Hands-On Lab: Implementing and Troubleshooting AWS Authorization Strategies
Design, implement, and troubleshoot authorization strategies
Hands-On Lab: Implementing and Troubleshooting AWS Authorization Strategies
\nIn this lab, you will design and implement a multi-layered authorization strategy on AWS. You will combine Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Permission Boundaries to enforce the principle of least privilege. Finally, you will troubleshoot common authorization failures using IAM tools.
[!WARNING] Remember to run the teardown commands at the end of this lab to avoid ongoing charges for S3 buckets or IAM resources.
Prerequisites
- An active AWS Account.
- AWS CLI installed and configured with Administrator credentials.
- Basic knowledge of IAM JSON policy syntax.
- A terminal environment (bash/zsh preferred).
Learning Objectives
- Implement RBAC using IAM Roles and Managed Policies.
- Implement ABAC using resource and principal tags for dynamic scaling.
- Enforce Guardrails using IAM Permission Boundaries to prevent privilege escalation.
- Troubleshoot Failures by analyzing IAM Policy logic and simulated Access Analyzer findings.
Architecture Overview
\nThis lab uses a layered security model. The user assumes a role that has both an Identity-based policy (ABAC) and a Permission Boundary (RBAC Guardrail).
Effective Permissions Visualization
\begin{tikzpicture}[thick, fill opacity=0.5] \draw[fill=blue!20] (0,0) circle (1.5cm) node[below=1.6cm] {\Identity Policy}; \draw[fill=red!20] (2,0) circle (1.5cm) node[below=1.6cm] {\Permission Boundary}; \begin{scope} \clip (0,0) circle (1.5cm); \fill[purple!40] (2,0) circle (1.5cm); \end{scope} \node at (1,0) [black, opacity=1] {\small \Allowed Access}; \node at (1,-2.5) [black, opacity=1] {\textbf{Intersection of Policies}}; \end{tikzpicture}
Step-by-Step Instructions
Step 1: Create Tagged S3 Buckets
\nWe will create two buckets. One is for the "Dev" project, and one is for the "Prod" project. Our ABAC strategy will focus on these tags.
# Create Dev Bucket\naws s3api create-bucket --bucket brainybee-lab-dev-<YOUR_ACCOUNT_ID> --region us-east-1
# Create Prod Bucket\naws s3api create-bucket --bucket brainybee-lab-prod-<YOUR_ACCOUNT_ID> --region us-east-1
# Tag the buckets\naws s3api put-bucket-tagging --bucket brainybee-lab-dev-<YOUR_ACCOUNT_ID> --tagging 'TagSet=[{Key=Project,Value=Dev}]'\naws s3api put-bucket-tagging --bucket brainybee-lab-prod-<YOUR_ACCOUNT_ID> --tagging 'TagSet=[{Key=Project,Value=Prod}]'▶Console Alternative
- Navigate to S3 > Create bucket.
- Name it `brainybee-lab-dev-
. 3. After creation, select the bucket > **Properties** > **Tags** > **Edit**. 4. Add Key: Project, Value: Dev. 5. Repeat for the prod` bucket.
Step 2: Create a Permission Boundary
\nThe boundary will allow S3 and IAM actions but explicitly deny everything else. Even if a user's role has AdministratorAccess, this boundary will restrict them.
# Save the policy to a file\ncat <<EOF > boundary-policy.json
{
\"Version\": \"2012-10-17\",
\"Statement\": [
{
\"Sid\": \"AllowS3AndIAM\",
\"Effect\": \"Allow\",
\"Action\": [\"s3:*\", \"iam:Get*\", \"iam:List*\"],
\"Resource\": \"*\"
}
]
}\nEOF
# Create the policy\naws iam create-policy --policy-name ProjectBoundary --policy-document file://boundary-policy.jsonStep 3: Create the ABAC Role with Session Tags
\nThis role uses a condition that compares the user's tag with the resource's tag.
# Create Trust Policy\ncat <<EOF > trust-policy.json
{
\"Version\": \"2012-10-17\",
\"Statement\": [
{
\"Effect\": \"Allow\",
\"Principal\": { \"AWS\": \"arn:aws:iam::<YOUR_ACCOUNT_ID>:root\" },
\"Action\": \"sts:AssumeRole\"
}
]
}\nEOF
# Create Role with the Boundary attached\naws iam create-role --role-name ABAC-Lab-Role \\
--assume-role-policy-document file://trust-policy.json \\
--permissions-boundary arn:aws:iam::<YOUR_ACCOUNT_ID>:policy/ProjectBoundary
# Add Tags to the Role\naws iam tag-role --role-name ABAC-Lab-Role --tags 'Key=Project,Value=Dev'Step 4: Attach the ABAC Identity Policy
{
\"Version\": \"2012-10-17\",
\"Statement\": [
{
\"Effect\": \"Allow\",
\"Action\": [\"s3:ListBucket\", \"s3:GetObject\"],
\"Resource\": \"*\",
\"Condition\": {
\"StringEquals\": {
\"aws:ResourceTag/Project\": \"\${aws:PrincipalTag/Project}\"
}
}
}
]
}\nEOF
\naws iam put-role-policy --role-name ABAC-Lab-Role --policy-name ABACCondition --policy-document file://abac-identity-policy.jsonCheckpoints
| Action | Expected Result | Why? |
|---|---|---|
aws s3 ls s3://brainybee-lab-dev-<ID> | Success | Principal Project (Dev) matches Resource Project (Dev). |
aws s3 ls s3://brainybee-lab-prod-<ID> | Access Denied | Principal Project (Dev) DOES NOT match Resource Project (Prod). |
aws ec2 describe-instances | Access Denied | Even if role had EC2 permissions, the Boundary only allows S3/IAM. |
Troubleshooting
Common Authorization Failure Scenarios
| Error Message | Likely Cause | Solution |
|---|---|---|
AccessDenied on Dev Bucket | Tag Key Mismatch | Ensure the tag key is exactly Project (case-sensitive) on both role and bucket. |
Implicit Deny for EC2 | Permission Boundary | Check if the action is included in the Permission Boundary. |
AccessDenied during AssumeRole | Trust Policy | Ensure the trust policy allows your IAM User/Root account to perform sts:AssumeRole. |
[!TIP] Use the IAM Policy Simulator in the console to test specific actions against your role. It will highlight whether the deny comes from the Identity policy, the Boundary, or an SCP.
Clean-Up / Teardown
\nTo avoid charges, delete the resources created in this lab:
# Delete Role Policies\naws iam delete-role-policy --role-name ABAC-Lab-Role --policy-name ABACCondition
# Delete Role\naws iam delete-role --role-name ABAC-Lab-Role
# Delete Boundary Policy\naws iam delete-policy --policy-name ProjectBoundary --policy-arn arn:aws:iam::<YOUR_ACCOUNT_ID>:policy/ProjectBoundary
# Empty and Delete Buckets (Warning: This deletes all data in the buckets)\naws s3 rb s3://brainybee-lab-dev-<YOUR_ACCOUNT_ID> --force\naws s3 rb s3://brainybee-lab-prod-<YOUR_ACCOUNT_ID> --forceConcept Review
| Feature | Mechanism | Best Use Case |
|---|---|---|
| RBAC | Groups/Roles + Static Policies | Access based on job function (e.g., 'Auditor', 'Admin'). |
| ABAC | Policy Conditions + Tags | Dynamic access for massive numbers of resources/users. |
| Boundary | Max allowable permissions | Delegating IAM creation to users without allowing them to escalate. |
| Session Policy | Passed during AssumeRole | Further narrowing access during a specific temporary session. |