Read 16 401 - jserpa-p/lisbon-ops-301n1_Reading GitHub Wiki
Cloud Identity and Access Management (IAM) with AWS
Identity and Access Management (IAM) lets administrators authorize who can take action on specific resources, giving you full control and visibility to manage Google Cloud resources centrally.
In IAM there are 3 steps: 1. Provisioning; 2. Review; 3. Revocation
AWS IAM
Authentication - Logins (Who?)
Authorization - What people are allowed to do (What?)
IAM objects:
- Users
- Groups
- Roles
- Policies (JSON Documents)
AWS Policies
Inline Policy - A policy created for a single IAM identity (a user, group, or role).
Managed Policy - A customer managed policy is a standalone policy that you administer in your own AWS account.
Questions
- What were the three commands used for the attack?
$ aws s3 ls
$ aws s3 sync s3://somebucket
$ aws s3 is
- What misconfiguration of AWS components allowed the attacker to access sensitive data?
A misconfiguration error at the application layer of a firewall installed by Financial Institution, exacerbated by permissions set by Financial Institution that were likely broader than intended.
- What are two of the AWS Governance practices that could have prevented such attack?
First, use CloudTrail, CloudWatch, and/or AWS Lambda services to review and automate specific actions taken on S3 resources. Second, ensure each application, EC2 instance, or autoscaling group has its own IAM role; do not share roles across unrelated applications.
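A review step for the "permissions broader than intended" problem, as an added example that is not part of the original notes: it reads IAM policy JSON documents and reports which Allow statements grant, on every bucket, the S3 permissions behind the `aws s3 ls` and `aws s3 sync` commands above. The policy documents, Sids and bucket name are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# S3 permissions behind the commands quoted above: `aws s3 ls` needs
# s3:ListAllMyBuckets, `aws s3 sync` needs s3:ListBucket and s3:GetObject.
PROBES = ("s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject")
ALL_BUCKETS = ("*", "arn:aws:s3:::*", "arn:aws:s3:::*/*")

def _as_list(value):
    # IAM accepts a single value or a list for Statement/Action/Resource.
    return value if isinstance(value, list) else [value]

def broad_s3_grants(policy):
    """Map statement id -> probe actions it allows on every bucket."""
    findings = {}
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt or "NotResource" in stmt:
            # Inverted matches are easy to get wrong; send to a human.
            findings[sid] = ["manual review: NotAction/NotResource"]
            continue
        # Action names are case-insensitive; * and ? are wildcards.
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        wide = any(r in ALL_BUCKETS for r in _as_list(stmt.get("Resource", [])))
        hits = [a for a in PROBES
                if any(fnmatchcase(a.lower(), p) for p in patterns)]
        if wide and hits:
            findings[sid] = hits
    return findings

# Constructed sample policies (hypothetical Sids and bucket name).
SHARED_ROLE = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Sid": "SharedRoleS3", "Effect": "Allow",
                "Action": ["s3:List*", "s3:Get*"], "Resource": "*"}]}
""")
SCOPED_ROLE = json.loads("""
{"Version": "2012-10-17",
 "Statement": {"Sid": "AppLogsOnly", "Effect": "Allow",
               "Action": "s3:PutObject",
               "Resource": "arn:aws:s3:::example-app-logs/*"}}
""")

if __name__ == "__main__":
    for name, doc in (("shared", SHARED_ROLE), ("scoped", SCOPED_ROLE)):
        print(name, broad_s3_grants(doc) or "no account-wide S3 read/list")
```

The scoped policy passes because its single write action is limited to one bucket's objects, which is the per-application role the second practice describes.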
Important Concepts
Privilege Escalation - A cyberattack designed to gain unauthorized privileged access into a system.
SSRF (Server Side Request Forgery) - A web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.
PDF for the questions: https://www.zscaler.com/resources/white-papers/capital-one-data-breach.pdf