MMNA
Module 2 / 3
π AWS SECURITY ENGINEERING
IAM Misconfigurations & Hardening Strategies
Learn to identify and eliminate common IAM misconfigurations. Master the principles and tactical patterns that transform weak IAM into enterprise-grade security architecture.
β οΈ COMMON MISCONFIGURATIONS
Common IAM Misconfigurations
These patterns appear in 90% of organizations. Fixing them is the foundation of IAM hardening.
1. Wildcard Permissions (iam:*, s3:*, *)
Policies that grant broad permissions using wildcards are the most dangerous
misconfiguration.
β PROBLEM: Developer role with "iam:*" can create new admin roles and assume them. Full
privilege escalation with a single compromised credential.
{ "Effect": "Allow", "Action": "iam:*", "Resource": "*" }
β SOLUTION: Replace wildcards with explicit actions. Developer only needs to assume their
specific role.
{ "Effect": "Allow", "Action": [ "sts:AssumeRole" ], "Resource":
"arn:aws:iam::ACCOUNT:role/Developer" }
2. Lack of MFA Enforcement
Not requiring MFA for sensitive operations leaves accounts vulnerable to credential theft.
β PROBLEM: IAM user with access keys (no MFA required) gets compromised. Attacker has
instant full accessβno second factor to block them.
// Vulnerable: No MFA condition { "Effect": "Allow", "Action": "ec2:*", "Resource": "*" }
β SOLUTION: Require MFA for all sensitive operations (console access, role assumption,
credential management).
{ "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*", "Condition": { "Bool":
{"aws:MultiFactorAuthPresent": "true"} } }
3. Role Chaining Without Visibility
Allowing unlimited role chaining creates lateral movement paths that are difficult to audit
and contain.
β PROBLEM: Lambda role can assume any cross-account role (wildcard in AssumeRole principal).
Attacker uses Lambda to chain through 5+ roles to reach admin in another account.
{ "Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole" }
β SOLUTION: Explicit role chaining. Lambda can assume ONLY specific roles needed for its
function.
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::ACCOUNT1:role/Lambda" }, "Action":
"sts:AssumeRole" }
4. Over-Permissioned Service Roles
Service roles (EC2, Lambda, ECS) with excessive permissions become targets for exploitation.
β PROBLEM: EC2 instance role has "s3:*" on all buckets. Attacker exploits EC2 vulnerability,
gains role credentials, exfiltrates entire S3 data lake.
β SOLUTION: Least-privilege service roles. EC2 only gets explicit S3 buckets and actions it
actually needs.
{ "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": [
"arn:aws:s3:::app-bucket/logs/*" ] }
5. Wildcard Trust Relationships
Role trust policies allowing any principal in an account (or any account) to assume the
role.
β PROBLEM: Role trust allows "Principal": "*" or any AWS account. Malicious actor from
outside your organization assumes your sensitive role.
{ "Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole" }
β SOLUTION: Explicit trust relationships. Only specific principals (users, services,
cross-account roles) can assume sensitive roles.
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/specific-user" },
"Action": "sts:AssumeRole" }
6. No Session Duration Limits
Session tokens without expiration or duration limits allow indefinite access after
compromise.
β PROBLEM: Service role with 12-hour session duration. Attacker obtains session token. Can
operate for full 12 hours undetected.
β SOLUTION: Short session durations (1 hour max). Forces credential refresh and limits
window of exposure.
// Set max session duration to 1 hour (3600 seconds) { "MaxSessionDuration": 3600 }
π‘οΈ HARDENING PRINCIPLES
IAM Hardening Principles
Transform IAM from a security liability into an impenetrable access control system.
π―
Principle 1: Least Privilege
Grant ONLY the minimum permissions needed for a principal to perform its function. Start with zero permissions. Add only explicit, required actions. Default to deny.
βοΈ
Principle 2: Policy Segmentation
Break permissions into focused policies by role, environment, and function. Separate read-only from write permissions. Separate management from operational access.
π
Principle 3: Regular Access Reviews
Audit permissions monthly. Remove unused roles and principals. Update policies as job functions change. Document justification for each permission.
βοΈ Least Privilege Architecture Pattern
Step 1: Define the Job Function
Document EXACTLY what the principal needs to do. Example: "Lambda function that reads from S3 bucket X and writes CloudWatch logs."
Document EXACTLY what the principal needs to do. Example: "Lambda function that reads from S3 bucket X and writes CloudWatch logs."
