Questions tagged with IAM Policies

We would like to control which services are available for use in which accounts and regions while still being able to review everything: - Allow ReadOnly across all services in all regions - Allow Write on specified services in certain regions We are aware of the general policy to [restrict actions not in specific regions](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region) but this is too restrictive and results in unnecessary confusion when users experience permission errors on various service dashboards. Thus far we have been unable to construct an SCP, or combination of SCPs, that provide the intended effect given [the attachment and size limits.](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html#min-max-values) Is what we are looking for even possible with Service Control Policies alone? We would like to avoid: - Managing this via User/Role Permissions - Having "Bypass" Roles as shown in the documented example above.

AWS secrets-manager does not decode my key/values when retrieving... what am I missing? Hi when I retrieve my SecretString from Secrets-manager i get: `'{"username": "***","password": "***" ,"engine":"mysql","host":"***","port":"***","dbname":"***""dbInstanceIdentifier":"database-1"}',` Instead of `{"username":"my_real_username","password":"my_real_password","engine":"mysql","host":"my_real_host","port":"my_real_port","dbname":"my_real_dbname","dbInstanceIdentifier":"database-1"}` I have tried using both my buildspec.yml file doing: ``` env: secrets-manager: DB_TEST_HOST: "test:host" DB_TEST_NAME: "test:dbname" DB_TEST_PORT: "test:port" DB_TEST_USER: "test:username" DB_TEST_USER_PASSWORD: "test:password" ``` And implemented the code suggested in secrets-manager. Both give the the bad result. I have also attached "SecretsManagerReadWrite" policy and kms:Decrypt policy to the role used when trying to retrieve these parameters.

Suppose I have a Cognito Identity Pool. I want to grab info about the user itself rather than their Cognito Identity ID. Is there any way to read off the principal tags from the assumed Cognito Identity or the underlying IAM Role? Alternatively I could parse the "sub" attribute from the oidc provider (via the cognito identity's amr block) and work backwards with the identity provider to get more info... but this is resource intensive and I see no reason why I can't access the principal tags passed into the cognito identity...

I have a Lambda function that is supposed to pass its own permissions to the code running in an ECS task. It looks like this: ``` ecs_parameters = { "cluster": ..., "launchType": "FARGATE", "networkConfiguration": ..., "overrides": { "taskRoleArn": boto3.client("sts").get_caller_identity().get("Arn"), ... }, "platformVersion": "LATEST", "taskDefinition": f"my-task-definition-{STAGE}", } response = ecs.run_task(**ecs_parameters) ``` When I run this in Lambda, i get this error: ``` "errorMessage": "An error occurred (ClientException) when calling the RunTask operation: ECS was unable to assume the role 'arn:aws:sts::787364832896:assumed-role/my-lambda-role...' that was provided for this task. Please verify that the role being passed has the proper trust relationship and permissions and that your IAM user has permissions to pass this role." ``` If I change the task definition in ECS to use `my-lambda-role` as the task role, it works. It's specifically when I try to override the task role from Lambda that it breaks. The Lambda role has the `AWSLambdaBasicExecutionRole` policy and also an inline policy that grants it `ecs:runTask` and `iam:PassRole`. It has a trust relationship that looks like: ``` "Effect": "Allow", "Principal": { "Service": [ "ecs.amazonaws.com", "lambda.amazonaws.com", "ecs-tasks.amazonaws.com" ] }, "Action": "sts:AssumeRole" ``` The task definition has a policy that grants it `sts:AssumeRole` and `iam:PassRole`, and a trust relationship that looks like: ``` "Effect": "Allow", "Principal": { "Service": "ecs-tasks.amazonaws.com", "AWS": "arn:aws:iam::account-ID:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS" }, "Action": "sts:AssumeRole" ``` How do I allow the Lambda function to pass the role to ECS, and ECS to assume the role it's been given? P.S. - I know a lot of these permissions are overkill, so let me know if there are any I can get rid of :) Thanks!

I have a Lightsail instance with a very small Python script for testing. The script looks like: ``` import boto3 import json region_name = "us-east-1" secret_name = "arn:aws:secretsmanager:us-east-1:XXXXXX:XXXX" client = boto3.client(service_name='secretsmanager',region_name=region_name) response = client.get_secret_value(SecretId=secret_name) secrets1 = json.loads(response['SecretString']) print(secrets1['Password']) ``` When I run the above code, I get the following error: ``` An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::XXXXXXXX:assumed-role/AmazonLightsailInstanceRole/XXXXXXX is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:XXXXXXXX:secret:XXXXXX because no resource-based policy allows the secretsmanager:GetSecretValue action ``` I have tried: * creating a Lightsail role in IAM with "SecretsManagerReadWrite" policy attached. One problem with this approach is that I didn't see a Lightsail option when selecting an AWS Service, so I selected ec2. * running the code as root user * creating another IAM user with proper permissions (full access to Lightsail and SecretsManagerReadWrite) * scouring several forums looking for answers. I find some cases that are similar to mine, but haven't found a solution I can use fully (although I have used bits and pieces with no luck). None of the above worked (although I can't guarantee I put all the pieces together correctly). So my question is: How can I access a secret in my Secrets Manager service and use it in my Python code in Lightsail? This is all done within a single AWS account. I am very new to the AWS framework and am admittedly confused by the IAM roles and users and how I provision permission for a Lightsail instance to access Secrets Manager. Thanks for any help.

Error: Could not load data. The current role cannot perform cloudwatch:GetMetricData. My iam policie: ` "Effect": "Allow", "Action": [ "cloudwatch:GetDashboard", "cloudwatch:GetMetricData", "cloudwatch:DescribeAlarms", "ec2:*" ],`

I am setting own mqtt broker using aws workshop: https://catalog.us-east-1.prod.workshops.aws/workshops/5ecc2416-f956-4273-b729-d0d30556013f/en-US/chapter6-mqtt-broker/10-step1 In startup.sh script execution step getting errors: 1. not authorized to perform: iot:CreatePolicy 2. not authorized to perform: iot:CreateKeysAndCertificate User account having all below access permissions: IAMFullAccess AmazonS3FullAccess AWSIoTFullAccess AWSGreengrassFullAccess GreengrassV2TokenExchangeRoleAcess AdministratorAccess I am trying to resolve this couple of days, but not yet succeeded . It very urgent need resolve for current project

The following trust policy is the default trust policy for an EC2 instance role. ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sts:AssumeRole" ], "Principal": { "Service": [ "ec2.amazonaws.com" ] } } ] } ``` Is it possible to limit this trust policy to allow the role to only be attached to a specific instance? I know that it would be possible to only grant the IAM permissions to a user to pass this role to a specific instance but I would also like to limit the scope of this role to a specific instance at the same time.

### Quick Summary: If objects are put into a bucket owned by "Account A" from a different account ("Account B"), you cannot access files via S3 static website (http) from "Account A" (bucket owner). This is true regardless of the bucket policy granting GetObject on all objects, and regardless of if bucket-owner-full-control ACL is enabled on the object. - If trying to download a file from Account A via S3 API (console/cli), it works fine. - If trying to download a file from Account A via S3 static website (http), S3 responds HTTP 403 Forbidden if the file was uploaded by Account B. Files uploaded by Account A download fine. - Disabling Object ACL's fixes the problem but is not feasible (explained below) ### OVERVIEW I have a unique setup where I need to publish files to an S3 bucket from an account that does not own the bucket. The upload actions work fine. My problem is that I cannot access files from the bucket-owner account over the S3 static website *if the files were published from another account* (403 Forbidden response). **The problem only exists if the files were pushed to S3 FROM a different account.** Because the issue is only for those files, the problem seems like it would be in the Object Ownership ACL configuration. I've confirmed I can access other files (that weren't uploaded by the other acct) in the bucket through the S3 static website endpoint, so I know my bucket policy and VPC endpoint config is correct. If I completely disable Object ACL's completely **it works fine**, however I cannot do that because of two issues: - Ansible does not support publishing files to buckets with ACL's disabled. (Disabling ACL is a relatively new S3 feature and Ansible doesn't support it) - The primary utility I'm using to publish files (Aptly) also doesn't support publishing to buckets with ACL's disabled. (Disabling ACL is a relatively new S3 feature and Aptly doesn't support it) Because of these above constraints, I must use Object ACL's enabled on the bucket. I've tried both settings "Object Writer" and "Bucket owner preferred", neither are working. All files are uploaded with the `bucket-owner-full-control` object ACL. SCREENSHOT: https://i.stack.imgur.com/G1FxK.png As mentioned, disabling ACL fixes everything, but since my client tools (Ansible and Aptly) cannot upload to S3 without an ACL set, ACL's must remain enabled. SCREENSHOT: https://i.stack.imgur.com/NcKOd.png ### ENVIRONMENT EXPLAINED: - Bucket `test-bucket-a` is in "Account A", it's not a "private" bucket but it does not allow public access. Access is granted via policies (snippet below). - Bucket objects (files) are pushed to `test-bucket-a` from an "Account B" role. - Access from "Account B" to put files into the bucket is granted via policies (not shown here). Files upload without issue. - Objects are given the `bucket-owner-full-control` ACL when uploading. - I have verified that the ACL's look correct and both "Account A" and "Account B" have object access. (screenshot at bottom of question) - I am trying to access the files from the bucket-owner account (Account A) over the S3 static website access (over http). I can access files that were not uploaded by "Account B" but files uploaded by "Account B" return 403 Forbidden I am using VPC Endpoint to access (files cannot be public facing), and this is added to the bucket policy. All the needed routes and endpoint config are in-place. I know my policy config is good because everything works perfectly for files uploaded within the same account or if I disable object ACL. ``` { "Sid": "AllowGetThroughVPCEndpoint", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::test-bucket-a/*", "Condition": { "StringEquals": { "aws:sourceVpce": "vpce-0bfb94<scrubbed>" } } }, ``` **Here is an example of how this file is uploaded using Ansible:** Reminder: the role doing the uploading is NOT part of the bucket owner account. ``` - name: "publish gpg pubkey to s3 from Account B" aws_s3: bucket: "test-bucket-a" object: "/files/pubkey.gpg" src: "/home/file/pubkey.gpg" mode: "put" permission: "bucket-owner-full-control" ``` **Some key troubleshooting notes:** - From "Account A" when logged into the console, **I can download the file.** This is very strange and shows that API requests to GetObject are working. Does the S3 website config follow some different rule structure?? - From "Account A" when accessing the file from an HTTP endpoint (S3 website) it returns **HTTP 403 Forbidden** - I have tried deleting and re-uploading the file multiple times. - I have tried manually setting object ACL via the aws cli (ex: `aws s3api put-object-acl --acl bucket-owner-full-control ...`) - When viewing the "object" ACL, I have confirmed that both "Account A" and "Account B" have access. See below screenshot. Note that it confirms the object owner is an external account. SCREENSHOT: https://i.stack.imgur.com/TCYvv.png

Is it possible to have different login URLs for different IAM users or for different stacks of the same root account? e.g. user IAM 1 -> linkA userIAM2 -> linkB or Stack1 -> linkA Stack2 ->linkB what I need is: to deploy an application with different settings for different end-users, if possible with different login links. Then give the user a chance to see their stack and fleet belong. Do you have any suggestions on how to do that? Thanks in advance.

According to the following documentation for creating a target endpoint using AWS DMS https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Target.Neptune.html The setup looks like as follows: 1. A Neptune DB cluster(without Notebook) 2. A DMS replication instance 3. A source endpoint (S3) 4. A role that has full access to S3, Neptune and RDS 5. A target endpoint (AWS Neptune) <-- This is the point of failure After configuring the target endpoint when I click on "Run test" I see following error: `arn:aws:iam::12xxxxxx2:role/xxxx-dms-role role should be associated with xxx-cluster-xxx-neptune cluster.` Is there something missing? The role is configured with policies that provide full access to all resources(especially Neptune and S3) ```JSON { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:*" ], "Resource": "*" }, { "Effect": "Allow", "Action": "neptune-db:*", "Resource": "*" }, { "Effect": "Allow", "Action": "rds:*", "Resource": "*" } ] } ```

