AWS IAM Forensics & Incident Response

Forensic Labs
5 min readMar 23, 2023

Continuing our series on Cloud Forensics & Incident Response, we’ve now posted the third video in our series.

It’s titled “AWS IAM Forensics & Incident Response” and you can watch it in YouTube now:

We’ve built a platform to perform incident response and forensics in AWS/Azure/GCP — you can grab a free trial here. You can also download a free playbook we’ve written on how to respond to security incidents in AWS.

What are… Cloud security incident domains?

Service domain — Incidents in the service domain might affect your AWS account, AWS Identity and Access Management (IAM) permissions, resource metadata, billing, or other areas. A service domain event is one that you respond to exclusively with AWS API mechanisms, or where you have root causes associated with your configuration or resource permissions, and might have related service-oriented logging.

Infrastructure domain — Incidents in the infrastructure domain include data or network-related activity, such as processes and data on your Amazon Elastic Compute Cloud (Amazon EC2) instances…

Application domain — Incidents in the application domain occur in the application code or in software deployed to the services or infrastructure…

From/See “AWS Security Incident Response Guide”

What is AWS IAM?

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources.

With IAM, you can centrally manage permissions that control which AWS resources users can access.

You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.

What is the IAM workflow?

The IAM workflow includes the following six elements:

  • A principal is an entity that can perform actions on an AWS resource. A user, a role or an application can be a principal.
  • Authentication is the process of confirming the identity of the principal trying to access an AWS product.
  • Authorization is the process of granting or denying access to AWS resources.
  • Policies are documents that define permissions for a principal.
  • A resource is an AWS entity that the principal can access.
  • A request is an attempt to access an AWS resource

What are Policies?

In AWS Identity and Access Management (IAM), policies are used to define permissions for an action regardless of the method that you use to perform the operation. There are six types of policies that AWS supports: identity-based policies, resource-based policies, permissions boundaries, Organizations SCPs, ACLs, and session policies.

Identity-based policies are the most common type of policy and are attached to an IAM identity (user, group, or role) or an AWS account. Resource-based policies are attached to a resource, such as an Amazon S3 bucket or an Amazon SQS queue.

You can create your own policies or use AWS managed policies. AWS managed policies are created and managed by AWS, whereas customer managed policies are created and managed by you.

How does IAM Work?

From “AWS Identity and Access Management (IAM) deep dive” by Becky Weiss @ AWS

Great talk!

What is Identity Federation?

“If you already manage user identities outside of AWS, you can use IAM identity providers instead of creating IAM users in your AWS account. With an identity provider (IdP), you can manage your user identities outside of AWS and give these external user identities permissions to use AWS resources in your account. This is useful if your organization already has its own identity system, such as a corporate user directory.”

“How to Establish Federated Access to Your AWS Resources by Using Active Directory User Attributes” —

What AWS IAM Logging is there?

AWS CloudTrail captures all API calls for IAM and AWS STS as events, including calls from the console and API calls.

AWS Identity and Access Management Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This helps you identify unintended access to your resources and data, which is a security risk.

Also check-out the policy simulator

How do I block access in AWS IAM?

See “Identity & Access Management” in AWS Well-Architected Labs

See “Incident_Response_Playbook_AWS_IAM” Jupyter Notebook for how to investigate IAM/CloudTrail

AWS IAM in Cado Response