I found this awesome brisk, one-hour, self-paced tutorial on finding & avoiding security gotchas in your AWS setup. I learned a lot going through it. Highly recommend this for your AWS teams. Go to: flaws
Through a series of levels you’ll learn about common mistakes and gotchas when using Amazon Web Services (AWS). The author (Scott Piper) provides a series of hints that will teach you how to discover the information you’ll need to further yourselves to the next level. If you don’t want to actually run any commands, you can just keep following the hints which will give you the solution to the next level. At the start of each level, you’ll learn how to avoid the problem the previous level exhibited.
It is common to give people and entities read-only permissions such as the SecurityAudit policy. The ability to read your own and other’s IAM policies can really help an attacker figure out what exists in your environment and look for weaknesses and mistakes.
Avoiding this mistake
Don’t hand out any permissions liberally, even permissions that only let you read meta-data or know what your permissions are.
Also published on Medium.