The Duplicitous Nature of AWS Identity and Access Management (IAM)

Jason Kao

fwd:cloudsec North America 2025 · Day 2 · Track 2 - Crestone

Jason Kao, founder of Fog Security, delivered a methodical examination of **duplicate IAM permissions** in AWS -- cases where two or more distinct IAM permissions produce the same outcome or effect, but managing or denying one does not necessarily affect the other. This is not about redundant policy statements granting the same permission twice; it is about architecturally different IAM actions that accomplish identical results through separate API paths. The talk covers concrete examples across SQS, SES, KMS, Identity Center (formerly SSO), and AWS Accounts, then explores why these duplicates exist, how AWS has attempted to address them, and why they create serious complexity for prevention, detection, and governance strategies.
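As an added illustration (not code from the talk or from Fog Security), the small linter below shows the governance problem concretely: it reads a policy document, collects its explicit Deny actions, and reports duplicate actions that are left open when only one member of a duplicate group is denied. The duplicate table holds only the pair this page names (SQS AddPermission vs SetQueueAttributes, both of which can write a queue's resource policy); the sample SCP and the table format are assumptions for the example.

```python
import fnmatch

# Actions that reach the same effect through separate API paths. Only the pair
# named on this page is listed; extend the table with the other duplicates.
DUPLICATE_GROUPS = {
    "SQS queue policy": ["sqs:AddPermission", "sqs:SetQueueAttributes"],
}

def _as_list(value):
    """IAM allows a string or a list for Statement and Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def denied_action_patterns(policy):
    """Collect the Action patterns of every explicit Deny statement.
    Condition blocks and NotAction are not evaluated; review those by hand."""
    patterns = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Deny":
            patterns.extend(_as_list(stmt.get("Action")))
    return patterns

def uncovered_duplicates(policy):
    """Return {group: [actions still open]} for each duplicate group in which the
    policy denies at least one action but leaves a sibling action undenied.
    IAM action matching is case-insensitive and supports '*' wildcards."""
    patterns = denied_action_patterns(policy)
    gaps = {}
    for group, actions in DUPLICATE_GROUPS.items():
        covered = {a for a in actions
                   if any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in patterns)}
        if covered and covered != set(actions):
            gaps[group] = sorted(set(actions) - covered)
    return gaps

# Constructed sample SCP: blocks AddPermission but not the duplicate path that
# writes the same queue policy through SetQueueAttributes.
SAMPLE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "sqs:AddPermission", "Resource": "*"}
    ],
}

if __name__ == "__main__":
    print(uncovered_duplicates(SAMPLE_SCP))
    # {'SQS queue policy': ['sqs:SetQueueAttributes']}
```

The same table can drive detection rules: any alert written for one action in a group should be mirrored for its siblings, or the gap the talk describes simply moves from the SCP to the SIEM.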

AI review

A thorough cataloguing of duplicate IAM permissions that create real blind spots in AWS security policies and detection rules. Not flashy, no exploits dropped, but this is the kind of deep platform knowledge that actually matters when you're trying to build or break through IAM guardrails. The SQS AddPermission vs SetQueueAttributes split is a legitimate detection gap that's probably being missed in production right now.

Watch on YouTube