
Questions tagged [amazon-iam]

IAM is Amazon Web Services' Identity and Access Management service

0 votes
0 answers
14 views

Use AWS Managed AD in the Delegated Admin account as the identity source for IAM Identity Center - Possible?

Goal: I'm trying to switch IAM Identity Center (IIC) to use an AWS Managed Active Directory (MAD) as its identity source. I'm using AWS Organizations as well. I'd prefer not to deploy MAD into the AWS ...
asked by KJH (402)
0 votes
0 answers
17 views

Correlate CloudTrail EventName with IAM Permission name

I am trying to map CloudTrail EventNames, like "DescribeRegions" to an IAM Permissions, such as ec2:describeregions. With the event source field, sometimes I can just split the hostname off ...
asked by Geremy (103)
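One way to do the mapping the question above asks about, as an added example that is not part of the question or of any answer on this page: derive the IAM action from eventSource plus eventName, with a small exception table for the cases where the two do not line up. The exception entries (monitoring → cloudwatch, tagging → tag, the Lambda "Invoke" data event and the API-version suffix some Lambda events carry) and the sign-in exclusion are assumptions about CloudTrail naming that should be checked against the Service Authorization Reference; the trail records are constructed for the demonstration.

```python
"""Map CloudTrail records to IAM action names (service:Action).

Constructed example: the event records in SAMPLE_TRAIL are hand-written for
the demonstration, not taken from a real trail.
"""
import json
import re

# Assumption: eventSource hostnames whose IAM service prefix differs from the
# first label of the hostname. Illustrative entries, not an exhaustive list.
SOURCE_TO_PREFIX = {
    "monitoring.amazonaws.com": "cloudwatch",  # CloudWatch metrics and alarms
    "tagging.amazonaws.com": "tag",            # Resource Groups Tagging API
}

# Assumption: eventNames that are not the IAM action name verbatim.
NAME_TO_ACTION = {
    ("lambda.amazonaws.com", "Invoke"): "InvokeFunction",
}

# Records that are not IAM actions at all (console sign-in events, for example).
NON_IAM_SOURCES = {"signin.amazonaws.com"}

# Some services append an API version to eventName, e.g. GetFunction20150331v2.
VERSION_SUFFIX = re.compile(r"\d{8}(v\d+)?$")


def iam_action_for(record):
    """Return 'prefix:Action' for one CloudTrail record, or None if it is not an IAM action."""
    source = record.get("eventSource", "")
    name = record.get("eventName", "")
    if not source or not name or source in NON_IAM_SOURCES:
        return None
    prefix = SOURCE_TO_PREFIX.get(source, source.split(".", 1)[0])
    action = NAME_TO_ACTION.get((source, name), VERSION_SUFFIX.sub("", name))
    return f"{prefix}:{action}"


def actions_from_trail(jsonl):
    """Distinct IAM actions observed in newline-delimited CloudTrail records."""
    seen = set()
    for line in jsonl.splitlines():
        if line.strip():
            action = iam_action_for(json.loads(line))
            if action:
                seen.add(action)
    return sorted(seen)


def policy_pattern_matches(pattern, action):
    """IAM-style match: '*' and '?' wildcards only, action names compared case-insensitively."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern.lower())
    return re.fullmatch(regex, action.lower()) is not None


# Constructed sample trail (not real CloudTrail output).
SAMPLE_TRAIL = "\n".join(json.dumps(r) for r in [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeRegions"},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "PutMetricAlarm"},
    {"eventSource": "lambda.amazonaws.com", "eventName": "GetFunction20150331v2"},
    {"eventSource": "lambda.amazonaws.com", "eventName": "Invoke"},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin"},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole"},
])

if __name__ == "__main__":
    # Check each observed action against the Action patterns of a candidate policy.
    for action in actions_from_trail(SAMPLE_TRAIL):
        covered = any(policy_pattern_matches(p, action)
                      for p in ("ec2:Describe*", "cloudwatch:*"))
        print(f"{action:32} covered by policy: {covered}")
```

The distinct-action list is what you would compare against an existing policy when trimming it toward least privilege; because IAM action names are case-insensitive, the comparison lowercases both sides, so `ec2:describeregions` and `ec2:DescribeRegions` are treated as the same action.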
0 votes
0 answers
94 views

Can you allow S3 HeadBucket without granting unrestricted access to list objects?

This feels like a silly question or like I am missing a simple solution. However, I have an IAM role which grants permission to list objects only in some prefixes in my bucket. Listing is done ...
asked by nickklon
0 votes
1 answer
39 views

Is it necessary to establish an account-level trust relationship between two AWS accounts for cross-account operations to succeed?

I am having some difficulties getting a few things working with cross-account data copies. Specifically, I'm trying to clone an S3 bucket from one AWS account (in eu-west-1) to another (in eu-west-2). I'...
asked by jlmt (207)
0 votes
1 answer
39 views

Access CodeArtifact from inside an EC2 instance

I'm experimenting with AWS Services to build my project, a backend Java using Docker for containers and Maven for dependencies, and Angular 16 for my front end, right now I have a VPC with 6 subnets,...
asked by Alfredo Marin
0 votes
0 answers
29 views

AWS Assume role and test on root user on linux

I am trying to create a new certificate with certbot using the route53 plugin and dns01 challenge; but when I launch aws sts assume-role --role-arn arn:aws:iam::xxxxxxxx:role/EC2CertbotRole --role-session-name &...
asked by Francesco
0 votes
0 answers
55 views

How should I behave when giving an AWS Permission Set | Handling Policies to users

Context: I've been given the task to manage the AWS IAM Identity Center (user, groups, accounts, permission sets, etc.) of my company. We have multiple developer companies that implement solutions to ...
asked by Felipe ortuzar
0 votes
0 answers
21 views

How can I configure an AWS user so that they are not allowed to create an S3 bucket outside the us-west-2 region?

How can I configure an AWS user so that they are not allowed to create an S3 bucket outside the us-west-2 region?
asked by Franck Dernoncourt
0 votes
0 answers
110 views

Can't restrict SMTP connection by IP in Amazon SES

I use Amazon SES to send transactional emails (using SMTP connection) from my app and I wanna improve the credentials security by restricting access from specific IPs. I've created an IAM Policy for ...
asked by Arivan Bastos
0 votes
0 answers
93 views

AWS IAM policy for partial username match (extract username from SSO)

We are using single sign-on for AWS users, so when a user logs in they assume a role, and they don't have an actual IAM user account. We use CodeCommit, which requires an SSH key added to an IAM user. ...
asked by Malvineous (1,185)
0 votes
0 answers
55 views

AWS CodeBuild user doesn't take on service role

I am working on setting up a build project in CodeBuild that creates a Docker container from a GitHub repo, and pushes it to ECR. This build process uses a container built previously that's stored in ...
asked by HighElfWisard
0 votes
0 answers
32 views

AWS Automatic IAM Roles for Service Users

I have an EC2 instance that has an assigned/assumed role. When I run: aws sts get-caller-identity as the main login user or with sudo it returns the account information expected. However, I have a ...
asked by thaimin (123)
0 votes
1 answer
28 views

How to get friend/business partner to view and edit Lex bots with me in AWS?

Long story short, I want my friend who's also my partner in my startup to help me with developing, testing, and deploying AI chatbots in Amazon Lex via AWS. I have him registered as a user in Identity ...
0 votes
1 answer
57 views

Local terraform repository, remote ec2 with assumed role

My current setup is: My local machine (actually one for each developer) A git repository containing my terraform configuration An EC2 instance which assumes an IAM role which grants it permissions ...
asked by Camusensei
1 vote
0 answers
40 views

AWS API Gateway + Cognito + IAM

I'm working on an API for my company. I'm trying to restrict external users from accessing specific methods of a specific endpoint using IAM + Cognito. Currently I have a single Cognito user pool, ...
asked by Devin Gardner
0 votes
1 answer
1k views

Cross Account SSM session: AccessDeniedException

I have two AWS accounts and one role in each account: Account-A have RoleA and Account-B have RoleB. RoleA will assume the RoleB to be able to connect in an EC2 instance in Account-B through ssm start-...
asked by Arrow Root
0 votes
2 answers
293 views

How can I set up AWS Client VPN using IAM roles for authentication?

Context: I am trying to set up Postgres RDS in a private_isolated subnet of a VPC. I want to use pgAdmin to do work on it, which means I either need a bastion or a VPN connection. A bastion requires a ...
asked by Adam A (151)
1 vote
1 answer
712 views

AWS IAM: deny users from creating policies on specific resources

I want to be able to give my admin users the permission to create policies in IAM, but I want to make sure that they aren't able to create a policy that affects a specific resource. To be more ...
asked by Jamie Forrest
0 votes
1 answer
268 views

How to fix permission error of Ebs volume using Amazon Data lifecycle manager?

I applied the terraform code in this link, which contains code to apply the specific roles and permissions to the DLM lifecycle service for EBS volumes. But still I am getting access errors. Please ...
asked by Meghana d
0 votes
0 answers
144 views

Switch to a different AWS accounts in the UI

I currently have AWS configuration set up with my access key id and secret access key (i.e. I see this when going to 'aws configure' in the CLI). I then login through my company's OKTA to then access ...
asked by KristiLuna
0 votes
0 answers
119 views

Mimic user permissions on AWS EC2 instances using IAM roles

I'm setting up an AWS account with several users. Each of these users has policies attached that restrict their access to specific S3 buckets/objects and the EC2 instance types / Autoscaling Groups ...
asked by Marcelo Villa
0 votes
1 answer
856 views

Is it impossible to access rds and elasticache redis in AWS fargate only by setting a role?

I tried to access the aws service rds and elasticache redis through fargate's task role. I connected the full access of the service to the task role, but it was not connected, so I allowed the subnet ...
asked by john_smith
0 votes
1 answer
118 views

Limit what kind of policies and roles an admin role can create in AWS

Is there a way in AWS to limit what kind of roles and policies another role can create? In my setup, I have two kinds of admin roles: AccountAdmin and InfraAdmin. The AccountAdmin one having more ...
asked by mikoni (103)
0 votes
0 answers
46 views

How to assign an IAM role having the same permission set as the IPs have?

How to update the IAM policy below so that the IAM role, arn:aws:iam::7574333677569:role/dev-abc-webserver, also have permissions? { "Version": "2012-10-17", "Id":...
asked by sam23 (59)
2 votes
1 answer
3k views

How do I fix terraform invalid JSON policy

I am trying to use a file which contains a load balancer IAM policy for my AWS in terraform. However when I run the terraform script, I get an error stating: Error: "policy" contains an ...
asked by eagercoder
1 vote
1 answer
2k views

EC2 instance won't recognize IAM role?

I'm trying to download ECR images on my EC2 instance without having to provide a credentials file. So I created a role with the policy AmazonEC2ContainerRegistryReadOnly and attached to my running ...
asked by rodorgas
1 vote
1 answer
2k views

RDS PostgreSQL Import+Export to/from S3

Is it possible to enable both importing and exporting with an RDS PostgreSQL instance to an S3 bucket? I've been able to use the following pattern to enable one or the other with consistent success: ...
asked by Jerbot (394)
1 vote
1 answer
708 views

How can I call "complete-lifecycle-action"?

There is an AWS EC2 instance which is launched by an auto-scaling-group. I wish to put this instance to Pending state during initialization. This is very easy with the lifecycle hooks: This hook will ...
asked by Daniel (201)
0 votes
1 answer
509 views

A user is blocked from using MFA though I added the permissions for their AWS IAM account

I hold admin powers on one of the AWS accounts that we use at the company where I work. I am trying to make MFA mandatory for all users. I followed this tutorial: https://docs.aws.amazon.com/IAM/...
asked by charlottesville
0 votes
1 answer
230 views

Automatic EC2 Role Assignment

Trying to understand AWS IAM resources/concepts a little better. I know there is a way to configure an EC2 (either possibly via its underlying AMI or a launch template) so that when it launches for ...
asked by hotmeatballsoup
2 votes
1 answer
2k views

Pod assigned node role instead of service account role on AWS EKS

First some info about the setup: EKS version: 1.21 eksctl version: 0.77.0 AWS Go SDK version: v1.44.28 Deploying using kubectl I have a k8s cluster on AWS EKS on which I am deploying a custom k8s ...
asked by asr9 (141)
1 vote
2 answers
881 views

Sharing an AWS "instance role" across accounts, as with other resources?

What works We have several EC2 instances that pull things out of an S3 bucket on boot (and at other times). To allow this, we have an IAM policy granting read-only access... "Effect": "...
asked by Ti Strga (111)
1 vote
1 answer
2k views

S3 access control based on bucket tags

I hope you can help me out. I have read a couple of docs now, and I am still unsure whether this actually works. I want to give access in different levels to AWS users based on S3 tags. Example: S3 ...
asked by flypenguin
1 vote
1 answer
1k views

Quicksight Error: This user name already exists in this account

When I want to login to view my Quicksight dashboard I get this error: This user name already exists in this account. Contact your QuickSight administrator, and ask them to invite you with a unique ...
asked by Fariman Kashani
0 votes
1 answer
311 views

Best practice for AWS root account or superuser?

Normally, we have the rule of 3 people having superuser access with 3 username/passwords and if anyone is ever offboarded (they leave or are fired), on vacation, out sick, different time-zone, someone ...
asked by Dean Hiller
7 votes
3 answers
10k views

Getting "Fargate requires task definition to have execution role ARN to support ECR images." when creating Fargate task but the role is defined

I am trying to deploy a very simple web application to AWS Fargate. I have pushed a docker image of the backend of the application to ECR and I am trying to setup a Fargate task definition for the ...
asked by Brandon (191)
0 votes
1 answer
1k views

AWS Policy to Read/write RDS

In my scenario, I want a policy that will allow reading and writing of abc-database-backups/rds/postgresql-backup on S3? We'll want my servers to have that access added. Is creating a role and ...
asked by samtech
1 vote
1 answer
586 views

Safely store AWS IAM User Keys (Access and Secret) created by IaC

I've the following setup: Infrastructure is setup using AWS CDK; I've one Stack/Environment (Production, Staging...); Each Stack has a different S3 Bucket (used for website hosting); I've a Stack ...
asked by viniciuskneves
2 votes
1 answer
245 views

How do you set a self-destruct or maximum uptime in AWS?

Situation We have a sandbox AWS account for trying things out. It is not for production, purely just for playing around with all the toys that AWS provide. We want to encourage everyone to explore and ...
asked by James Geddes
0 votes
1 answer
91 views

AWS CLI Usage Issue

In our scenario, we previously had some AWS keys. The IAM interface shows/showed no usage for it but the employee has been able to upload resources. Could anyone advise how to check if the interface is ...
asked by samtech 2021
0 votes
0 answers
190 views

Individual Local Accounts on AWS

In my scenario, currently, we have all developers connect to EC2 instances using the ec2-user account. Is there a better way to do this so we can see which actions developers take on the machines? I'...
asked by samtech 2021
0 votes
1 answer
217 views

S3 Logs event Issue

Is there a way to see what actions the 'g2' IAM user is performing in S3, and which IP(s) they are running from? I have already enabled the logging of S3 actions. One point I’m still not able to ...
asked by samtech 2021
0 votes
0 answers
22 views

AWS IAM user with special permissions

I have the following task to do. I want to create 10 IAM users; each user should have a login username and password and each IAM user should have a separate EC2 instance that cannot be visible to others. ...
asked by anil (15)
0 votes
2 answers
294 views

Best Practice for AWS IAM access keys for use with AWS SDK

I want to know the best practice used by big companies for programmatic access to multiple AWS services, as there are multiple programs needing access to different services, so how is it managed? Did ...
asked by Rocky (49)
3 votes
1 answer
10k views

Is it possible to grant a "read everything" role in AWS?

Is there a default policy that can provide read-only access to all services with AWS? Is there a naming convention for permissions that could be followed such as "Allow" : "Get*" ...
asked by Andrew Theken
0 votes
1 answer
366 views

How to use aws-iam-authenticator with remote Terraform Cloud Runs?

I am already successfully using Terraform with the Kubernetes provider to manage various part of and services on an EKS cluster in AWS. I would like to use Terraform Cloud to manage it (and take ...
asked by Adam C (5,262)
0 votes
0 answers
515 views

Increasing general AWS console timeout

The AWS console appears to kick you out after 24-hours, and I'd like to increase it slightly. This has nothing to do with SSO. Is this a fundamental requirement or can it be tweaked somewhere?
asked by Dustin Oprea
1 vote
1 answer
1k views

What is the new policy action needed to allow the new DescribeSecurityGroupRules

We have IAM policies in place that used to permit the roles to edit a security group's rules { "Version": "2012-10-17", "Statement": [ { "...
asked by gsempe (113)
1 vote
0 answers
3k views

Converting specific folder of S3 into browsable directory list without making it public

I have a bucket that I'd like to access using a browser similar to http://data.openspending.org/ and I'd like only a subfolder to be visible. So if Bucket1 has multiple folders, I only wanna show and ...
asked by Kohini (113)
3 votes
0 answers
1k views

EKS - Use IAM roles for service accounts on multiple clusters

I am trying to use IAM roles for service accounts in EKS. https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html When it comes to create the IAM role to be assigned to a ...
asked by signaleleven