I am trying to create Domain in open search, I used the Below IAM permission but everytime it is giving me this error-: Before you can proceed, you must enable a service-linked role to give Amazon OpenSearch Service permissions to create and manage resources on your behalf I have also attached the Service Linked Role but still I am facing the Issue I am using this IAM policy { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "es:ESHttpDelete", "es:ESHttpGet", "es:ESHttpHead", "es:ESHttpPost", "es:ESHttpPut", "es:ESHttpPatch", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateNetworkInterface", "ec2:CreateSecurityGroup", "ec2:DeleteNetworkInterface", "ec2:DeleteSecurityGroup", "ec2:DescribeAvailabilityZones", "ec2:DescribeNetworkInterfaces", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:ModifyNetworkInterfaceAttribute", "ec2:RevokeSecurityGroupIngress", "elasticloadbalancing:AddListenerCertificates", "elasticloadbalancing:RemoveListenerCertificates" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "es:AddTags", "es:AssociatePackage", "es:CreateDomain", "es:CreateOutboundConnection", "es:DeleteDomain", "es:DescribeDomain", "es:DescribeDomainAutoTunes", "es:DescribeDomainConfig", "es:DescribeDomains", "es:DissociatePackage", "es:ESCrossClusterGet", "es:GetCompatibleVersions", "es:GetUpgradeHistory", "es:GetUpgradeStatus", "es:ListPackagesForDomain", "es:ListTags", "es:RemoveTags", "es:StartServiceSoftwareUpdate", "es:UpdateDomainConfig", "es:UpdateNotificationStatus", "es:UpgradeDomain" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "es:AcceptInboundConnection", "es:CancelServiceSoftwareUpdate", "es:CreatePackage", "es:CreateServiceRole", "es:DeletePackage", "es:DescribeInboundConnections", "es:DescribeInstanceTypeLimits", "es:DescribeOutboundConnections", "es:DescribePackages", "es:DescribeReservedInstanceOfferings", "es:DescribeReservedInstances", "es:GetPackageVersionHistory", "es:ListDomainNames", "es:ListDomainsForPackage", "es:ListInstanceTypeDetails", "es:ListInstanceTypes", "es:ListNotifications", "es:ListVersions", "es:PurchaseReservedInstanceOffering", "es:RejectInboundConnection", "es:UpdatePackage" ], "Resource": "*" }, { "Sid": "AllowCreationOfServiceLinkedRoleForOpenSearch", "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole", "iam:PassRole" ], "Resource": [ "arn:aws:iam::*:role/aws-service-role/opensearchservice.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService*", "arn:aws:iam::*:role/aws-service-role/es.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService*" ], "Condition": { "StringLike":{ "iam:AWSServiceName": [ "opensearchservice.amazonaws.com", "es.amazonaws.com" ] } } } ] }

I am creating a data pipeline using Template-ShellCommandActivity, but I am facing an issue while attaching the resource role. I am not able to get the resource role I created in the dropdown. And when I go ahead as it is Pipeline activation fails with this error: "Object:EC2ResourceObj ERROR: Unable to validate an instance profile with the role name'*****My Resource Role*****'.Please create an EC2 instance profile with the same name as your resource role"

Hi, Im trying to achieve the "role chaining" as in the https://aws.plainenglish.io/aws-iam-role-chaining-df41b1101068 i have an user `admin-user-01` with policy assigned: ``` { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::<accountid>:role/admin_group_role" } } ``` I have a role, which is meant for `admin-user-01`, with `role_name = admin_group_role` and trust policy = ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<accountid>:user/admin-user-01" }, "Action": "sts:AssumeRole" } ] } ``` And it also has a policy: ``` { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::<accountid>:role/test-role" } } ``` Then, i have another role, which is assigned for the role above (`admin_group_role`), with `role_name = test-role` and trust policy = ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<accountid>:role/admin_group_role" }, "Action": "sts:AssumeRole" } ] } ``` But when i login as `admin-user-01` into account, then switch to the role `admin_group_role` and then try to switch to role `test-role` i get : `Invalid information in one or more fields. Check your information or contact your administrator.` P.S everywhere <accountid> is the same, all of the roles,users,permissions are created in the same account ( what, i suppose might be the reason why i face the error ) What am i doing wrongly?

