Questions tagged with IAM Policies

Hello, I'm currently running into some trouble setting up an IoT Core MQTT broker. I am able to connect to my broker using my terminal and mosquitto, but when I try to publish a message to any topic, the mosquitto client disconnects and reconnects without being able to publish. I have validated this connect/disconnect behaviour through the `$aws/events/presence/# topic` and the mosquitto client in debug mode for which I can provide a sample output : ``` Client william_terminal sending CONNECT Client william_terminal received CONNACK (0) HELLO Client william_terminal sending PUBLISH (d0, q0, r0, m1, 'test', ... (5 bytes)) Client william_terminal sending CONNECT Client william_terminal received CONNACK (0) ``` Using the AWSIotLogs set at debug level, I was able to find out that this behaviour is caused by an authorization problem happening at publish time. Here are consecutively sampled logs for the stream : ``` { "timestamp": "2022-09-29 15:16:55.406", "logLevel": "INFO", "traceId": "5697ba84-38f7-eefc-08e9-b6dd00096727", "accountId": "673559919736", "status": "Success", "eventType": "Connect", "protocol": "MQTT", "clientId": "$GEN/af403525-5e3b-4f81-9888-a31f16e300f0", "principalId": "49964471e92f354742f5394e648c97d9ac3aa940081cccf0962918bf97fcdf09", "sourceIp": "10.240.100.18", "sourcePort": 46898 } { "timestamp": "2022-09-29 15:16:59.554", "logLevel": "ERROR", "traceId": "067b15e5-9bcb-5c6d-2061-9bbefbccb3d0", "accountId": "673559919736", "status": "Failure", "eventType": "Publish-In", "protocol": "MQTT", "topicName": "sim/2", "clientId": "$GEN/af403525-5e3b-4f81-9888-a31f16e300f0", "principalId": "49964471e92f354742f5394e648c97d9ac3aa940081cccf0962918bf97fcdf09", "sourceIp": "10.240.100.18", "sourcePort": 46898, "reason": "AUTHORIZATION_FAILURE", "details": "Authorization Failure" } ``` The certificates I use to authenticate to my account have the following policy attached : ``` { "Statement": [ { "Action": [ "iot:Connect" ], "Condition": { "Bool": { "iot:Connection.Thing.IsAttached": [ "true" ] } }, "Effect": "Allow", "Resource": "*" }, { "Action": [ "iot:Publish" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "iot:Subscribe" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "iot:Receive" ], "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" } ``` The only restrictive part of this permissions being set on the connection action, I don't understand how it is possible to have a publication authorization failure. I will deeply appreciate any help on this topic. Cheers, William Didierlg...

How can I prevent a specific IAM user to delete or change tags assigned to an EC2 instance? I am OK with the user to be able to add new tags. Thanks!lg...

I am trying to run a cross-account Athena query : 1. I can list thedefault catalog ARN ""glue:arn:aws:glue:us-east-1:999999999999:catalog" fine (https://docs.aws.amazon.com/athena/latest/ug/security-iam-cross-account-glue-catalog-access.html) 2. I am unclear how to reference other connector catalogs 3. Standard presto "show catalogs" doesn't work How do I reference and query a catalog cross account. Note the second catalog is a connector (hive) from the athena.lg...

In the AWS Managment account `1111111` I have enabled `CloudTrail`. All `CloudTrail` logs are sent to the `S3` bucket `XXXX` in the Audit Account `2222222`. This part of the configuration works fine. I am now trying to enable the `CloudTrail` logs to be sent `CloudWatch` in account `2222222`. Because `CloudTrail` is configure at the Org level in account `1111111` but the `logs` are in an S3 bucket in account `222222` when i try to enable `CloudWatch` I get an error message saying `There is a problem with the role policy` Has anyone configure something like this before and if they have any idea and what the Role should look like ?lg...

I have a Lambda function that pulls data from an S3 bucket, transforms it and puts it into another bucket. I gave it S3FullAccess, which should include all operations. Loading data is no problem, however when I try to store the transformed data in a new bucket (or even a different folder within the same bucket), the following error message occurs: "An error occurred (AccessDenied) when calling the PutObject operation: Access Denied" The following lines both throw the error: awswrangler.s3.to_csv(joined_df, 's3://buckets/other-bucket/data.csv', index=False) awswrangler.s3.to_csv(joined_df, 's3://buckets/my-bucket/other-subfolder/data.csv', index=False) This is, again, despite the Lambda having AmazonS3FullAccess. Does anyone know what is wrong here?lg...

