
⭐ Policies

📚 What are IAM Policies?

IAM policies are JSON documents that define permissions for actions on AWS resources. These policies are used to specify who has access to what resources and what actions they can perform. Policies enable fine-grained access control across all AWS services and resources.

🏢 Managed Policies

Managed policies are standalone policies that you can create and manage separately from the identities (users, groups, and roles) to which they are attached. They can be reused across multiple identities and fall into two types:

  1. AWS Managed Policies: These are created and managed by AWS. They are designed to provide permissions for many common use cases and are maintained by AWS, meaning they are updated automatically as new services and features are introduced.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
```
  2. Customer Managed Policies: These are created and managed by the user. They provide more flexibility and control compared to AWS managed policies. Users can create policies tailored to their specific requirements and update them as needed.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:PutItem", "dynamodb:GetItem"],
      "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/Books"
    }
  ]
}
```

🛼 Inline Policies

Inline policies are policies that you create and manage directly within a specific user, group, or role. They are tightly coupled to the identity to which they are attached, meaning they are deleted if the identity is deleted. Inline policies are useful for defining specific permissions that should not be shared and are unique to a particular identity.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:StartInstances",
      "Resource": "arn:aws:ec2:us-west-2:123456789012:instance/*"
    }
  ]
}
```
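To show how the three policy documents above are actually evaluated, here is an added example (not part of the original page or of any AWS tooling): a deliberately simplified evaluator that applies the explicit-deny-wins, default-deny rule with IAM-style wildcards, plus a check that flags the "wildcard action on every resource" pattern of the first policy. The DENY_DELETE guardrail policy is a constructed addition; conditions, NotAction/NotResource, SCPs and resource-based policies are not modelled.

```python
import fnmatch

# Constructed sample input: the three policy documents shown on this page.
AWS_MANAGED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
CUSTOMER_MANAGED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:PutItem", "dynamodb:GetItem"],
     "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/Books"}]}
INLINE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:StartInstances",
     "Resource": "arn:aws:ec2:us-west-2:123456789012:instance/*"}]}
# Constructed guardrail (assumed, not from the page): an explicit Deny that must win.
DENY_DELETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}


def _as_list(value):
    """Action/Resource/Statement may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    """IAM wildcards (* and ?) are honoured; action names are case-insensitive, ARNs are not."""
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
    resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in resources)
    return action_hit and resource_hit


def is_allowed(policies, action, resource):
    """Simplified identity-based evaluation: an explicit Deny in any statement wins,
    otherwise at least one matching Allow is required (everything else is denied)."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _statement_matches(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def overly_broad(policy):
    """Return Allow statements granting a wildcard action on every resource ('*'),
    the first thing a least-privilege review of a managed policy looks for."""
    return [s for s in _as_list(policy["Statement"])
            if s["Effect"] == "Allow"
            and any("*" in a for a in _as_list(s.get("Action", [])))
            and "*" in _as_list(s.get("Resource", []))]
```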

📌 Attachments and Associations

Users, Groups, and Roles

Policies can be attached to the following IAM entities:

  • Users: Individual users can have managed or inline policies attached to them to define what AWS resources they can access and what actions they can perform.

  • Groups: Policies attached to groups apply to all users that are members of the group. This simplifies permission management by allowing you to manage permissions for multiple users in one place.

  • Roles: Roles are used to delegate permissions to AWS services or other AWS accounts. Policies attached to roles define what actions the role can perform and on which resources. Roles are often used with services like EC2, Lambda, and others to grant them the necessary permissions to perform actions on AWS resources.