
Questions tagged [amazon-iam]

IAM is Amazon Web Services' Identity and Access Management service

35 votes
6 answers
39k views

Can you require MFA for AWS IAM accounts?

Is it possible to require Multi-factor Authentication (MFA) be enabled for specific/all IAM accounts in Amazon Web Services? There are options for password requirements and it's clear how one can ...
Asked by Joe
27 votes
9 answers
34k views

Is it possible to restrict AWS users/accounts to a specific region?

We run a number of AWS services in the eu-west-1 region. Unfortunately it seems that a lot of our developers and other employees who need to create temporary resources forget about this aspect of AWS ...
Asked by Bruce P
25 votes
1 answer
21k views

How to let user upload files to S3 bucket, but not overwrite or delete?

I have the following IAM policy for a user { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1395161912000", "Effect": "Allow", "Action": [ "s3:ListBucket", ...
Asked by Markus Hedlund
21 votes
2 answers
53k views

How to specify an IAM role for an Amazon EC2 instance being launched via the AWS CLI?

I am using the "aws ec2 run-instances" command (from the AWS Command Line Interface (CLI)) to launch an Amazon EC2 instance. I want to set an IAM role for the EC2 instance I am launching. The IAM ...
Asked by Skaperen
20 votes
3 answers
20k views

Confused by the role requirement of ECS

I am trying to set up an ECS but so far I have encountered a few permission issues for which I have created some questions on this forum already. I think I am stuck so far because honestly I cannot ...
Asked by Anthony Kong
18 votes
6 answers
32k views

Use IAM to Allow User to Edit AWS / EC2 Security Groups?

I am trying to grant an IAM group the ability to edit our EC2 Security Groups, but I have been unable to get this working without granting access to everything in EC2. I have tried several versions ...
Asked by Chris
18 votes
3 answers
7k views

Amazon Route 53, restrict IAM user access to single record set

I would like to programmatically change the CNAME of a Record Set inside a Hosted Zone on Amazon Route 53, but I would like to restrict the access of the user ONLY to that record set. From what I have ...
Asked by Fabrizio S
14 votes
3 answers
29k views

Which permissions/policies for IAM role to be used with CloudWatch monitoring script

With the CloudWatch monitoring script (mon-put-instance-data.pl) it's possible to specify an IAM role name to provide AWS credentials (--aws-iam-role=VALUE). I'm creating an IAM role for this purpose (to ...
Asked by Céline Aussourd
12 votes
5 answers
22k views

AWS IAM won't let my users change their passwords

My password policy is configured to allow users to change their passwords, but when I create a new user with the "must change password" option, the user gets told they need "iam:ChangePassword" ...
Asked by scottb
11 votes
2 answers
1k views

Managing IAM security credentials for multiple docker containers

Within a plain EC2 environment, managing access to other AWS resources is fairly straightforward with IAM roles and credentials (automatically fetched from instance metadata). Even easier with ...
Asked by Alex B
11 votes
3 answers
5k views

Is it possible to send email via the Amazon SES SMTP service with an IAM role account?

I have an IAM role with the following policy attached: { "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] } As you can see, full access is granted....
Asked by Wren T.
10 votes
4 answers
28k views

Cloudformation can I create a new role referencing an existing policy?

At the moment I have a shared S3 bucket which has specific access to particular key paths (i.e. folders) for different instances. I've been able to create an instance profile with my new role and test no ...
Asked by hughmcmanus
10 votes
2 answers
14k views

AWS add option group

I asked this on the AWS forum but not getting much traction. My root problem is that I'm trying to restore a MS SQL Server RDS database and getting the error message "Database backup/restore ...
Asked by nasch
10 votes
2 answers
10k views

Give EC2 IAM role read access to S3 bucket

I have an AWS Elastic Beanstalk Rails app that I am configuring via the config script to pull some files from an S3 bucket. When I start up the application, I keep receiving the following error in the ...
Asked by dignoe
8 votes
4 answers
21k views

How to know if an AWS IAM role is actually being used

I'm doing some cleanup on an AWS account and I see many roles that I'm almost positive are not being used. The account has many services being used so a manual check is impractical. Is there a way to ...
Asked by Julian
8 votes
3 answers
18k views

What is the permission for an IAM user to create an ECR repository?

My IAM user is getting this error User: arn:aws:iam::123456789:user/admin is not authorized to perform: ecr:CreateRepository on resource: * when I try to create a repository. I have already grant ...
Asked by Anthony Kong
8 votes
1 answer
2k views

AWS: How to figure out where an explicit deny is coming from?

So my manager has left the company a few months back, leaving me to manage things on my own, and now, I'm looking through CloudTrail events, and found that in one of our accounts, I have an explicit ...
Asked by Tom Klino
8 votes
1 answer
15k views

How do I generate an IAM policy for making snapshots?

