1
00:00:04,260 --> 00:00:04,980
Okay.

2
00:00:05,260 --> 00:00:06,660
Well, welcome everybody.

3
00:00:06,660 --> 00:00:07,460
My name is X-Ray.

4
00:00:07,460 --> 00:00:12,600
This is the DEF CON 30 AltspaceVR Village for DEF CON groups.

5
00:00:12,720 --> 00:00:14,280
So, welcome.

6
00:00:14,280 --> 00:00:17,220
And our speaker is Jim Shaver.

7
00:00:17,580 --> 00:00:21,800
He's going to be talking about AWS Metadata Privilege Escalation.

8
00:00:21,800 --> 00:00:29,060
Jim is a pentester, offensive cloud security researcher, and public speaker with 13 years of IT and security experience.

9
00:00:29,060 --> 00:00:31,080
So, Jim, go ahead and take it away.

10
00:00:31,860 --> 00:00:32,940
All right.

11
00:00:33,120 --> 00:00:35,340
I'm going to stand by the podium so I'm heard.

12
00:00:35,720 --> 00:00:40,480
Today we're going to be talking about AWS privilege escalation.

13
00:00:40,980 --> 00:00:50,300
And when I talk about privilege escalation, I'm mostly talking about the API and sort of the back end of AWS.

14
00:00:50,300 --> 00:00:59,800
I'm not specifically talking about, like, necessarily operating system privilege escalation, although operating systems will be involved.

15
00:00:59,800 --> 00:01:00,580
Okay.

16
00:01:00,700 --> 00:01:02,100
Next slide, please.

17
00:01:04,740 --> 00:01:05,080
All right.

18
00:01:05,080 --> 00:01:10,660
So, some of the things we're going to be talking about today are how authentication works within AWS.

19
00:01:10,660 --> 00:01:15,460
We're going to be talking about the Instance Metadata Service, IMDS.

20
00:01:15,600 --> 00:01:18,600
I will just call it the Metadata Service.

21
00:01:19,320 --> 00:01:31,540
I'm going to be talking about various modes of escalation, as well as several tools and resources that you can use, some of which I have written and some of which other people have written.

22
00:01:32,060 --> 00:01:33,500
Next slide, please.

23
00:01:34,840 --> 00:01:35,800
All right.
24
00:01:35,800 --> 00:01:38,640
So, this is what IMDS looks like.

25
00:01:38,700 --> 00:01:48,980
If you're on an EC2 virtual machine, you can just curl this IP address, 169.254.169.254.

26
00:01:49,320 --> 00:01:52,220
You'll notice it's kind of an unusual IP address.

27
00:01:52,220 --> 00:01:59,740
If you've seen or been on a network that doesn't have DHCP working properly, you've probably gotten a 169 address.

28
00:02:00,020 --> 00:02:05,280
And you can think of that IP space as an IP space that is non-routable.

29
00:02:05,280 --> 00:02:08,240
And in order to avoid collisions with 10.

30
00:02:08,240 --> 00:02:20,280
and 172 and 192 addresses, Amazon chose a 169 address for this non-routable interaction with the IMDS service.

31
00:02:20,620 --> 00:02:25,400
Just a little bit of background on what the Metadata Service is.

32
00:02:25,400 --> 00:02:38,540
It's a little bit of semi-dynamic data that the operating system uses for its own purposes, for whatever it needs.

33
00:02:38,540 --> 00:02:51,680
So, things that are included are kind of benign things like the AMI ID and MAC addresses, network information, even the region that the virtual machine is running in.

34
00:02:51,680 --> 00:02:54,460
So, us-east-1, for example.

35
00:02:54,460 --> 00:03:12,200
But also other more interesting things for attackers in here, things like user data, which is like the machine startup script, or even the machine's own identity credentials and role-based credentials that the machine may have been granted.

36
00:03:13,660 --> 00:03:19,180
And so, these credentials you can think of as sort of the machine account, quote-unquote.

37
00:03:19,300 --> 00:03:21,020
Next slide, please.

38
00:03:22,100 --> 00:03:43,200
All right, so this is an example of a simple, I guess, SSRF where you have a proxy parameter that's injectable with this local IP, this 169 address, and it returns a role.
39
00:03:43,200 --> 00:03:56,280
So, /latest/meta-data, this is actually returning a text response from the metadata service within the virtual machine that's running this web application, okay?

