1. ⭐️ 1/ Identify IAM Threat Vectors
    1. Root ID Compromise
    2. Credential Leakage
      1. Credential theft
      2. Credentials at risk: SAML assertions, long-term access keys, STS temporary credentials
    3. Excessive Permissions
      1. Identify Excessive Permissions with Access Advisor (last-accessed data per service)
    4. Insecure Configurations
      1. Not enforcing IMDSv2 (HttpTokens = required) on EC2 instances
      2. Storing API Keys and Access Keys in Plain Text
    5. Stealing Instance Profile Credentials from the instance metadata service
    6. Privilege Accumulation
      1. Employee Accumulating Permissions over time
    7. Privilege Escalation
      1. Role Chaining
      2. Lateral Movement (Across Accounts / Environments)
    8. Dormant Identities
      1. Employee Leaving Company
    9. Confused Deputy Attack
      1. Service provider end (a role trusted by a third party without an sts:ExternalId condition)
    10. Exploit Trust Configurations
      1. IAM Federation or Identity Center (SSO)
    11. Backdoors
      1. Do you know your Identity Sources?
      2. Bypass External (primary) authentication system
    12. Non-Repudiation
      1. Generic or shared IDs (actions cannot be attributed to a person)
    13. Unmonitored Logs and Events
      1. CloudTrail Logs
      2. GuardDuty alerts
  2. 2/ Know Identity Sources (AuthN)
    1. Identity of whom?
      1. Human
      2. Machine
    2. Identity Sources
      1. IAM Users
      2. IAM Federation
        1. External - Via Trust
      3. AWS SSO (now IAM Identity Center) - AWS Directory
      4. AWS SSO (IAM Identity Center) with External Identity - Via Trust
      5. Amazon Cognito (Web Identities)
      6. IAM Role (Trust + Permissions)
      7. API Gateway - API Keys
      8. IAM Roles Anywhere via Private CA
  3. 3/ Identify Entry Points (AuthZ)
    1. Policies
      1. AWS Managed
      2. Customer Managed
      3. Inline
    2. Permission Sets
    3. Group
      1. Container of Users
      2. Source of Permission via Association
  4. 4/ Adopt IAM Best practices
    1. Credential Leakage
    2. Compromised Password (No MFA)
    3. Overly Permissive Policies
      1. iam:*
      2. kms:*
      3. *:* ("Action": "*")
    4. Privilege Escalation
    5. Rogue Identity Source
    6. Hard-coded Credentials
    7. ...
  5. 5/ IAM Visibility Aspects & Tools
    1. Identity
    2. Permission
    3. Actual Usage
      1. Expected Usage
      2. Anomalous Usage
    4. AWS Native & Open Source Tools
      1. AWS Config
      2. AWS Config Advanced Queries
      3. Access Advisor
      4. Access Analyzer
      5. Prowler
      6. ScoutSuite
      7. CloudTrail -> Athena
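The "actual usage" side of visibility is what CloudTrail (or CloudTrail via Athena) gives you. The following added example, not code from the original outline, runs three detections from the threat-vector list over constructed CloudTrail records: instance profile credentials used from an address that is not the instance's own (stolen IMDS credentials), sts:AssumeRole called with credentials that already came from an assumed role (role chaining), and successful console logins without MFA. RAW_LOG and INSTANCE_IPS are invented for the demo; the record fields follow the CloudTrail event format, but every value is constructed.

```python
"""Three CloudTrail detections: instance-profile credential misuse, role chaining,
console login without MFA.  Added example; log records and inventory are constructed."""
import json
import re

# Constructed CloudTrail log file (same envelope as a real one: {"Records": [...]}).
RAW_LOG = r'''{"Records": [
 {"eventTime": "2024-06-01T10:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "sourceIPAddress": "10.0.1.25", "userIdentity": {"type": "AssumedRole",
  "arn": "arn:aws:sts::111111111111:assumed-role/AppRole/i-0abc12345def67890"}},
 {"eventTime": "2024-06-01T10:05:00Z", "eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
  "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "AssumedRole",
  "arn": "arn:aws:sts::111111111111:assumed-role/AppRole/i-0abc12345def67890"}},
 {"eventTime": "2024-06-01T10:10:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
  "sourceIPAddress": "198.51.100.9", "userIdentity": {"type": "AssumedRole",
  "arn": "arn:aws:sts::111111111111:assumed-role/DevRole/alice"},
  "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/AdminRole", "roleSessionName": "alice"}},
 {"eventTime": "2024-06-01T10:15:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
  "sourceIPAddress": "198.51.100.9", "userIdentity": {"type": "IAMUser",
  "arn": "arn:aws:iam::111111111111:user/alice"},
  "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/DevRole", "roleSessionName": "alice"}},
 {"eventTime": "2024-06-01T10:20:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "IAMUser",
  "arn": "arn:aws:iam::111111111111:user/bob"},
  "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
 {"eventTime": "2024-06-01T10:25:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "sourceIPAddress": "198.51.100.9", "userIdentity": {"type": "IAMUser",
  "arn": "arn:aws:iam::111111111111:user/alice"},
  "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}}
]}'''
EVENTS = json.loads(RAW_LOG)["Records"]

# Constructed inventory: every source address an instance's API calls may legitimately carry
# (its private IP when calling through VPC endpoints, its public or NAT address otherwise).
INSTANCE_IPS = {"i-0abc12345def67890": {"10.0.1.25", "198.51.100.40"}}

# EC2 instance ids are "i-" followed by 8 (legacy) or 17 hex characters.
INSTANCE_SESSION = re.compile(r"^i-[0-9a-f]{8,17}$")


def session_name(event):
    """Session part of an assumed-role ARN (arn:aws:sts::acct:assumed-role/<Role>/<session>), else None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return ident.get("arn", "").rsplit("/", 1)[-1]


def detect_instance_credential_misuse(events, instance_ips):
    """Instance profile credentials carry the instance id as the session name.  A call with such a
    session from an address that is not one of the instance's own is a sign the credentials were read
    from IMDS and used elsewhere."""
    hits = []
    for ev in events:
        sess = session_name(ev)
        if sess and INSTANCE_SESSION.match(sess):
            ip = ev.get("sourceIPAddress")
            if ip not in instance_ips.get(sess, set()):
                hits.append((ev["eventTime"], sess, ev["eventName"], ip))
    return hits


def detect_role_chaining(events):
    """sts:AssumeRole invoked by an identity that is itself an assumed-role session."""
    hits = []
    for ev in events:
        if (ev.get("eventSource") == "sts.amazonaws.com" and ev.get("eventName") == "AssumeRole"
                and ev.get("userIdentity", {}).get("type") == "AssumedRole"):
            hits.append((ev["eventTime"], ev["userIdentity"]["arn"], ev["requestParameters"]["roleArn"]))
    return hits


def detect_console_login_without_mfa(events):
    """Successful ConsoleLogin events where additionalEventData.MFAUsed is "No"."""
    hits = []
    for ev in events:
        if (ev.get("eventName") == "ConsoleLogin"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and ev.get("additionalEventData", {}).get("MFAUsed") == "No"):
            hits.append((ev["eventTime"], ev["userIdentity"].get("arn"), ev.get("sourceIPAddress")))
    return hits


if __name__ == "__main__":
    print("instance credential misuse:", detect_instance_credential_misuse(EVENTS, INSTANCE_IPS))
    print("role chaining:", detect_role_chaining(EVENTS))
    print("console login without MFA:", detect_console_login_without_mfa(EVENTS))
```

The instance-credential check is only as good as the inventory of egress addresses: an instance that reaches AWS APIs through a NAT gateway shows the NAT address in sourceIPAddress, so that address has to be in its allowed set or every legitimate call will be flagged. Role chaining is not always malicious (some pipelines do it by design), so the second detector is a candidate list to reconcile against the expected-usage inventory rather than an alert on its own.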
  6. 6/ Questions one should ask to gain Visibility
    1. Root Users (MFA enabled? Root locked down via an Organizations SCP? Any access keys?)
    2. Do you know your Identity Sources?
    3. Password Policy and MFA
    4. Look for any external identities trusted in ROLE trust policies (e.g. Principal arn:aws:iam::<account_id>:root for another account) - EXTERNAL IDENTITY
    5. List all identities that have sts:AssumeRole, sts:AssumeRoleWithSAML, sts:AssumeRoleWithWebIdentity permission
    6. How many IAM Users / Roles
    7. Get the list of Lambda functions and Instance Profiles across all regions in all accounts
    8. How many Access Keys Issued, and when were they Last Rotated
    9. How many Overly Permissive Policies Exist
    10. Identify Dangerous Permissions
    11. List of EC2 Instances still allowing IMDSv1
    12. List of API Gateways and API keys issued
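Several of the questions above (overly permissive policies from section 4, who can call the sts:AssumeRole* APIs, which roles trust another account and whether they require an ExternalId, which access keys are overdue for rotation) can be answered offline from an account snapshot. The following added example, not code from the original outline, does that. SNAPSHOT is a constructed, simplified stand-in for the output of `aws iam get-account-authorization-details` plus the credential report; its field names and every value are assumptions of this demo.

```python
"""Offline IAM visibility checks over an account snapshot.
Added example; SNAPSHOT is constructed and its layout is a simplification of the real API output."""
import fnmatch
from datetime import datetime, timezone

SNAPSHOT = {
    "AccountId": "111111111111",
    "Policies": {  # policy name -> policy document (constructed)
        "AdminEverything": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        "KeyAdmin": {"Statement": [{"Effect": "Allow", "Action": ["kms:*"], "Resource": "*"}]},
        "ReadOnlyS3": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]},
        "RoleHopper": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity", "Resource": "*"}]},
    },
    "Users": [
        {"UserName": "alice", "Policies": ["AdminEverything"],
         "AccessKeys": [{"AccessKeyId": "AKIAEXAMPLEALICE0001", "CreateDate": "2024-05-01T00:00:00Z"}]},
        {"UserName": "bob", "Policies": ["ReadOnlyS3"],
         "AccessKeys": [{"AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "CreateDate": "2023-01-15T00:00:00Z"}]},
        {"UserName": "ci-bot", "Policies": ["RoleHopper"], "AccessKeys": []},
    ],
    "Roles": [
        {"RoleName": "CrossAccountAudit", "Policies": ["ReadOnlyS3"], "AssumeRolePolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}]}},
        {"RoleName": "VendorAccess", "Policies": ["ReadOnlyS3"], "AssumeRolePolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "arn:aws:iam::333333333333:root"},
             "Condition": {"StringEquals": {"sts:ExternalId": "vendor-7f3a"}}}]}},
        {"RoleName": "AppRole", "Policies": ["KeyAdmin"], "AssumeRolePolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"Service": "ec2.amazonaws.com"}}]}},
    ],
}

ASSUME_ROLE_ACTIONS = ("sts:assumerole", "sts:assumerolewithsaml", "sts:assumerolewithwebidentity")


def _listify(value):
    """IAM JSON allows a bare string wherever a list is expected."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def allowed_actions(policy_doc):
    """Every action granted by an Allow statement, lowercased (IAM actions are case-insensitive)."""
    for stmt in _listify(policy_doc.get("Statement")):
        if stmt.get("Effect") == "Allow":
            for action in _listify(stmt.get("Action")):
                yield action.lower()


def is_overly_permissive(action, watch_services=("iam", "kms")):
    """'*' and '*:*' grant everything; '<service>:*' is flagged for services that control identity or keys."""
    if action in ("*", "*:*"):
        return True
    service, _, verb = action.partition(":")
    return verb == "*" and service in watch_services


def find_overly_permissive(policies):
    """Sorted (policy name, action) pairs that hit the watch list."""
    return sorted({(name, a) for name, doc in policies.items() for a in allowed_actions(doc) if is_overly_permissive(a)})


def find_assume_role_grantees(snapshot):
    """Identities whose policies allow any AssumeRole variant, including via wildcards such as 'sts:*' or '*'."""
    grantees = []
    for kind in ("Users", "Roles"):
        for identity in snapshot[kind]:
            granted = set()
            for pattern in (a for p in identity.get("Policies", []) for a in allowed_actions(snapshot["Policies"][p])):
                granted.update(a for a in ASSUME_ROLE_ACTIONS if fnmatch.fnmatchcase(a, pattern))
            if granted:
                grantees.append((identity.get("UserName") or identity["RoleName"], sorted(granted)))
    return grantees


def _account_of(principal):
    """Account id is the fifth ':'-separated ARN field; a bare account id or '*' is returned unchanged."""
    parts = principal.split(":")
    return parts[4] if len(parts) >= 5 else principal


def find_external_trusts(snapshot):
    """(role, trusted principal, requires ExternalId) for every AWS principal outside this account."""
    own, findings = snapshot["AccountId"], []
    for role in snapshot["Roles"]:
        for stmt in _listify(role["AssumeRolePolicyDocument"].get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue
            principal = stmt.get("Principal", {})
            aws_principals = [principal] if isinstance(principal, str) else _listify(principal.get("AWS"))
            for arn in aws_principals:
                if _account_of(arn) != own:
                    cond = stmt.get("Condition", {})
                    has_ext_id = any("sts:ExternalId" in v for v in cond.values() if isinstance(v, dict))
                    findings.append((role["RoleName"], arn, has_ext_id))
    return findings


def stale_access_keys(snapshot, now, max_age_days=90):
    """(user, key id, age in days) for keys older than max_age_days."""
    stale = []
    for user in snapshot["Users"]:
        for key in user.get("AccessKeys", []):
            created = datetime.fromisoformat(key["CreateDate"].replace("Z", "+00:00"))
            age = (now - created).days
            if age > max_age_days:
                stale.append((user["UserName"], key["AccessKeyId"], age))
    return stale


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("overly permissive:", find_overly_permissive(SNAPSHOT["Policies"]))
    print("can assume roles:", find_assume_role_grantees(SNAPSHOT))
    print("external trusts:", find_external_trusts(SNAPSHOT))
    print("stale keys:", stale_access_keys(SNAPSHOT, now))
```

Two design points worth keeping when turning this into a real tool: the AssumeRole check matches policy actions as glob patterns against the concrete API names, so a policy that says `sts:*` or `*` is caught rather than only a literal `sts:AssumeRole`; and the trust-policy check reports the absence of an `sts:ExternalId` condition on a cross-account principal separately, because that is exactly the gap the confused-deputy vector in section 1 exploits.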