All Questions
Tagged with amazon-web-services amazon-iam
207 questions
0 votes, 0 answers, 31 views
AWS IAM policy for partial username match (extract username from SSO)
We are using single sign-on for AWS users, so when a user logs in they assume a role, and they don't have an actual IAM user account.
We use CodeCommit, which requires an SSH key added to an IAM user.
...
0 votes, 0 answers, 33 views
AWS CodeBuild user doesn't take on service role
I am working on setting up a build project in CodeBuild that creates a Docker container from a GitHub repo, and pushes it to ECR. This build process uses a container built previously that's stored in ...
0 votes, 0 answers, 26 views
AWS Automatic IAM Roles for Service Users
I have an EC2 instance that has an assigned/assumed role. When I run:
aws sts get-caller-identity
as the main login user or with sudo it returns the account information expected. However, I have a ...
0 votes, 1 answer, 25 views
How to get friend/business partner to view and edit Lex bots with me in AWS?
Long story short, I want my friend who's also my partner in my startup to help me with developing, testing, and deploying AI chatbots in Amazon Lex via AWS. I have him registered as a user in Identity ...
0 votes, 1 answer, 53 views
Local terraform repository, remote ec2 with assumed role
My current setup is:
My local machine (actually one for each developer)
A git repository containing my terraform configuration
An EC2 instance which assumes an IAM role which grants it permissions ...
1 vote, 0 answers, 37 views
AWS API Gateway + Cognito + IAM
I'm working on an API for my company. I'm trying to restrict external users from accessing specific methods of a specific endpoint using IAM + Cognito. Currently I have a single Cognito user pool, ...
0 votes, 2 answers, 236 views
How can I set up AWS Client VPN using IAM roles for authentication?
Context: I am trying to set up Postgres RDS in a private_isolated subnet of a VPC. I want to use pgAdmin to do work on it, which means I either need a bastion or a VPN connection. A bastion requires a ...
1 vote, 1 answer, 627 views
AWS IAM: deny users from creating policies on specific resources
I want to be able to give my admin users the permission to create policies in IAM, but I want to make sure that they aren't able to create a policy that affects a specific resource.
To be more ...
0 votes, 1 answer, 217 views
How to fix permission error of Ebs volume using Amazon Data lifecycle manager?
I applied the terraform code in this link, which contains code to apply the specific roles and permissions to the DLM lifecycle service for EBS volumes.
But still I am getting access errors.
Please ...
0 votes, 0 answers, 86 views
Switch to a different AWS accounts in the UI
I currently have AWS configuration set up with my access key id and secret access key (i.e. I see this when going to 'aws configure' in the CLI). I then login through my company's OKTA to then access ...
0 votes, 0 answers, 111 views
Mimic user permissions on AWS EC2 instances using IAM roles
I'm setting up an AWS account with several users. Each of these users has policies attached that restrict their access to specific S3 buckets/objects and the EC2 instance types / Autoscaling Groups ...
0 votes, 1 answer, 761 views
Is it impossible to access rds and elasticache redis in AWS fargate only by setting a role?
I tried to access the aws service rds and elasticache redis through fargate's task role.
I connected the full access of the service to the task role, but it was not connected, so I allowed the subnet ...
0 votes, 1 answer, 93 views
Limit what kind of policies and roles an admin role can create in AWS
Is there a way in AWS to limit what kind of roles and policies another role can create?
In my setup, I have two kinds of admin roles: AccountAdmin and InfraAdmin. The AccountAdmin one having more ...
0 votes, 0 answers, 41 views
How to assign an IAM role having the same permission set as the IPs have?
How to update the IAM policy below so that the IAM role, arn:aws:iam::7574333677569:role/dev-abc-webserver, also has permissions?
{
"Version": "2012-10-17",
"Id":...
1 vote, 1 answer, 2k views
EC2 instance won't recognize IAM role?
I'm trying to download ECR images on my EC2 instance without having to provide a credentials file. So I created a role with the policy AmazonEC2ContainerRegistryReadOnly and attached to my running ...
1 vote, 1 answer, 2k views
RDS PostgreSQL Import+Export to/from S3
Is it possible to enable both importing and exporting with an RDS PostgreSQL instance to an S3 bucket? I've been able to use the following pattern to enable one or the other with consistent success:
...
1 vote, 1 answer, 622 views
How can I call "complete-lifecycle-action"?