40
00:03:56,620 --> 00:04:11,000
And what makes this kind of like the machine account, you can think of, like, in the Windows world, you can give, like, an Active Directory machine, like, domain admin, for example.

41
00:04:11,000 --> 00:04:14,040
Nobody does it, but it's something that's technically possible.

42
00:04:14,040 --> 00:04:26,560
It's much more common in AWS to give EC2 instances roles, which means they typically have permissions and policies either attached or assumable or whatever through those roles.

43
00:04:27,240 --> 00:04:33,900
So, if you go into /latest/meta-data/iam/security-credentials, and then there's a whole bunch of stuff.

44
00:04:33,900 --> 00:04:38,680
In this case, this role name is called EC2 default SSM.

45
00:04:39,500 --> 00:04:59,120
If you then sort of browse to that role name, what will happen is it will show you a JSON response that is an access key ID, secret access key, and then a token that changes every once in a while.

46
00:04:59,120 --> 00:05:27,460
This is the authentication for this role for this machine, so that when the machine does certain administrative tasks, it can authenticate using these credentials, and they kind of work like long-lived API keys for AWS, but they're used via the short token service instead of long-lived API keys.

47
00:05:27,460 --> 00:05:36,740
So, the way that you can tell that that is happening is the first four letters of the key ID are ASIA, whereas long-lived keys are AKIA.

48
00:05:36,880 --> 00:05:41,760
Okay, so we'll see another example of that later as well.

49
00:05:41,760 --> 00:05:43,220
Next slide, please.

50
00:05:44,760 --> 00:05:46,540
Okay, ways to get at IMDS.

51
00:05:46,540 --> 00:05:55,020
So, obviously, you can imagine a bad guy wants to get at the IMDS service of an EC2 instance.
52
00:05:55,020 --> 00:05:57,480
An EC2 instance is in a VPC.

53
00:05:57,700 --> 00:06:06,380
Maybe it has a public interface where there's some sort of vulnerability, or the bad guy has somehow gotten into the virtual machine.

54
00:06:06,680 --> 00:06:11,140
Some of the ways that that can happen is you can be on the box.

55
00:06:11,140 --> 00:06:15,900
So, if you get a shell on the box, you can just use curl, like we did in some of the previous examples.

56
00:06:15,900 --> 00:06:21,360
So, in that case, you would just curl this web address, and then you would go from there.

57
00:06:21,960 --> 00:06:39,780
There's also examples of command injection and SSRF, where if you are able to, you know, render a web page or something like that, the results of a command, then you can also display the contents of the metadata service.

58
00:06:39,780 --> 00:07:09,860
There are also more novel examples that vendors and service providers haven't always thought about, in terms of some sort of SSH key for bastion access, or if they give you, you know, there's some sort of reverse tunnel they use for support or VPN keys that they use to connect to a box in EC2.

59
00:07:10,240 --> 00:07:32,020
Even if they disable, like, SSH access to the EC2 instance, you may disable the tunnel network traffic over SSH via SOCKS into the EC2 instance, and you can reach a local address, even though you're routing across the internet, you can still reach that local address over a SOCKS connection.

60
00:07:33,560 --> 00:07:52,060
So, in that case, you would just, you know, have a browser or whatever tool that supported SOCKS, and then you would tell it what SOCKS proxy to use, and you would just query the 169 address with curl or whatever tool you're using to access the metadata service.

61
00:07:52,420 --> 00:07:53,600
Next slide, please.

62
00:07:55,280 --> 00:07:56,580
All right, so using the creds.

63
00:07:56,580 --> 00:07:59,080
So, we've gotten this JSON response.
64
00:07:59,340 --> 00:08:07,020
Basically, what we do is, this is an example of long-lived credentials.

65
00:08:07,020 --> 00:08:10,360
So, you see, like, AKIA, these are obviously example credentials.

66
00:08:11,780 --> 00:08:19,960
So, that's what normal, like, API keys that you might find on, like, your average developer's machine look like.

67
00:08:19,960 --> 00:08:26,100
And this is an AWS credentials file that might exist on their laptop or on your laptop.

