AWS Accounts as Security Boundaries — 97+ Ways Data Can be Shared Across Accounts

See the full list here.

TL;DR

Background

Poor Isolation Practices

Single Points of Failure

Lack of Scoped User Permissions

Mixing Environments

The “Underpants Problem”

Exploiting Misconfigurations

Public AMIs

S3 ACLs

The implication of choosing “AuthenticatedUsers” is much clearer now: that grantee is any AWS account in the world that signs its request, not just the users of your own account.
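The check a practitioner wants after reading that is a way to tell, from a bucket's ACL, whether any grant reaches outside the owning account. The following is an added example, not code from the original article or from CloudSploit; it parses the JSON shape that S3's GetBucketAcl returns (the output of `aws s3api get-bucket-acl` or boto3's `get_bucket_acl`), so it runs offline on the constructed response embedded below. The group URIs are the real predefined S3 groups; the owner and grantee IDs in the sample are made up.

```python
"""Classify S3 ACL grants by how far beyond the bucket owner they reach.

Added example: parses a GetBucketAcl-style response and flags grants to the
public, to "any AWS account" (AuthenticatedUsers), or to a foreign account.
"""

# Predefined S3 groups. "AuthenticatedUsers" is *every* AWS account, not the
# accounts in your organization; "AllUsers" is anonymous (public) access.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"


def classify_grant(grant, owner_id):
    """Return (scope, permission) for one ACL grant.

    scope is one of: 'owner', 'public', 'any-aws-account', 'foreign-account',
    'log-delivery', 'unknown-group'.
    """
    grantee = grant["Grantee"]
    perm = grant["Permission"]
    if grantee["Type"] == "Group":
        uri = grantee["URI"]
        if uri == ALL_USERS:
            return ("public", perm)
        if uri == AUTHENTICATED_USERS:
            return ("any-aws-account", perm)
        if uri == LOG_DELIVERY:
            return ("log-delivery", perm)
        return ("unknown-group", perm)
    if grantee["Type"] == "CanonicalUser" and grantee["ID"] == owner_id:
        return ("owner", perm)
    # Any other canonical user is another AWS account. Grants made by e-mail
    # address are stored as CanonicalUser too, so this branch covers them.
    return ("foreign-account", perm)


def find_exposures(acl):
    """Return [(scope, permission), ...] for every grant that leaves the owner."""
    owner_id = acl["Owner"]["ID"]
    exposures = []
    for grant in acl["Grants"]:
        scope, perm = classify_grant(grant, owner_id)
        if scope in ("public", "any-aws-account", "foreign-account"):
            exposures.append((scope, perm))
    return exposures


# Constructed sample response (IDs are fake 64-hex canonical user IDs).
OWNER_ID = "a" * 64
OTHER_ACCOUNT_ID = "b" * 64
SAMPLE_ACL = {
    "Owner": {"ID": OWNER_ID, "DisplayName": "example-owner"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
        {"Grantee": {"Type": "CanonicalUser", "ID": OTHER_ACCOUNT_ID},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY},
         "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    for scope, perm in find_exposures(SAMPLE_ACL):
        print(f"{scope}: {perm}")
```

Against a live bucket, feed it the output of `aws s3api get-bucket-acl --bucket <name>`; the log-delivery grant is left out of the findings on purpose because it is the normal grant for S3 server access logging, while a READ grant to AuthenticatedUsers is the exact misconfiguration the text describes.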

Route53 Dangling Records

Other Resources

Cross-Account Resource Sharing

How Resources Are Shared

Getting (Almost Too) Technical

ELBs run in AWS-owned accounts and data crosses into customer accounts

Caveats

IAM Cross-Account Assume Role
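The page names cross-account AssumeRole as the sharing mechanism here without showing what the trust side looks like. As an added example (not the article's or CloudSploit's code), the block below parses a role trust policy in the form IAM's GetRole returns in `AssumeRolePolicyDocument` and lists every AWS principal that sits outside a set of accounts you declare as your own, noting whether the statement at least requires an `sts:ExternalId`. The policy and the account numbers are constructed for the example; the `own_accounts` parameter and function names are assumptions of this example, not an AWS API.

```python
"""List external accounts that a role's trust policy allows to assume it.

Added example: runs offline on a constructed trust policy document.
"""
import json
import re

# Captures the account ID out of an IAM ARN (any partition: aws, aws-cn, ...).
ARN_ACCOUNT_RE = re.compile(r"^arn:aws[a-z\-]*:iam::(\d{12}):")


def principal_accounts(principal):
    """Yield (account, raw) for each AWS-account principal in a statement.

    account is '*' for a wildcard, a 12-digit ID for account IDs and ARNs,
    and None if the entry cannot be mapped to an account.
    Service and Federated principals are not yielded; they are not accounts.
    """
    if principal == "*":
        yield ("*", "*")
        return
    entries = principal.get("AWS", [])
    if isinstance(entries, str):
        entries = [entries]
    for raw in entries:
        if raw == "*":
            yield ("*", raw)
        elif re.fullmatch(r"\d{12}", raw):
            yield (raw, raw)
        else:
            match = ARN_ACCOUNT_RE.match(raw)
            yield (match.group(1) if match else None, raw)


def requires_external_id(statement):
    """True if any condition block in the statement keys on sts:ExternalId."""
    condition = statement.get("Condition", {})
    return any("sts:ExternalId" in keys for keys in condition.values())


def external_trusts(policy_json, own_accounts):
    """Return findings for Allow sts:AssumeRole statements trusting outsiders."""
    policy = json.loads(policy_json)
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        ext_id = requires_external_id(st)
        for account, raw in principal_accounts(st.get("Principal", {})):
            if account is None:
                continue
            if account == "*" or account not in own_accounts:
                findings.append(
                    {"principal": raw, "account": account, "external_id": ext_id})
    return findings


# Constructed trust policy: a service principal, a same-account role, and a
# third-party account that is required to present an external ID.
OWN_ACCOUNTS = {"111111111111"}
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/Deployer"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}},
    ],
})

if __name__ == "__main__":
    for finding in external_trusts(SAMPLE_TRUST_POLICY, OWN_ACCOUNTS):
        print(finding)
```

Run it over `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` for each role; a `"*"` account or a trusted account missing from your list is exactly the kind of cross-account path the rest of this article catalogs, and an entry with `external_id` false is the weaker form of it.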

AWS Organizations

AWS Resource Access Manager (RAM)

Risk Level Reasoning

Access Analyzer

ACM Private Certificate Authority

API Gateway

AppFlow

App Mesh

AppSync

Artifact

Athena*

Audit Manager

Backup

Batch*

Budgets

CloudFormation

CloudFront*

CloudHSM

CloudSearch

CloudTrail

CloudWatch

CodeArtifact

CodeBuild

CodePipeline*

Cognito

Compute Optimizer

Config

Detective

Direct Connect

Directory Service

Data Lifecycle Manager (DLM)*

Database Migration Service (DMS)*

DocumentDB

DynamoDB*

Elastic Block Store (EBS)

Elastic Compute Cloud (EC2)

Elastic Container Registry (ECR)

Elastic File System (EFS)

Elastic Load Balancing (ELB)

Elastic Map Reduce (EMR)

EventBridge

Firehose

Firewall Manager

Glacier

Glue

GuardDuty

Health

Identity Access Management (IAM)

Image Builder

Key Management Service (KMS)

Lake Formation

Lambda

License Manager

Macie

Marketplace

Network Firewall

Organizations*

Outposts

QuickSight

Resource Access Manager (RAM)*

RDS

Redshift

Route53

Simple Storage Service (S3)

Secrets Manager

Security Hub

Service Catalog

Service Quotas

Simple Email Service (SES)

Shield*

Single Sign On (SSO)

Simple Notification Service (SNS)

Simple Queue Service (SQS)

Systems Manager

Trusted Advisor

VPC

Managing Shared Access

Founder of @CloudSploit , acquired by @AquaSecTeam . Former Infra / Security / Manager @Adobe , @Aviary & @Mozilla intern, @RITtigers grad, @NYC resident