Step 2: Map to AWS Actions
Convert functional requirements to specific IAM actions. Example: s3:GetObject, logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents.
Convert functional requirements to specific IAM actions. Example: s3:GetObject, logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents.
Step 3: Restrict to Resources
Limit actions to ONLY the required resources. Example: Allow s3:GetObject only on "arn:aws:s3:::app-bucket/inputs/*", NOT on all buckets.
Limit actions to ONLY the required resources. Example: Allow s3:GetObject only on "arn:aws:s3:::app-bucket/inputs/*", NOT on all buckets.
Step 4: Add Conditions (When
Applicable)
Time-based restrictions, IP restrictions, MFA requirements, encryption requirements. Example: "Deny S3 DeleteObject unless encrypted with customer-managed keys."
Time-based restrictions, IP restrictions, MFA requirements, encryption requirements. Example: "Deny S3 DeleteObject unless encrypted with customer-managed keys."
Policy Segmentation Strategy
| Policy Type | Purpose | Attachment |
|---|---|---|
| Identity-Based Policies | Define what a principal (user/role) can do | Attached to users, groups, roles |
| Resource-Based Policies | Define who can access a resource (S3 bucket, SQS queue, etc.) | Attached to resources |
| Permission Boundaries | Set max permissions ceiling for a role | Attached to roles as safety guardrail |
| Session Policies | Further restrict permissions during role assumption | Applied when assuming role temporarily |
| SCPs (Service Control Policies) | Organizational-level permission boundaries | Applied to AWS accounts in organization |
π Access Review Checklist (Monthly)
- β List all active IAM users and roles
- β Verify last access date for each principal (CloudTrail)
- β Identify unused roles/users (no activity in 30 days)
- β Review all policies with wildcard permissions (*)
- β Verify MFA is enforced for console access
- β Audit cross-account role trust relationships
- β Check for unused access keys (rotate or delete)
- β Validate service role permissions match documented job functions
- β Test that Deny policies are working as intended
- β Document findings and remediation plan
ποΈ ARCHITECTURE PATTERNS
Secure Architecture Patterns
Industry-proven patterns for deploying IAM at scale without sacrificing security.
π Pattern 1: Multi-Account Security Model
Organize AWS accounts by function (logging, security, development, production, data). This
creates natural boundaries that prevent lateral movement.
Architecture:
[Root Org] β [Security Account] β [Logging + Monitoring]
β [Dev Account]
β [Prod Account] (restricted cross-account access)
β [Data Account] (no internet access)
[Root Org] β [Security Account] β [Logging + Monitoring]
β [Dev Account]
β [Prod Account] (restricted cross-account access)
β [Data Account] (no internet access)
Benefits:
- β Blast radius containment: Compromise in dev doesn't affect prod
- β Clear trust boundaries: Cross-account roles explicitly define allowed access
- β Audit-friendly: Logging centralized in security account
- β Scalable: Add new workloads in new accounts without changing core security
π₯ Pattern 2: Role-Based Security Planning
Create a matrix of roles your organization needs. Define permissions for each role ONCE, then
assign users/services to roles. Simplifies management and reduces errors.
Role Matrix Example:
| Role | Purpose | Key Permissions |
|---|---|---|
| DevOps-Pipeline | CI/CD automation | EC2:Describe*, CodeDeploy:*, S3 artifacts |
| App-Service | Application runtime | RDS:DescribeDB*, S3:GetObject, Secrets:GetSecretValue |
| Security-Audit | Read-only compliance auditing | *:Describe*, *:Get*, *:List* (no write/delete) |
| Admin-Break-Glass | Emergency-only full access | * (but requires MFA + approval log) |
Benefits:
- β Consistency: All devops engineers get same permissions
- β Simplicity: Developers think in roles, not individual actions
- β Compliance: Audit role definitions (not 100 individual policies)
- β Agility: Add new user to role, instant right permissions
π Pattern 3: Privileged Access Workstations (PAW)
For sensitive operations (admin tasks, production changes), use dedicated, hardened workstations
with strong MFA and audit logging.
Implementation:
- β PAW is separate from daily work computer (no email, browsing)
- β Requires hardware MFA (U2F/FIDO2, not SMS)
- β All actions logged to centralized SIEM
- β Access to PAW role itself requires MFA
- β Network isolation: PAW can only reach AWS, not internet
π RESOURCES
External Learning References
Deepen your understanding of IAM hardening with official AWS whitepapers and architecture guides: