☁️
CTHFM: AWS
  • Welcome
  • Getting Started
    • Account Setup
  • AWS CLI
    • AWS CLI Overview
    • Installation
  • AWS Fundamentals
    • AWS Documentation
    • AWS Shared Responsibility Model
    • Organizational Hierarchy
    • AWS Principals
    • IAM Fundamentals
      • IAM Policy Components
      • IAM Documentation References
    • AWS Security Services Overview
    • AWS Core Services
    • AWS Frameworks
    • Regions and Availability Zones
  • SQL
    • SQL Refresher for Threat Hunting
  • Logging Reference
    • Cloudtrail
      • What is Cloudtrail?
      • Setting Up Cloudtrail
      • Cloudtrail Events Structure
      • Filtering and Searching CloudTrail Logs
      • IAM ID Prefixes
      • Additional Resources
      • API References
    • VPCFlow Logs
    • GuardDuty
      • Multi-Account Setup
      • GuardDuty Concepts
      • GuardDuty Finding References
      • S3 Protection
      • Malware Protection
        • EC2 Malware Protection
          • EC2 Protection Resources
          • Monitoring Scans
          • EC2 Malware Protection Events: CloudWatch
        • S3 Malware Protection
          • Enabling S3 Malware Protection
          • After Enabling S3 Malware Protection
          • S3 Malware Resource Plan Status
          • S3 Malware Protection Quotas
      • RDS Protection Enablement
      • Lambda Protection Enablement
      • Trusted IP Lists and Threat Lists in Amazon GuardDuty
      • Remediation Recommendations
      • GuardDuty API Reference
      • GuardDuty Quotas
    • Access Analyzer
      • Setup
      • External Access and Unused Access Analyzer Findings
      • Review Findings
      • Access Analyzer Resources
      • Access Analyzer API Reference
    • AWS Network Firewall
      • Permissions
      • Firewall Log Contents
      • Logging Destinations
      • CloudWatch Firewall Metrics
    • AWS Config
      • Resource Management in AWS Config
      • AWS Config Integrations
      • AWS Config Resources
      • Configuration Item
      • Config Rules
        • Evaluation Modes
  • CloudWatch
    • Amazon CloudWatch
      • CloudWatch Concepts
      • CloudWatch Metrics
        • Filter Pattern Syntax
      • CloudWatch Alarms
        • Alarm Recommendations
      • Subscriptions
      • CloudWatch Agent
      • CloudWatch Insights
        • Supported Logs and Discovered Fields
        • CloudWatch Insights Query Syntax
      • Anomaly Detection
        • Create Anomaly Detector
        • Alarms for Anomaly Detections
      • CloudWatch Filter Syntax
      • CloudWatch Service Quota
  • Athena For Threat Hunting
    • Introduction to Athena
    • Setting Up Athena
    • SQL For Threat Hunters
    • Automated Response
    • Query Best Practices
  • AWS Security Research and Resources
    • AWS Security Blog
    • AWS Goat
    • Cloud Goat
    • Pacu
    • Prowler
    • Scout Suite
  • Threat Hunting in AWS
    • Threat Hunting in AWS
    • Threat Hunting Introduction
    • Threat Hunting Process
      • Hypothesis Generation
      • Investigation
      • Identification
      • Resolution & Follow Up
    • Pyramid of Pain
    • MITRE Att&ck
      • MITRE Att&ck Concepts
      • MITRE Att&CK Data Sources
      • MITRE Att&CK Mitigations
    • MITRE Att&ck: AWS
      • MITRE Att&CK Matrix
      • Amazon Web Services Security Control Mappings
    • AWS Threat Hunting Ideas
      • AWS Threat Hunting Ideas: EC2
      • AWS Threat Hunting Ideas: Lambda
      • AWS Threat Hunting Ideas: SQS
      • AWS Threat Hunting Ideas: SNS
      • AWS Threat Hunting Ideas: RDS
Powered by GitBook
On this page
  • Overview
  • Types of AWS Principals
  • Principal Element in AWS Policies
  • Trust Policies and Principals
  1. AWS Fundamentals

AWS Principals

Overview

In AWS, a principal refers to an entity that can make requests to perform actions on AWS resources. It plays a crucial role in AWS Identity and Access Management (IAM) and defines who or what is allowed to interact with a service or resource. AWS uses principals to implement access control by ensuring that only authorized entities can access resources.

