (by default this includes every AWS managed policy; add --scope Local to see only customer managed policies, or --only-attached to skip policies that are attached to nothing)
aws iam list-policies
- Retrieve Information About a Specific Managed Policy (the DefaultVersionId field tells you which version is currently in force)
aws iam get-policy --policy-arn [policy-arn]
- List Information About Versions of a Managed Policy
aws iam list-policy-versions --policy-arn [policy-arn]
- Retrieve the Policy Document of a Specific Version of a Managed Policy (use the default version ID to get the permissions that actually apply)
aws iam get-policy-version --policy-arn [policy-arn] --version-id [version-id]
- Retrieve the Inline Policy Document Embedded in a User, Group, or Role
aws iam get-user-policy --user-name [user-name] --policy-name [policy-name]
aws iam get-group-policy --group-name [group-name] --policy-name [policy-name]
aws iam get-role-policy --role-name [role-name] --policy-name [policy-name]
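Putting the walk above together, here is an added Python example (not from the original page) that collects every policy applying to a user, inline and managed, direct and inherited through groups, in the same order as the list-*/get-* commands, and then flags Allow statements that are over-permissive (Action *, service-wide wildcards such as ec2:*, Allow combined with NotAction, and iam:PassRole on Resource *). The FakeIAM class, the user and group names, the policy names and ARNs and the documents are all constructed so the script runs offline; its method names and response shapes follow boto3's IAM client, so effective_policies(boto3.client("iam"), "name") works the same against a real account, apart from pagination, which the example does not handle.

```python
"""Walk every policy that applies to an IAM user (inline and managed, direct and
via groups) and flag over-permissive Allow statements. Added example: FakeIAM and
its data are constructed, not from a real account; its method names and response
shapes mirror boto3's IAM client (pagination is not handled here)."""


def as_list(value):
    """Action/Resource/NotAction may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def flag_statement(stmt):
    """Return a reason if an Allow statement is over-permissive, else None."""
    if stmt.get("Effect") != "Allow":
        return None  # Deny statements only restrict; nothing to flag
    if "NotAction" in stmt:
        return "Allow with NotAction grants every action not listed"
    actions = as_list(stmt.get("Action"))
    resources = as_list(stmt.get("Resource"))
    if "*" in actions:
        return "Action * on Resource * (full admin)" if "*" in resources else "Action * on some resources"
    if any(a.endswith(":*") for a in actions):
        return "service-wide wildcard action"
    if any(a.lower() == "iam:passrole" for a in actions) and "*" in resources:
        return "iam:PassRole on any role"
    return None


def managed_document(iam, arn):
    """Managed policies are versioned: read the default version's document."""
    version_id = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
    return iam.get_policy_version(PolicyArn=arn, VersionId=version_id)["PolicyVersion"]["Document"]


def effective_policies(iam, user_name):
    """Return (source, document) pairs in the same order as the CLI walk on this page."""
    docs = []
    for name in iam.list_user_policies(UserName=user_name)["PolicyNames"]:
        doc = iam.get_user_policy(UserName=user_name, PolicyName=name)["PolicyDocument"]
        docs.append((f"user inline {name}", doc))
    for p in iam.list_attached_user_policies(UserName=user_name)["AttachedPolicies"]:
        docs.append((f"user managed {p['PolicyName']}", managed_document(iam, p["PolicyArn"])))
    for g in iam.list_groups_for_user(UserName=user_name)["Groups"]:
        group = g["GroupName"]
        for name in iam.list_group_policies(GroupName=group)["PolicyNames"]:
            doc = iam.get_group_policy(GroupName=group, PolicyName=name)["PolicyDocument"]
            docs.append((f"group {group} inline {name}", doc))
        for p in iam.list_attached_group_policies(GroupName=group)["AttachedPolicies"]:
            docs.append((f"group {group} managed {p['PolicyName']}", managed_document(iam, p["PolicyArn"])))
    return docs


def triage(docs):
    """Return (source, reason, actions) for every flagged statement."""
    findings = []
    for source, doc in docs:
        stmts = doc.get("Statement", [])
        for stmt in ([stmts] if isinstance(stmts, dict) else stmts):  # Statement may be one object
            reason = flag_statement(stmt)
            if reason:
                findings.append((source, reason, as_list(stmt.get("Action", stmt.get("NotAction")))))
    return findings


class FakeIAM:
    """Offline stand-in for boto3.client("iam") holding constructed sample data."""
    P = "arn:aws:iam::123456789012:policy/"
    USER_INLINE = {"auditor": {"ReadOnlyS3": {"Version": "2012-10-17", "Statement": {"Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"]}}}}
    USER_ATTACHED = {"auditor": [{"PolicyName": "DeployHelper", "PolicyArn": P + "DeployHelper"}]}
    USER_GROUPS = {"auditor": [{"GroupName": "developers"}]}
    GROUP_INLINE = {"developers": {"EC2Full": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}}}
    GROUP_ATTACHED = {"developers": [{"PolicyName": "AuditRead", "PolicyArn": P + "AuditRead"}]}
    MANAGED = {  # arn -> {version id -> document}; the highest version is the default
        P + "DeployHelper": {"v1": {"Version": "2012-10-17", "Statement": []}, "v2": {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["iam:PassRole", "lambda:UpdateFunctionCode"], "Resource": "*"}]}},
        P + "AuditRead": {"v1": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}]}}}

    def list_user_policies(self, UserName): return {"PolicyNames": list(self.USER_INLINE.get(UserName, {}))}
    def get_user_policy(self, UserName, PolicyName): return {"PolicyDocument": self.USER_INLINE[UserName][PolicyName]}
    def list_attached_user_policies(self, UserName): return {"AttachedPolicies": self.USER_ATTACHED.get(UserName, [])}
    def list_groups_for_user(self, UserName): return {"Groups": self.USER_GROUPS.get(UserName, [])}
    def list_group_policies(self, GroupName): return {"PolicyNames": list(self.GROUP_INLINE.get(GroupName, {}))}
    def get_group_policy(self, GroupName, PolicyName): return {"PolicyDocument": self.GROUP_INLINE[GroupName][PolicyName]}
    def list_attached_group_policies(self, GroupName): return {"AttachedPolicies": self.GROUP_ATTACHED.get(GroupName, [])}
    def get_policy(self, PolicyArn): return {"Policy": {"Arn": PolicyArn, "DefaultVersionId": max(self.MANAGED[PolicyArn])}}
    def get_policy_version(self, PolicyArn, VersionId):
        return {"PolicyVersion": {"VersionId": VersionId, "Document": self.MANAGED[PolicyArn][VersionId]}}


if __name__ == "__main__":
    for source, reason, actions in triage(effective_policies(FakeIAM(), "auditor")):
        print(f"[!] {source}: {reason} {actions}")
```

Before enumerating a real account, confirm which principal the credentials belong to with `aws sts get-caller-identity`; the user name in the returned ARN is the one to pass to effective_policies. Roles are walked the same way with list-role-policies, get-role-policy and list-attached-role-policies, and a Deny statement elsewhere can still override an Allow that this triage flags, so treat the findings as leads to verify rather than confirmed permissions.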