AWS IAM

Intro to IAM

Last updated: May 4th, 2023

Review

Principals

  • Root
    • Represents the account's owner
    • Password reset is a common weakness of AWS root accounts that do not have MFA enabled
    • aws organizations describe-organization
  • IAM Users
    • The most basic principal
    • Represent people or applications
    • aws iam list-users
      aws iam list-access-keys --user-name username
  • Roles
    • Enable trust between principals and accounts through assume-role (sts:AssumeRole)
    • aws iam list-roles
  • *
    • Everyone: could be anyone on the internet or any AWS customer

Permissions

  • IAM Policies
    • Attached to specific principals and define the resources a principal can act on.
    • Contain:
      • Optional Sid (statement ID)
      • Action - What the policy explicitly allows or denies
      • Resource - The ARNs of the resources the statement applies to
      • Effect - Either Allow or Deny
      • Condition - Optional conditions
    • aws iam get-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
    • Action
      • Consists of a service and an API call (e.g. iam:ListUsers)
    • Resource
      • Always an ARN or a wildcard (*) that represents any resource
      • Essential for least privilege
    • Effect
      • Explicit Allow or Deny
    • Principal
      • Used in resource policies; can be an AWS account, IAM role, role session, IAM user, federated user session, service, or everyone (*).
    • Conditions
      • Evaluated against specific context keys and values
  • Resource Policies
    • Attached to a resource and define the principals that can act on the resource
  • Service Control Policies
    • A feature of AWS Organizations
    • Apply to all principals in the AWS account
    • Cannot be viewed by users in the affected account
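The policy elements listed above (Sid, Effect, Action, Resource, Condition, Principal) and the "*" principal from the Principals section are easiest to understand by evaluating a request against a policy by hand. The following is an added example, not code from the original page and not AWS's evaluation engine: a small Python evaluator that applies IAM's precedence (explicit Deny wins, then any matching Allow, otherwise implicit deny), IAM-style `*`/`?` wildcards, and a subset of condition operators, plus a check that flags resource-policy statements granting access to everyone (`Principal: "*"`) with no Condition. Both sample policies and the VPC id `vpc-example` are constructed for the example.

```python
import re
from typing import Any, Dict, List, Optional, Union

# Constructed identity-based policy (not from the page): read-only access to one S3
# bucket, list-only IAM access, and an explicit deny for S3 calls made without TLS.
SAMPLE_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadReports", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "ListIam", "Effect": "Allow", "Action": "iam:List*", "Resource": "*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Constructed bucket (resource) policy: one statement is open to anyone on the internet,
# the other is scoped to a VPC via a Condition (vpc-example is a placeholder id).
SAMPLE_BUCKET_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-example"}}},
    ],
}


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    """Policy JSON allows either a single string or a list for Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """'Statement' may be a single object or a list."""
    stmts = policy["Statement"]
    return stmts if isinstance(stmts, list) else [stmts]


def _wildcard_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' exactly one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_holds(condition: Dict[str, Dict[str, Any]], context: Dict[str, str]) -> bool:
    """Evaluate a subset of operators; every key under every operator must match."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            wanted = [str(v) for v in _as_list(expected)]
            actual = context.get(key)  # a missing context key never satisfies the condition
            if operator == "StringEquals":
                ok = actual in wanted
            elif operator == "StringLike":
                ok = actual is not None and any(_wildcard_match(p, actual) for p in wanted)
            elif operator == "Bool":
                ok = actual is not None and actual.lower() in [w.lower() for w in wanted]
            else:
                raise ValueError(f"operator {operator} is not supported by this example")
            if not ok:
                return False
    return True


def evaluate(policy: Dict[str, Any], action: str, resource: str,
             context: Optional[Dict[str, str]] = None) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request against one policy.

    Precedence mirrors IAM: an explicit Deny always wins, otherwise any matching
    Allow grants access, otherwise the request is implicitly denied.
    """
    context = context or {}
    allowed = False
    for stmt in _statements(policy):
        # Action names are case-insensitive in IAM; resource ARNs are matched as written.
        action_hit = any(_wildcard_match(a, action, True) for a in _as_list(stmt.get("Action")))
        resource_hit = any(_wildcard_match(r, resource) for r in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def open_principal_statements(resource_policy: Dict[str, Any]) -> List[str]:
    """Sids of Allow statements whose Principal is '*' (everyone) and that carry no Condition."""
    findings = []
    for stmt in _statements(resource_policy):
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if stmt.get("Effect") == "Allow" and "*" in principals and not stmt.get("Condition"):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICY, "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv",
                   {"aws:SecureTransport": "false"}))
    print(open_principal_statements(SAMPLE_BUCKET_POLICY))
```

The evaluator covers a single policy only; in a real account the identity policy, any resource policy, permission boundaries and SCPs are combined, but the Deny-over-Allow-over-implicit-deny rule shown here is the same one applied at every layer.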

Credentials

  • Root Password
    • If the account was created before 2017, it is the same as the Amazon retail password.
    • If the account was created via the CreateAccount API call, it is a random string
    • Login and password reset are available on the main sign-in page.
  • IAM Login
    • LoginProfile is the term used to describe a user's console password
    • IAM users can be granted access to the AWS console from the Security Credentials tab or via the CLI:
      aws iam create-login-profile --user-name IAM-User --password 'Password123'
    • You can also change a password:
      aws iam update-login-profile --user-name IAM-User --password '123Password'
    • And display the password policy:
      aws iam get-account-password-policy
  • AWS API Access Key
    • Long Term
      • Begin with AKIA
      • Create Key:
        aws iam create-access-key --user-name student
      • Disable Key:
        aws iam update-access-key --access-key-id AKIA... --status Inactive
      • Delete Key:
        aws iam delete-access-key --access-key-id AKIA...
      • Identify Acct:
        aws sts get-access-key-info --access-key-id AKIA...
    • Temporary Session
      • Begin with ASIA
      • Must be requested from STS, cannot be created directly:
        aws sts get-session-token
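The key-management commands above (list, disable, delete) are the building blocks of a routine access-key hygiene check. The following is an added example, not code from the original page: a Python script that classifies key IDs by the AKIA/ASIA prefix described above and audits constructed `aws iam list-access-keys` output for stale active keys, users with two active keys, and inactive keys that were never deleted, emitting the page's `update-access-key`/`delete-access-key` commands as suggested remediation. The JSON documents, user names, key IDs and the 90-day threshold are all constructed for the example.

```python
from datetime import datetime, timezone
from typing import Any, Dict, List

# Constructed documents in the shape `aws iam list-access-keys --user-name <name>` returns,
# one per user. Key IDs are fake placeholders.
SAMPLE_LIST_ACCESS_KEYS: List[Dict[str, Any]] = [
    {"AccessKeyMetadata": [
        {"UserName": "student", "AccessKeyId": "AKIAEXAMPLE0000000001", "Status": "Active",
         "CreateDate": "2022-11-01T09:00:00+00:00"},
        {"UserName": "student", "AccessKeyId": "AKIAEXAMPLE0000000002", "Status": "Active",
         "CreateDate": "2023-04-20T09:00:00+00:00"}]},
    {"AccessKeyMetadata": [
        {"UserName": "ci-deploy", "AccessKeyId": "AKIAEXAMPLE0000000003", "Status": "Inactive",
         "CreateDate": "2021-06-15T12:00:00+00:00"}]},
    {"AccessKeyMetadata": [
        {"UserName": "auditor", "AccessKeyId": "AKIAEXAMPLE0000000004", "Status": "Active",
         "CreateDate": "2023-03-01T08:30:00+00:00"}]},
]


def key_kind(access_key_id: str) -> str:
    """Classify by prefix: AKIA = long-term IAM key, ASIA = temporary STS session key."""
    if access_key_id.startswith("AKIA"):
        return "long-term"
    if access_key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


def disable_command(user: str, key_id: str) -> str:
    """The disable command from the page, filled in for one key."""
    return f"aws iam update-access-key --user-name {user} --access-key-id {key_id} --status Inactive"


def delete_command(user: str, key_id: str) -> str:
    """The delete command from the page, filled in for one key."""
    return f"aws iam delete-access-key --user-name {user} --access-key-id {key_id}"


def audit_access_keys(documents: List[Dict[str, Any]], now: datetime,
                      max_age_days: int = 90) -> List[Dict[str, str]]:
    """Return one finding per hygiene problem, in user order, with a remediation command."""
    by_user: Dict[str, List[Dict[str, Any]]] = {}
    for doc in documents:
        for meta in doc["AccessKeyMetadata"]:
            by_user.setdefault(meta["UserName"], []).append(meta)

    findings: List[Dict[str, str]] = []
    for user, keys in by_user.items():
        active = [k for k in keys if k["Status"] == "Active"]
        if len(active) > 1:
            # Two active keys usually means a rotation that was never finished.
            oldest = min(active, key=lambda k: k["CreateDate"])
            findings.append({"user": user, "key": oldest["AccessKeyId"],
                             "issue": "multiple active keys; disable the older one",
                             "remediation": disable_command(user, oldest["AccessKeyId"])})
        for k in keys:
            created = datetime.fromisoformat(k["CreateDate"])  # CLI output is ISO 8601 with offset
            age_days = (now - created).days
            if k["Status"] == "Inactive":
                findings.append({"user": user, "key": k["AccessKeyId"],
                                 "issue": "inactive key still present; delete it",
                                 "remediation": delete_command(user, k["AccessKeyId"])})
            elif age_days > max_age_days:
                findings.append({"user": user, "key": k["AccessKeyId"],
                                 "issue": f"active {key_kind(k['AccessKeyId'])} key is {age_days} days old "
                                          f"(limit {max_age_days}); rotate it",
                                 "remediation": disable_command(user, k["AccessKeyId"])})
    return findings


if __name__ == "__main__":
    for f in audit_access_keys(SAMPLE_LIST_ACCESS_KEYS, datetime.now(timezone.utc)):
        print(f"{f['user']:<10} {f['key']} {f['issue']}\n    {f['remediation']}")
```

Against real output, pipe each user's `aws iam list-access-keys --user-name <name>` JSON into the `documents` list; the audit reads only the four fields shown, so the script needs no AWS credentials of its own.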
