AWS IAM, demystified

Short, opinionated guides to the IAM patterns that actually matter in production.

Reading CloudTrail to debug AccessDenied
AWS error messages don't tell you why a request was denied. CloudTrail does — if you know which fields to read.
Tags: cloudtrail, debugging, audit
Auditing IAM with AWS IAM Access Analyzer
Access Analyzer is the free AWS service that finds resources shared outside your account or org. It's the first thing to enable on a new account and the last thing most teams remember to check.
Tags: audit, access-analyzer, tooling
Cross-account access: four patterns and when to use each
Cross-account in AWS can mean four different things. Picking the wrong pattern leads to either a security gap or weeks of debugging trust policies.
Tags: cross-account, patterns, trust-policy
10 IAM privilege escalation paths to know
Most privilege escalation in AWS doesn't require iam:* — it requires one specific action plus a service that consumes roles. Here are the patterns to grep your policies for.
Tags: privilege-escalation, security, audit
MFA enforcement patterns that actually work
There are three ways to require MFA in AWS IAM. Two of them are commonly recommended and only one of them works the way most people expect.
Tags: mfa, security, patterns
Trust policies vs. identity policies
AWS uses the same JSON syntax for two completely different documents. Confusing them is how engineers accidentally make roles assumable by the wrong principals.
Tags: trust-policy, fundamentals, roles
Resource policies vs identity policies
Same JSON syntax, different semantics, attached in different places. Knowing which kind you're writing changes how you should think about Principal and Resource.
Tags: fundamentals, resource-policy
Permission boundaries: the IAM ceiling
Permission boundaries cap what an identity can do, regardless of which policies are attached. They're how you safely delegate IAM creation to other engineers.
Tags: permission-boundaries, delegation, advanced
iam:PassRole, explained
PassRole is the most-misunderstood IAM action. It looks innocuous, it's required for almost every serverless workflow, and it's the entry point to a whole class of privilege-escalation attacks.
Tags: passrole, privilege-escalation, fundamentals
Service Control Policies (SCPs), demystified
SCPs are guardrails for an entire AWS organization. They don't grant permissions — they cap what's possible, even for root.
Tags: scp, organizations, guardrails
Why IAM wildcards are dangerous
The * character in an IAM policy is a productivity tool that quietly grants more access than most engineers realize. Here's how to spot it and what to do instead.
Tags: wildcards, least-privilege, fundamentals
IAM Conditions: the field that does the heavy lifting
Most over-permissioned roles became dangerous the moment someone removed a Condition block. Here are the conditions that actually matter and how to use them.
Tags: conditions, fundamentals, least-privilege
Allow vs Deny: how IAM evaluation actually works
Deny always wins — but the order in which AWS checks SCPs, permission boundaries, identity policies, and resource policies determines whether a request gets there at all.
Tags: fundamentals, evaluation, deny
How to read an IAM policy
A field guide to the JSON. Five fields do almost all the work — once you know what each one means and how they interact, the rest is mostly memorization.
Tags: fundamentals, syntax