> For the complete documentation index, see [llms.txt](https://docs.forestall.io/fsprotect/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.forestall.io/fsprotect/readme/glossary/aws-iam-glossary.md).

# AWS / IAM Glossary

This glossary explains how FSProtect classifies AWS identities, roles, and configuration objects, how it identifies high-impact identities, and what each privilege tier means for the security of an AWS environment.

***

**AWS / IAM Objects**

FSProtect analyzes the following identity and configuration objects within AWS environments.

* Users
* Groups
* Roles
* Policies
* Access Keys
* Accounts
* Organizations

***

**Tier 0 (AWS / IAM)**

**What "Tier 0" Means in AWS**

Tier 0 identities in AWS represent control over the entire AWS account or organization and its identity control plane. Any identity, role, or policy that can manage authentication, authorization, role assignments, or security policies at the account or organization level is considered Tier 0.

Compromise of a Tier 0 identity can result in full control over users, groups, roles, policies, and cloud resources within the account or organization.

For this reason, Tier 0 identities must be tightly protected and used only through secure administrative access by the most trusted administrators.

**Which AWS Objects Are Always Tier 0**

The following AWS / IAM objects are always considered Tier 0 due to their ability to control the account-wide identity and security boundary.

* The root user of an AWS account
* IAM users or roles with the AWS managed `AdministratorAccess` policy attached
* IAM identities allowed `iam:*` or `*` (all actions, often written `*:*`) on all resources (`"Resource": "*"`)
* The management account (formerly called the master account) of an AWS Organization
* IAM identities that can manage SCPs (Service Control Policies), for example through `organizations:CreatePolicy`, `organizations:UpdatePolicy`, `organizations:AttachPolicy`, or `organizations:DetachPolicy`

**How AWS Objects Get Their Tier**

In AWS environments, the tier of an object is determined by the scope of permissions, policy attachments, and relationships to Tier 0 identities.

Objects that are not inherently Tier 0 can become Tier 0 or Privileged through direct or indirect policy attachments, the ability to set or remove permission boundaries, assume-role chains (a role trust policy combined with `sts:AssumeRole` permission), or control over Tier 0 identities.

FSProtect determines the effective tier of AWS objects by analyzing policy documents, permission scopes, assume role relationships, and privilege chains during AWS scans.

***

**Privileged (AWS / IAM)**

Privileged objects in AWS are identities, roles, or policies that have high-impact permissions over AWS / IAM resources or security controls, but do not represent full account-level control.

These objects can significantly affect users, roles, policies, or security settings and may be leveraged to indirectly compromise Tier 0 identities.

FSProtect marks the following types of objects as Privileged in AWS environments:

* IAM roles with high-impact administrative permissions
* Identities assigned policies that manage users, roles, or security configurations
* IAM roles with broad assume role permissions across accounts
* Objects with permissions that can modify privileged identities or policies

***

**Unprivileged (AWS / IAM)**

Unprivileged objects in AWS are identities and roles that do not have elevated administrative permissions and cannot directly or indirectly compromise Tier 0 or Privileged objects.

These objects typically have limited scope and impact within the AWS / IAM environment.

All AWS objects that are not classified as Tier 0 or Privileged are considered Unprivileged by FSProtect.

***

**Shadow Admin (AWS / IAM)**

Shadow Admin objects in AWS are identities, roles, or policies that are not explicitly classified as Tier 0 or Privileged, but can indirectly compromise Tier 0 identities or gain high-impact control through policy attachments, assume-role chains, or other privilege escalation paths (for example, the ability to attach a policy to, rewrite the trust policy of, or create credentials for a Tier 0 identity).

These objects may enable privilege escalation paths that result in account-level or organization-level impact without being immediately obvious as administrative identities.

FSProtect identifies AWS Shadow Admins by analyzing policy documents, permission scopes, assume role relationships, and indirect control paths within the AWS / IAM environment.
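As an added worked example (this is not FSProtect's code and does not describe its actual engine), the following Python script applies the rules stated in this glossary to a constructed sample account. It covers both the "How AWS Objects Get Their Tier" section and the Shadow Admin definition above: each principal first gets a direct tier from its own permissions (the always-Tier 0 conditions, then the Privileged conditions), and the script then walks assume-role and policy-takeover chains to a fixpoint so that otherwise-unprivileged identities that can reach a Tier 0 identity surface as Shadow Admins. The account ID 111122223333, the principal names and all policy statements are hypothetical; Deny statements, Condition keys, permission boundaries and SCP evaluation are deliberately left out.

```python
"""Toy tier classifier for AWS IAM principals (added illustration, not FSProtect's).
Ignores Deny statements, Condition keys, permission boundaries and SCP evaluation."""
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"                      # hypothetical account ID
ADMIN_ACCESS = "arn:aws:iam::aws:policy/AdministratorAccess"
SCP_ACTIONS = {"organizations:createpolicy", "organizations:updatepolicy",
               "organizations:deletepolicy", "organizations:attachpolicy",
               "organizations:detachpolicy"}
# Representative SCP ARN used to test whether a statement's Resource covers SCPs.
SCP_ARN = f"arn:aws:organizations::{ACCOUNT}:policy/o-sample/service_control_policy/p-sample"
# Write actions that hand over the specific principal named in Resource.
TAKEOVER_ACTIONS = {"iam:attachuserpolicy", "iam:attachrolepolicy", "iam:putuserpolicy",
                    "iam:putrolepolicy", "iam:updateassumerolepolicy", "iam:createaccesskey",
                    "iam:createloginprofile", "iam:updateloginprofile",
                    "iam:deleteuserpermissionsboundary", "iam:deleterolepermissionsboundary"}
IAM_READ_PREFIXES = ("iam:get", "iam:list", "iam:generate", "iam:simulate")


def arn(name):
    """'role/OrgAdmin' -> its ARN in the sample account."""
    return f"arn:aws:iam::{ACCOUNT}:{name}"


def allows(statements, action, resource):
    """True if some Allow statement matches `action` (lower-cased, wildcards) and `resource`."""
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        act_ok = any(fnmatchcase(action, a.lower()) for a in st["Action"])
        res_ok = any(fnmatchcase(resource, r) for r in st["Resource"])
        if act_ok and res_ok:
            return True
    return False


def direct_tier(principal):
    """Tier implied by the principal's own permissions, before chain analysis."""
    stmts = principal.get("statements", [])
    if ADMIN_ACCESS in principal.get("managed_policies", []):
        return "Tier 0"
    for st in stmts:
        acts = {a.lower() for a in st["Action"]}
        if st.get("Effect") == "Allow" and "*" in st["Resource"] and acts & {"*", "iam:*"}:
            return "Tier 0"                          # iam:* or *:* on all resources
    if any(allows(stmts, a, SCP_ARN) for a in SCP_ACTIONS):
        return "Tier 0"                              # can create/attach/detach SCPs
    for st in stmts:
        if st.get("Effect") != "Allow" or "*" not in st["Resource"]:
            continue
        for a in (x.lower() for x in st["Action"]):
            if a.startswith("iam:") and not a.startswith(IAM_READ_PREFIXES):
                return "Privileged"                  # IAM write actions on everything
            if fnmatchcase("sts:assumerole", a):
                return "Privileged"                  # broad AssumeRole, incl. cross-account
    return "Unprivileged"


def can_take_over(src, dst, principals):
    """One hop: src may assume dst (needs sts:AssumeRole AND a trust entry naming src
    or the account's :root principal) or may rewrite dst's policies/credentials."""
    stmts = principals[src].get("statements", [])
    trust = principals[dst].get("trust", [])
    trusted = arn(src) in trust or f"arn:aws:iam::{ACCOUNT}:root" in trust
    if trusted and allows(stmts, "sts:assumerole", arn(dst)):
        return True
    return any(allows(stmts, a, arn(dst)) for a in TAKEOVER_ACTIONS)


def classify(principals):
    """Map each principal name to Tier 0 / Privileged / Shadow Admin / Unprivileged."""
    direct = {n: direct_tier(p) for n, p in principals.items()}
    reaches_t0 = {n for n, t in direct.items() if t == "Tier 0"}
    while True:                                       # fixpoint over takeover chains
        new = {s for s in principals if s not in reaches_t0
               and any(can_take_over(s, d, principals) for d in reaches_t0)}
        if not new:
            break
        reaches_t0 |= new
    # Only otherwise-Unprivileged identities become Shadow Admins; an identity that is
    # explicitly Privileged keeps that tier even if it also has a path to Tier 0.
    return {n: "Shadow Admin" if t == "Unprivileged" and n in reaches_t0 else t
            for n, t in direct.items()}


# Constructed sample account (not real data): inline statements, managed-policy
# attachments and, for roles, the principals their trust policy allows to assume them.
SAMPLE = {
    "role/OrgAdmin":  {"statements": [{"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}],
                       "trust": [arn("user/alice")]},
    "user/alice":     {"statements": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
                                       "Resource": [arn("role/OrgAdmin")]}]},
    "user/grace":     {"managed_policies": [ADMIN_ACCESS]},
    "role/OrgPolicy": {"statements": [{"Effect": "Allow", "Action": ["organizations:AttachPolicy"],
                                       "Resource": ["*"]}], "trust": []},
    "user/bob":       {"statements": [{"Effect": "Allow", "Action": ["iam:CreateUser", "iam:DeleteUser"],
                                       "Resource": ["*"]}]},
    "user/dave":      {"statements": [{"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": ["*"]}]},
    "role/CiDeploy":  {"statements": [{"Effect": "Allow", "Action": ["iam:AttachRolePolicy"],
                                       "Resource": [arn("role/OrgAdmin")]}],
                       "trust": [f"arn:aws:iam::{ACCOUNT}:root"]},
    "user/erin":      {"statements": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
                                       "Resource": [arn("role/CiDeploy")]}]},
    "user/carol":     {"statements": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                       "Resource": ["arn:aws:s3:::audit-logs/*"]}]},
}

if __name__ == "__main__":
    for name, tier in sorted(classify(SAMPLE).items(), key=lambda kv: kv[1]):
        print(f"{tier:13} {name}")
```

Running it prints one tier per principal. Two results are worth noting: `user/erin` is two hops from `role/OrgAdmin` (assume `role/CiDeploy`, which may attach a policy to the admin role) and is still reported as a Shadow Admin, and `user/dave`, whose broad `sts:AssumeRole` on `*` also reaches that chain, stays Privileged because the glossary defines Shadow Admins as identities not already classified as Tier 0 or Privileged. A real analysis must also evaluate Deny statements, Condition keys, permission boundaries and SCPs, all of which can cut a path this toy model reports.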

