This repository contains hands-on labs demonstrating advanced AWS Identity and Access Management (IAM) security concepts. Using LocalStack Pro, we simulate a localized AWS cloud environment to practice identity federation, policy evaluation logic, conditional access, and cross-account role assumption without risking real-world cloud environments.
Based on AWS security best practices (SAA-C03), these labs demonstrate:
- IAM Fundamentals: Creating Users, Groups, and attaching Identity-Based Managed Policies.
- Service Roles & Trust Policies: Instead of embedding access keys, we use IAM Roles (Trust Policies + Permissions Policies) to securely grant compute services (like Lambda or EC2) access to other AWS resources.
- Policy Evaluation Logic: Proving that an
Explicit Denyalways overrides anAllow. - Policy Conditions: Restricting the exact types of EC2 instances a user can provision using the
Conditionblock (e.g.,ec2:InstanceType). - Permissions Boundaries: Defining the absolute maximum permissions an IAM entity can have, mitigating the risk of privilege escalation.
- Cross-Account Access & STS: Generating temporary security credentials using
AssumeRolewhile preventing the "Confused Deputy" problem via theExternalIdcondition.
- Docker & Docker Compose
- LocalStack Pro account and Auth Token
awslocalCLI (a wrapper around the AWS CLI for LocalStack)
-
Clone this repository:
git clone https://github.com/awslabs/iam.git cd iam -
Configure your LocalStack Auth Token:
echo "YOUR_TOKEN=your_auth_token_here" > .env
-
Start LocalStack Pro:
docker-compose up -d
Important
Cumulative Architecture: These labs are designed as a cumulative, end-to-end scenario rather than isolated tasks. You are building one evolving architecture as you progress.
Session Persistence: You must run all commands sequentially within the same terminal session. The labs rely on bash variables (like $USER_NAME, $ROLE_ARN, etc.) created in earlier steps. If you close your terminal, these variables will be lost and subsequent labs will fail.
- Lab 1: IAM Fundamentals (Users, Groups, & Policies)
- Lab 2: Service Roles & Trust Policies
- Lab 3: Policy Evaluation Logic (Explicit Deny)
- Lab 4: Policy Conditions (Attribute-Based Access Control)
- Lab 5: Permissions Boundaries
- Lab 6: Cross-Account Access & STS AssumeRole
💡 Pro Tip: Using aws instead of awslocal
If you prefer using the standard aws CLI without the awslocal wrapper or repeating the --endpoint-url flag, you can configure a dedicated profile in your AWS config files.
Add the following to your ~/.aws/config file:
[profile localstack]
region = us-east-1
output = json
# This line redirects all commands for this profile to LocalStack
endpoint_url = http://localhost:4566Add matching dummy credentials to your ~/.aws/credentials file:
[localstack]
aws_access_key_id = test
aws_secret_access_key = testYou can now run commands in two ways:
Option A: Pass the profile flag
aws iam create-user --user-name DevUser --profile localstackOption B: Set an environment variable (Recommended)
Set your profile once in your session, and all subsequent aws commands will automatically target LocalStack:
export AWS_PROFILE=localstack
aws iam create-user --user-name DevUser- Precedence: The AWS CLI (v2) supports a global
endpoint_urlsetting within a profile. When this is set, the CLI automatically redirects all API calls for that profile to your local container instead of the real AWS cloud. - Convenience: This allows you to use the standard documentation commands exactly as written, which is helpful if you are copy-pasting examples from AWS labs or tutorials.