Shadow IT
Sometimes business units go around corporate IT, procurement, legal, and security when they need to get the job done quickly. This leads to security teams not knowing what they need to protect and systems not built to IT or Security standards.
Amazon S3
Amazon S3 (Simple Storage Service) is the hosted object storage service. Objects are stored in Buckets. To highly simplify the concept of object storage, Buckets are key-value stores, with the Object Key being a full pathname for a file and the value being the contents of the file. S3 is a publicly hosted service – it doesn’t exist behind a corporate firewall, making it convenient for hosting public content. AWS has an entire feature set around hosting a public website in S3.
AWS IAM
Excluding a few older services like Amazon S3, all requests to AWS services must be signed. This is typically done behind the scenes by the AWS CLI or the various Software development Kits that AWS provides. The signing process leverages IAM Access Keys. These access keys are one of the primary ways an AWS account is compromised.
IAM Access Keys
IAM Access Keys consist of an Access Key ID and the Secret Access Key.
Access Key IDs always begin with the letters AKIA and are 20 characters long. These act as a user name for the AWS API. The Secret Access Key is 40 characters long. AWS generates both strings; however, AWS doesn’t make the Secret Access Key available to download after the initial generation.
There is another type of credentials, short-term credentials, where the Access Key ID begins with the letters ASIA and includes an additional string called the Session Token.
AWS ARNs
An Amazon ARN is their way of generating a unique identifier for all resources in the AWS Cloud. It consists of multiple strings separated by colons.
The format is:
arn:aws:<service>:<region>:<account_id>:<resource_type>/<resource_name>
This was one of the harder labs and I referenced this video to solve the challenges. Good learning on AWS public S3 buckets and IAM.