I have volumes mounted on EC2 instances of which I would like to make snapshots. I created a new IAM user with the following policy: { "Statement": [ { "Sid": "...", "Effect": "...
Asked by juuga
8 votes
1 answer
4k views

AWSLambdaExecute policy definition

Foreword: I'm not asking for configuration help. My use case is covered and working fine. This is a theoretical question. On AWS there is a policy called AWSLambdaExecute which is defined as follows: ...
Asked by Notinlist
8 votes
4 answers
27k views

IAM policy to restrict access to one VPC

I am trying to restrict users to a single VPC. I went through Controlling Access to Amazon VPC Resources and came up with the following policy but it does not work. Can someone point out the errors in ...
Asked by Satie Sharma
8 votes
2 answers
201 views

Automating the MFA Device Activation for IAM Users

I am creating more than 20 IAM users and I want to enable a virtual MFA device for them. Is there any way I can do it at once for all of them or any way to automate this task? I want to make it ...
Asked by Yeleshwar
7 votes
1 answer
3k views

Why does my created Amazon IAM user get "We can not find an account with that email address" when trying to log in?

In the Amazon IAM Management Console, I created a new IAM user, and assigned that user permissions and a password. However, when an attempt to log in with that new IAM user is made via the Amazon AWS ...
Asked by Jon Schneider
7 votes
3 answers
6k views

Impossible to delete AWS backup vault, backup plans?

I swear, I've read all the docs I can find, and have tried everything including the AWS policy generator UI and manually editing policy JSON, but no matter what I try, when I try to delete any of ...
Asked by Tom Wilson
7 votes
2 answers
558 views

generate permissions for cloudformation stack deployment

I have a CloudFormation stack, which is frequently updated by a script (changing source AMIs for the launch configuration). I would love to have it deployed by the same script, executed by a non-privileged ...
Asked by stimur
7 votes
1 answer
3k views

How can one configure an AWS ElasticSearch access policy using CloudFormation?

The AWS documentation on ElasticSearch access control talks about how to grant access to the ES domain's subresources while preventing changes to the domain's configuration by creating an ES domain ...
Asked by gene_wood
6 votes
2 answers
5k views

Restrict the visibility of EC2 instances using IAM accounts

I'm looking for a way to restrict the visibility of EC2 instances to certain IAM accounts. I'd really like a way for a particular account to only be able to see the instances that it has created, i.e. ...
Asked by sgargan
6 votes
3 answers
9k views

Getting "Fargate requires task definition to have execution role ARN to support ECR images." when creating Fargate task but the role is defined

I am trying to deploy a very simple web application to AWS Fargate. I have pushed a docker image of the backend of the application to ECR and I am trying to set up a Fargate task definition for the ...
Asked by Brandon
6 votes
2 answers
6k views

Amazon AWS IAM Policy for single VPC Subnet

I want to create an IAM policy that allows a user to deploy instances as follows: They can only use 1 AMI. They can only deploy to 1 specific VPC subnet. They can only use 1 specific VPC security group ...
Asked by Garreth McDaid
6 votes
2 answers
2k views

AWS elastic beanstalk: Errno 404 downloading file from S3 on deployment

I'm following the docs on fetching certificates from s3 when a new instance is deployed to elastic beanstalk. The instructions are fairly straightforward: create a config file under app-root/....
Asked by AlexanderF
6 votes
3 answers
3k views

Determine IAM requirements for Cloudformation Stack

I'm currently developing and launching a relatively simple CloudFormation stack. Just some simple RDS stuff, triggered through an external CI+CD service. However, my current cycle for development is ...
Asked by SCB
6 votes
1 answer
5k views

Create an IAM Policy that allows everything except IAM except PassRole

I'm attempting to modify an IAM Policy so that users can associate an IAM Role with EC2 instances that allows Read Only rights to our S3 buckets. Our teams do quite a bit of R&D with AWS, and so ...
Asked by Dan Caseley
6 votes
1 answer
6k views

Why does AWS Lambda need to pass ecsTaskExecutionRole to ECS task

I am writing an AWS Lambda function to trigger an ECS Fargate task. I am following the example provided at Run tasks with AWS Fargate and Lambda. While my setup works, there is one of the parts ...
Asked by user35042
6 votes
2 answers
7k views

I can't upload server certificate on AWS IAM

I got AWS iam working on my server, and trying to upload some certificates: aws iam upload-server-certificate --server-certificate-name domain2014 --certificate-body file:///var/www/html/certificate....
Asked by Diego Sarmiento
5 votes
1 answer
1k views

How can I tell where an Amazon AWS key is being used?