68
00:08:27,920 --> 00:08:37,440
You can also, so you can also just use the tools that are on the box to interact with the AWS CLI, or pull your tools onto the box, if you can do that.

69
00:08:37,440 --> 00:08:51,160
But if you can get to this, you can just copy all of the data out of here, copy it to, you know, a box that you're using that has all your tools on it, and then put it in your AWS credentials file and use it as a profile for authenticating.

70
00:08:51,160 --> 00:09:00,140
So, then, when you're using tools like the AWS CLI, you just say, AWS profile, AWS session zero, which is what we have here.

71
00:09:00,140 --> 00:09:05,440
And then we run whatever commands using the CLI that we have.

72
00:09:05,440 --> 00:09:15,760
So, in this case, we're just doing a really basic sts get-caller-identity, which is, if you're familiar with AWS, this is a thing that tells you, like, information about the account that you're running in.

73
00:09:15,760 --> 00:09:19,840
It's a good way to check to make sure that the credentials are valid.

74
00:09:19,840 --> 00:09:20,720
Okay.

75
00:09:21,660 --> 00:09:23,460
Next slide, please.

76
00:09:24,780 --> 00:09:30,120
Okay, so I'm not going to talk really about IAM policies because they are complicated.
77
00:09:30,120 --> 00:09:48,850
There's lots of ways that policies can be associated with a user directly, either through inline policies that are directly attached to the user, managed policies that are associated with the user, inline policies that are associated with a group, managed policies that are associated with a group,

78
00:09:48,850 --> 00:09:52,230
attached or passed roles, etc.

79
00:09:52,230 --> 00:09:58,850
There's also service control policies and permission boundaries that are used in more advanced environments.

80
00:09:59,230 --> 00:10:09,430
And there are some limitations to privilege escalation that I'm not going to get super deep into today because it's really complicated.

81
00:10:09,430 --> 00:10:14,610
Even some of the tools don't even understand a lot of the nuance that's out there.

82
00:10:14,610 --> 00:10:16,730
Next slide, please.

83
00:10:17,890 --> 00:10:27,030
And that's because this is like the decision tree of how policies and that type of thing happen according to AWS.

84
00:10:27,030 --> 00:10:29,290
And even this doesn't include all of the nuance.

85
00:10:29,290 --> 00:10:41,330
So there's a very thorough decision tree around how AWS makes decisions around whether or not you or a resource in your environment has permissions to do something.

86
00:10:42,810 --> 00:10:44,110
Next slide, please.

87
00:10:45,850 --> 00:10:51,190
All right, so some ways that you can use the creds.

88
00:10:52,750 --> 00:10:57,810
Most of the examples we're going to be using today are with the AWS CLI.

89
00:10:59,210 --> 00:11:02,690
But there are also lots of other ways that you can do it.

90
00:11:02,690 --> 00:11:07,410
You can use Boto3, which is the Python SDK for AWS.

91
00:11:07,410 --> 00:11:21,830
It just sort of takes you the next step after the AWS CLI, allows you to chain multiple things together and write, like, a Python script that understands how to talk to the AWS API.
92
00:11:22,310 --> 00:11:25,510
There's other SDKs as well that you could also use.

93
00:11:26,730 --> 00:11:43,750
There's a pretty good tool written by Rhino Security Labs called AWS Escalate that can just sort of try to brute force and figure out whether or not you have an escalatable path to escalation within AWS.

94
00:11:44,310 --> 00:11:50,770
And we're going to talk through some of those paths manually here in a little bit using the AWS CLI instead.

95
00:11:50,770 --> 00:11:59,910
There's also a really good framework called Pacu, also by Rhino Security Labs, that you can dockerize and all of that.

96
00:11:59,910 --> 00:12:15,630
And it's basically a Python application that gives you a menu and you can sort of step it through all of the ways it can escalate and other enumeration.

97
00:12:15,630 --> 00:12:18,330
It's like a Swiss Army knife, basically.

98
00:12:18,330 --> 00:12:22,770
There's a couple of tools that I have written that I've thrown in here as well.

99
00:12:22,770 --> 00:12:24,450
One is called RedBoto.