There is an AWS EC2 instance which is launched by an auto-scaling-group. I wish to put this instance to Pending state during initialization.
This is very easy with the lifecycle hooks:
This hook will ...
0 votes, 1 answer, 455 views
A user is blocked from using MFA though I added the permissions for their AWS IAM account
I hold admin powers on one of the AWS accounts that we use at the company where I work. I am trying to make MFA mandatory for all users. I followed this tutorial:
https://docs.aws.amazon.com/IAM/...
0 votes, 1 answer, 180 views
Automatic EC2 Role Assignment
Trying to understand AWS IAM resources/concepts a little better. I know there is a way to configure an EC2 (either possibly via its underlying AMI or a launch template) so that when it launches for ...
1 vote, 2 answers, 794 views
Sharing an AWS "instance role" across accounts, as with other resources?
What works
We have several EC2 instances that pull things out of an S3 bucket on boot (and at other times). To allow this, we have an IAM policy granting read-only access...
"Effect": "...
1 vote, 1 answer, 2k views
S3 access control based on bucket tags
I hope you can help me out. I have read a couple of docs now, and I am still unsure whether this actually works.
I want to give access in different levels to AWS users based on S3 tags.
Example:
S3 ...
1 vote, 1 answer, 916 views
Quicksight Error: This user name already exists in this account
When I want to login to view my Quicksight dashboard I get this error:
This user name already exists in this account.
Contact your QuickSight administrator, and ask
them to invite you with a unique ...
0 votes, 1 answer, 249 views
Best practice for AWS root account or superuser?
Normally, we have the rule of 3 people having superuser access with 3 usernames/passwords and if anyone is ever offboarded (they leave or are fired), on vacation, out sick, in a different time zone, someone ...
6 votes, 3 answers, 9k views
Getting "Fargate requires task definition to have execution role ARN to support ECR images." when creating Fargate task but the role is defined
I am trying to deploy a very simple web application to AWS Fargate.
I have pushed a docker image of the backend of the application to ECR and I am trying to set up a Fargate task definition for the ...
0 votes, 1 answer, 1k views
AWS Policy to Read/write RDS
In my scenario, I want a policy that will allow reading and writing of abc-database-backups/rds/postgresql-backup on S3. We'll want my servers to have that access added.
Is creating a role and ...
1 vote, 1 answer, 529 views
Safely store AWS IAM User Keys (Access and Secret) created by IaC
I've the following setup:
Infrastructure is setup using AWS CDK;
I've one Stack/Environment (Production, Staging...);
Each Stack has a different S3 Bucket (used for website hosting);
I've a Stack ...
2 votes, 1 answer, 227 views
How do you set a self-destruct or maximum uptime in AWS?
Situation
We have a sandbox AWS account for trying things out. It is not for production, purely just for playing around with all the toys that AWS provide. We want to encourage everyone to explore and ...
0 votes, 1 answer, 85 views
AWS CLI Usage Issue
In our scenario, we previously had some AWS keys. The IAM interface show/showed no usage for them, but the employee has been able to upload resources. Could anyone advise how to check if the interface is ...
0 votes, 0 answers, 142 views
Individual Local Accounts on AWS
In my scenario, currently, we have all developers connect to EC2 instances using the ec2-user account. Is there a better way to do this so we can see which actions developers take on the machines?
I'...
0 votes, 1 answer, 190 views
S3 Logs event Issue
Is there a way to see what actions the 'g2' IAM user is performing in S3, and which IP(s) they are running from? I have already enabled the logging of S3 actions.
One point I’m still not able to ...
0 votes, 0 answers, 22 views
AWS IAM user with special permissions
I have the following task to do.
I want to create 10 IAM users; each user should have a login username and password,
and each IAM user should have a separate EC2 instance that cannot be visible to others.
...
0 votes, 2 answers, 277 views
Best Practice for AWS IAM access keys for use with AWS SDK
I want to know the best practice used by big companies for programmatic access to multiple AWS services, as there are multiple programs needing access to different services, so how is it managed? Did ...
3 votes, 1 answer, 10k views
Is it possible to grant a "read everything" role in AWS?
Is there a default policy that can provide read-only access to all services within AWS? Is there a naming convention for permissions that could be followed such as "Allow" : "Get*" ...
0 votes, 1 answer, 337 views
How to use aws-iam-authenticator with remote Terraform Cloud Runs?