Principals can be users, roles, services, or applications—anything that can authenticate and obtain permissions to interact with AWS resources. Let’s dive deeper into the types and concepts around AWS principals.

Types of AWS Principals

  1. IAM User

  2. IAM Role

  3. Federated User

  4. AWS Service

  5. Anonymous User (Unauthenticated Principal)

1. IAM User Principal

  • An IAM user is a human identity that is created within the AWS account.

  • It typically represents an individual person or an application that requires long-term access to AWS resources.

  • IAM users can have access keys, passwords, and multi-factor authentication (MFA) configured to authenticate.

Example Use Case: A DevOps engineer with an IAM user account can interact with the AWS CLI to manage infrastructure.

Example Policy Snippet:

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::123456789012:user/JohnDoe"
  },
  "Action": "s3:ListBucket",
  "Resource": "arn:aws:s3:::my-bucket"
}

This policy grants the user JohnDoe permission to list the contents of an S3 bucket.

2. IAM Role Principal

  • An IAM role is a temporary identity intended for trusted entities like users, applications, or services that need access to AWS resources.

  • Roles are used when short-term access to AWS resources is preferred over long-term credentials.

  • Roles can be assumed by other AWS services, users from other accounts, or federated users.

Example Use Case: An EC2 instance assumes a role to read from an S3 bucket without hard-coding credentials.

Example Policy Snippet:

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::123456789012:role/EC2ReadOnlyRole"
  },
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::my-bucket/*"
}

This policy allows the EC2ReadOnlyRole to read objects from a specific S3 bucket.

3. Federated User Principal

  • Federated users are identities from an external identity provider (IdP) such as Microsoft Active Directory, Google Workspace, or Okta. These identities can temporarily assume AWS roles to access resources within AWS.

  • AWS supports SAML 2.0 or OIDC-based identity federation.

Example Use Case: An employee signs in via their company's Active Directory and accesses AWS services without a dedicated IAM user account.

Example Policy Snippet:

{
  "Effect": "Allow",
  "Principal": {
    "Federated": "arn:aws:iam::123456789012:saml-provider/Okta"
  },
  "Action": "sts:AssumeRoleWithSAML",
  "Resource": "arn:aws:iam::123456789012:role/S3AccessRole"
}

This policy allows a federated user from Okta to assume the S3AccessRole.

4. AWS Service Principal

  • Some AWS services need to interact with other AWS resources on behalf of the user. AWS services like Lambda, EC2, or CodeBuild act as service principals.

  • When these services need access to other AWS resources, they assume roles associated with them.

Example Use Case: A Lambda function assumes a role to write logs to CloudWatch or store data in DynamoDB.

Example Policy Snippet:

{
  "Effect": "Allow",
  "Principal": {
    "Service": "lambda.amazonaws.com"
  },
  "Action": "sts:AssumeRole",
  "Resource": "arn:aws:iam::123456789012:role/LambdaExecutionRole"
}

This policy allows the Lambda service to assume the LambdaExecutionRole.

5. Anonymous User (Unauthenticated Principal)

  • An anonymous user represents any unauthenticated identity—essentially, a request from the internet without any credentials.

  • This is commonly seen in public S3 buckets or API Gateway endpoints that do not require authentication.

Example Use Case: A public website is hosted on an S3 bucket, accessible to anyone without authentication.

Example Policy Snippet:

{
  "Effect": "Allow",
  "Principal": "*",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::my-public-bucket/*"
}

This policy allows anyone (including anonymous users) to read objects from the S3 bucket.

Principal Element in AWS Policies

In AWS IAM policies, the Principal element specifies who the policy applies to. Depending on the use case, the Principal element can reference different types of identities:

  • AWS User or Role: AWS key followed by an ARN (Amazon Resource Name).

  • Federated User: Federated key referencing an external identity provider.

  • Service Principal: Service key representing an AWS service.

  • Anonymous User: Using * to indicate any identity (including unauthenticated users).

Example:

"Principal": {
  "AWS": "arn:aws:iam::123456789012:user/JohnDoe"
}

Trust Policies and Principals

  • Trust policies define which principals can assume a role or access specific resources.

  • They are typically used with IAM roles, allowing other AWS services or users to assume a role and perform actions.

Example Trust Policy for an EC2 role:

code{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

This policy allows EC2 instances to assume the role.

PreviousOrganizational HierarchyNextIAM Fundamentals

Last updated 8 months ago