100
00:12:25,110 --> 00:12:45,350
And basically it is a set of tools that either do enumeration or do interesting things with operating systems within AWS or connect to SSM, which is basically like SCCM for AWS, and other interesting things.

101
00:12:45,350 --> 00:13:07,610
There's also a tool called FederateMe, which is... I'm not sure if AWS has actually fixed this as a thing, but basically it uses federation to go from credentials to an AWS console, which is the web user interface of AWS.

102
00:13:07,610 --> 00:13:16,910
And sometimes it's just easier to work in the web interface than it is to work via CLI or API or with various tools.

103
00:13:16,910 --> 00:13:20,050
So it is just easier to just pop open a browser.

104
00:13:20,050 --> 00:13:35,450
So what FederateMe does is basically you give it your credentials and it creates a signed login federation link that will pop you into the console, even as an EC2 instance or whatever.
105
00:13:35,450 --> 00:13:41,050
And you have the ability to do whatever it is that that machine would be able to do if it could log into the console.

106
00:13:43,190 --> 00:13:53,270
There's also another tool called enumerate-iam, which is a good enumeration tool of different IAM permissions.

107
00:13:53,270 --> 00:13:59,490
IAM is the system in which you do all of your identity and access management within AWS.

108
00:13:59,490 --> 00:14:02,650
A lot of tools obviously revolve around that.

109
00:14:02,950 --> 00:14:13,690
Also, the best resource out there on the internet with offensive security, Red Team, AWS, and other cloud information is Hacking the Cloud.

110
00:14:13,830 --> 00:14:22,950
It's maintained by Nick Frichette and it's very high quality and the best resource out there for this type of information.

111
00:14:22,950 --> 00:14:30,770
I have references throughout the rest of the presentation to some articles on that.

112
00:14:31,670 --> 00:14:32,790
Next slide.

113
00:14:35,170 --> 00:14:45,010
All right, so a couple of more easy ways to escalate that I'm not going to demonstrate because I think you can kind of imagine what they might look like.

114
00:14:45,010 --> 00:14:54,830
One of the ways that you can escalate is you can pillage S3 buckets for other creds.

115
00:14:54,830 --> 00:15:03,010
You might get onto a virtual machine that has some role credentials that may have access to some S3 buckets.

116
00:15:03,010 --> 00:15:27,810
If you are doing sort of a gray box assessment on the environment and you have, like, a Scout report or something like that, you can know what the role credentials have as permissions and what S3 buckets they may have access to with that report.

117
00:15:27,810 --> 00:15:38,910
It may not be actually obvious to you or even possible for you to know without brute forcing what permissions that role that you have access to has, what it can do.
118
00:15:38,910 --> 00:16:03,730
So if it's more of a gray box assessment and you've got the capability to do a Scout report with ScoutSuite, whatever they're calling it this week, then this can be a good way to find other credentials that developers or other people have left laying around or that might have higher privilege than what you have.

119
00:16:03,730 --> 00:16:16,870
It's very common for EC2 instances to be granted roles that have access to S3 buckets and nothing else because that's one of the ways that they get data in and out of the EC2 instance.

120
00:16:16,870 --> 00:16:19,670
And so it's very common for them to have that access.

121
00:16:19,670 --> 00:16:32,870
And then it's common for, you know, them not to lock down to specific S3 buckets, and they may have access to, like, you know, the Terraform S3 bucket or, you know, what have you.

122
00:16:32,870 --> 00:16:38,290
There's lots of ways that they can get permissive access to the environment's S3 buckets.

123
00:16:39,150 --> 00:16:41,610
Another area is user data.

124
00:16:41,610 --> 00:16:50,610
I talked about that a little bit earlier, and it's basically a Base64-encoded script that the machine runs at startup.

125
00:16:50,610 --> 00:17:11,050
And those role credentials that we've been talking about may have the ability to read the user data of other EC2 instances and other virtual machines in the environment.

126
00:17:11,050 --> 00:17:21,570
And so sometimes people put things in the startup script, assuming that they as the administrators are the only people that read that stuff.

127
00:17:21,570 --> 00:17:27,310
And it actually doesn't take a lot of permission to be able to read an EC2 instance's startup script.

