AWS IAM — Overview
Status: Scaffold — content in progress
AWS Identity and Access Management (IAM) controls authentication and authorization for every AWS API call. Unlike Active Directory, where authentication runs over Kerberos, in AWS every action is an API call signed with the caller's credentials.
IAM Principals
| Type | Description | Attack Risk |
|---|---|---|
| IAM User | Long-term credentials (access key + secret) | Key leakage, no rotation |
| IAM Role | Assumed temporarily via STS | Role chaining, SSRF → IMDS |
| Federated User | External identity via SAML/OIDC | Golden SAML |
| AWS Service | Resource-based policy targets | Cross-service privilege escalation |
| Root Account | God-mode — no restrictions | Must be locked with MFA |
Policies
| Type | Attached To | Scope |
|---|---|---|
| Identity-based | User/Role/Group | What the principal can do |
| Resource-based | S3 bucket, SQS queue, etc. | Who can access the resource |
| Permission boundary | User/Role | Maximum permissions cap |
| SCP (Organizations) | Account/OU | Organization-wide cap |
Privilege Escalation Primitives
- iam:PassRole — pass a higher-privilege role to a service
- iam:AttachUserPolicy — attach a new policy to self
- iam:CreateLoginProfile — create console access for a user that has none
- iam:CreateAccessKey — create new access keys for another user
- lambda:CreateFunction + iam:PassRole — create a Lambda function that runs with a high-privilege role
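The policy table above describes the layers (identity policy, permission boundary, SCP) that cap what a principal can do, and the list above names the IAM permissions that most often turn into privilege escalation. The following added example, written for this page and not AWS's own evaluation engine, ties the two together: it implements a simplified version of the identity-based evaluation path (explicit Deny in any layer wins; otherwise SCP, boundary and identity policy must all Allow) and then reports which of the listed primitives a principal can actually exercise. Resource-based policies, Condition keys and NotAction are deliberately not modelled, and all policy documents and ARNs are constructed samples.

```python
"""Simplified IAM policy evaluation plus a check for the escalation
primitives listed on this page.  Added example, not AWS code: it models
only the identity-based path for a principal in its own account, without
resource policies, Condition blocks or NotAction/NotResource."""
from fnmatch import fnmatchcase

# Primitives named on the page; lambda:CreateFunction only matters together
# with iam:PassRole, so it is recorded as a pair.
PRIMITIVES = {
    "iam:PassRole": ("iam:PassRole",),
    "iam:AttachUserPolicy": ("iam:AttachUserPolicy",),
    "iam:CreateLoginProfile": ("iam:CreateLoginProfile",),
    "iam:CreateAccessKey": ("iam:CreateAccessKey",),
    "lambda:CreateFunction + iam:PassRole": ("lambda:CreateFunction", "iam:PassRole"),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or None for one policy document.

    Action names compare case-insensitively, resources case-sensitively;
    '*' and '?' wildcards are honoured in both."""
    verdict = None
    for stmt in _as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", "*"))
        if not any(fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatchcase(resource, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"            # an explicit deny can never be overridden
        verdict = "Allow"
    return verdict


def is_allowed(action, resource, identity, boundary=None, scp=None):
    """Simplified identity-based evaluation: every layer that is present
    must Allow, and no layer may Deny."""
    layers = [identity] + [p for p in (boundary, scp) if p is not None]
    verdicts = [_evaluate(p, action, resource) for p in layers]
    if "Deny" in verdicts:
        return False
    return all(v == "Allow" for v in verdicts)


def allowed_primitives(identity, boundary=None, scp=None, resource="*"):
    """Names of page-listed escalation primitives the principal can use."""
    return [
        name for name, actions in PRIMITIVES.items()
        if all(is_allowed(a, resource, identity, boundary, scp) for a in actions)
    ]


# --- constructed sample documents (not taken from any real account) ---
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["lambda:*", "iam:PassRole", "iam:CreateAccessKey"],
     "Resource": "*"},
]}
# Boundary lets Lambda work but caps IAM at read-only, so the two IAM
# write permissions granted above fall out of the effective set.
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["lambda:*", "iam:Get*", "iam:List*"], "Resource": "*"},
]}
SCP_FULL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}
# Organisation-wide cap: allow everything, then explicitly deny IAM writes.
SCP_DENY_IAM_WRITES = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["iam:Attach*", "iam:Create*", "iam:PassRole"], "Resource": "*"},
]}

if __name__ == "__main__":
    print("identity only :", allowed_primitives(DEVELOPER_POLICY, scp=SCP_FULL))
    print("with boundary :", allowed_primitives(DEVELOPER_POLICY, BOUNDARY, SCP_FULL))
    print("with deny SCP :", allowed_primitives(DEVELOPER_POLICY, scp=SCP_DENY_IAM_WRITES))
```

Run as a script it shows the same developer policy yielding three primitives on its own, none once the permission boundary is attached, and none under the deny-style SCP. The point for a reviewer is that a permission boundary or SCP is only an effective cap if it is actually attached, and that an explicit Deny is the one control no later Allow can undo.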
Telemetry
AWS CloudTrail logs every API call: principal, action, resource, source IP, response.
Key events: AssumeRole, GetSessionToken, AttachUserPolicy, CreateUser, CreateAccessKey
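To show what "key events" looks like in practice, here is an added detection example (written for this page, not an AWS or vendor tool) that walks CloudTrail records and flags the events named above, raising severity when the request shape matches the primitives in the previous section: CreateAccessKey where the target user differs from the caller, and AttachUserPolicy where the caller targets itself. The records are constructed samples in the CloudTrail record shape (userIdentity, eventName, requestParameters, sourceIPAddress, errorCode); real records carry many more fields, and the account id, user names and IP address are placeholders.

```python
"""Triage constructed CloudTrail records for the IAM events named on this
page.  Added example, not AWS tooling; only the record fields used here
are reproduced in the samples."""
import json

# Events the page calls out as worth watching.
KEY_EVENTS = {"AssumeRole", "GetSessionToken", "AttachUserPolicy",
              "CreateUser", "CreateAccessKey"}


def caller_name(record):
    """IAM user name, or the session name of an assumed-role caller."""
    ident = record.get("userIdentity") or {}
    if ident.get("type") == "IAMUser":
        return ident.get("userName")
    # Assumed-role ARNs end in .../assumed-role/<role>/<session-name>
    return ident.get("arn", "").rsplit("/", 1)[-1] or None


def classify(record):
    """Return (severity, reason) for a key event, or None otherwise."""
    name = record.get("eventName")
    if name not in KEY_EVENTS:
        return None
    params = record.get("requestParameters") or {}
    caller = caller_name(record)
    target = params.get("userName")
    if record.get("errorCode"):
        # Denied attempts at these calls are cheap signal that someone is
        # testing what their credentials can do.
        return ("low", f"{name} failed ({record['errorCode']}) for {caller}")
    if name == "CreateAccessKey" and target and target != caller:
        return ("high", f"{caller} created an access key for another user {target}")
    if name == "AttachUserPolicy" and target == caller:
        return ("high", f"{caller} attached {params.get('policyArn')} to self")
    if name == "CreateUser":
        return ("medium", f"{caller} created user {target}")
    return ("info", f"{name} by {caller}")


def triage(log_text):
    """Parse a CloudTrail log body and return (eventID, severity, reason)."""
    out = []
    for rec in json.loads(log_text).get("Records", []):
        verdict = classify(rec)
        if verdict:
            out.append((rec.get("eventID"), *verdict))
    return out


# --- constructed sample log; account id, names and IP are placeholders ---
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "e1", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "alice"}, "sourceIPAddress": "203.0.113.10"},
    {"eventID": "e2", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "admin-bob"}, "sourceIPAddress": "203.0.113.10"},
    {"eventID": "e3", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "alice",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventID": "e4", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ci-role/build-42"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/deploy"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventID": "e5", "eventSource": "s3.amazonaws.com", "eventName": "GetBucketAcl",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "example-bucket"}, "sourceIPAddress": "203.0.113.10"},
    {"eventID": "e6", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "svc-backup"}, "sourceIPAddress": "203.0.113.10"},
]})

if __name__ == "__main__":
    for event_id, severity, reason in triage(SAMPLE_LOG):
        print(f"{event_id} [{severity}] {reason}")
```

The same record type lands in two different buckets depending on who the target is: alice rotating her own key is routine, alice minting a key for admin-bob is the CreateAccessKey primitive from the previous section. In a real pipeline the records would come from the CloudTrail delivery bucket or an event stream rather than an inline string, and the severity would feed an alerting rule rather than a print.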
Cross-Links
| Topic | Link |
|---|---|
| AWS STS | aws-sts |
| Hybrid Attack Chains | hybrid-attack-chains |