Do not use IAM Users
Unless there is an external dependency that relies on IAM Users and long lived credentials, do everything in your power to move away from their use.
Chapter 3 · Updated 28 Mar 2025
For principals that are people, use AWS IAM Identity Center with short-term credentials; if you use an external identity provider, set up federated access with single sign-on (SSO).
For principals that are services, both internal and external, provide access through IAM Roles. For external access, make sure to require an External ID within the Trust Policy attached to the role: this prevents confused deputy vulnerabilities, where a third party that is trusted by many customers is tricked into using its access to your role on someone else's behalf.
For deployment roles you can use OpenID Connect (OIDC). A deployment role's trust policy can be restricted so that the role may only be assumed from within the context of specific repositories in a provider such as GitHub. This is achieved by configuring a trust policy similar to the following on the deployment IAM Role.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<account_id>:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:<github_organisation>/<github_repository>:*"
        },
        "ForAllValues:StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
          "token.actions.githubusercontent.com:iss": "https://token.actions.githubusercontent.com"
        }
      }
    }
  ]
}
```

Two details matter here. The sub claim GitHub issues has the form repo:<organisation>/<repository>:<ref or environment>, so the StringLike pattern needs the trailing :* to match at all; without it no token from the repository will satisfy the condition. Also, ForAllValues:StringEquals evaluates to true when the key is absent from the request context, so for a single-valued claim such as aud a plain StringEquals is the stricter choice.
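The two checks described above, an External ID on cross-account trust and pinned sub/aud claims on OIDC trust, can be audited offline against a role's trust policy document. The following linter is an added example written for this page, not code from the article or from AWS; the account IDs, organisation and repository names in its sample policies are constructed placeholders. It treats a GitHub sub pattern that does not pin a single org/repo as a finding, flags cross-account AWS principals that lack an sts:ExternalId condition, and warns on ForAllValues operators, which pass when the key is missing from the request context.

```python
GITHUB_OIDC = "token.actions.githubusercontent.com"


def _as_list(value):
    """Policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    """The account ID is the fifth colon-separated field of an ARN ('' if absent)."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else ""


def _github_sub_too_broad(value):
    """GitHub's sub claim is 'repo:<org>/<repo>:<ref or environment>'.
    A pattern that does not pin the org/repo part matches every repository."""
    if not value.startswith("repo:"):
        return True
    org_repo = value[len("repo:"):].split(":", 1)[0]
    return "/" not in org_repo or any(ch in org_repo for ch in "*?")


def lint_trust_policy(policy, own_account):
    """Return a list of findings for one role trust policy (empty if clean)."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        condition = stmt.get("Condition", {})
        keys = {}  # lower-cased condition key -> (operator, key as written)
        for operator, pairs in condition.items():
            for key in pairs:
                keys[key.lower()] = (operator, key)
            if operator.startswith("ForAllValues:"):
                findings.append(
                    f"{operator} is true when the key is absent from the request "
                    "context; use the plain operator for single-valued claims")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append("statement trusts any principal (*)")
            continue
        for arn in aws_principals:
            if _account_of(arn) != own_account and "sts:externalid" not in keys:
                findings.append(f"cross-account principal {arn} trusted without "
                                "sts:ExternalId (confused deputy risk)")
        if "sts:assumerolewithwebidentity" not in actions or not isinstance(principal, dict):
            continue
        for arn in _as_list(principal.get("Federated")):
            provider = arn.split("oidc-provider/", 1)[-1].lower()
            sub_key, aud_key = f"{provider}:sub", f"{provider}:aud"
            if aud_key not in keys:
                findings.append(f"OIDC trust for {provider} does not pin {aud_key}")
            if sub_key not in keys:
                findings.append(f"OIDC trust for {provider} does not pin {sub_key}; "
                                "any identity from that provider could assume the role")
                continue
            operator, raw_key = keys[sub_key]
            for value in _as_list(condition[operator][raw_key]):
                if value == "*" or (provider == GITHUB_OIDC and _github_sub_too_broad(value)):
                    findings.append(f"{sub_key} pattern {value!r} does not pin a single repository")
    return findings


def _policy(principal, action, condition=None):
    """Build a single-statement trust policy (constructed sample data)."""
    stmt = {"Effect": "Allow", "Principal": principal, "Action": action}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


OWN_ACCOUNT = "222222222222"                          # placeholder, not a real account
PARTNER = {"AWS": "arn:aws:iam::111111111111:root"}   # placeholder external account
GITHUB = {"Federated": f"arn:aws:iam::{OWN_ACCOUNT}:oidc-provider/{GITHUB_OIDC}"}

CROSS_ACCOUNT_NO_EXTERNAL_ID = _policy(PARTNER, "sts:AssumeRole")
CROSS_ACCOUNT_WITH_EXTERNAL_ID = _policy(
    PARTNER, "sts:AssumeRole",
    {"StringEquals": {"sts:ExternalId": "example-external-id"}})
GITHUB_OIDC_PINNED = _policy(
    GITHUB, "sts:AssumeRoleWithWebIdentity",
    {"StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"},
     "StringLike": {f"{GITHUB_OIDC}:sub": "repo:example-org/example-repo:*"}})
GITHUB_OIDC_LOOSE = _policy(
    GITHUB, "sts:AssumeRoleWithWebIdentity",
    {"ForAllValues:StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"},
     "StringLike": {f"{GITHUB_OIDC}:sub": "repo:*"}})

if __name__ == "__main__":
    for name, policy in [("cross-account, no ExternalId", CROSS_ACCOUNT_NO_EXTERNAL_ID),
                         ("cross-account, with ExternalId", CROSS_ACCOUNT_WITH_EXTERNAL_ID),
                         ("GitHub OIDC, pinned", GITHUB_OIDC_PINNED),
                         ("GitHub OIDC, loose", GITHUB_OIDC_LOOSE)]:
        print(name, "->", lint_trust_policy(policy, OWN_ACCOUNT) or ["clean"])
```

Feed it the AssumeRolePolicyDocument of each role in an account and the findings list gives you the roles that still trust an external account without an External ID or accept a token from any repository; the own-account parameter is what lets it tell internal from cross-account principals.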
Don't forget about permissions boundaries, whose attachment to every role can be enforced through Service Control Policies (SCPs). A permissions boundary defines the maximum permissions a role can have, which limits the risk of privilege escalation through roles that a deployment pipeline creates or modifies.
Useful resources
- Security hardening with OpenID Connect: https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect