IAM Permission Boundaries

How can I use permissions boundaries to limit the scope of IAM users and roles, and also prevent privilege escalation?

Original: https://aws.amazon.com/premiumsupport/knowledge-center/iam-permission-boundaries/

Resolution

Use the following example IAM policy to provide these restrictions:

  • Any IAM principal created by IAM admins can have full access to AWS resources. Whether a principal actually gets that access depends on its identity-based policies, because a permissions boundary grants no permissions on its own; it only caps what the identity-based policies can grant.
  • The policy restricts IAM principals from accessing AWS Billing and Cost Management related services.
  • IAM principals can’t alter the permissions boundary to allow their own permissions to access restricted services.
  • IAM admins can’t create IAM principals with more privileges than they already have.
  • The IAM principals created by IAM admins can’t create IAM principals with more permissions than the IAM admins have.

Save this policy as a managed policy named ScopePermissions. Replace YourAccount_ID with your account ID.
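The policy document itself is not reproduced above, so the following is an added example written for this page, not the policy from the AWS article. It implements the restrictions listed: everything is allowed except billing-related services, principals may only be created with this same boundary attached, and nobody may remove or edit the boundary. The billing action prefixes (aws-portal, budgets, ce, cur) are an assumption about which services count as "Billing and Cost Management"; the boundary ARN uses the page's own YourAccount_ID placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FullAccessExceptBillingAssumedPrefixes",
      "Effect": "Allow",
      "NotAction": ["aws-portal:*", "budgets:*", "ce:*", "cur:*"],
      "Resource": "*"
    },
    {
      "Sid": "DenyCreatingPrincipalsWithoutAnyBoundary",
      "Effect": "Deny",
      "Action": ["iam:CreateUser", "iam:CreateRole"],
      "Resource": "*",
      "Condition": { "Null": { "iam:PermissionsBoundary": "true" } }
    },
    {
      "Sid": "DenyAnyBoundaryOtherThanScopePermissions",
      "Effect": "Deny",
      "Action": ["iam:CreateUser", "iam:CreateRole", "iam:PutUserPermissionsBoundary", "iam:PutRolePermissionsBoundary"],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "iam:PermissionsBoundary": "arn:aws:iam::YourAccount_ID:policy/ScopePermissions"
        }
      }
    },
    {
      "Sid": "DenyRemovingTheBoundary",
      "Effect": "Deny",
      "Action": ["iam:DeleteUserPermissionsBoundary", "iam:DeleteRolePermissionsBoundary"],
      "Resource": "*"
    },
    {
      "Sid": "DenyEditingTheBoundaryPolicyItself",
      "Effect": "Deny",
      "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy", "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
      "Resource": "arn:aws:iam::YourAccount_ID:policy/ScopePermissions"
    }
  ]
}
```

The chain only holds if ScopePermissions is set as the permissions boundary on the IAM admins themselves as well as on every principal they create; the separate Null check is there because a missing iam:PermissionsBoundary key (no boundary passed at creation) would otherwise rely on how negated operators treat absent keys.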


AWS Shared Responsibility Model

The AWS Shared Responsibility Model is described in the Security Pillar of the AWS Well-Architected Framework:

Overview of the AWS shared responsibility model


AWS Service costs: S3

Welcome to the first post in the “AWS Service costs” series.

This is a fairly easy one: S3

Amazon S3 is a cloud object storage service.

The answer to the question:

Can I test this AWS service without paying a lot of money?
Yes, you can.