I have inherited an Amazon AWS environment in which the Root account key has been widely distributed for the purposes of making backups to S3 buckets. I need to track down where the key is being used,...
Asked by Garreth McDaid
5 votes
2 answers
7k views

Getting files from an s3 bucket using IAM role credentials

I am trying to retrieve some files from a private S3 bucket to a filesystem location on an Elastic Beanstalk EC2 instance, but with no success. I've created a bucket named dev-config containing a file ...
Asked by diffa
5 votes
1 answer
9k views

ElasticBeanstalk permissions needed to deploy new version via AWS CLI

I have an IAM policy set up that I thought provided the right permissions to deploy a new version to an Elastic Beanstalk application. I'm still getting InsufficientPrivilegesException, specifically: ...
Asked by Sam
5 votes
1 answer
6k views

In AWS IAM, how do you write a policy to allow all actions?

I've read the AWS IAM example policies but don't see an example for allowing a group to do everything. I'm trying: { "Statement": [ { "Effect": "Allow", "Action": "*", "...
Asked by greggles
5 votes
1 answer
9k views

AWS Permissions: Lambda access Denied to S3

I have created a Lambda Python function through AWS Cloud9 but have hit an issue when trying to write to an S3 bucket from the Lambda function. When I test in Cloud9 the Python code runs fine and ...
Asked by W. Walford
5 votes
1 answer
4k views

How can I chain AWS IAM AssumeRole API calls?

There are a number of AWS accounts which I don't control. I've had the account owners deploy an IAM Role, TrustingSecurityAuditor, into their accounts which grants the right to assume the ...
Asked by gene_wood
5 votes
1 answer
882 views

IAM Action for `Get-EC2Instance` command in Powershell SDK

Calling Get-EC2Instance from EC2 instance and getting Get-EC2Instance : You are not authorized to perform this operation. Which IAM action do I need to add to my policy?
Asked by jaywayco
4 votes
5 answers
6k views

Ansible AWS dynamic inventory: `./ec2.py --list` unauthorized

I'm trying to use Ansible's ./ec2.py --list --refresh-cache to list my AWS EC2 instances. Via documentation, I've run through this checklist: AWS (docs via Amazon's Controlling Access to Amazon EC2 ...
Asked by Morgan Delaney
4 votes
2 answers
3k views

Restrict access to S3 bucket folders to specific website users? (not using IAM Users)

I have a website where users need to log in. They can upload and delete their own pictures BUT these pictures are supposed to be private so images are not set to public that anyone can view. I know ...
Asked by Dora
4 votes
1 answer
2k views

Required IAM permissions for ec2.requestSpotInstances?

I'm trying to set permissions on an IAM role that will submit a new spot instance request if needed. It will be used by a Lambda function. The code does the following AWS API calls: ec2....
Asked by Zach Moshe
4 votes
2 answers
3k views

How can I give an AWS IAM user permissions to manage his own security credentials?

Specifically, I want the user to be able to create/delete his own access keys ("Action": ["iam:*AccessKey*"]) in the AWS console, but without giving them a full user list view in the IAM dashboard. ...
Asked by dorian
4 votes
1 answer
5k views

How can I use IAM policies to restrict a user to only launch instances with a specific set of AMIs?

I have the AMIs I want to allow tagged with the "type" tag. Here's the policy I tried: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:...
Asked by fields
4 votes
4 answers
2k views

Creating temporary access keys for federated IAM users

We have set up IAM roles that allow federated users that are authenticated with Okta to gain access to the AWS Console. Some of the users need temporary AWS access keys to use the AWS command line ...
Asked by thesamet
4 votes
2 answers
2k views

Failed registering Scalable Target when defining auto scale option for ECS

But I am getting this error: Failed registering Scalable Target Scalable Target could not register scalable target: 1 validation error detected: Value '' at 'roleARN' failed to satisfy ...
Asked by Anthony Kong
3 votes
4 answers
5k views

AWS IAM: Restrict Console Access to only One Instance

I am trying to create an IAM user for the AWS Console with permission to list and perform actions on only 1 instance. So I have a total of 6 instances and I tried hiding 5 of them via IAM policies by ...
Asked by ServerInsights
3 votes
1 answer
10k views

Is it possible to grant a "read everything" role in AWS?

Is there a default policy that can provide read-only access to all services within AWS? Is there a naming convention for permissions that could be followed such as "Allow" : "Get*" ...
Asked by Andrew Theken
3 votes
1 answer
9k views

AWS IAM Roles: What is a trusted entity exactly?

I have a role attached to a LaunchConfiguration for an EC2 instance, that gives the EC2 instance privs to do certain things like do Cloudwatch logs (the context isn't important to the question). In ...
Asked by spinkus
