> For the complete documentation index, see [llms.txt](https://docs.0xrushi.xyz/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.0xrushi.xyz/cloud-security/aws-basics.md).

# AWS BASICS

## Core Concepts

| Concept          | What it is                                                              |
| ---------------- | ----------------------------------------------------------------------- |
| **User**         | Human identity. Has long-term access keys (`AKIA...`).                  |
| **Group**        | Collection of users. Policies attach to groups, users inherit.          |
| **Role**         | Assumed temporarily. No permanent creds. Used by EC2, Lambda, services. |
| **Policy**       | JSON document defining Allow/Deny for actions on resources.             |
| **Trust Policy** | Defines *who* can assume a role. Separate from permission policy.       |
| **STS**          | Issues temporary credentials when you assume a role.                    |
| **ARN**          | <p></p><p></p><p>Unique identifier for any AWS resource.</p>            |

### IAM Deep Dive

#### Policy JSON — how to read it

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

```

| Field       | Meaning                                                                   |
| ----------- | ------------------------------------------------------------------------- |
| `Effect`    | `Allow` or `Deny`. **Deny always wins** over Allow.                       |
| `Action`    | API call e.g. `s3:GetObject`. Wildcard `s3:*` = all S3. `*` = everything. |
| `Resource`  | Which AWS resource. `*` = all resources. That's the jackpot.              |
| `Condition` | Optional constraints (IP, MFA, time). Sometimes bypassable.               |

#### Managed vs Inline Policies

* **Managed** — reusable, attachable to multiple identities. AWS has built-ins like `AdministratorAccess`.
* **Inline** — embedded in one user/role. Harder to find. Often overlooked by defenders AND attackers.

#### Dangerous permissions to hunt for

| Permission                          | Why it's dangerous                         |
| ----------------------------------- | ------------------------------------------ |
| `iam:*` on `*`                      | Full IAM control                           |
| `iam:CreatePolicyVersion`           | Rewrite any existing policy to grant admin |
| `iam:AttachUserPolicy`              | Attach AdministratorAccess to yourself     |
| `iam:PassRole` + `lambda:*`         | Create Lambda running as any role          |
| `iam:PassRole` + `ec2:RunInstances` | Launch EC2 with admin role → IMDS creds    |
| `iam:UpdateAssumeRolePolicy`        | Modify trust policy → assume any role      |
| `iam:CreateAccessKey`               | Create keys for another user               |
| `sts:AssumeRole` on `*`             | Assume any role in account                 |
| `secretsmanager:GetSecretValue`     | Read all stored secrets                    |

### Credentials & How They Work

#### Types of credentials

| Type             | Prefix    | Expires?               | Where found                                |
| ---------------- | --------- | ---------------------- | ------------------------------------------ |
| Long-term (user) | `AKIA...` | Never (unless rotated) | `~/.aws/credentials`, env vars, code       |
| Temporary (role) | `ASIA...` | Yes (1–12 hrs)         | IMDS, STS response, env vars in Lambda/ECS |

Where credentials live (attacker perspective)

```shellscript
~/.aws/credentials          # local aws config
~/.aws/config               # profiles
env | grep AWS              # environment variables
/proc/1/environ             # process environment (Linux)
http://169.254.169.254/...  # EC2 IMDS (from inside EC2)
terraform.tfstate           # terraform state files — goldmine
.env files                  # developer mistakes
CI/CD logs                  # leaked in build output
Docker image layers         # baked-in secrets
GitHub/GitLab repos         # hardcoded keys
```

#### Using stolen credentials

```shellscript
# Set as environment variables
export AWS_ACCESS_KEY_ID=AKIA...
export AWS_SECRET_ACCESS_KEY=wJalrXUt...

# For temporary creds (role), also set token
export AWS_SESSION_TOKEN=FwoGZXIvYX...

# Verify they work
aws sts get-caller-identity
```

### STS — Security Token Service

STS handles role assumption and temporary credential issuance.

```shellscript
# Assume a role
aws sts assume-role \
  --role-arn arn:aws:iam::123456789012:role/AdminRole \
  --role-session-name my-session
```

### IMDS — Instance Metadata Service

EC2 instances query `http://169.254.169.254` to get their own metadata including attached IAM role credentials. **Only reachable from inside the EC2** — but SSRF vulns on web apps can proxy the request.

#### IMDSv1 (no auth — legacy)

```shellscript
# Get role name
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

# Get credentials for that role
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>
```

#### IMDSv2 (requires token first)

```shellscript
# Step 1: get token
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

# Step 2: use token to get role name
curl -H "X-aws-ec2-metadata-token: $TOKEN" \
  http://169.254.169.254/latest/meta-data/iam/security-credentials/

# Step 3: get creds
curl -H "X-aws-ec2-metadata-token: $TOKEN" \
  http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>
```

#### Other useful IMDS endpoints

```shellscript
# Instance ID, type, region
curl http://169.254.169.254/latest/meta-data/instance-id
curl http://169.254.169.254/latest/meta-data/placement/region

# User-data script (often has secrets/passwords)
curl http://169.254.169.254/latest/user-data
```


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.0xrushi.xyz/cloud-security/aws-basics.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
