re:Invent session SEC207
re:Invent slides here
Michael Chan mchancloud
mchancloud
/ aws-identity-hands-resources.md
Created
February 13, 2020 20:13
Handy AWS Identity resources
List of handy resources here!
mchancloud
/ aws-identity-post-reinforce-2019.md
Last active
February 20, 2020 15:15
AWS Identity post re:Inforce 2019 launches, sessions, and blogs
Are you one of the many who didn't have a chance to go to re:Invent 2019? Here's a curated list of second-half 2019 AWS Identity sessions and related blogs. Use this to help you assess if these new features are right for you! Also check out the AWS Identity keynote, where you'll hear how the identity space has evolved and how AWS is making identity, access control, and resource management easier for everyone.
- Manage access to AWS centrally for Azure AD users with AWS Single Sign-on
- Watch the 2019 re:Invent session SEC308 or view the [slides](https://d1.awsstatic.com/events/reinvent/2019/Ma
mchancloud
/ role-session-name-is-principal-tag.txt
Created
April 22, 2020 14:44
enforcing the role session name as principal tag
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "AllowAssumeRoleIfSessionNameEqualsAccessProjectSessionTagValue", | |
| "Effect": "Allow", | |
| "Principal": { | |
| "AWS": "arn:aws:iam::123456789012:root" | |
| }, | |
| "Action": "sts:AssumeRole", |
mchancloud
/ aws-foundational-security-best-practices-controls.txt
Last active
April 24, 2020 19:36
AWS Security Hub - AWS Foundational Security Best Practices controls
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [ACM.1] Imported ACM certificates should be renewed within 90 days of expiration | |
| [CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-region trail | |
| [CloudTrail.2] CloudTrail should have encryption at-rest enabled | |
| [CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth | |
| [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials | |
| [Config.1AWS] Config should be enabled | |
| [EC2.1] EBS snapshots should not be public, determined by the ability to be restorable by anyone | |
| [EC2.2] The VPC default security group should not allow inbound and outbound traffic | |
| [EC2.3] Attached EBS volumes should be encrypted at-rest | |
| [EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS |
mchancloud
/ abac-scp-guardrails-examples.txt
Last active
March 8, 2023 18:56
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // A simple example protecting the tags on IAM principals. Here, only an admins with an "is_admin:true" | |
| // tag key/value pair can modify a tag on an IAM principal. | |
| // | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "DenyModifyingIamAdminTag", | |
| "Effect": "Deny", |