AWS IAM explained, identities, roles, policies, attack paths

Why AWS IAM explained matters

Almost every documented AWS breach since 2018 has IAM at the centre, over-broad roles, AWS-managed policies attached to production workloads, IAM users with long-lived access keys committed to GitHub, or cross-account trust policies with `Principal: "*"`. IAM is where compromise turns into impact.

Common mistakes with AWS IAM explained

• Attaching `AdministratorAccess` to roles that need three actions.
• Using IAM users with long-lived access keys for CI/CD instead of OIDC + assumable roles.
• Cross-account trust policies that name `Principal: "*"` and rely solely on `sts:ExternalId`.
• Forgetting that `iam:PassRole` is what turns service-assumption into privilege escalation.

How attackers exploit AWS IAM explained

Public S3 → access key in object → attacker uses key → assumes role with `iam:*` → creates new admin role → persists as admin even after the original key is rotated. Every step is an IAM decision.

Related articles

• What Is Cloud Security?
• Secrets Management Best Practices
• Cloud Complexity Is Usually Organizational Complexity
• Most Security Programs Optimize for Auditability, Not Reality

Related concepts

• What is least privilege?, the cloud security principle
• AWS S3 security explained, public access, encryption, attack chains
• How to secure an AWS S3 bucket, the actual checklist
• AWS KMS explained, what it is and how to use it safely

Recommended learning paths

• AWS Security Best Practices
• Cloud Security Fundamentals
• Enterprise Cloud Security Architecture

Hands-on labs

• Hands-On: Multi-Cloud Security