Further details on privilege escalation for cross-account role assumption — I’ve gotten some responses to my article where I argue that cross-account role trust policies should trust accounts, not principals within the accounts. A lot of them took the form of “it provides an extra layer of defense” along with “it can’t hurt”. I think I adequately covered why it…

Your role’s trust policy should be representative of the security boundary and not give a false sense of security. — In my article on IAM principals, I mentioned that when creating a cross-account role trust policy, it’s generally better to trust the entire account, rather than a particular principal within that account. I got some questions on why, so here are the details! Note: there’s a follow-up to this article…

Please, I’m begging you — learn about how the AWS CLI and SDK retrieve and refresh credentials. There are such good options! — We need to talk about how AWS credential configuration works. Many people have more than one IAM principal that they use on a regular basis, most likely because of multiple accounts, though they may also have multiple principals available to them within a given account. The ways I see a…

Resource policies can unilaterally grant access, even if it isn’t within the permissions boundary — AWS IAM Permission Boundaries Has A Caveat That May Surprise You Note: this article was originally published on September 1, 2021. It erroneously stated that the resource policy could reference the role, rather than the assumed role session. I removed it pending an update. The confusion, complexity, and poor documentation led me to publish I Trust AWS IAM to Secure My…

We need better AWS IAM documentation so that we can confidently and successfully use the extensive power of IAM to gain the security we… — AWS IAM operates at an immense scale, more than 400 million operations per second, and the stakes are frankly terrifying; a substantial portion of the internet runs on AWS, and access to those resources is regulated by IAM. I’m therefore glad that the people who design and run IAM are…

This article explains the basics of AWS authentication: the way you gain an identity that you can use to access AWS services — Note: this article uses the boto3, the AWS Python SDK, as an example, but other SDKs have analogous features. I’ve found that newcomers to AWS can sometimes get confused by what it means to have AWS credentials, and that people have notions of “logging into AWS” that don’t really correspond…

Line continuations should be avoided in code, but are useful in this case! — You’re writing some Python, and you need to write out a string containing newlines. You’ve got two options: a regular string with \n in it, or a multi-line string literal using three double quotes (are those sextuple quotes?), which looks like this: my_string = """This is a multi-line string""" assert…

AWS needs an identity that uniquely represents its users, not fractured across corporate identity providers. — My name is Ben Kehoe. I’m an AWS Serverless Hero. I’ve spoken at re:Invent. I meet regularly with teams across AWS. I’m followed by @awscloud on Twitter. But AWS doesn’t know who I am. On GitHub, I’m benkehoe. I’m benkehoe when I’m building personal projects like aws-whoami, and I’m benkehoe…

We shouldn’t aim for one serverless compute model to rule them all. A handful of different models will make better tradeoffs. — In 2018, AWS Lambda increased the maximum time a function can run from 5 minutes to 15 minutes. This was a great thing! Ever since then, people have been asking for another increase. And while I am fully on board with the need for serverless compute for longer workloads, I…