128
00:17:27,310 --> 00:17:37,350
So you should really treat that stuff as, you know, a sensitive thing and use other means to get secrets and that type of thing onto the box.

129
00:17:38,030 --> 00:17:39,410
Next slide, please.
130
00:17:41,050 --> 00:17:51,750
All right, so we're going to talk about our first IAM policy or permission that allows you to escalate.

131
00:17:51,750 --> 00:17:58,230
So if you have iam:AddUserToGroup, this one's like a really basic privilege escalation.

132
00:17:58,230 --> 00:18:00,710
So obviously you're not administrator.

133
00:18:00,750 --> 00:18:15,670
If you have the ability to add any user to any group, then, you know, you could just run the AWS CLI command, you know, iam add-user-to-group, user name Alice, group name administrators.

134
00:18:15,670 --> 00:18:23,930
And if you're able to run that command, you've just privilege escalated the user Alice to administrator in the AWS account.

135
00:18:23,930 --> 00:18:35,130
Okay, so it might seem like a super obvious way to privilege escalate, but it's an example of the type of thing that I'm talking about.

136
00:18:35,790 --> 00:18:37,670
Next slide, please.

137
00:18:38,870 --> 00:18:47,110
One that's pretty straightforward, but also a little bit more nuanced, is iam:CreateAccessKey.

138
00:18:47,110 --> 00:18:59,190
So in this case, you are running, you know, iam create-access-key for the user name admin Bob.

139
00:18:59,190 --> 00:19:08,650
So basically you're saying, I want to create an access key for this very privileged user that I know is privileged, and I want to have their access key, basically.

140
00:19:08,690 --> 00:19:09,410
Okay.

141
00:19:13,530 --> 00:19:15,290
Okay, next slide, please.

142
00:19:18,720 --> 00:19:20,620
All right.

143
00:19:21,540 --> 00:19:24,060
PassRole and RunInstances.

144
00:19:24,060 --> 00:19:27,220
Okay, PassRole is more complicated.

145
00:19:29,020 --> 00:19:36,940
Because basically, this gets into resource-based privilege escalation.

146
00:19:36,940 --> 00:19:40,920
So in this case, you are not doing the privilege escalation.

147
00:19:40,920 --> 00:19:47,920
In fact, you are spinning up a virtual machine that is doing the actual escalation.
148
00:19:47,920 --> 00:19:58,920
Okay, so the way that PassRole works is you are given the ability to pass a role to a resource, that being the virtual machine.

149
00:19:59,000 --> 00:20:05,120
And then you run that instance with a role that is very permissioned, very well permissioned.

150
00:20:05,120 --> 00:20:20,600
And then you have that resource, the virtual machine, run a user data script that executes some AWS commands that create an administrator user for you, for example.

151
00:20:20,600 --> 00:20:21,200
Okay.

152
00:20:21,760 --> 00:20:29,200
A lot of people get tripped up on this one; they think that they need to have SSH access to the EC2 instance once they spin it up.

153
00:20:29,200 --> 00:20:37,620
In fact, if you specify user data, the code executes and you don't need to be on the box for it to happen.

154
00:20:37,660 --> 00:20:44,600
You don't need to have a VPC that you can SSH into, as an example.

155
00:20:44,600 --> 00:20:48,480
There's lots of things that make this a lot easier.

156
00:20:49,800 --> 00:20:53,900
And so there are some limitations on this one.

157
00:20:53,900 --> 00:20:59,440
Obviously, you need to be able to pass a role that matters and exists.

158
00:20:59,440 --> 00:21:03,200
You need to be able to run arbitrary instances.

159
00:21:03,660 --> 00:21:11,980
And there also needs to be an instance profile that is privileged enough that can do the thing that you want it to do for you.

160
00:21:12,060 --> 00:21:15,740
So there's a lot of moving parts that are involved with this one.

161
00:21:15,740 --> 00:21:20,780
But that is how you do that one.

162
00:21:21,640 --> 00:21:23,010
Next slide, please.

163
00:21:25,600 --> 00:21:29,010
There are also many other types of privilege escalation.

164
00:21:29,010 --> 00:21:46,370
So there are other services within AWS that are not even commonly used by the majority of AWS customers.
165
00:21:46,370 --> 00:21:58,430
So, like, Glue and Data Pipeline and CodeStar are all DevOps-y type things that are used by some very advanced environments.

