IAM
- curl http://169.256.169.254/latest/meta-data/iam/security-credentials whill show current role
- curl http://169.256.169.254/latest/meta-data/iam/security-credentials/$ROLE_NAME will give current security-credentials
IAM Boundaries
- Denies the action if something is out of Boundaries
- A separated iam policy just to define Boundaries
Policy evaluation top-down
- Explicit deny
- SCP
- Resource independent policies
- Session policies
- Identity policies
Tips
- Invalidate existing sessions:
- Attach an iam role
- Apply a Revoke Policy based on a date (iam policy conditional)