AWS / IAM Glossary

The glossary explains how cloud identities, roles, and configurations are classified, how high-impact identities are identified, and how privilege levels affect security within AWS environments.


AWS / IAM Objects

FSProtect analyzes the following identity and configuration objects within AWS environments.

  • Users

  • Groups

  • Roles

  • Policies

  • Access Keys

  • Accounts

  • Organizations


Tier 0 (AWS / IAM)

What "Tier 0" Means in AWS

Tier 0 identities in AWS represent control over the entire AWS account or organization and its identity control plane. Any identity, role, or policy that can manage authentication, authorization, role assignments, or security policies at the account or organization level is considered Tier 0.

Compromise of a Tier 0 identity can result in full control over users, groups, roles, policies, and cloud resources within the account or organization.

For this reason, Tier 0 identities must be tightly protected and managed only through secure administrative access by the most trusted administrators.

Which AWS Objects Are Always Tier 0

The following AWS / IAM objects are always considered Tier 0 due to their ability to control the account-wide identity and security boundary.

  • AWS Root Account

  • IAM users or roles with AdministratorAccess policy

  • IAM identities with iam:* or *:* permissions on all resources

  • Master account of an AWS Organization

  • IAM identities with the ability to manage SCPs (Service Control Policies)

How AWS Objects Get Their Tier

In AWS environments, the tier of an object is determined by the scope of permissions, policy attachments, and relationships to Tier 0 identities.

Objects that are not inherently Tier 0 can become Tier 0 or Privileged through direct or indirect policy attachments, permission boundaries, assume role chains, or control over Tier 0 identities.

FSProtect determines the effective tier of AWS objects by analyzing policy documents, permission scopes, assume role relationships, and privilege chains during AWS scans.


Privileged (AWS / IAM)

Privileged objects in AWS are identities, roles, or policies that have high-impact permissions over AWS / IAM resources or security controls, but do not represent full account-level control.

These objects can significantly affect users, roles, policies, or security settings and may be leveraged to indirectly compromise Tier 0 identities.

FSProtect marks the following types of objects as Privileged in AWS environments:

  • IAM roles with high-impact administrative permissions

  • Identities assigned policies that manage users, roles, or security configurations

  • IAM roles with broad assume role permissions across accounts

  • Objects with permissions that can modify privileged identities or policies


Unprivileged (AWS / IAM)

Unprivileged objects in AWS are identities and roles that do not have elevated administrative permissions and cannot directly or indirectly compromise Tier 0 or Privileged objects.

These objects typically have limited scope and impact within the AWS / IAM environment.

All AWS objects that are not classified as Tier 0 or Privileged are considered Unprivileged by FSProtect.


Shadow Admin (AWS / IAM)

Shadow Admin objects in AWS are identities, roles, or policies that are not explicitly classified as Tier 0 or Privileged, but can indirectly compromise Tier 0 identities or gain high-impact control through policy attachments, assume role chains, or privilege escalation paths.

These objects may enable privilege escalation paths that result in account-level or organization-level impact without being immediately obvious as administrative identities.

FSProtect identifies AWS Shadow Admins by analyzing policy documents, permission scopes, assume role relationships, and indirect control paths within the AWS / IAM environment.
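The two rules the glossary spells out, the always-Tier 0 permissions (AdministratorAccess, or iam:* / *:* on all resources) and the indirect reach of a Shadow Admin through assume role chains, as an added example in Python. This is not FSProtect's code; the identity names, the shape of the `trust` map and the `classify` function are assumptions, and every policy document below is constructed.

```python
# Added example, not FSProtect's own code: apply the glossary's Tier 0 rule
# (AdministratorAccess, or iam:* / *:* on all resources) and walk assume-role
# chains to find Shadow Admins. Every identity and policy below is constructed.

def _as_list(v):  # IAM JSON allows a string, one object or a list
    return [v] if isinstance(v, (str, dict)) else list(v or [])

def grants_tier0(policy_doc):
    # True if any Allow statement grants iam:* or *:* on Resource "*".
    # Deny statements, Conditions and permission boundaries are not modelled.
    for st in _as_list(policy_doc.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(st.get("Action"))}
        if "*" in _as_list(st.get("Resource")) and actions & {"*", "iam:*"}:
            return True
    return False

def tier0_principals(identities):
    return {name for name, ident in identities.items()
            if "AdministratorAccess" in ident.get("managed", [])
            or any(grants_tier0(p) for p in ident.get("inline", []))}

def shadow_admins(trust, tier0):
    # `trust` maps a role to the principals its trust policy lets assume it.
    # Walk that graph backwards from every Tier 0 role: anything that can
    # reach one through a chain of sts:AssumeRole hops is a Shadow Admin.
    reach, frontier = set(tier0), list(tier0)
    while frontier:
        role = frontier.pop()
        for principal in trust.get(role, ()):
            if principal not in reach:
                reach.add(principal)
                frontier.append(principal)
    return reach - set(tier0)

# Constructed sample account: six principals and three role trust policies.
IDENTITIES = {
    "alice": {"managed": ["AdministratorAccess"]},
    "deploy-role": {"inline": [{"Statement": {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}}]},
    "ops-role": {"inline": [{"Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}]},
    "reader": {"managed": ["ReadOnlyAccess"]},
    "bob": {}, "ci-user": {},
}
TRUST = {"deploy-role": {"ops-role"}, "ops-role": {"bob"}, "reader": {"ci-user"}}

def classify(identities=IDENTITIES, trust=TRUST):
    tier0 = tier0_principals(identities)
    shadow = shadow_admins(trust, tier0)
    return {"tier0": tier0, "shadow_admin": shadow, "other": set(identities) - tier0 - shadow}
```

In the sample, `bob` has no policy of his own yet lands in `shadow_admin`, because he can assume `ops-role`, which can assume `deploy-role`, which holds iam:* on all resources; `reader` and `ci-user` stay in `other`.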
