This repository contains hands-on labs demonstrating advanced AWS Identity and Access Management (IAM) security concepts. Using LocalStack Pro, we simulate a localized AWS cloud environment to practice identity federation, policy evaluation logic, conditional access, and cross-account role assumption without risking real-world cloud environments.
Based on AWS security best practices (SAA-C03), these labs demonstrate:
- IAM Fundamentals: Creating Users, Groups, and attaching Identity-Based Managed Policies.
- Service Roles & Trust Policies: Instead of embedding access keys, we use IAM Roles (Trust Policies + Permissions Policies) to securely grant compute services (like Lambda or EC2) access to other AWS resources.
- Policy Evaluation Logic: Proving that an Explicit `Deny` always overrides an `Allow`.
- Policy Conditions: Restricting the exact types of EC2 instances a user can provision using the `Condition` block (e.g., `ec2:InstanceType`).
- Permissions Boundaries: Defining the absolute maximum permissions an IAM entity can have, mitigating the risk of privilege escalation.
- Cross-Account Access & STS: Generating temporary security credentials using `AssumeRole` while preventing the "Confused Deputy" problem via the `ExternalId` condition.
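To make the evaluation rules the labs exercise concrete, the following is an added Python model (not part of this repository and not AWS's actual engine) that applies them to policy documents: a matching explicit Deny wins, a `Condition` such as `ec2:InstanceType` must hold for a statement to apply, and a permissions boundary caps what identity policies can grant. It deliberately models only `StringEquals`/`StringNotEquals` and ignores resource-based policies, SCPs and session policies.

```python
# Simplified IAM policy evaluation model (added example, assumption-laden):
# explicit Deny > permissions boundary must Allow > identity Allow > implicit Deny.
# Policies are plain dicts shaped like IAM JSON documents.
import fnmatch

def _matches(patterns, value):
    """Match an IAM Action/Resource value against a string or list with * and ? wildcards."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_ok(condition, context):
    """Evaluate a Condition block; only StringEquals/StringNotEquals are modelled."""
    for operator, pairs in (condition or {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            allowed = expected if isinstance(expected, list) else [expected]
            present = context.get(key) in allowed  # e.g. ec2:InstanceType == t2.micro
            if (operator == "StringEquals") != present:
                return False
    return True

def _decide(policy, action, resource, context):
    """Return 'Deny', 'Allow' or None (no matching statement) for a single policy."""
    verdict = None
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        if not _condition_ok(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny ends evaluation of this policy
        verdict = "Allow"
    return verdict

def evaluate(identity_policies, action, resource, context=None, boundary=None):
    """Final decision for one request; context holds condition keys like ec2:InstanceType."""
    context = context or {}
    results = [_decide(p, action, resource, context) for p in identity_policies]
    boundary_result = _decide(boundary, action, resource, context) if boundary else "Allow"
    if "Deny" in results or boundary_result == "Deny":
        return "Deny"
    if boundary_result != "Allow":
        return "Deny"  # the boundary caps the entity; an Allow outside it is ineffective
    return "Allow" if "Allow" in results else "Deny"
```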
Prerequisites:
- Docker & Docker Compose
- LocalStack Pro account and Auth Token
- `awslocal` CLI (a wrapper around the AWS CLI for LocalStack)

Setup:
1. Clone this repository:
   ```bash
   git clone https://github.com/awslabs/iam.git
   cd iam
   ```
2. Configure your LocalStack Auth Token:
   ```bash
   echo "YOUR_TOKEN=your_auth_token_here" > .env
   ```
3. Start LocalStack Pro:
   ```bash
   docker-compose up -d
   ```
Important:
- Cumulative Architecture: These labs are designed as a cumulative, end-to-end scenario rather than isolated tasks. You are building one evolving architecture as you progress.
- Session Persistence: You must run all commands sequentially within the same terminal session. The labs rely on bash variables (like `$USER_NAME`, `$ROLE_ARN`, etc.) created in earlier steps. If you close your terminal, these variables will be lost and subsequent labs will fail.