Questions tagged [amazon-iam]
IAM is Amazon Web Services' Identity and Access Management service
265 questions
35 votes, 6 answers, 39k views
Can you require MFA for AWS IAM accounts?
Is it possible to require Multi-factor Authentication (MFA) be enabled for specific/all IAM accounts in Amazon Web Services?
There are options for password requirements and it's clear how one can ...
27 votes, 9 answers, 34k views
Is it possible to restrict AWS users/accounts to a specific region?
We run a number of AWS services in the eu-west-1 region. Unfortunately it seems that a lot of our developers and other employees who need to create temporary resources forget about this aspect of AWS ...
25 votes, 1 answer, 21k views
How to let user upload files to S3 bucket, but not overwrite or delete?
I have the following IAM policy for a user
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1395161912000",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
...
21 votes, 2 answers, 53k views
How to specify an IAM role for an Amazon EC2 instance being launched via the AWS CLI?
I am using the "aws ec2 run-instances" command (from the AWS Command Line Interface (CLI)) to launch an Amazon EC2 instance. I want to set an IAM role for the EC2 instance I am launching. The IAM ...
20 votes, 3 answers, 20k views
Confused by the role requirement of ECS
I am trying to set up an ECS, but so far I have encountered a few permission issues, for which I have created some questions on this forum already.
I think I am stuck so far because honestly I cannot ...
18 votes, 6 answers, 32k views
Use IAM to Allow User to Edit AWS / EC2 Security Groups?
I am trying to grant an IAM group the ability to edit our EC2 Security Groups, but I have been unable to get this working without granting access to everything in EC2.
I have tried several versions ...
18 votes, 3 answers, 7k views
Amazon Route 53, restrict IAM user access to single record set
I would like to programmatically change the CNAME of a Record Set inside a Hosted Zone on Amazon Route 53, but I would like to restrict the access of the user ONLY to that record set. For what I have ...
14 votes, 3 answers, 29k views
Which permissions/policies for IAM role to be used with CloudWatch monitoring script
With the CloudWatch monitoring script (mon-put-instance-data.pl) it's possible to specify an IAM role name to provide AWS credentials (--aws-iam-role=VALUE).
I'm creating an IAM role for this purpose (to ...
12 votes, 5 answers, 22k views
AWS IAM won't let my users change their passwords
My password policy is configured to allow users to change their passwords, but when I create a new user with the "must change password" option, the user gets told they need "iam:ChangePassword" ...
11 votes, 2 answers, 1k views
Managing IAM security credentials for multiple docker containers
Within a plain EC2 environment, managing access to other AWS resources is fairly straightforward with IAM roles and credentials (automatically fetched from instance metadata). Even easier with ...
11 votes, 3 answers, 5k views
Is it possible to send email via the Amazon SES SMTP service with an IAM role account?
I have an IAM role with the following policy attached:
{
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
As you can see, full access is granted....
10 votes, 4 answers, 28k views
CloudFormation: can I create a new role referencing an existing policy?
At the moment I have a shared S3 bucket which has specific access to particular key paths (i.e. folders) for different instances. I've been able to create an instance profile with my new role and test no ...
10 votes, 2 answers, 14k views
AWS add option group
I asked this on the AWS forum but not getting much traction. My root problem is that I'm trying to restore a MS SQL Server RDS database and getting the error message "Database backup/restore ...
10 votes, 2 answers, 10k views
Give EC2 IAM role read access to S3 bucket
I have an AWS Elastic Beanstalk Rails app that I am configuring via the config script to pull some files from an S3 bucket. When I start up the application, I keep receiving the following error in the ...
8 votes, 4 answers, 21k views
How to know if an AWS IAM role is actually being used
I'm doing some cleanup on an AWS account and I see many roles that I'm almost positive are not being used. The account has many services being used so a manual check is impractical.
Is there a way to ...
8 votes, 3 answers, 18k views
What is the permission for an IAM user to create an ECR repository?
My IAM user is getting this error
User: arn:aws:iam::123456789:user/admin is not authorized to perform:
ecr:CreateRepository on resource: *
when I try to create a repository.
I have already granted ...
8 votes, 1 answer, 2k views
AWS: How to figure out where an explicit deny is coming from?
So my manager has left the company a few months back, leaving me to manage things on my own, and now, I'm looking through CloudTrail events, and found that in one of our accounts, I have an explicit ...