I have a Greengrass device setup that I'm trying to get SSH tunneling working on but needs a service role associated with my account if I'm understanding that correctly. In AWS IoT > Settings > Greengrass service role, there is no role attached. Clicking attach gives just an empty dropdown box. I've tried creating a role named "Greengrass_ServiceRole" and attaching the AWS managed "AWSGreengrassResourceAccessRolePolicy", but it still doesn't show up in that dropdown box for Greengrass service role. Based on the docs, this role would be created for me if I used Greengrass V1, but I'm starting from scratch here, do I need to setup my device using V1 just to get things like this setup? https://docs.aws.amazon.com/greengrass/v2/developerguide/greengrass-service-role.htmllg...

Hi, Actually we try to generate a policy based on CloudTrail events, but we have Control Tower and a centralized bucket for all cloudtrails to all our accounts. We follow this blog: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html#access-analyzer-policy-generation-cross-account but still give the error: "Incorrect permissions assigned to access CloudTrail S3 bucket. Please fix before trying again." We already update the bucket policy, bucket ownership and we dont use KMS on it. Any advise or glue about what we miss ? Thanks in advance,lg...

I'm trying to test endpoint connection from DMS Replication Instance, DMS (3.4.7) RI instance (running in Acnt A) is attempting to get a secret from SecretsManager (running in Acnt B) using VPC Interface endpoint, but errors out with the following. Test Endpoint failed: Application-Status: 1020912, Application-Message: Failed to retrieve secret. Unable to find Secrets Manager secret, Application-Detailed-Message: Unable to find AWS Secrets Manager secret Arn 'arn:aws:secretsmanager:us-east-1:acntBbbbbb:secret:/dmsdemo/aaaaa-<erandomStrng>' The secrets_manager get secret value failed: User: arn:aws:sts::acntAaaaa:assumed-role/DMSStack-DMSRole-zzzzzzz/dms-session-for-replication-engine is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:acntBbbbbb:secret:/aaaaa-<randomStrng> because no session policy allows the secretsmanager:GetSecretValue action Not retriable error: <AccessDeniedException> User: arn:aws:sts::acntAaaaa:assumed-role/DMSStack-DMSRole-zzzzzzz/dms-session-for-replication-engine is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:acntBbbbbb:secret:/dmsdemo/aaaaa-<randomStrng>' because no session policy allows the secrets DMSRole { "Version": "2012-10-17", "Statement": [ { "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], "Resource": "arn:aws:secretsmanager:us-east-1:acntAaaaa:secret:/dmsdemo/aaaaa-<randomStrng>", "Effect": "Allow" }, { "Action": "kms:Decrypt", "Resource": "arn:aws:kms:us-east-1:acnt:key/ddddddddddd", "Effect": "Allow" } ] } Resource Policy on Secret { "Version" : "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Principal" : { "AWS" : [ "arn:aws:iam::acntAaaaaa:root", "arn:aws:iam::acntBbbbbbb:root" ] }, "Action" : [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], "Resource" : "*" } ] } Any thoughts on what was missing in permissions that is restricting the access to secretlg...

when i try to add this permission to allow cyberduck to list the files from a bucket. cyberduck list all the buckets in my account, but only have access to the bucket i entered the key for. what i would like it to do is only list the bucket that i entered the key to and only have access to that bucket . this is the JSON script ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1480515305000", "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::*" ] }, { "Sid": "Stmt1480515305002", "Effect": "Allow", "Action": [ "s3:List*", "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::allowed-bucket", "arn:aws:s3:::allowed-bucket/*" ] } ] } ``` thank youlg...

