The subject of my talk was "IAM Secure, Are You?". I showed some nice "Did you knows". Like did you know that when AWS started in 2006, there was no IAM service and you needed to log in with your amazon.com account. And that in 2010 IAM was only programmatically accessible (preview version). And that in 2011 console access was announced and you could log in to the console with IAM users instead of your root account.
I explained the basics of IAM, but also things like:
- Identity-based policies vs. Resource-based policies
- Session policies
- Policy conditions
- Policy variables
- RBAC (role-based access control) vs. ABAC (attribute-based access control)
With ABAC you can do things like: if your role tag "job-title" does not equal Product-Manager, you are denied access to the production S3 bucket.
I ended with a demo and some best practices. With the demo I explained the IAM decision tree. In the demo I created an IAM read-only identity-based policy and attached this policy to a demo role. I also created an SQS queue with a send-only resource-based policy for this role. I then sent a message to the SQS queue as an admin user and assumed the demo role. With this demo role I tried polling the message. I asked the audience whether the polling (read) request would succeed, given that the role has read permission but the queue policy only grants send permission. The result was that the polling succeeded, which led to some confusion :-D, but I did this on purpose.
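To make the decision tree behind the demo (and the ABAC rule mentioned above) concrete, here is a small policy evaluator written for this post; it is an added example, not the demo code from the talk, and all account ids, ARNs and policy documents in it are constructed placeholders. It encodes the rules the demo relies on: an explicit Deny always wins, and within a single account an Allow from either the identity-based policy or the resource-based policy is enough, which is why the read-only role could poll the send-only queue. It goes one step beyond the demo by also modelling the cross-account case, where the caller's identity-based policy and the resource-based policy must both allow the request. Conditions are limited to StringEquals and StringNotEquals, which is all the job-title rule needs.

```python
"""Toy model of IAM policy evaluation (added example; constructed data)."""
from fnmatch import fnmatchcase

ACCOUNT = "111111111111"                                    # constructed account id
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/demo-role"
QUEUE_ARN = f"arn:aws:sqs:eu-west-1:{ACCOUNT}:demo-queue"
BUCKET_ARN = "arn:aws:s3:::production-bucket"
OTHER_ROLE_ARN = "arn:aws:iam::222222222222:role/partner-role"  # role in another account

# Identity-based policy attached to the demo role: read-only.
READ_ONLY_POLICY = {"Statement": [
    {"Effect": "Allow",
     "Action": ["sqs:ReceiveMessage", "sqs:GetQueueAttributes",
                "s3:GetObject", "s3:ListBucket"],
     "Resource": "*"},
]}

# ABAC rule: deny the production bucket unless the principal's
# job-title tag equals Product-Manager.
ABAC_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
     "Condition": {"StringNotEquals":
                   {"aws:PrincipalTag/job-title": "Product-Manager"}}},
]}

# Resource-based policy on the queue: send-only for the demo role.
QUEUE_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": "sqs:SendMessage", "Resource": QUEUE_ARN},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM-style '*' and '?' wildcards in Action and Resource
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, arn):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        allowed = _as_list(principal.get("AWS", []))
        return "*" in allowed or arn in allowed
    return False


def _condition_holds(condition, context):
    for operator, pairs in (condition or {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            equal = context.get(key) in _as_list(expected)   # missing key -> not equal
            # As in IAM, a missing key fails StringEquals and satisfies StringNotEquals.
            if (operator == "StringEquals") != equal:
                return False
    return True


def _effects(statements, action, resource, context, principal=None):
    """Effects (Allow/Deny) of the statements that match this request."""
    effects = set()
    for st in statements:
        if principal is not None and not _principal_matches(st.get("Principal"), principal):
            continue
        if (_matches(st["Action"], action) and _matches(st["Resource"], resource)
                and _condition_holds(st.get("Condition"), context)):
            effects.add(st["Effect"])
    return effects


def _account_of(arn):
    return arn.split(":")[4]


def is_allowed(action, resource, principal_arn, identity_policies,
               resource_policy=None, context=None, resource_account=None):
    """Simplified IAM decision: explicit Deny wins; same account needs one Allow,
    cross-account needs an Allow from both the identity and the resource side."""
    context = context or {}
    identity = set()
    for policy in identity_policies:
        identity |= _effects(policy["Statement"], action, resource, context)
    resource_side = set()
    if resource_policy:
        resource_side = _effects(resource_policy["Statement"], action, resource,
                                 context, principal=principal_arn)
    if "Deny" in identity or "Deny" in resource_side:          # 1. explicit Deny
        return False
    caller_account = _account_of(principal_arn)
    if (resource_account or caller_account) == caller_account:  # 2. same account
        return "Allow" in identity or "Allow" in resource_side
    return "Allow" in identity and "Allow" in resource_side     # 3. cross-account


def demo_poll():
    """The talk's demo: read-only role polls the send-only queue (same account)."""
    return is_allowed("sqs:ReceiveMessage", QUEUE_ARN, ROLE_ARN, [READ_ONLY_POLICY], QUEUE_POLICY)


def demo_send():
    """Sending is allowed by the queue policy alone."""
    return is_allowed("sqs:SendMessage", QUEUE_ARN, ROLE_ARN, [READ_ONLY_POLICY], QUEUE_POLICY)


def demo_cross_account_poll():
    """Same poll from a role in another account: its own read-only policy is not enough."""
    return is_allowed("sqs:ReceiveMessage", QUEUE_ARN, OTHER_ROLE_ARN,
                      [READ_ONLY_POLICY], QUEUE_POLICY, resource_account=ACCOUNT)


def demo_abac(job_title):
    """ABAC rule: the production bucket is readable only with job-title = Product-Manager."""
    ctx = {"aws:PrincipalTag/job-title": job_title}
    return is_allowed("s3:GetObject", BUCKET_ARN + "/report.csv", ROLE_ARN,
                      [READ_ONLY_POLICY, ABAC_POLICY], context=ctx)


if __name__ == "__main__":
    print("poll as demo-role:", demo_poll())                     # True
    print("send as demo-role:", demo_send())                     # True
    print("poll from other account:", demo_cross_account_poll())  # False
    print("S3 as Product-Manager:", demo_abac("Product-Manager"))  # True
    print("S3 as Developer:", demo_abac("Developer"))            # False
```

The interesting branch is step 2: in the same account the queue's send-only policy is simply irrelevant to the read request, because the role's identity-based Allow already satisfies the evaluation. The only way a resource-based policy can stop a same-account principal is an explicit Deny, which is the check that runs first.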