166
00:21:58,430 --> 00:22:07,250
They absolutely have methods, if configured incorrectly, that allow you to privilege escalate.

167
00:22:07,250 --> 00:22:17,670
Another one that I didn't include in the slides because it works very similarly to the EC2 instance one that we just talked about is Lambda.

168
00:22:17,670 --> 00:22:21,890
Lambda is like the serverless functionality within AWS.

169
00:22:21,890 --> 00:22:51,610
And essentially, if you have PassRole and CreateFunction, InvokeFunction, maybe a couple of other things, you can do the same thing with Lambda that we did with that EC2 instance, where you can have the serverless Lambda function do all of the IAM functions that create a user or make you an administrator or whatever it is that you use to privilege escalate.

170
00:22:53,970 --> 00:22:55,290
Next slide, please.

171
00:22:56,890 --> 00:23:05,810
All right, so another tool that I have not really talked about publicly, but I released about a month ago, is this thing called Red AEMM.

172
00:23:05,810 --> 00:23:21,190
And basically what it is, is I wanted to solve the problem of how do you have a cloud section to a CTF, okay?

173
00:23:21,190 --> 00:23:29,830
And there are cloud CTFs out there that are like flaws.cloud, and they're just sort of publicly on the internet.

174
00:23:29,830 --> 00:23:36,650
And what happens with those CTFs is that you're very limited in scope in terms of what you can do.

175
00:23:36,650 --> 00:23:46,510
And there's a lot of risk in setting them up because you're hooking somebody up to a real AWS account that could not only get hacked, but also cost you a lot of money if it gets hacked.

176
00:23:46,670 --> 00:23:54,390
And so this disincentivizes people from having cloud CTF type things.
177
00:23:54,390 --> 00:24:06,650
And so one of the things that I wanted to solve the problem with was how do we teach people about the metadata service, but don't hook them up to a real metadata service in EC2.

178
00:24:07,090 --> 00:24:18,130
And so what I came up with was, AWS actually has a project called the Amazon EC2 Mock Metadata Service.

179
00:24:18,130 --> 00:24:29,590
It's a fake metadata service that is a Go application and a Docker container that emulates a real metadata service.

180
00:24:29,590 --> 00:24:51,350
And it's used for DevOps type testing, where you need to test something that needs to interact with the metadata service, but isn't, for whatever reason, you want it to talk to a fake metadata service just because it's easier for you or it doesn't need to be in AWS or whatever the reason is.

181
00:24:51,350 --> 00:25:11,370
And so I forked that and basically developed a front end that is a very basic SSRF, and this is an example challenge of, like, hey, if you put proxy and then the domain name, this is how this proxy works.

182
00:25:11,370 --> 00:25:16,690
And it's not really a proxy, it's just a thing that gets you to the metadata service as part of the challenge.

183
00:25:16,690 --> 00:25:29,670
So the idea here is that this tool can be used in capture the flag exercises so that people can understand a little bit more and interact with something that acts just like a metadata service.

184
00:25:30,270 --> 00:25:37,330
It doesn't expose your AWS account, so if somebody gets access to a role within here, it doesn't actually do anything.

185
00:25:37,930 --> 00:25:39,370
Next slide, please.

186
00:25:40,450 --> 00:25:46,910
So this is what it looks like when you exploit the SSRF that I've built in here.

187
00:25:46,910 --> 00:25:56,350
So just like what we've been seeing all along, you know, you hit this address; this is not really a fake address, this is just part of the application.
188
00:25:56,390 --> 00:26:03,110
So it just looks like we're exploiting an SSRF in AWS, but this is just a Docker container.

189
00:26:03,950 --> 00:26:13,370
And it returns a text response just like a real metadata service, but all of this information is totally bogus.

190
00:26:13,370 --> 00:26:19,330
If you pull up this AMI ID, it's an AMI ID that doesn't exist within AWS.

191
00:26:19,870 --> 00:26:24,530
These are not the MAC addresses of the machine that this is running on.

192
00:26:24,530 --> 00:26:26,510
All of this information is bogus.

193
00:26:26,510 --> 00:26:36,950
And you can control these through a JSON configuration file, and you can also control them through environment variables as well.