I destroyed some IAM roles since they did not display a "last active" attribute. Now I cannot access my data properly. When I try to reset my auth settings, I cannot: ``` NoSuchEntity - An error occurred while processing your request: The role with name us-east-1_g9F10WnFw_Manage-only cannot be found. ``` I'm struggling to figure out what Roles to recreate what access to give them to access my amplify environment Not sure if this helps but here is my aws-export.js: ``` /* eslint-disable */ // WARNING: DO NOT EDIT. This file is automatically generated by AWS Amplify. It will be overwritten. const awsmobile = { "aws_project_region": "us-east-1", "aws_appsync_graphqlEndpoint": "https://iai3fj7vd5hgjc22z4m7kj5tn4.appsync-api.us-east-1.amazonaws.com/graphql", "aws_appsync_region": "us-east-1", "aws_appsync_authenticationType": "API_KEY", "aws_appsync_apiKey": "da2-****", "aws_cognito_identity_pool_id": "us-east-1:0afc5fb7-9bb5-45a0-ad98-50a9a38491c0", "aws_cognito_region": "us-east-1", "aws_user_pools_id": "us-east-1_eW3yGAOvZ", "aws_user_pools_web_client_id": "7al4qgvvsu8qkicdsqtl9n4stv", "oauth": {}, "aws_cognito_username_attributes": [ "EMAIL" ], "aws_cognito_social_providers": [], "aws_cognito_signup_attributes": [], "aws_cognito_mfa_configuration": "OFF", "aws_cognito_mfa_types": [ "SMS" ], "aws_cognito_password_protection_settings": { "passwordPolicyMinLength": 8, "passwordPolicyCharacters": [ "REQUIRES_LOWERCASE", "REQUIRES_NUMBERS", "REQUIRES_SYMBOLS", "REQUIRES_UPPERCASE" ] }, "aws_cognito_verification_mechanisms": [ "EMAIL" ], "aws_user_files_s3_bucket": "gr-movement-storage-e48b8b36191308-staging", "aws_user_files_s3_bucket_region": "us-east-1" }; export default awsmobile; ```lg...

I locked myself out of one of my buckets by denying access to all users in the bucket policies. This bucket is in a child account of my root user. To fix this, [the doc says the root user is the only user authorized to delete a policy when every user is locked out](https://aws.amazon.com/premiumsupport/knowledge-center/s3-accidentally-denied-access/) so I tried this script: ``` #!/bin/bash export AWS_ACCESS_KEY_ID=<root_user_key> export AWS_SECRET_ACCESS_KEY=<root_user_key> aws sts get-caller-identity aws s3api delete-bucket-policy --bucket "my-bucket" ``` And got this: ``` { "UserId": "101535111111", "Account": "101535111111", "Arn": "arn:aws:iam::101535111111:root" } An error occurred (AccessDenied) when calling the DeleteBucketPolicy operation: Access Denied ``` I also tried to access the bucket from the console **from the root account**, I'm also getting:  I'm out of ideas...lg...

I am creating a cloud formation script that creates a ec2 instance as a bastion host, a RDS option group to allow for S3 backup and restoring, and a RDS db instance. In that script, I want to make an option group then immediately use it on the RDS instance. However, I get this error ` "Specified OptionGroupName: rdsoptiongrouprestore not found.` The formation template looks likes this: ``` "RdsDbCcw": { "Type": "AWS::RDS::DBInstance", "Properties": { "DBInstanceClass": { "Ref": "DBInstanceClass" }, "Engine": { "Ref": "DBEngine" }, "MasterUserPassword": { "Ref": "DBAdminPassword" }, "MasterUsername": "admin", "MultiAZ": false, "PubliclyAccessible": false, "StorageType": "gp2", "DBSubnetGroupName": { "Ref": "SubnetGroupID" }, "AllocatedStorage": 20, "OptionGroupName": "RDSoptiongroupRestore" }, "Metadata": { "AWS::CloudFormation::Designer": { "id": "e52423ae-26df-4293-b4d3-073271c85ec0" } }, "DependsOn": [ "ec2Bastion", "appServer", "RDSoptiongroupRestore" ] }, "RDSoptiongroupRestore": { "Type": "AWS::RDS::OptionGroup", "Properties": { "EngineName": { "Ref": "DBEngine" }, "MajorEngineVersion": "15.00", "OptionConfigurations": [ { "OptionName": "SQLSERVER_BACKUP_RESTORE", "OptionSettings": [ { "Name": "IAM_ROLE_ARN", "Value": "arn....." } ] } ], "OptionGroupDescription": "For Restoring bakups from s3 bucket" }, "Metadata": { "AWS::CloudFormation::Designer": { "id": "ce0de1d7-6e19-43c0-9df9-230562178612" } } } } ``` Do I need to create a delay or way to say to cloud formation that I just made this option group, so that that?lg...