8 votes, 1 answer, 15k views
How do I generate an IAM policy for making snapshots?
I have volumes mounted on EC2 instances of which I would like to make snapshots.
I created a new IAM user with the following policy:
{
"Statement": [
{
"Sid": "...",
"Effect": "...
8 votes, 1 answer, 4k views
AWSLambdaExecute policy definition
Foreword: I'm not asking for configuration help. My use case is covered and working fine. This is a theoretical question.
On AWS there is a policy called AWSLambdaExecute which is defined as follows:
...
8 votes, 4 answers, 27k views
IAM policy to restrict access to one VPC
I am trying to restrict users to a single VPC. I went through Controlling Access to Amazon VPC Resources and came up with the following policy but it does not work. Can someone point out the errors in ...
8 votes, 2 answers, 201 views
Automating the MFA Device Activation for IAM Users
I am creating more than 20 IAM users and I want to enable a virtual MFA device for them.
Is there any way I can do it at once for all of them, or any way to automate this task?
I want to make it ...
7 votes, 1 answer, 3k views
Why does my created Amazon IAM user get "We can not find an account with that email address" when trying to log in?
In the Amazon IAM Management Console, I created a new IAM user, and assigned that user permissions and a password.
However, when an attempt to log in with that new IAM user is made via the Amazon AWS ...
7 votes, 3 answers, 6k views
Impossible to delete AWS backup vault, backup plans?
I swear, I've read all the docs I can find, and have tried everything including the AWS policy generator UI and manually editing policy JSON, but no matter what I try, when I try to delete any of ...
7 votes, 2 answers, 558 views
Generate permissions for CloudFormation stack deployment
I have a CloudFormation stack, which is frequently updated by a script (changing source AMIs for launch configuration). I would love to have it deployed by the same script, executed by non-privileged ...
7 votes, 1 answer, 3k views
How can one configure an AWS ElasticSearch access policy using CloudFormation?
The AWS documentation on ElasticSearch access control talks about how to grant access to the ES domain's subresources while preventing changes to the domain's configuration by creating an ES domain ...
6 votes, 2 answers, 5k views
Restrict the visibility of EC2 instances using IAM accounts
I'm looking for a way to restrict the visibility of EC2 instances to certain IAM accounts. I'd really like a way for a particular account to only be able to see the instances that it has created, i.e. ...
6 votes, 3 answers, 9k views
Getting "Fargate requires task definition to have execution role ARN to support ECR images." when creating Fargate task but the role is defined
I am trying to deploy a very simple web application to AWS Fargate.
I have pushed a Docker image of the backend of the application to ECR and I am trying to set up a Fargate task definition for the ...
6 votes, 2 answers, 6k views
Amazon AWS IAM Policy for single VPC Subnet
I want to create an IAM policy that allows a user to deploy instances as follows:
They can only use 1 AMI
They can only deploy to 1 specific VPC subnet
They can only use 1 specific VPC security group
...
6 votes, 2 answers, 2k views
AWS elastic beanstalk: Errno 404 downloading file from S3 on deployment
I'm following the docs on fetching certificates from s3 when a new instance is deployed to elastic beanstalk. The instructions are fairly straightforward: create a config file under app-root/....
6 votes, 3 answers, 3k views
Determine IAM requirements for CloudFormation stack
I'm currently developing and launching a relatively simple CloudFormation stack. Just some simple RDS stuff, triggered through an external CI+CD service.
However, my current cycle for development is ...
6 votes, 1 answer, 5k views
Create an IAM Policy that allows everything except IAM except PassRole
I'm attempting to modify an IAM Policy so that users can associate an IAM Role with EC2 instances that allows Read Only rights to our S3 buckets.
Our teams do quite a bit of R&D with AWS, and so ...
6 votes, 1 answer, 6k views
Why does AWS Lambda need to pass ecsTaskExecutionRole to ECS task
I am writing an AWS Lambda function to trigger an ECS Fargate task. I am following the example provided at Run tasks with AWS Fargate and Lambda. While my setup works, there is one of the parts ...
6 votes, 2 answers, 7k views
I can't upload server certificate on AWS IAM
I got AWS IAM working on my server, and am trying to upload some certificates:
aws iam upload-server-certificate --server-certificate-name domain2014
--certificate-body file:///var/www/html/certificate....
5 votes, 1 answer, 1k views
How can I tell where an Amazon AWS key is being used?