I am already successfully using Terraform with the Kubernetes provider to manage various parts of, and services on, an EKS cluster in AWS. I would like to use Terraform Cloud to manage it (and take ...
0 votes, 0 answers, 464 views
Increasing general AWS console timeout
The AWS console appears to kick you out after 24 hours, and I'd like to increase it slightly. This has nothing to do with SSO. Is this a fundamental requirement or can it be tweaked somewhere?
1 vote, 0 answers, 3k views
Converting specific folder of S3 into browsable directory list without making it public
I have a bucket that I'd like to access using a browser similar to http://data.openspending.org/
and I'd like only a subfolder to be visible.
So if Bucket1 has multiple folders, I only wanna show and ...
3 votes, 0 answers, 1k views
EKS - Use IAM roles for service accounts on multiple clusters
I am trying to use IAM roles for service accounts in EKS.
https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
When it comes to creating the IAM role to be assigned to a ...
3 votes, 1 answer, 9k views
AWS IAM Roles: What is a trusted entity exactly?
I have a role attached to a LaunchConfiguration for an EC2 instance, that gives the EC2 instance privs to do certain things like do Cloudwatch logs (the context isn't important to the question). In ...
0 votes, 0 answers, 506 views
Can I access an EKS cluster if I don't have access to the IAM user that created it?
An AWS admin created an IAM user, and that user created an EKS cluster. Now we don't have access to that IAM user.
If we try to execute kubectl commands on that EKS cluster from a new IAM ...
1 vote, 1 answer, 1k views
AWS S3 Policy: One non-public bucket, separate sub-folders for each user, restricted access
At the moment I'm struggling with how to create a secure policy for my Amazon S3 bucket.
My plan is to have one bucket with several sub-folders for separate (IAM) users.
Access should only be ...
2 votes, 0 answers, 304 views
Facilitating arbitrary code execution on AWS Lambda
I am developing a SaaS where a user will be able to upload a custom JavaScript function that runs when an event happens. In order to preserve the integrity of the system, I am using AWS Lambda to run ...
2 votes, 2 answers, 1k views
Permissions for choosing tags in Cloudwatch
When trying to create a Cloudwatch dashboard I get "You don't have permission to access tags and properties. Retry".
What permissions does my IAM account have to have in order to be able to ...
0 votes, 1 answer, 503 views
AWS-IAM - How to combine specific access to a specific region with some resource tags
Hello, I am trying to combine some access rights for a user using IAM policies:
Full access to one region ONLY (i.e: ap-east-1)
ReadOnlyAccess to another region (i.e: us-east-1)
Write access only to (...
1 vote, 0 answers, 76 views
Autoscaling - lifecycle hook implementation
I'm trying to implement my first ASG with a lifecycle hook and I am having this issue:
LifecycleHandlerFunction: Encountered unsupported property Role
The following resource(s) failed to create:
[...
7 votes, 3 answers, 6k views
Impossible to delete AWS backup vault, backup plans?
I swear, I've read all the docs I can find, and have tried everything including the AWS policy generator UI and manually editing policy JSON, but no matter what I try, when I try to delete any of ...
2 votes, 1 answer, 2k views
How do I enforce a policy to block access to specific regions without updating all of my policies?
I want to block all user access to almost all AWS regions. You can't "disable" a region that is enabled by default. Also I am aware of permissions that are account level and can't be ...
2 votes, 1 answer, 2k views
AWS: How do I restrict deployment to ECS clusters using IAM
I have multiple Fargate clusters in a single AWS account. I wish to ensure that a given service account (used by the build pipeline) can only update Services within a given Fargate cluster.
The IAM ...
0 votes, 1 answer, 187 views
AWS Resource deletion should require 2 users' approval
We have a business requirement wherein the deletion of resources in an AWS account should require the approval of 2 users - maybe an admin and the manager.
There doesn't seem to be a straightforward, out-of-...
0 votes, 1 answer, 1k views
AWS EC2 instance launched by IAM user but root user not seeing it
I have a client and he has given me IAM access, via my email, to his AWS account.
I have logged in successfully and then launched an EC2 instance in his account as an IAM user.
But the client is not seeing ...
0 votes, 1 answer, 1k views
AWS IAM policy to allow user to edit one specific Security Group only
I'm trying to allow a user to modify inbound rules on one particular security group.
Here's what I tried. I thought it would be straightforward, but this doesn't work. What other permissions do I ...