AWS Access Keys

• AWS IAM users can have up to 2 sets of access keys

• Consider creating a second pair after compromising the first so that you have a backup if the first keys get burned

# list all iam access keys for a user
aws iam list-access-keys --user-name <iamUserName> --profile <awsProfile>

# create iam access keys
aws iam create-access-key --user-name <iamUserName> --profile <awsProfile>

AWS Trust Policies

• Consider accessing an IAM Role, which can function across AWS accounts

• Even if you lose direct access to the target account, you can still assume the role from another account if you've modified the role's Trust Policy

# assume an iam role
aws sts assume-role --role-arn <arnIamRole> --role-session-name <whatever> --profile <awsProfile>

AWS Vulnerable Trust Policies

• Poorly written IAM policies can lead to unintended behavior

• Consider this policy which allows the Lambda service from any AWS account to assume this role

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
	  "AWS": "*",
	  "Service": "lambda.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }
  ]
}