I have inherited an Amazon AWS environment in which the Root account key has been widely distributed for the purposes of making backups to S3 buckets.
I need to track down where the key is being used,...
5 votes, 2 answers, 7k views
Getting files from an S3 bucket using IAM role credentials
I am trying to retrieve some files from a private S3 bucket to a filesystem location on an Elastic Beanstalk EC2 instance, but with no success.
I've created a bucket named dev-config containing a file ...
5 votes, 1 answer, 9k views
ElasticBeanstalk permissions needed to deploy new version via AWS CLI
I have an IAM policy setup that I thought provided the right permissions to deploy a new version to an Elastic Beanstalk application. I'm still getting InsufficientPrivilegesException, specifically:
...
5 votes, 1 answer, 6k views
In AWS IAM, how do you write a policy to allow all actions?
I've read the AWS IAM example policies but don't see an example for allowing a group to do everything.
I'm trying:
{
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"...
5 votes, 1 answer, 9k views
AWS Permissions: Lambda access Denied to S3
I have created a Lambda Python function through AWS Cloud9 but have hit an issue when trying to write to an S3 bucket from the Lambda function. When I test in Cloud9 the Python code runs fine and ...
5 votes, 1 answer, 4k views
How can I chain AWS IAM AssumeRole API calls?
There are a number of AWS accounts which I don't control. I've had the account owners deploy an IAM Role, TrustingSecurityAuditor, into their accounts which grants the right to assume the ...
5 votes, 1 answer, 882 views
IAM Action for `Get-EC2Instance` command in PowerShell SDK
Calling Get-EC2Instance from an EC2 instance and getting
Get-EC2Instance : You are not authorized to perform this operation.
Which IAM action do I need to add to my policy?
4 votes, 5 answers, 6k views
Ansible AWS dynamic inventory: `./ec2.py --list` unauthorized
I'm trying to use Ansible's ./ec2.py --list --refresh-cache to list my AWS EC2 instances.
Via documentation, I've run through this checklist:
AWS (docs via Amazon's Controlling Access to Amazon EC2 ...
4 votes, 2 answers, 3k views
Restrict access to S3 bucket folders to specific website users? (not using IAM Users)
I have a website where users need to log in. They can upload and delete their own pictures, BUT these pictures are supposed to be private, so images are not set to public such that anyone can view them.
I know ...
4 votes, 1 answer, 2k views
Required IAM permissions for ec2.requestSpotInstances?
I'm trying to set permissions on an IAM role that will submit a new spot instance request if needed. It will be used by a Lambda function.
The code does the following AWS API calls:
ec2....
4 votes, 2 answers, 3k views
How can I give an AWS IAM user permissions to manage his own security credentials?
Specifically, I want the user to be able to create/delete his own access keys ("Action": ["iam:*AccessKey*"]) in the AWS console, but without giving them a full user list view in the IAM dashboard.
...
4 votes, 1 answer, 5k views
How can I use IAM policies to restrict a user to only launch instances with a specific set of AMIs?
I have the AMIs I want to allow tagged with the "type" tag.
Here's the policy I tried:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:...
4 votes, 4 answers, 2k views
Creating temporary access keys for federated IAM users
We have set up IAM roles that allow federated users that are authenticated with Okta to gain access to the AWS Console.
Some of the users need temporary AWS access keys to use the AWS command line ...
4 votes, 2 answers, 2k views
Failed registering Scalable Target when defining auto scale option for ECS
But I am getting this error:
Failed registering Scalable Target
Scalable Target could not register
scalable target: 1 validation error detected: Value '' at 'roleARN'
failed to satisfy ...
3 votes, 4 answers, 5k views
AWS IAM: Restrict Console Access to only One Instance
I am trying to create an IAM user for the AWS Console with permission to list and perform actions on only 1 instance.
So I have a total of 6 Instances and I tried hiding 5 of them via IAM Policies by ...
3 votes, 1 answer, 10k views
Is it possible to grant a "read everything" role in AWS?
Is there a default policy that can provide read-only access to all services with AWS? Is there a naming convention for permissions that could be followed, such as "Allow" : "Get*" ...
3 votes, 1 answer, 9k views
AWS IAM Roles: What is a trusted entity exactly?
I have a role attached to a LaunchConfiguration for an EC2 instance, that gives the EC2 instance privs to do certain things like do Cloudwatch logs (the context isn't important to the question). In ...