Cloud Deb (@cloudsarefunny)'s Twitter Profile
Cloud Deb

@cloudsarefunny

Just another cloud wrangler at some tech company

ID: 919273972352421888

Joined: 14-10-2017 18:49:29

188 Tweets

35 Followers

19 Following

Ben Kehoe (@ben11kehoe)

Critical #protip: you can compare the principal tag value to the resource tag value, to say things like “only allow access if the role’s project tag matches the resource’s project tag”, without having to manually specify the project name (which is sometimes “pickles”) #reInforce

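The tag comparison in the tweet above, written out as an IAM identity policy. This is an added illustration, not the tweet's own content or an AWS-published policy; the tag key `project`, the EC2 actions and the `Null` check are assumptions. The `Null` condition makes the intent explicit: a principal that carries no `project` tag at all gets nothing, rather than relying on how an unresolved `${aws:PrincipalTag/project}` variable is evaluated.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyWhenProjectTagsMatch",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/project": "${aws:PrincipalTag/project}"
        },
        "Null": {
          "aws:PrincipalTag/project": "false"
        }
      }
    }
  ]
}
```

Because the project name is never spelled out in the policy, the same document can be attached to every project role, and the value (even "pickles") lives only in the tags.
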
Cloud Deb (@cloudsarefunny)

Awesome demo on AWS permissions boundaries, but don't be surprised if I don't share this out with all our dev teams. Some of them may get the idea that this makes it OK to just put the AdministratorAccess policy on everything. 😱

Cloud Deb (@cloudsarefunny)

I haven't heard much talk about stable team rosters, but the last time I switched teams it was to find one with more stability... And I've gotta say, it's awesome! There's a sense of history, of evolution, and more personal investment in building great things.

Cloud Deb (@cloudsarefunny)

"EventBridge Rules" is way too descriptive and makes me visualize it. I'm seeing a big party taking place at a bridge and folks yelling "EventBridge rules!". But the dawn reveals that someone has spray-painted on the bridge "EventBridge sucks!"

Mike Deck (@mikedeck)

I’ve seen a few people ask about the process of building an integration with Amazon EventBridge as a SaaS provider. We’re working on getting some additional, more official materials published, but in the meantime here’s a thread on the technical bits of the process. 1/12

Cloud Deb (@cloudsarefunny)

DX is one of the few services for which I don't have a use case for this granularity, but I like the increased consistency. What's even better is that the IAM docs are already updated. Thank you, #AWS! 🙏 docs.aws.amazon.com/IAM/latest/Use…

Rhino Security Labs (@rhinosecurity)

In part 2 of our AWS privilege escalation series, we discuss 3 new IAM privilege escalation methods abusing Lambda Layers and SageMaker Jupyter Notebooks. bit.ly/2McZaj0

Cloud Deb (@cloudsarefunny)

Hi #awswishlist - Please bring out tag-based access controls for KMS soon. The only supported access control on the IAM side requires the generated identifier for the KMS key, which I don't know in advance.

Scott Piper (@0xdabbad00)

For service roles, remove s3:ListAllMyBuckets and similar List/Describe privs. Code normally knows what buckets it needs to work with, and does not need to list them.

Cloud Deb (@cloudsarefunny)

I know AWS IAM much more deeply than most people who work with AWS can be expected to know it, but wow it gets complicated. Anything AWS can provide to make this easier would be greatly appreciated. Love these ideas!

Cloud Deb (@cloudsarefunny)

How'd I miss this? The #AWS #SystemsManager docs were updated earlier this month to recommend policies which do *not* include R/W access to all S3 buckets in the account. Thank you! docs.aws.amazon.com/systems-manage…

Brigid Johnson (@bjohnso5y)

🍪IAM Access Analyzer has a new treat for all you permission setters out there in #AWS land.🍪Now, Access Analyzer generates policies based on your CloudTrail activity. (1/11) amzn.to/3wzIJlR

Cloud Deb (@cloudsarefunny)

Just watched Jared Naude's talk at fwd:cloudsec. Glad to see he's had some success expanding the shared responsibility model to separate app and infrastructure/platform teams in his work. May be the inspiration I need to help drive this ahead at my company.

Cloud Deb (@cloudsarefunny)

Over half of AWS IAM permissions are Write permissions? No wonder it's so hard to get least privilege right. 😂 #fwdcloudsec