AWS IAM Security

This repository is an AWS IAM security case study. It shows how common IAM permissions can create privilege escalation paths, then documents the detections, evidence requirements, and remediation controls needed to review the same issues in an audit.

Table of Contents

• AWS IAM Security
  • Table of Contents
  • 1. Users vs Roles vs User Groups
    • 1.1 User Groups
    • 1.2 Users
    • 1.3 Roles
  • 2. Exploits
    • 2.1 IAM Privilege Escalation - sts::AssumeRole
    • 2.2 EC2 Privilege Escalation - ec2::RunInstances and iam::PassRole
    • 2.3 IAM Privilege Escalation - iam::CreateAccessKey
    • 2.4 IAM Privilege Escalation - iam::AddUserToGroup
  • 3. Mitigations
    • 3.1 AWS CloudTrail
    • 3.2 AWS Config
    • 3.3 AWS GuardDuty
      • 3.3.1 Running Nmap for Ping Sweep
      • 3.3.2 Unusual API Calls from unusual IP
    • 3.4 AWS IAM Access Analyzer
    • 3.5 AWS Organizations and SCP Guardrails
      • 3.5.1 Retest 1 - sts::AssumeRole Self-Escalation Path
  • 4. Audit Documentation
    • 4.1 Documentation Index
    • 4.2 Evidence Templates