I got error: "ec2tagger: Unable to describe ec2 tags for initial retrieval: AuthFailure: AWS was not able to validate the provided access credentials" in cloudwatch log agent on an ec2 instance that has: 1. CloudWatchAgentServerRole -- this is default AWS managed role attached to the instance, this default role already allow ""ec2:DescribeTags"," in its policy. <---- NOTE this 2. Its NACL allowed all outbound and allowed all vpc's CIDR network range inbound 3. Cloudwatch log agent config file's region is correct 4. telnet ec2.us-east-2.amazonaws.com 443 or telnet monitoring.us-east-2.amazonaws.com 443 or telnet logs.us-east-2.amazonaws.com 443 under the ec2 instance all return successful connection (Connected <..> Escape character is '^]') I also create three vpc endpoints: logs (com.amazonaws.us-east-2.logs), monitoring (com.amazonaws.us-east-2.monitoring), ec2 (com.amazonaws.us-east-2.ec2) interface endpoints. They have SG that allowed all VPC's CIDR network range inbound. The idea is to expose metrics to cloudwatch via vpc endpoints. Despite all above setup, I can't make cloudwatch agent to work and it keeps echo above error complain about credentials is not valid even though the REGION in config file is correct and traffic between instance and cloudwatch is allowed.

Is it possible to give access only to a certain image, stack, or fleet with IAM policies? Do you have any examples? I tried with a policy but it returns this error: > User: arn:aws:iam::xxxxxxxxx:user/xxxxxxxx is not authorized to perform: appstream:DescribeFleets on resource: arn:aws:appstream:eu-central-1:xxxxxxxxxxx:fleet/* because no boundary policy allows the appstream:DescribeFleets action > My need is: in an AWS account, an IAM user must only see some image/fleet/stack. thanks

Can we access and use multiple roles from a single user simultaneously(using STS assumeRole api right now)? My use case requires creation of different roles which have their specific policies assigned, and I need a different way other than creating one user per role sort of like a multiple account access. Instead of creating 1 user per role, is there any way that a single user can access/assume resources of multiple roles/accounts simultaneously?

Hello, within SES sending mails is possible and working, but i would like to restrict the FROM address which is not working. Even with a limiting(aws@example.com) sending authorization policy I can send with **any** FROM address. Here is my Sending authorization policies: ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "XXX", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::XXX:user/ses-smtp-userXXX" }, "Action": "ses:SendRawEmail", "Resource": "arn:XXX:identity/XXX", "Condition": { "StringLike": { "ses:FromAddress": "aws@example.com" } } } ] } ``` IAM policy: ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ses:SendRawEmail", "Resource": "*" } ] } ``` Do i have to set the condition also for the IAM policy? What is the better/right way for which use-case: IAM or sending authorization policy

When adding Lambda to VPC, it is required to have `DeleteNetworkInterface` permission, ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ ...... "ec2:DeleteNetworkInterface", ], "Resource": "*" } ] } ``` However, we feel it's a bit risky to use unconditioned `DeleteNetworkInterface`. What we currently do is to add a tag to the Lambda, e.g., `{"canDeleteENI": "true"}`, then add a condition to Lambda's execution role, ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DeleteNetworkInterface", ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/canDeleteENI": "true" } } } ] } ``` Will this work? for example, allowing the Lambda delete it only when created by the same Lambda? If not, any suggestions to restrict DeleteNetworkInterface permission for Lambda? thanks!

In the EC2 instance details, i am finding this error "User is not authorized to perform: compute-optimizer:GetEnrollmentStatus on resource: * with an explicit deny in a service control policy" under Amazon Compute Optimizer section. Because of this while I am connecting to EC2, it is showing error as "verify that your iam policy is correctly configured to use ec2 instance connect."

I have a S3 bucket with some AVRO formatted files, I have successfully been through the steps to create a table based on the AVRO schema in Athena and can run SQL queries on the data that return a successful "Completed" response but no data is returned, In the query result bucket i have specified a csv file is created for each query that contains a Error xml block and a "Access Denied" message. I believe i have set up the bucket policy correctly, i am attempting to run this query on an user that is under the same account ID that the bucket was created in, so that seems like it should be straight forward. but it is not working for me and the lack of errors in Athena are confusing. I am stuck right now on what i have not set up correctly.