194
00:26:36,950 --> 00:26:48,570
So you can imagine hiding a flag in the user data of this mock metadata service, essentially, on a CTF.

195
00:26:49,950 --> 00:26:52,430
And so that can be found on my GitHub.

196
00:26:52,430 --> 00:26:54,110
It's called redamn.

197
00:26:55,830 --> 00:27:02,430
And if you have any questions about it, feel free to hit me up on LinkedIn or wherever on the internet.

198
00:27:04,030 --> 00:27:05,850
And next slide.

199
00:27:07,030 --> 00:27:08,350
I think that's it for me.

200
00:27:08,350 --> 00:27:08,990
I'm Jim Shaver.

201
00:27:08,990 --> 00:27:10,250
You can hit me up on LinkedIn.

202
00:27:10,250 --> 00:27:13,430
I'm also iHamburglar on GitHub.

203
00:27:13,830 --> 00:27:17,830
I really want to thank the volunteers for their awesome work on this conference.

204
00:27:18,510 --> 00:27:25,030
The setup is amazing, and it's one of the best speaker setups that I've had as a speaker.

205
00:27:25,390 --> 00:27:31,370
So it's nice to just be able to come in here and talk from my house.

206
00:27:31,410 --> 00:27:39,790
So thanks, everybody, and I'm happy to take any of your questions, if any.
207
00:27:41,850 --> 00:28:03,410
So I've worked a fair bit in AWS, and what I've noticed is that routinely organizations will have people who are new to AWS, or they've just graduated and they're getting out into their first Java position, and they'll just jump straight into building things.

208
00:28:03,410 --> 00:28:20,110
And IAM is sort of this thing that they get as kind of an afterthought, and they don't truly master the service until years into their effort.

209
00:28:20,110 --> 00:28:31,710
Have you seen any successful attempts at getting people to train in IAM first, rather than jump straight into building things?

210
00:28:32,950 --> 00:28:44,630
So I think, if I could distill down the question for those people that are not in the room, essentially, do you get people to understand IAM and do it securely?

211
00:28:44,630 --> 00:28:49,290
Is that a fair representation of the question?

212
00:28:49,450 --> 00:28:53,350
Yeah, try to get it right the first time, rather than a retrospective look on it.

213
00:28:53,830 --> 00:28:58,250
Yeah, I think, you know, I absolutely agree with what you're saying.

214
00:28:58,250 --> 00:29:00,090
I think it's really complicated.

215
00:29:00,090 --> 00:29:04,750
And I showed you a slide that demonstrated how stupid it is.

216
00:29:04,750 --> 00:29:10,590
And I think it's very difficult to find people who really understand how it is.

217
00:29:10,590 --> 00:29:18,730
I think it's the number one problem that's in AWS organizations.

218
00:29:18,730 --> 00:29:25,330
And I think, you know, it's a, are you training people and investing in them?

219
00:29:25,330 --> 00:29:28,290
And are you hiring people that know what they're doing?

220
00:29:28,290 --> 00:29:37,270
I think there's probably a lot of opportunity there for Amazon to make it easier.

221
00:29:38,590 --> 00:29:44,390
Absolutely, it's one of the number one issues with an AWS account, is how complicated IAM is.

222
00:29:44,390 --> 00:29:45,410
And it changes.
223
00:29:46,430 --> 00:29:50,510
Sorry, I can't really answer that question better.

224
00:29:51,150 --> 00:29:53,830
No, no, if you did, that'd be amazing.

225
00:29:53,830 --> 00:29:54,050
Right?

226
00:29:54,050 --> 00:29:55,650
I'd take that back immediately.

227
00:29:55,850 --> 00:30:01,790
Yeah, I would be in a venture capitalist's office right now if I had the answer to that.

228
00:30:03,330 --> 00:30:05,110
Thank you for the question.

229
00:30:07,470 --> 00:30:08,730
Anyone else?

230
00:30:12,580 --> 00:30:17,340
All right, well, I'll be hanging out for another 10 or so minutes if people have questions.

231
00:30:17,340 --> 00:30:18,100
Fair.

232
00:30:18,100 --> 00:30:20,360
I really appreciate the opportunity to talk today.