
AWS · Identity · Intermediate Security Engineering

AWS Intermediate Identity Track

A practical L2 learning path for AWS identity engineers: effective permissions, explicit deny, permission boundaries, SCP guardrails, resource policies, and public access risk reasoning.

  • Track status: Active
  • Current LABs: 9
  • Level: L2
  • Bridge: L1 → L3

Overview

This track gives learners the intermediate reasoning layer between AWS IAM basics and Principal-level identity attack-path modeling.

Tags: L2 Intermediate · Policy reasoning · Effective permissions · Read-only · No live mutation

Concept Deep Dives

Use these short concept notes for quick study, mentoring, and executive explanation.

Why does L2 exist?

L2 is the reasoning layer between vocabulary and advanced attack-path modeling. A learner should understand how permissions are evaluated before studying cross-account, PassRole, or role chaining paths.

What is effective permission?

Effective permission is the final authority a principal actually has after identity policies, resource policies, boundaries, session policies, SCPs, and explicit denies are evaluated together.
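To make that composition concrete, the following is an added example (not code from the track or its LABs) that models how AWS combines those policy types for a same-account request. It assumes the principal is an IAM user or role ARN rather than a role session, and it does not model Condition, NotAction, NotResource or NotPrincipal; each entry in `scps` stands for one organization layer (root, OU, account) that must allow the action. All policy documents, the account id and the bucket name are constructed for the example.

```python
"""Simplified model of AWS same-account policy evaluation (added example).

Order follows the AWS evaluation logic: any explicit Deny wins; every SCP
layer must allow; a resource policy naming the principal is sufficient on its
own; otherwise an identity policy must allow and the permission boundary and
session policy (when present) must also allow.
"""
from fnmatch import fnmatchcase
from typing import Optional, Sequence, Tuple


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value: str) -> bool:
    # IAM "*" and "?" wildcards; callers lower-case actions, ARNs stay case-sensitive.
    return any(fnmatchcase(value, p) for p in patterns)


def _principal_matches(stmt: dict, principal: str) -> bool:
    """True if the statement's Principal element names this principal (or '*')."""
    if "Principal" not in stmt:
        return True                      # identity policy / SCP: no Principal element
    spec = stmt["Principal"]
    if spec == "*":
        return True
    aws = _as_list(spec.get("AWS", [])) if isinstance(spec, dict) else []
    return principal in aws or "*" in aws


def evaluate_policy(policy: Optional[dict], action: str, resource: str,
                    principal: str) -> str:
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document."""
    if policy is None:
        return "Implicit"
    outcome = "Implicit"
    for stmt in _as_list(policy.get("Statement", [])):
        if not _principal_matches(stmt, principal):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not _match_any(actions, action.lower()):
            continue
        if not _match_any(_as_list(stmt.get("Resource", "*")), resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"                # an explicit deny ends evaluation
        outcome = "Allow"
    return outcome


def effective_permission(principal: str, action: str, resource: str, *,
                         identity: Optional[dict] = None,
                         resource_policy: Optional[dict] = None,
                         boundary: Optional[dict] = None,
                         session: Optional[dict] = None,
                         scps: Sequence[dict] = ()) -> Tuple[str, str]:
    """Combine all policy types in AWS evaluation order; return (decision, reason)."""
    def ev(doc):
        return evaluate_policy(doc, action, resource, principal)

    # 1. An explicit Deny in any policy type wins, whatever else allows.
    named = [("identity", identity), ("resource", resource_policy),
             ("boundary", boundary), ("session", session),
             *[(f"scp[{i}]", s) for i, s in enumerate(scps)]]
    for name, doc in named:
        if ev(doc) == "Deny":
            return "Deny", f"explicit deny in {name} policy"
    # 2. Every organization SCP layer must allow, or nothing in the account can.
    for i, scp in enumerate(scps):
        if ev(scp) != "Allow":
            return "Deny", f"implicit deny: scp[{i}] does not allow"
    # 3. Same account: a resource policy naming the user/role ARN is enough on its
    #    own, and a permission boundary does not limit it (differs for role sessions).
    if ev(resource_policy) == "Allow":
        return "Allow", "resource policy allows this principal"
    # 4. Otherwise an identity policy must allow ...
    if ev(identity) != "Allow":
        return "Deny", "implicit deny: no identity policy allows"
    # 5. ... the permission boundary, if attached, must also allow ...
    if boundary is not None and ev(boundary) != "Allow":
        return "Deny", "implicit deny: permission boundary does not allow"
    # 6. ... and so must the session policy, if the session carries one.
    if session is not None and ev(session) != "Allow":
        return "Deny", "implicit deny: session policy does not allow"
    return "Allow", "identity policy allows within boundary, session and SCPs"


# Constructed sample policies for one developer role in a single account.
PRINCIPAL = "arn:aws:iam::111111111111:role/Developer"   # constructed account id
BUCKET = "arn:aws:s3:::example-bucket/*"
IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
BOUNDARY = {"Statement": [{"Effect": "Allow",
                           "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]}
SCP_ROOT = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                          {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": PRINCIPAL},
                                "Action": "s3:PutObject", "Resource": BUCKET}]}


def demo() -> dict:
    """Four requests showing why the identity policy alone misleads."""
    common = dict(identity=IDENTITY, boundary=BOUNDARY, scps=[SCP_ROOT])
    return {
        "get": effective_permission(PRINCIPAL, "s3:GetObject", BUCKET, **common),
        "put": effective_permission(PRINCIPAL, "s3:PutObject", BUCKET, **common),
        "delete_bucket": effective_permission(PRINCIPAL, "s3:DeleteBucket",
                                              "arn:aws:s3:::example-bucket", **common),
        "put_via_bucket_policy": effective_permission(
            PRINCIPAL, "s3:PutObject", BUCKET, resource_policy=BUCKET_POLICY, **common),
    }


if __name__ == "__main__":
    for request, (decision, reason) in demo().items():
        print(f"{request:>22}: {decision:5} ({reason})")
```

The identity policy grants `s3:*`, yet `s3:PutObject` is implicitly denied by the boundary, `s3:DeleteBucket` is explicitly denied by the SCP, and the same `s3:PutObject` becomes allowed once a bucket policy names the role ARN directly. Reviewing any one of those documents in isolation would give the wrong answer, which is the point of treating authorization as a decision system.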

How should students study this track?
  • Start with the current L2 LAB.
  • Use the visual model to reason through allow and deny paths.
  • Then move into the L3 Principal Identity Track.

What should executives understand?

Identity risk is often created by permission composition, not a single bad setting. L2 explains why cloud authorization must be reviewed as a decision system.

Current LAB

The first active L2 LAB teaches IAM policy evaluation and effective-permission reasoning.

Executive Study Guide

The AWS L2 Authorization Model guide summarizes the six-lab intermediate curriculum into one executive, mentor, and student-facing learning artifact.

Coming Next

These planned L2 LABs expand the intermediate identity lane without jumping directly into L3 Principal scenarios.

Learning Ladder

The L2 Intermediate track is the bridge between foundational vocabulary and Principal LAB reasoning.

L1: AWS IAM Basics
    ↓
L2: AWS Intermediate Identity Track
    ├── AWS IAM Policy Evaluation
    ├── AWS Permission Boundary Basics
    ├── AWS SCP Guardrail Reasoning
    ├── AWS Resource Policy Evaluation
    ├── AWS S3 Public Access Risk
    ├── AWS KMS Key Policy Evaluation
    ├── AWS Secrets Manager Access Evaluation
    ├── AWS Lambda Execution Role Risk
    └── AWS CloudTrail Detection Reasoning
    ↓
L3: AWS Principal Identity Track
    ├── Cross-Account Role Escalation
    ├── iam:PassRole Privilege Escalation
    └── Role Chaining Escalation

Governance Boundary

This track is educational, read-only, and deterministic.

Runtime = source of truth
OPA = decision authority
Aegis = bounded intelligence
Frontend = rendering only
  • Does not exploit AWS
  • Does not mutate infrastructure
  • Does not deploy live resources
  • Does not issue runtime tokens
  • Does not create runtime sessions
  • Does not override OPA

Source Artifacts

  • tracks/aws-intermediate-identity/index.html: L2 Intermediate track index page.
  • aws-iam-policy-evaluation: current active L2 LAB.