AWS reference
Critical services, gotchas, and where logs live
IAM: Identity and Access Management — users, roles, policies, federated identity
↳ Wildcard policies (*:*) are catastrophic. AssumeRole + sts:AssumeRoleWithWebIdentity = federated trust path.
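A linter for the wildcard-policy gotcha above, added here as an example (not AWS tooling). The policy document is constructed, and PRIVILEGE_ACTIONS is an illustrative subset of actions that let a principal widen its own access, not an exhaustive list. It flags Action * on Resource *, service-wide wildcards on every resource, NotAction statements (an inverted allow-list that reviewers often misread), and privilege-widening actions even when the Resource is scoped.

```python
"""Lint IAM policy documents for over-broad Allow statements (added example)."""
import fnmatch
import json

# Constructed sample policy mixing catastrophic, broad and scoped statements.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "S3Broad", "Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Sid": "Scoped", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PassRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/app-role"},
        {"Sid": "NotActionTrap", "Effect": "Allow", "NotAction": "iam:*",
         "Resource": "*"},
    ],
})

# Actions that let a principal widen its own access; flagged even when the
# Resource is scoped. Illustrative subset (assumption), lower-cased for matching.
PRIVILEGE_ACTIONS = (
    "iam:*", "iam:passrole", "iam:createpolicyversion", "iam:attachuserpolicy",
    "iam:attachrolepolicy", "iam:putuserpolicy", "iam:putrolepolicy",
    "iam:updateassumerolepolicy", "sts:assumerole",
)


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(document: str) -> list:
    """Return findings (dicts with sid, level, reason) for risky Allow statements."""
    findings = []
    policy = json.loads(document)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no-sid>")
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        all_resources = "*" in _as_list(stmt.get("Resource"))

        # NotAction + Resource * permits everything except the named actions.
        if "NotAction" in stmt and all_resources:
            findings.append({"sid": sid, "level": "HIGH",
                             "reason": "NotAction with Resource * permits every other action"})

        if "*" in actions and all_resources:
            findings.append({"sid": sid, "level": "CRITICAL",
                             "reason": "Action * on Resource * (full administrator)"})
            continue  # lesser findings for this statement would be noise

        if all_resources and any(a.endswith(":*") for a in actions):
            findings.append({"sid": sid, "level": "HIGH",
                             "reason": "service-wide wildcard action on every resource"})

        # Action patterns such as iam:* or iam:Pass* are globs; match them as such.
        granted = [p for p in PRIVILEGE_ACTIONS
                   if any(fnmatch.fnmatchcase(p, a) for a in actions)]
        if granted:
            findings.append({"sid": sid, "level": "HIGH",
                             "reason": "grants privilege-widening action(s): " + ", ".join(granted)})
    return findings


if __name__ == "__main__":
    for f in lint_policy(SAMPLE_POLICY):
        print(f"{f['level']:8} {f['sid']:14} {f['reason']}")
```

Run it over the output of `aws iam get-policy-version` or an inline role policy; Deny statements and Condition blocks are ignored here, so a finding is a prompt to read the statement, not a verdict.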
STS: Security Token Service — temporary credentials via AssumeRole
↳ Session tokens are bearer credentials. Look for unusual sts:GetCallerIdentity in CloudTrail.
Organizations: multi-account management, SCPs (Service Control Policies)
↳ SCPs apply to member-account root users too (but never to the management account). Cross-account trust paths are key for privesc.
IAM Identity Center (formerly AWS SSO): workforce identity federation
↳ Permission sets bound to OUs/accounts. Common federation entry from Okta/Entra/Google.
EC2: Elastic Compute Cloud — virtual machines
↳ Instance metadata (IMDSv1/v2) — SSRF can steal role creds. Always require IMDSv2.
Lambda: serverless functions
↳ Execution role inherits permissions. Dependency confusion + role escalation = supply chain.
ECS: container orchestration (EC2-backed and serverless/Fargate)
↳ Task role + execution role distinct. Task IMDS available unless explicitly blocked.
EKS: managed Kubernetes
↳ IRSA maps K8s service accounts to IAM roles. RBAC misconfig + node IMDS = cluster-wide compromise.
S3: Simple Storage Service — object storage
↳ Block Public Access at account + bucket level. ACLs + bucket policy + IAM = three overlapping control planes.
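The three overlapping control planes, worked through as an added example (not AWS code). It models the published Block Public Access semantics with constructed bucket state: the account and bucket settings combine per flag (stricter wins), the two "block" flags only reject new public grants while the "ignore" and "restrict" flags are what neutralise grants that already exist, and a Principal * statement with any Condition is assumed to be narrowed (a simplification; AWS keeps a specific list of conditions that still count as public).

```python
"""Which control planes currently expose an S3 bucket anonymously? (added example)"""
from dataclasses import dataclass

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


@dataclass(frozen=True)
class BlockPublicAccess:
    block_public_acls: bool = False        # reject new public ACL grants
    ignore_public_acls: bool = False       # neutralise existing public ACL grants
    block_public_policy: bool = False      # reject new public bucket policies
    restrict_public_buckets: bool = False  # neutralise an existing public policy


ALL_ON = BlockPublicAccess(True, True, True, True)


def effective_bpa(account: BlockPublicAccess, bucket: BlockPublicAccess) -> BlockPublicAccess:
    """Account and bucket levels combine per flag; the stricter setting applies."""
    return BlockPublicAccess(
        account.block_public_acls or bucket.block_public_acls,
        account.ignore_public_acls or bucket.ignore_public_acls,
        account.block_public_policy or bucket.block_public_policy,
        account.restrict_public_buckets or bucket.restrict_public_buckets,
    )


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _public_principal(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_is_public(policy: dict) -> bool:
    """Allow + Principal * with no Condition. Simplification (assumption): any
    Condition is treated as narrowing the statement to non-public."""
    return any(
        s.get("Effect") == "Allow" and _public_principal(s.get("Principal"))
        and "Condition" not in s
        for s in _as_list(policy.get("Statement", []))
    )


def acl_is_public(grants: list) -> bool:
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES for g in grants)


def exposure(account_bpa, bucket_bpa, policy, acl_grants) -> list:
    """Return the control planes ('acl', 'policy') through which the bucket is public now."""
    eff = effective_bpa(account_bpa, bucket_bpa)
    paths = []
    # block_public_acls / block_public_policy only stop *new* grants. An ACL or
    # policy that was already public stays effective until ignore_public_acls /
    # restrict_public_buckets is on; that is the gotcha this makes visible.
    if acl_is_public(acl_grants) and not eff.ignore_public_acls:
        paths.append("acl")
    if policy_is_public(policy) and not eff.restrict_public_buckets:
        paths.append("policy")
    return paths


# Constructed bucket state: public-read ACL grant plus a Principal * policy.
SAMPLE_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*",
                                "Action": "s3:GetObject",
                                "Resource": "arn:aws:s3:::example-bucket/*"}]}
SAMPLE_ACL = [{"Grantee": {"Type": "Group",
                           "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
               "Permission": "READ"}]

if __name__ == "__main__":
    print("no BPA:           ", exposure(BlockPublicAccess(), BlockPublicAccess(), SAMPLE_POLICY, SAMPLE_ACL))
    print("only block flags: ", exposure(BlockPublicAccess(True, False, True, False), BlockPublicAccess(), SAMPLE_POLICY, SAMPLE_ACL))
    print("account all on:   ", exposure(ALL_ON, BlockPublicAccess(), SAMPLE_POLICY, SAMPLE_ACL))
```

Feed it the outputs of get-public-access-block (account and bucket), get-bucket-policy and get-bucket-acl; the second case in the `__main__` block is the one that surprises people during reviews.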
EBS: Elastic Block Store — block volumes for EC2
↳ Snapshots can be made public. CreateSnapshot + ModifySnapshotAttribute is a classic exfil chain.
EFS: Elastic File System — managed NFS
↳ Mount target SGs control access. Often forgotten in network reviews.
RDS: Relational Database Service
↳ CreateDBSnapshot → ShareDBSnapshot to attacker account = data exfil. Public RDS instances frequent.
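Detection logic for the two snapshot exfil chains above (EBS ModifySnapshotAttribute and the RDS sharing step, which is the ModifyDBSnapshotAttribute / ModifyDBClusterSnapshotAttribute call with attribute restore), added here as an example rather than anything AWS ships. The events are constructed in the CloudTrail record layout; the exact requestParameters shapes are assumed from the underlying API parameters, and TRUSTED_ACCOUNTS stands in for your organisation's account list. Denied attempts are kept, marked as attempted, since a failed attempt to publish a snapshot is still worth a look.

```python
"""Alert on EBS/RDS snapshots shared publicly or outside the org (added example)."""

# Constructed: accounts that belong to our organisation (assumption).
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}

RDS_SHARE_EVENTS = {"ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute"}

# Constructed CloudTrail records; requestParameters shapes are assumptions.
SAMPLE_EVENTS = [
    {   # benign: EBS snapshot shared with a sibling account inside the org
        "eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/backup-admin"},
        "requestParameters": {
            "snapshotId": "snap-0aaa111", "attributeType": "CREATE_VOLUME_PERMISSION",
            "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}}},
    {   # EBS snapshot made public (group=all)
        "eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
        "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/dev-role/session"},
        "requestParameters": {
            "snapshotId": "snap-0bbb222", "attributeType": "CREATE_VOLUME_PERMISSION",
            "createVolumePermission": {"add": {"items": [{"group": "all"}]}}}},
    {   # RDS snapshot shared with an account outside the org
        "eventSource": "rds.amazonaws.com", "eventName": "ModifyDBSnapshotAttribute",
        "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/dev-role/session"},
        "requestParameters": {"dBSnapshotIdentifier": "prod-db-final",
                              "attributeName": "restore", "valuesToAdd": ["999999999999"]}},
    {   # denied attempt to publish an Aurora cluster snapshot; still alert-worthy
        "eventSource": "rds.amazonaws.com", "eventName": "ModifyDBClusterSnapshotAttribute",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"},
        "errorCode": "AccessDenied",
        "requestParameters": {"dBClusterSnapshotIdentifier": "aurora-1",
                              "attributeName": "restore", "valuesToAdd": ["all"]}},
    {   # noise
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeSnapshots",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/backup-admin"},
        "requestParameters": {}},
]


def _alert(ev, level, target, account, reason):
    return {"level": level, "target": target, "account": account, "reason": reason,
            "actor": ev.get("userIdentity", {}).get("arn", "<unknown>"),
            "status": "attempted" if ev.get("errorCode") else "succeeded"}


def detect_snapshot_sharing(events, trusted_accounts):
    """Return alerts for snapshot sharing to 'all' or to accounts outside trusted_accounts."""
    alerts = []
    for ev in events:
        src, name = ev.get("eventSource"), ev.get("eventName")
        params = ev.get("requestParameters") or {}
        if src == "ec2.amazonaws.com" and name == "ModifySnapshotAttribute":
            target = params.get("snapshotId", "<unknown>")
            items = params.get("createVolumePermission", {}).get("add", {}).get("items", [])
            for item in items:
                if item.get("group") == "all":
                    alerts.append(_alert(ev, "CRITICAL", target, "all", "EBS snapshot made public"))
                elif item.get("userId") and item["userId"] not in trusted_accounts:
                    alerts.append(_alert(ev, "HIGH", target, item["userId"],
                                         "EBS snapshot shared outside the organisation"))
        elif (src == "rds.amazonaws.com" and name in RDS_SHARE_EVENTS
              and params.get("attributeName") == "restore"):
            target = (params.get("dBSnapshotIdentifier")
                      or params.get("dBClusterSnapshotIdentifier") or "<unknown>")
            for acct in params.get("valuesToAdd") or []:
                if acct == "all":
                    alerts.append(_alert(ev, "CRITICAL", target, "all", "RDS snapshot made public"))
                elif acct not in trusted_accounts:
                    alerts.append(_alert(ev, "HIGH", target, acct,
                                         "RDS snapshot shared outside the organisation"))
    return alerts


if __name__ == "__main__":
    for a in detect_snapshot_sharing(SAMPLE_EVENTS, TRUSTED_ACCOUNTS):
        print(f"{a['level']:8} {a['status']:9} {a['target']:14} -> {a['account']:12} {a['actor']}")
```

Pair it with a CloudTrail subscription filter or an EventBridge rule on the same eventName values so the check runs on every record rather than on a periodic export; CreateSnapshot / CreateDBSnapshot on their own are normal backup activity and are deliberately not alerted here.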
DynamoDB: managed NoSQL key-value / document store
↳ IAM-based access. Streams + EventBridge = audit but expensive.
Secrets Manager: encrypted secret storage with rotation
↳ GetSecretValue events surface in CloudTrail. Cross-account sharing via resource policy.
SSM Parameter Store (Systems Manager) — config + SecureString
↳ Cheaper than Secrets Manager. SecureString uses KMS. GetParameter is logged.
KMS: Key Management Service — symmetric/asymmetric keys
↳ Key policies and grants. CMK with overly broad principal = decrypt-anywhere.
CloudTrail: API audit log
↳ Management events on by default. Data events (S3 GetObject, Lambda Invoke) opt-in. Multi-region and Org Trail recommended.
CloudWatch (Logs/Metrics): log aggregation and metrics
↳ Subscription filters → Lambda/Kinesis. Retention default infinite if not set.
GuardDuty: threat detection — VPC flow + DNS + CloudTrail anomalies
↳ Findings into Security Hub. Severity 7+ usually merits page.
AWS Config: resource compliance and configuration history
↳ AWS-managed rules + custom Lambda rules. Conformance packs map to CIS/NIST.
Inspector: EC2/ECR/Lambda vulnerability scanning
↳ Inspector v2 covers OS + application packages. CVE-based.
Detective: investigation graph for GuardDuty findings
↳ Visualizes IAM session activity and inter-resource interactions.
VPC: Virtual Private Cloud — networking primitives
↳ Flow logs at VPC, subnet, or ENI level. A default VPC exists in every region of each account at creation.
Route 53: DNS service
↳ Resolver query logs feed CloudWatch. Subdomain takeover via dangling records is classic.
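A hygiene check for the dangling-record case above, added as an example (not a Route 53 feature). Records follow the list_resource_record_sets shape; the sample zone, the hosted zone id placeholder and the stub resolver are constructed so it runs offline, and `dns_resolves` is the drop-in for a live run.

```python
"""Find CNAME / alias records whose target no longer resolves (added example)."""
import socket

# Constructed zone: a live CNAME, a CNAME to a deprovisioned host, an alias to a
# still-live service endpoint, and a plain A record (no target, so ignored).
SAMPLE_RECORDS = [
    {"Name": "www.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "live-lb-123.us-east-1.elb.amazonaws.com"}]},
    {"Name": "staging.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "gone-lb-456.us-east-1.elb.amazonaws.com"}]},
    {"Name": "assets.example.com.", "Type": "A",
     "AliasTarget": {"DNSName": "s3-website-us-east-1.amazonaws.com.",
                     "HostedZoneId": "Z-PLACEHOLDER", "EvaluateTargetHealth": False}},
    {"Name": "mail.example.com.", "Type": "A",
     "ResourceRecords": [{"Value": "203.0.113.10"}]},
]

# Constructed resolver state: names that currently resolve.
LIVE_NAMES = {"live-lb-123.us-east-1.elb.amazonaws.com",
              "s3-website-us-east-1.amazonaws.com"}


def stub_resolves(hostname: str) -> bool:
    return hostname in LIVE_NAMES


def dns_resolves(hostname: str) -> bool:
    """Live resolver: NXDOMAIN or any resolution failure counts as not resolving."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def record_targets(record):
    """Yield the external names a record points at (CNAME values, alias DNS names)."""
    if record.get("Type") == "CNAME":
        for rr in record.get("ResourceRecords", []):
            yield rr["Value"].rstrip(".")
    alias = record.get("AliasTarget")
    if alias:
        yield alias["DNSName"].rstrip(".")


def find_dangling(records, resolves=stub_resolves):
    """Return records whose target fails to resolve; pass resolves=dns_resolves for a live zone."""
    dangling = []
    for rec in records:
        for target in record_targets(rec):
            if not resolves(target):
                dangling.append({"name": rec["Name"].rstrip("."),
                                 "type": rec["Type"], "target": target})
    return dangling


if __name__ == "__main__":
    for d in find_dangling(SAMPLE_RECORDS):
        print(f"{d['name']} ({d['type']}) -> {d['target']} does not resolve")
```

NXDOMAIN is only one class of dangling record: an alias to a shared service endpoint (the S3 website endpoint above) keeps resolving after the backing resource is deleted, because the bucket name lives in the record name, not the target. Those need an inventory cross-check against the owning service rather than a DNS lookup.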
API Gateway: REST/HTTP/WebSocket API frontend
↳ Resource policies, IAM auth, Cognito, Lambda authorizers. Often misconfigured to allow * principal.