


AWS ID Prefixes: What AWS Doesn’t Cover is What You Need to Know

  • Thursday, September 24, 2020 at 3:30 PM EDT (2020-09-24 19:30:00 UTC)
  • Dan Girard




AWS has long prided itself on teaching the cloud through the constructs described in its own documentation. In practice, an architect joining a new employer rarely gets to build a "greenfield" cloud architecture; more often the job is correcting or adjusting the infrastructure and configurations already in place. A solid understanding of what these ID prefixes mean and how to handle them pays dividends, not only in moving the firm's architecture forward but also during the tense periods when you are working through an investigation inside your cloud account.

In this talk we will walk through those prefixes: what they mean and how you obtain them. Some resource types, S3 for example, allow a policy to reference a unique ID rather than the full principal ARN that most people know and understand. We will cover why relying on the unique ID is fundamentally a bad idea, and how to handle them should you run into an environment that has them.

Understanding Unique ID Prefixes

IAM uses the following prefixes to indicate what type of entity each unique ID applies to.

Prefix - Resource Type
ABIA - AWS STS service bearer token
ACCA - Context-specific credential
AGPA - Group
AIDA - IAM user
AIPA - Amazon EC2 instance profile
AKIA - Access key
ANPA - Managed policy
ANVA - Version in a managed policy
APKA - Public key
AROA - Role
ASCA - Certificate
ASIA - Temporary (AWS STS) keys

In this web series we will cover methods to diagnose, discover and rectify AROA/AGPA/AIDA unique IDs within an S3 bucket policy. We will also show how to rapidly translate an AROA/AGPA/AIDA unique ID into the AWS principal ARN that most cloud engineers are comfortable with.
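As an added illustration of the diagnose-and-translate step (example code written for this page, not material from the talk or from AWS), the script below classifies every AWS principal in a bucket policy by the prefix table above and resolves unique IDs back to ARNs through an inventory dict. The inventory, the policy and the IDs are constructed; in a real account you would build the inventory from the RoleId/UserId/GroupId and Arn fields returned by `aws iam list-roles`, `list-users` and `list-groups`.

```python
import json
import re

# Prefix table from the talk (unique ID prefix -> IAM entity type).
UNIQUE_ID_PREFIXES = {
    "ABIA": "AWS STS service bearer token", "ACCA": "Context-specific credential",
    "AGPA": "Group", "AIDA": "IAM user", "AIPA": "Amazon EC2 instance profile",
    "AKIA": "Access key", "ANPA": "Managed policy", "ANVA": "Version in a managed policy",
    "APKA": "Public key", "AROA": "Role", "ASCA": "Certificate",
    "ASIA": "Temporary (AWS STS) keys",
}
# Assumed shape of a unique ID: four-letter prefix followed by uppercase alphanumerics.
UNIQUE_ID_RE = re.compile(r"^(A[A-Z]{3})[A-Z0-9]{16,}$")

def classify(principal):
    """'arn' for an IAM ARN, the entity type for a known unique-ID prefix, else 'unknown'."""
    if principal.startswith("arn:aws:iam::"):
        return "arn"
    m = UNIQUE_ID_RE.match(principal)
    return UNIQUE_ID_PREFIXES.get(m.group(1), "unknown") if m else "unknown"

def aws_principals(statement):
    """Return the 'AWS' principals of a statement, covering the string, list and dict forms."""
    p = statement.get("Principal", {})
    if isinstance(p, str):
        return [p]
    aws = p.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)

def audit_bucket_policy(policy_json, inventory):
    """Map each AWS principal to (principal, type, resolved ARN or None).
    `inventory` is {unique_id: arn}; an unresolved unique ID has no live principal behind it."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        for principal in aws_principals(stmt):
            kind = classify(principal)
            resolved = principal if kind == "arn" else inventory.get(principal)
            findings.append((principal, kind, resolved))
    return findings

# Constructed sample: a bucket policy holding one ARN and two unique IDs, and an inventory
# with only the role present (the AIDA user has no entry, as a deleted user would not).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    "Principal": {"AWS": ["arn:aws:iam::111122223333:role/Deploy",
                          "AROAEXAMPLEROLE000001", "AIDAEXAMPLEUSER000002"]}}]})
SAMPLE_INVENTORY = {"AROAEXAMPLEROLE000001": "arn:aws:iam::111122223333:role/Audit"}

if __name__ == "__main__":
    for principal, kind, arn in audit_bucket_policy(SAMPLE_POLICY, SAMPLE_INVENTORY):
        print(f"{principal:40} {kind:10} -> {arn or 'UNRESOLVED: no matching principal'}")
```

An unresolved AROA/AGPA/AIDA entry is the finding to act on: rewrite the statement with the intended principal's ARN or remove it, rather than leaving an ID that no longer maps to anything.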

Speaker Bio

Dan Girard

Dan Girard has 24 years of IT experience working for such internet pioneers as UUNET, Amazon, and AOL. He has worked for multiple branches within the intelligence community and has focused his last decade on security challenges ranging from SELinux-hardened appliances to CloudHSM integrations with platforms that do not natively integrate. For the past 5 years Dan has been working on cloud security architectures and has reviewed countless architectures and participated in post-breach investigations and incident handling efforts. Currently he works as a cloud security platform architect on behalf of Capital One.
