|
8 | 8 |
|
9 | 9 | ### Accounts |
10 | 10 |
|
11 | | -In AWS there is a **root account,** which is the **parent container for all the accounts** for your **organization**. However, you don't need to use that account to deploy resources, you can create **other accounts to separate different AWS** infrastructures between them. |
| 11 | +In AWS, there is a **root account**, which is the **parent container for all the accounts** for your **organization**. However, you don't need to use that account to deploy resources, you can create **other accounts to separate different AWS** infrastructures between them. |
12 | 12 |
|
13 | 13 | This is very interesting from a **security** point of view, as **one account won't be able to access resources from other account** (except bridges are specifically created), so this way you can create boundaries between deployments. |
14 | 14 |
|
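Review bot: the added comma at line 11 is fine, but the sentence is still a comma splice ("...to deploy resources, you can create...") and the terminology is imprecise: in AWS Organizations the parent container for all accounts is the management account, while "root" in AWS normally means the root user of a single account, so "root account" here is likely to be misread. Suggest: "In AWS Organizations there is a **management account**, which is the parent container for all the accounts in your organization. However, you don't need to use that account to deploy resources; you can create other accounts to separate different AWS infrastructures." The unchanged line 13 has a related wording problem: "(except bridges are specifically created)" would be clearer as "(unless cross-account access is explicitly granted, for example through a role trust policy or a resource-based policy)", and "from other account" should be "from another account".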
@@ -246,7 +246,7 @@ A boundary is just a policy attached to a user which **indicates the maximum lev |
246 | 246 |
|
247 | 247 | A session policy is a **policy set when a role is assumed** somehow. This will be like an **IAM boundary for that session**: This means that the session policy doesn't grant permissions but **restrict them to the ones indicated in the policy** (being the max permissions the ones the role has). |
248 | 248 |
|
249 | | -This is useful for **security meassures**: When an admin is going to assume a very privileged role he could restrict the permission to only the ones indicated in the session policy in case the session gets compromised. |
| 249 | +This is useful for **security measures**: When an admin is going to assume a very privileged role he could restrict the permission to only the ones indicated in the session policy in case the session gets compromised. |
250 | 250 |
|
251 | 251 | ```bash |
252 | 252 | aws sts assume-role \ |
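Review bot: the typo fix at line 249 is correct, but the same sentence still has "the permission to only the ones indicated", which should read "the permissions to only those indicated", and the unchanged line 247 says "doesn't grant permissions but restrict them", which needs "restricts". The security claim in line 249 also deserves a caveat: a session policy passed to `assume-role` (inline with `--policy` or by ARN with `--policy-arns`) is chosen by the caller, so it only limits that one session; anyone else who can assume the same role can simply omit it. Worth adding a clause such as "this protects the credentials of that session if they leak, not the role itself; to enforce a ceiling for every caller, use a permissions boundary or tighten the role's own policy."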
@@ -327,20 +327,20 @@ AWS Identity and Access Management (IAM) provides **fine-grained access control* |
327 | 327 |
|
328 | 328 | In [**this page**](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids) you can find the **IAM ID prefixe**d of keys depending on their nature: |
329 | 329 |
|
330 | | -| Identifier Code | Description | |
331 | | -| ---- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | |
332 | | -| ABIA | [AWS STS service bearer token](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_bearer.html) | |
333 | | - |
334 | | -| ACCA | Context-specific credential | |
335 | | -| AGPA | User group | |
336 | | -| AIDA | IAM user | |
337 | | -| AIPA | Amazon EC2 instance profile | |
338 | | -| AKIA | Access key | |
339 | | -| ANPA | Managed policy | |
340 | | -| ANVA | Version in a managed policy | |
341 | | -| APKA | Public key | |
342 | | -| AROA | Role | |
343 | | -| ASCA | Certificate | |
| 330 | +| Identifier Code | Description | |
| 331 | +| --------------- | ----------------------------------------------------------------------------------------------------------- | |
| 332 | +| ABIA | [AWS STS service bearer token](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_bearer.html) | |
| 333 | + |
| 334 | +| ACCA | Context-specific credential | |
| 335 | +| AGPA | User group | |
| 336 | +| AIDA | IAM user | |
| 337 | +| AIPA | Amazon EC2 instance profile | |
| 338 | +| AKIA | Access key | |
| 339 | +| ANPA | Managed policy | |
| 340 | +| ANVA | Version in a managed policy | |
| 341 | +| APKA | Public key | |
| 342 | +| AROA | Role | |
| 343 | +| ASCA | Certificate | |
344 | 344 | | ASIA | [Temporary (AWS STS) access key IDs](https://docs.aws.amazon.com/STS/latest/APIReference/API_Credentials.html) use this prefix, but are unique only in combination with the secret access key and the session token. | |
345 | 345 |
|
346 | 346 | ### Recommended permissions to audit accounts |
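Review bot: the realigned table keeps the empty row at line 333 (a `+` with nothing after it), and in markdown that blank line terminates the table after the ABIA row, so every row from ACCA onward renders as literal pipe text instead of table rows; delete that line so all rows sit under the single header. The new column widths are also narrower than the unchanged ASIA row at line 344, which is harmless for rendering but defeats the purpose of the realignment unless that description is shortened or wrapped. The sentence introducing the table at line 328 has the bold closing in the wrong place: "**IAM ID prefixe**d of keys" should be "**IAM ID prefixes** of keys".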
@@ -405,7 +405,3 @@ If you are looking for something **similar** to this but for the **browser** you |
405 | 405 | - [https://aws.amazon.com/blogs/aws/introducing-resource-control-policies-rcps-a-new-authorization-policy/](https://aws.amazon.com/blogs/aws/introducing-resource-control-policies-rcps-a-new-authorization-policy/) |
406 | 406 |
|
407 | 407 | {{#include ../../../banners/hacktricks-training.md}} |
408 | | - |
409 | | - |
410 | | - |
411 | | - |
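Review bot: dropping the four trailing blank lines after the `{{#include ../../../banners/hacktricks-training.md}}` directive is fine; just confirm the file still ends with a single newline so the include directive stays intact as the last line (the hunk shows no "No newline at end of file" marker, so it appears to).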