AWS IAM Security
The cluster focuses on discussions about AWS IAM's security features, best practices like using roles and short-lived credentials instead of root keys, potential vulnerabilities, and debates on its complexity and effectiveness.
Sample Comments
I feel like the potential to abuse this is pretty low but AWS will ‘fix’ this and make IAM even harder
Do you realize that your AWS account can be compromised without something like this?
AWS IAM is no different. https://news.ycombinator.com/item?id=24498678
Enable two factor auth on your AWS account. Chances of fraud quickly approach zero unless your AWS API creds are leaked. You should always be using an IAM account that has only the privileges your application requires.
This happens very often. Like many others have recommended, disable the global AWS keys and use roles.
Only if you give it unfettered access. AWS has an API called AssumeRole which can generate short-lived credentials with a specifically scoped set of permissions, which I use instead.
Isn't this a huge security hole in AWS?
This looks very cool. Is there a story for managing users associated with AWS IAM roles or users?
It’s a security disaster, you have to give developers AWS admin in order to use it. At least that’s how it used to be. I stood it up in a separate account for this reason.
Uhm.. in the AWS I've used, it's on explicit allow, and all of their docs and tutorials start with IAM and what's needed and why. What more do you want? I can't imagine IAM being simpler while being as granular as it is. You just have to actually take the time to learn about it, like every system. It's still drastically easier to use it securely than doing something on a similar scale and detail manually.