Limitations on unauthenticated Cognito identities?

0

I'm trying to use an unauthenticated Cognito identity to call ec2.describeInstanceStatus using the JavaScript for web SDK. When I try to call that or the similar ec2.describeInstances, I get an UnauthorizedOperation error and an HTTP 403 Forbidden.

I checked the IAM role permissions against the IAM Policy Simulator and the role should have the proper permissions to perform those actions. I even gave it "AmazonEC2FullAccess (IAM Policy)" and nothing else on a new IAM Role since I was at a loss. I still got UnauthorizedOperation.

This leads me to my question. Do unauthenticated Cognito identities have limitations on services/calls? I am able to invoke Lambda functions using the same IAM role and using the same basic JavaScript/HTML, so I know the unauthenticated identity works for at least some actions.

Thanks for the help!

aj177
asked 3 years ago, 588 views
1 Answer
0

Answer found: From https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#access-policies

For additional security protection, Amazon Cognito applies a scope-down policy to credentials vended by GetCredentialForIdentity to prevent access to services other than the ones listed below for your unauthenticated users. In other words, this policy allows an identity using these credentials access to only some services (list in link).

EC2 is not in that list.

aj177
answered 3 years ago
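The mechanism behind that answer, as an added example (not code from the original post or from AWS): the credentials an unauthenticated identity receives are bounded by the intersection of the role's IAM policy and Cognito's scope-down policy, so ec2:DescribeInstances is denied even under AmazonEC2FullAccess, while lambda:InvokeFunction passes both. The scope-down allow-list and the role policy below are constructed stand-ins (the real list is in the linked developer guide); the evaluator is a simplified model of IAM's allow/deny logic, not the AWS implementation.

```javascript
// Simplified IAM evaluation: explicit Deny wins, any matching Allow permits,
// otherwise implicit deny. Action patterns use IAM's '*' wildcard, case-insensitive.
function globToRegExp(pattern) {
  const escaped = pattern
    .toLowerCase()
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '$');
}

function policyDecision(policy, action) {
  let allowed = false;
  for (const st of policy.Statement) {
    const actions = [].concat(st.Action);
    if (!actions.some((a) => globToRegExp(a).test(action.toLowerCase()))) continue;
    if (st.Effect === 'Deny') return 'Deny';
    allowed = true;
  }
  return allowed ? 'Allow' : 'ImplicitDeny';
}

// Credentials vended to an unauthenticated identity are usable only where BOTH
// the role policy and Cognito's scope-down policy allow the action.
function effectiveDecision(rolePolicy, scopeDownPolicy, action) {
  if (policyDecision(rolePolicy, action) !== 'Allow') return 'DeniedByRolePolicy';
  if (policyDecision(scopeDownPolicy, action) !== 'Allow') return 'DeniedByScopeDown';
  return 'Allow';
}

// CONSTRUCTED role policy: broad EC2 rights (as AmazonEC2FullAccess would grant)
// plus Lambda invoke; not the managed policy's actual text.
const unauthRolePolicy = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: 'ec2:*', Resource: '*' },
    { Effect: 'Allow', Action: 'lambda:InvokeFunction', Resource: '*' },
  ],
};

// CONSTRUCTED stand-in for Cognito's unauthenticated scope-down policy. Only the
// services the thread mentions are modelled: Lambda worked for the poster, EC2 did not.
const cognitoUnauthScopeDown = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: ['lambda:*'], Resource: '*' }],
};

function checkThreadScenario() {
  return {
    describeInstances: effectiveDecision(unauthRolePolicy, cognitoUnauthScopeDown, 'ec2:DescribeInstances'),
    invokeLambda: effectiveDecision(unauthRolePolicy, cognitoUnauthScopeDown, 'lambda:InvokeFunction'),
  };
}
```

The IAM Policy Simulator evaluates the role's own policies, which is why it reported Allow for EC2 while the vended credentials were still refused.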
