IAM


Last updated 2 months ago

Users

  • Each account has its own root user. This user can do anything in that account: IAM identity-based policies and permissions boundaries cannot restrict it, and it cannot be disabled.

  • In a member account of an AWS Organization, an SCP can deny every call for the root user (match on the aws:PrincipalArn condition key with the value arn:aws:iam::*:root). That doesn't disable it and people can still log in, but the session can't do anything.

  • The organization's management account has a root user too, and SCPs do not apply to the management account at all, so nothing caps that one. Treat it as the highest-value credential in the org.

  • Best to limit the number of IAM users, because they are usually over-permissioned and carry long-lived access keys (AKIA... prefix) that never expire on their own.

  • Federated user/SSO: IAM Identity Center, or SAML/OIDC federation straight into IAM roles, can be federated with Okta or Entra ID. Federated users get short-lived role credentials instead of IAM user keys.

CLI/Cloudshell:

aws iam list-users

IAM User Properties (as exposed by the AWS::IAM::User CloudFormation resource):

  • Groups

    A list of group names to which you want to add the user.

  • LoginProfile

    Creates a console password for the specified IAM user. A password allows an IAM user to access AWS services through the AWS Management Console; a user with a login profile and no MFA is a password-spraying target.

  • ManagedPolicyArns

    A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the user.

  • Path

    The path for the user name (for example /service-accounts/). Paths only organise and scope names; they grant nothing. See "IAM identifiers" in the IAM User Guide.

  • PermissionsBoundary

    The ARN of the managed policy that is used to set the permissions boundary for the user.

    A permissions boundary policy defines the maximum permissions that identity-based policies can grant to an entity, but does not grant permissions.

  • Policies

    Adds or updates inline policy documents embedded in the IAM user. Inline policies don't show up in an inventory of attached managed policies, so enumerate them separately when reviewing a user.

  • Tags

    A list of tags that you want to attach to the new user. Each tag consists of a key name and an associated value. See "Tagging IAM resources" in the IAM User Guide.

  • UserName

    The name of the user to create. Do not include the path in this value.

IAM User Groups

  • Users can be placed in IAM user groups and permissions assigned to the group; a user gets the union of all its groups' policies on top of its own. Groups cannot be nested and cannot be named as a Principal in a resource-based policy.

CLI/Cloudshell:

aws iam list-groups

Roles

  • A role has two major components:

    • What the role is allowed to do → IAM permissions policy

    • Who is allowed to take on the role → trust policy (a resource-based policy attached to the role)

  • Taking on a role in AWS is the STS AssumeRole action. It lets a principal temporarily act as the role without needing an IAM user and long-lived credentials in the target account.

  • The service that makes this possible in AWS is the Security Token Service (STS).

    • STS issues temporary credentials for the role session.

  • Cross-account access

    • Roles can be assumed from a different AWS account (attacker account > victim account) when the role's trust policy allows an external principal to call sts:AssumeRole. A trust like that is a classic backdoor: it survives rotation of every key in the victim account.

    • You won't find it by reviewing IAM users or their permission policies, because it lives in the role's trust policy. Enumerate every role's trust policy and compare each Principal against your own account IDs.

AssumeRole:

  • Returns a temporary credential set for the role session: AccessKeyId (ASIA... prefix, as opposed to AKIA... for long-lived user keys), SecretAccessKey, SessionToken and Expiration.

CLI/Cloudshell:

aws sts assume-role --role-arn EXAMPLE --role-session-name EXAMPLE
  • Export the returned values as the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN environment variables, or configure a CLI profile with role_arn and source_profile so the CLI assumes the role automatically.

  • The role session name is chosen by the caller and is logged in CloudTrail and embedded in the session ARN; treat it as untrusted, a TA can set it to anything.

Role Chaining

  • A role session can itself call AssumeRole into another role, which is called role chaining. Each hop is a separate CloudTrail AssumeRole event, often in a different account, so working out who was ultimately responsible means following the chain hop by hop. Chained sessions are capped at a one-hour lifetime.
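The chain can be followed mechanically: the temporary access key STS hands back in one AssumeRole event's responseElements is the userIdentity.accessKeyId of the next call made with that session. The script below, an added example rather than anything from the original page, walks a chain of AssumeRole events back to the IAM user that started it and lists the cross-account hops. The events are constructed CloudTrail-style records trimmed to the fields used (account IDs, ARNs and key IDs are made up).

```python
"""Resolve a chain of STS AssumeRole calls back to the principal that started it.

Added example over constructed CloudTrail-style records (not real logs). The
link between hops is the temporary access key: the key returned in
responseElements.credentials.accessKeyId of one AssumeRole event is the
userIdentity.accessKeyId of the next call made with that session.
"""

# Constructed sample events, trimmed to the CloudTrail fields used here.
# AKIA... = long-lived IAM user key; ASIA... = temporary STS key.
# Cross-account AssumeRole calls are logged in both accounts (linked by
# sharedEventID); these are the copies from the account that owns the role.
EVENTS = [
    {   # hop 1: IAM user alice (account 111) assumes Deploy in account 222
        "eventTime": "2024-05-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "recipientAccountId": "222222222222",
        "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                         "arn": "arn:aws:iam::111111111111:user/alice",
                         "accessKeyId": "AKIAEXAMPLEKEY000001"},
        "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/Deploy",
                              "roleSessionName": "alice"},
        "responseElements": {
            "credentials": {"accessKeyId": "ASIAEXAMPLEKEY000002"},
            "assumedRoleUser": {"arn": "arn:aws:sts::222222222222:assumed-role/Deploy/alice"}},
    },
    {   # hop 2: the Deploy session chains into Admin in account 333
        "eventTime": "2024-05-01T10:02:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "recipientAccountId": "333333333333",
        "userIdentity": {"type": "AssumedRole", "accountId": "222222222222",
                         "arn": "arn:aws:sts::222222222222:assumed-role/Deploy/alice",
                         "accessKeyId": "ASIAEXAMPLEKEY000002"},
        "requestParameters": {"roleArn": "arn:aws:iam::333333333333:role/Admin",
                              "roleSessionName": "alice"},
        "responseElements": {
            "credentials": {"accessKeyId": "ASIAEXAMPLEKEY000003"},
            "assumedRoleUser": {"arn": "arn:aws:sts::333333333333:assumed-role/Admin/alice"}},
    },
    {   # the action under investigation, made with the chained Admin session
        "eventTime": "2024-05-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging", "recipientAccountId": "333333333333",
        "userIdentity": {"type": "AssumedRole", "accountId": "333333333333",
                         "arn": "arn:aws:sts::333333333333:assumed-role/Admin/alice",
                         "accessKeyId": "ASIAEXAMPLEKEY000003"},
    },
]


def index_issued_keys(events):
    """Map each temporary access key STS issued -> the AssumeRole event that issued it."""
    issued = {}
    for e in events:
        if e.get("eventSource") == "sts.amazonaws.com" and e.get("eventName") == "AssumeRole":
            key = ((e.get("responseElements") or {}).get("credentials") or {}).get("accessKeyId")
            if key:
                issued[key] = e
    return issued


def resolve_chain(event, issued, max_hops=20):
    """Principal ARNs from the acting session back to the identity that started
    the chain; the last element is the original (non-STS) principal."""
    chain = [event["userIdentity"]["arn"]]
    key = event["userIdentity"].get("accessKeyId")
    seen = set()
    while key in issued and key not in seen and len(chain) <= max_hops:
        seen.add(key)
        hop = issued[key]
        chain.append(hop["userIdentity"]["arn"])
        key = hop["userIdentity"].get("accessKeyId")
    return chain


def cross_account_hops(event, issued):
    """(caller_account, target_account) for every AssumeRole in the chain that
    crossed an account boundary, newest hop first."""
    hops, seen = [], set()
    key = event["userIdentity"].get("accessKeyId")
    while key in issued and key not in seen:
        seen.add(key)
        hop = issued[key]
        caller, target = hop["userIdentity"]["accountId"], hop["recipientAccountId"]
        if caller != target:
            hops.append((caller, target))
        key = hop["userIdentity"].get("accessKeyId")
    return hops


if __name__ == "__main__":
    issued = index_issued_keys(EVENTS)
    print(" <- ".join(resolve_chain(EVENTS[-1], issued)))
    for caller, target in cross_account_hops(EVENTS[-1], issued):
        print(f"cross-account hop: {caller} -> {target}")
```

On real data, feed every AssumeRole event from all accounts in scope into index_issued_keys first; a hop whose key is missing from the index means the logs of the account that owns that role are not in your evidence set yet.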

Security Token Service (STS)

  • The session lifetime is configurable per call (DurationSeconds), up to the role's maximum session duration (1 to 12 hours, default 1 hour); role-chained sessions are capped at 1 hour.

    • Because sessions expire, a TA who keeps access over time has to re-assume the role again and again: expect many AssumeRole events and many short-lived ASIA... access keys to pull into the timeline, not just one.

  • Minimum session lifetime: 15 minutes (900 seconds).

Access Analyzer

  • Helps find 'dangerous' roles and resource policies (ones reachable from outside your account or organization) as well as over-permissioned roles and roles, users and keys you don't need any more. The external access part is free; the unused access part is charged.

  • External access findings (free)

    • Review IAM role trust policies and resource policies (S3, KMS, SQS, Lambda, Secrets Manager, etc.) for public access.

    • Review the same for cross-account access, i.e. principals outside the zone of trust (your account or your organization).

  • Unused access findings (paid)

    • Finds unused roles, access keys, IAM user passwords and unused permissions that are obsolete.

  • Findings are not instant: analysis runs periodically and can take hours, so during an IR it complements, rather than replaces, pulling and reading the trust and resource policies directly.

Policies

  • Big 3 policies (seen most often):

    • Identity based

      • Attached to identities (IAM users, IAM groups, IAM roles), either as managed policies or inline.

    • Resource based

      • Attached to resources that support them (S3 buckets, KMS keys, SQS queues, Lambda functions, Secrets Manager secrets, and the trust policy of an IAM role). EC2 instances don't take one.

      • Example: allow only a specific source IP range to read from an S3 bucket.

    • Service Control Policy (SCP)

      • Attached to the organization root, an OU or an individual account and inherited downwards. Used to set guardrails in AWS: an SCP never grants anything, it only caps what identity-based policies in the affected accounts can grant, and it doesn't apply to the management account.

External Access Policies:

  • Identity-based policies cannot expose resources in your AWS account to principals that exist outside the account: they have no Principal element and only describe what the identity they're attached to may do.

  • To grant a principal outside your AWS account access, you must use a resource-based policy (for roles, that is the trust policy). Those are therefore the policies to read first when hunting for a backdoor.
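Because the external exposure is only ever in a Principal element, the hunt reduces to reading every trust and resource policy and checking each principal against the accounts you own. The script below is an added example (not from the original page and not Access Analyzer's code) that does exactly that over constructed policy documents: a role trust policy with a foreign account hidden in a list, a public bucket policy narrowed by a source-IP condition, and an identity-based policy that can't expose anything. The account IDs and policies are assumptions.

```python
"""Flag statements in a trust policy or resource policy that let principals
outside a trusted set of accounts in. Added example with constructed policy
documents; the account-ID set and the policies are assumptions, and this is a
miniature of the check Access Analyzer's external access findings perform,
not Access Analyzer itself."""
import re

# arn:partition:service:region:account-id:resource  -> capture the account id
ACCOUNT_IN_ARN = re.compile(r"^arn:[^:]+:[^:]*:[^:]*:(\d{12}):")


def _as_list(value):
    """IAM accepts a single string or a list in most elements; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_account(principal):
    """Account a principal string belongs to: '*' for anyone, a 12-digit id,
    or None when it is not account-bound (service principals, IdP names)."""
    if principal == "*":
        return "*"
    if re.fullmatch(r"\d{12}", principal):
        return principal
    m = ACCOUNT_IN_ARN.match(principal)
    return m.group(1) if m else None


def external_grants(policy, trusted_accounts):
    """Findings for every Allow statement whose Principal is public or belongs
    to an account outside trusted_accounts. Statements without a Principal
    (identity-based policies) can never grant external access."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        principal = st.get("Principal")
        if st.get("Effect") != "Allow" or principal is None:
            continue
        if principal == "*":
            entries = ["*"]
        else:   # Service principals (ec2.amazonaws.com) are AWS-owned, not foreign accounts
            entries = _as_list(principal.get("AWS", [])) + _as_list(principal.get("Federated", []))
        for p in entries:
            acct = principal_account(p)
            if acct == "*":
                kind = "public"
            elif acct is None or acct in trusted_accounts:
                continue
            else:
                kind = "cross-account"
            findings.append({
                "sid": st.get("Sid", f"statement[{i}]"),
                "principal": p,
                "kind": kind,
                "actions": _as_list(st.get("Action", [])),
                # A Condition narrows the exposure (e.g. aws:SourceIp) but does not remove it.
                "conditioned": bool(st.get("Condition")),
            })
    return findings


# Constructed samples. Account 111111111111 is ours; 999999999999 is not.
TRUSTED = {"111111111111"}

ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OwnAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "sts:AssumeRole"},
        {"Sid": "Ci", "Effect": "Allow",
         "Principal": {"Service": "codebuild.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Sid": "Backdoor", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:user/deploy",
                               "arn:aws:iam::999999999999:user/ops"]},
         "Action": "sts:AssumeRole"},
    ],
}

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Sid": "OfficeRead", "Effect": "Allow", "Principal": "*",
                  "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
                  "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
}

IDENTITY_POLICY = {   # no Principal element: cannot expose anything externally
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

if __name__ == "__main__":
    for name, doc in [("trust", ROLE_TRUST_POLICY), ("bucket", BUCKET_POLICY), ("identity", IDENTITY_POLICY)]:
        for f in external_grants(doc, TRUSTED):
            print(name, f["sid"], f["kind"], f["principal"],
                  "conditioned" if f["conditioned"] else "unconditional")
```

Run it against the documents returned by the role and resource APIs (trust policies come back URL-encoded from the IAM API and need decoding first). A 12-digit account ID that is not one of yours is the finding to chase; a "public" hit with a condition still deserves a look at what the condition actually pins.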

Policy Examples:

Identity Based

  • Effect:

    • Allow or Deny (anything not explicitly allowed is denied).

  • Action:

    • The specific API calls, written as service:Operation (s3:GetObject, s3:PutObject, iam:*); wildcards are allowed.

  • Resource:

    • The ARN(s) of the objects the statement applies to (a bucket, a key, * for everything).

  • Condition (optional):

    • Extra tests on the request, e.g. aws:SourceIp, aws:MultiFactorAuthPresent, aws:PrincipalOrgID.

Resource Based:

  • Effect:

    • Allow or Deny (default is deny).

  • Action:

    • The specific API calls (s3:GetObject, s3:PutObject, wildcard *).

  • Principal:

    • Who the statement applies to: an account, user or role ARN, an AWS service, or * (anyone, i.e. public). This is the element that can let external accounts in.

  • Resource:

    • The resource(s) the policy is applied to. A role trust policy omits this element because the role itself is the resource.

Service Control Policy:

  • Effect:

    • Allow or Deny. An account whose SCPs contain no matching Allow is denied; the default FullAWSAccess SCP is what supplies that Allow.

  • Action:

    • The specific API calls (s3:GetObject, cloudtrail:StopLogging, wildcard *).

  • Resource:

    • The ARN(s) the statement covers (usually *). Which accounts it affects is decided by where the SCP is attached (root, OU or account), not by this element.

    • Applies to every AWS account under the attachment point, including all of their IAM users and roles and the member accounts' root users.

  • Condition:

    • Condition keys the statement abides by, e.g. aws:PrincipalArn to carve out a break-glass role or aws:RequestedRegion to pin regions.

IR Policies:

Policy Evaluation:

  • By default everything is denied (implicit deny), unless there is an Allow somewhere along the evaluation.

    • An explicit Deny anywhere (SCP, permissions boundary, identity-based policy, resource-based policy, session policy) wins over any Allow, no matter where in the hierarchy it sits.

    • Otherwise the request is allowed only if every applicable layer allows it: the SCPs must contain a matching Allow, the permissions boundary (if any) must allow it, and an identity-based or resource-based policy must allow it.

  • Organization SCP:

    • If there is a Deny at this stage, or no Allow at all, the evaluation stops before looking at the lower-level policies. A matching Allow in an SCP grants nothing on its own. SCPs do not apply to the management account.
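To see that ordering end to end, here is a deliberately simplified evaluator, added as an example (not AWS's own code and not the IAM policy simulator). The policies and ARNs in it are constructed; it ignores Condition elements, permissions boundaries and session policies, and it assumes the principal and the resource live in the same account. It keeps what matters for reading an incident: explicit deny beats everything, an SCP is a ceiling the management account is exempt from, and an Allow has to come from an identity- or resource-based policy.

```python
"""Simplified IAM request evaluation: SCPs, identity-based and resource-based
policies for a principal in the same account as the resource. Added example
with constructed policies; Condition elements, permissions boundaries and
session policies are deliberately ignored, so this illustrates the ordering
(explicit deny > SCP ceiling > allow > implicit deny) and is not a substitute
for the IAM policy simulator."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    """IAM wildcard match (* and ?); action names are case-insensitive, ARNs are not."""
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def statement_matches(st, action, resource):
    """Does this statement cover the action and resource? Handles NotAction/NotResource."""
    if "Action" in st:
        action_ok = _matches(st["Action"], action, True)
    else:
        action_ok = not _matches(st.get("NotAction", []), action, True)
    if "Resource" in st:
        resource_ok = _matches(st["Resource"], resource, False)
    elif "NotResource" in st:
        resource_ok = not _matches(st["NotResource"], resource, False)
    else:
        resource_ok = True   # trust policies and some resource policies omit Resource
    return action_ok and resource_ok


def effects(policies, action, resource):
    """Set of Effect values ('Allow'/'Deny') from every matching statement."""
    found = set()
    for pol in policies:
        for st in _as_list(pol.get("Statement", [])):
            if statement_matches(st, action, resource):
                found.add(st["Effect"])
    return found


def evaluate(action, resource, scps, identity_policies, resource_policies=(), member_account=True):
    """Return (decision, reason). Order mirrors the IAM evaluation logic:
    1. any explicit Deny wins; 2. SCPs must contain an Allow (member accounts
    only, SCPs never apply to the management account); 3. an Allow from an
    identity- or resource-based policy is required; 4. otherwise implicit deny."""
    scp_fx = effects(scps, action, resource) if member_account else {"Allow"}
    id_fx = effects(identity_policies, action, resource)
    res_fx = effects(resource_policies, action, resource)
    if "Deny" in scp_fx:
        return "Deny", "explicit deny in an SCP"
    if "Deny" in id_fx | res_fx:
        return "Deny", "explicit deny in an identity or resource policy"
    if "Allow" not in scp_fx:
        return "Deny", "no SCP allows the action (SCP ceiling; FullAWSAccess not attached?)"
    if "Allow" in id_fx | res_fx:
        return "Allow", "allowed by an identity or resource policy within the SCP ceiling"
    return "Deny", "implicit deny: no matching Allow"


# Constructed policies.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
PROTECT_TRAIL = {"Statement": [{"Sid": "DenyTrailTampering", "Effect": "Deny",
                                "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                                           "cloudtrail:UpdateTrail"],
                                "Resource": "*"}]}
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
READ_ONLY_S3 = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                               "Resource": "arn:aws:s3:::public-*"}]}
BUCKET_DENY = {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
                              "Resource": "arn:aws:s3:::secrets/*"}]}

TRAIL = "arn:aws:cloudtrail:us-east-1:111111111111:trail/main"

if __name__ == "__main__":
    cases = [
        ("cloudtrail:StopLogging", TRAIL, [FULL_AWS_ACCESS, PROTECT_TRAIL], [ADMIN], [], True),
        ("cloudtrail:StopLogging", TRAIL, [FULL_AWS_ACCESS, PROTECT_TRAIL], [ADMIN], [], False),
        ("cloudtrail:DescribeTrails", TRAIL, [FULL_AWS_ACCESS, PROTECT_TRAIL], [ADMIN], [], True),
        ("ec2:RunInstances", "*", [PROTECT_TRAIL], [ADMIN], [], True),
        ("s3:GetObject", "arn:aws:s3:::secrets/db.env", [FULL_AWS_ACCESS], [ADMIN], [BUCKET_DENY], True),
        ("s3:PutObject", "arn:aws:s3:::public-site/index.html", [FULL_AWS_ACCESS], [READ_ONLY_S3], [], True),
    ]
    for action, res, scps, idp, rp, member in cases:
        print(action, res, "->", evaluate(action, res, scps, idp, rp, member))
```

The second case is the one worth remembering during an IR: the same admin identity that is blocked from stopping CloudTrail in a member account is not blocked in the management account, because the SCP layer is skipped there.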
