This project demonstrates foundational IAM hardening tasks in AWS as part of a hands-on cloud security portfolio. It includes a 5-part exercise focused on creating IAM users, applying least-privileged permissions, enabling MFA, role-based access control, and running compliance scans using Prowler.
- Understand IAM user creation and privilege assignment
- Practice writing and attaching least-privilege IAM policies
- Test secure role assumption with trust policies
- Enable and validate MFA for IAM users
- Run Prowler scans to identify compliance gaps
iam-hardening-project/
│
├── demo-policies/ # Sample JSON IAM policies
│ ├── allowassumerole.json
│ ├── S3BucketReadOnly-demo.json
│ └── trust-policy-demo.json
│
├── evidence/ # Evidence of test and audit completion
│ └── prowler_sucess.png
│
├── scripts/ # Command-based helpers (not used for MFA)
│ └── enable-mfa-iamuser.sh (optional placeholder)
│
└── README.md
- Over-privileged user: Attached
AdministratorAccessAWS managed policy - Least-privileged user: No policies attached initially
- Users created using the AWS CLI and Console
Example (CLI):
aws iam create-user --user-name stan_overpriv
aws iam create-user --user-name chris_leastpriv- Created S3 bucket (name redacted)
- Wrote and attached a custom JSON policy allowing only
s3:ListBucketands3:GetObjecton one bucket
Sample Policy: demo-policies/S3BucketReadOnly-demo.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "BucketList",
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": "arn:aws:s3:::example-bucket"
},
{
"Sid": "ObjectRead",
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "arn:aws:s3:::example-bucket/*"
}
]
}Attach Policy:
aws iam create-policy \
--policy-name S3BucketReadOnly \
--policy-document file://demo-policies/S3BucketReadOnly-demo.json
aws iam attach-user-policy \
--user-name chris_leastpriv \
--policy-arn arn:aws:iam::<ACCOUNT_ID>:policy/S3BucketReadOnly- MFA was enabled manually using the AWS CLI inside VS Code
- Virtual MFA device scanned via Authenticator App
Command to check if MFA is enabled:
aws iam list-mfa-devices --user-name chris_leastpriv✅ Successful scan will show user enabled with MFA for user in terminal or AWS dashboard
- Created a new IAM role with limited access to the S3 bucket
- Allowed only
chris_leastprivuser to assume the role
Permissions Policy: demo-policies/allowassumerole.json
Trust Policy: demo-policies/trust-policy-demo.json
aws iam create-role \
--role-name S3ReadOnlyRole \
--assume-role-policy-document file://demo-policies/trust-policy-demo.json
aws iam put-role-policy \
--role-name S3ReadOnlyRole \
--policy-name S3BucketReadOnlyInline \
--policy-document file://demo-policies/allowassumerole.json- Used WSL (Ubuntu) to run Prowler successfully after dependency issues
- Output was saved to
evidence/prowler_sucess.png - Scan completed with 572 checks and was used to verify MFA enablement
Scan Command:
python3 prowler-cli.py aws -M html,json,csv -o output/ --output-filename prowler_reportThis lab focused on simulating a basic cloud security audit and remediation workflow. It included:
- IAM hardening through custom policies
- Role-based access control
- Multi-factor authentication
- Compliance audit via Prowler
Kent Ward GRC Analyst → GRC Engineer (in progress) Cloud Security | IAM | Audit | Compliance
All policies and identifiers have been anonymized for public GitHub sharing.
Use your own bucket names, account IDs, and user names when replicating.
If you’re using PowerShell, ensure backticks (`) are used for line continuation,
or copy the command as a one-liner.