Cloud Identity and Access Management (IAM) with AWS.md - Juan-bit94/Ops401D10 GitHub Wiki

Cloud Identity and Access Management (IAM) with AWS

Why does this topic matter?

  • This topic matters because it helps us understand how an attack can happen, what went wrong, and what can be done in the future to improve security.
  • IAM in AWS (and other cloud providers) is important to implement correctly: in this case the attacker gained access to credentials that had broad permissions across the company's infrastructure.

What were the three commands used for the attack?

  • The first command was "Get Credentials": when executed, it obtained the security credentials of the WAF.Role account (an IAM account) that had elevated access for the AWS Web Application Firewall (WAF).
  • The second command was "List Buckets": when executed, it used those security credentials to list the files and folders within S3 buckets (AWS's storage service).
  • The third command was "Download Files": it used the same credentials to download the files that those credentials could access.

What misconfiguration of AWS components allowed the attacker to access sensitive data?

  • There were two misconfigurations:
    • One was a firewall misconfiguration at the application layer.
    • The second was the set of permissions granted by the financial institution, which were likely broader than intended.
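The following is an added illustration (not part of the original notes and not the institution's real policies) of what "broader than intended" looks like in an IAM policy. It compares a constructed wildcard S3 grant with a constructed policy scoped to one bucket, using a simplified evaluator that only considers Allow statements (no Deny, NotAction or Condition handling; that is an assumption of the example, not how IAM fully evaluates requests).

```python
import fnmatch

# Constructed policies: the role names and bucket names are made up for the example.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Any S3 action on any bucket: a role like this can list and read everything.
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
    ],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Only the actions this workload needs, only on its own bucket.
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-waf-logs"},
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::example-waf-logs/*"},
    ],
}


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # '*' and '?' are wildcards in both action and resource patterns.
    return fnmatch.fnmatchcase(value, pattern)


def allows(policy, action, resource):
    """Simplified evaluator: True if any Allow statement matches action and resource.
    Actions are compared case-insensitively, as IAM does; ARNs are compared as-is."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt or "Resource" not in stmt:
            continue
        action_ok = any(_match(p.lower(), action.lower()) for p in _as_list(stmt["Action"]))
        resource_ok = any(_match(p, resource) for p in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


def audit_s3_grants(policy):
    """Return findings for S3 grants that are wider than a single workload needs."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a for a in _as_list(stmt.get("Action", []))
                   if a == "*" or a.lower().startswith("s3:")]
        if not actions:
            continue
        resources = _as_list(stmt.get("Resource", []))
        if any(r in ("*", "arn:aws:s3:::*") for r in resources):
            findings.append(f"statement {i}: S3 actions {actions} allowed on every bucket")
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions} instead of a named list")
    return findings


if __name__ == "__main__":
    # The two S3 calls from the reading, checked against each policy.
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "ListAllMyBuckets:", allows(policy, "s3:ListAllMyBuckets", "*"))
        print(name, "GetObject on another bucket:",
              allows(policy, "s3:GetObject", "arn:aws:s3:::example-customer-data/export.csv"))
        print(name, "findings:", audit_s3_grants(policy))
```

The scoped policy still lets the workload write its own logs, but the bucket-listing and cross-bucket read that the breach relied on are simply not granted.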

What are two of the AWS Governance practices that could have prevented such attack?

  • The first AWS governance practice that would have helped prevent such an attack is to use CloudTrail, CloudWatch, and/or AWS Lambda to review, and automate responses to, specific actions taken on S3 resources.
  • The second AWS governance practice that would have helped is to ensure each application, EC2 instance, or Auto Scaling group has its own IAM role, and to make sure roles are not shared across unrelated applications.
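As an added example of the review the first practice describes (this is not code from the original notes or from AWS), the script below walks CloudTrail-style S3 records and flags two things: a workload role enumerating every bucket in the account (the "List Buckets" step), and a role reading from a bucket outside the set it is expected to use (the per-role separation the second practice asks for). The records, account id, role names and buckets are constructed for the example; the field names follow the CloudTrail record format. In practice the same logic would run in a Lambda function fed from the CloudTrail log bucket or a CloudWatch Logs subscription.

```python
import json

# Constructed CloudTrail-style records; not real log data.
SAMPLE_RECORDS = json.loads("""
{"Records": [
 {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
  "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::123456789012:assumed-role/example-WAF-Role/i-0example"},
  "sourceIPAddress": "198.51.100.10", "requestParameters": null},
 {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::123456789012:assumed-role/example-WAF-Role/i-0example"},
  "sourceIPAddress": "198.51.100.10",
  "requestParameters": {"bucketName": "example-waf-logs", "key": "2019/log.gz"}},
 {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::123456789012:assumed-role/example-WAF-Role/i-0example"},
  "sourceIPAddress": "198.51.100.10",
  "requestParameters": {"bucketName": "example-customer-data", "key": "export.csv"}},
 {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::123456789012:assumed-role/example-Reporting-Role/i-0other"},
  "sourceIPAddress": "10.0.0.5",
  "requestParameters": {"bucketName": "example-reports", "key": "q1.pdf"}},
 {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example-admin"},
  "sourceIPAddress": "10.0.0.9", "requestParameters": null}
]}
""")["Records"]

# Per-role allowlist: the buckets each workload role is expected to touch.
# One role per application means this table stays small and reviewable.
EXPECTED_BUCKETS = {
    "example-WAF-Role": {"example-waf-logs"},
    "example-Reporting-Role": {"example-reports"},
}

READ_EVENTS = {"GetObject", "ListObjects", "ListObjectsV2"}


def role_name(record):
    """Extract the role name from an assumed-role session ARN, or None for other identities."""
    arn = record.get("userIdentity", {}).get("arn", "")
    # Format: arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
    if ":assumed-role/" in arn:
        return arn.split(":assumed-role/", 1)[1].split("/", 1)[0]
    return None


def review_s3_events(records, expected=EXPECTED_BUCKETS):
    """Return (role, eventName, bucket, reason) tuples for S3 calls worth a look."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        role = role_name(rec)
        if role is None:
            continue  # this review is scoped to workload roles
        name = rec.get("eventName")
        params = rec.get("requestParameters") or {}
        if name == "ListBuckets":
            # A workload role rarely needs to enumerate the whole account.
            findings.append((role, name, None, "enumerated all buckets in the account"))
        elif name in READ_EVENTS:
            bucket = params.get("bucketName")
            if bucket not in expected.get(role, set()):
                findings.append((role, name, bucket, "read outside the role's expected buckets"))
    return findings


if __name__ == "__main__":
    for finding in review_s3_events(SAMPLE_RECORDS):
        print(finding)
```

Two findings come out of the sample: the WAF role listing every bucket, and the WAF role reading from the customer-data bucket. The reporting role's read of its own bucket and the non-S3 event are left alone.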

Things I want to know more about

  • I'd like to know how long the investigation and report filing took. I understand that they caught the hacker and notified the proper authorities and stakeholders.
  • Time is a factor, so I'd like to know how long it took and whether there is an industry standard for the time it takes.