resource "aws_iam_service_linked_role" "AWSServiceRoleForLexV2" { aws_service_name = "lexv2.amazonaws.com" tags = local.common_tags } resource "aws_iam_role_policy" "lex2_policy" { name = "backend_bot_lex2_policy" role = aws_iam_service_linked_role.AWSServiceRoleForLexV2.id policy = jsonencode({ "Version" : "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Action" : "logs:CreateLogGroup", "Resource" : "arn:aws:logs:eu-west-2:${var.aws_accountId}:*" }, { "Effect" : "Allow", "Action" : [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource" : [ "arn:aws:logs:eu-west-2:${var.aws_accountId}:log-group:*" ] } ] }) } **Error** Error putting IAM role policy backend_bot_lex2_policy: ValidationError: The specified value for roleName is invalid. It must contain only alphanumeric characters and/or the following: +=,.@_- │ status code: 400,

When trying to deploy stack using Cloudformation, I am getting error: ``` API s3:setBucketAccelerateConfiguration Access Denied ``` See screenshot: https://pasteboard.co/7gPE6va6ILxP.png I have `AdministratorAccess` policy added to my IAM user. As you can see I am creating the bucket, therefore I am an owner. Why is there a problem with permissions? I have deployed same stack in different account (also using `AdministratorAccess` in that account) and there was no problem.

Hello, I'm writing terraform manifest, i create roles,groups, users, and assigned users to those groups, now i want to assign roles to groups, i was not able to find anything about that by googling, except this https://registry.terraform.io/modules/terraform-aws-modules/iam/aws/latest/examples/iam-group-with-assumable-roles-policy, which apparently doesn't do what i need. Any suggestions? is it even possible?

I'm trying to create a guardrail IAM policy that prohibits admins from creating CloudWatch Log groups without applying AWS:KMS encryption. I haven't yet found any conditions to enforce that yet.

Hi, I'm trying to encrypt SNS topics in AWS Control Tower scenario using KMS. I created a KMS key in the management account which I'm using to encrypt SNS topics in member accounts (audit, log-archive and sandbox). I'm doing all the customisation using Terraform. I gave the required permissions to KMS key by using the following policy: ``` { "Sid": "Allow Log Archive, Audit and Development Account", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::xxxxxxxxx:root", "arn:aws:iam::xxxxxxxxx:root", "arn:aws:iam::xxxxxxxx:root" ] }, "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "*" }, { "Sid": "Allow_CloudWatch_for_CMK", "Effect": "Allow", "Principal": { "Service":[ "cloudwatch.amazonaws.com" ] }, "Action": [ "kms:Decrypt","kms:GenerateDataKey" ], "Resource": "*" } ``` Getting the following error: ```Failed to execute action arn:aws:sns:xxxx:xxxxxxxx:aws-controltower-SecurityNotifications. Received error: "CloudWatch Alarms does not have authorization to access the SNS topic encryption key.``` The end goal is satisfy security best practices and encrypt the SNS topic.

I need to provide an assess to my S3 to partners companies which has their own AWS accounts I'd like to limit access to my S3 bucket by AWS network only. The reason is to prevent anyone from downloading resources directly to on premises servers. Because according to my understanding, when partner will be downloading data from my S3 to EC2 (for example) in their AWS account in the same region this data transfer would not be charged. The region could be limited by s3:LocationConstraint condition. So my question is **which policy condition should be used to limit by AWS network**?

``` session = requests.Session() session.auth = AWS4Auth( # An AWS 'ACCESS KEY' associated with an IAM user. AWS_ACCESS_KEY_ID, # The 'secret' that goes with the above access key. AWS_SECRET, # The region you want to access. AWS_REGION_NAME, # The service you want to access. 'appsync' ) # As found in AWS Appsync under Settings for your endpoint. APPSYNC_API_ENDPOINT_URL = APPSYNC_ENDPOINT # Use JSON format string for the query. It does not need reformatting. query = """query MyQuery { getCustomer(id: "38c76f4f-c495-42e6-8599-647738a12692") { first_name } }""" # Now we can simply post the request... response = session.request( url=APPSYNC_API_ENDPOINT_URL, method='POST', json={'query': query} ) print(response.text) ``` I want to be able to Read/Write data from AWS AppSync's dynamodb through python. I came across this solution online. But when I run it gives me the following error: ``` { "errors" : [ { "errorType" : "UnauthorizedException", "message" : "You are not authorized to make this call." } ] } ``` I have given Administrator Access to the IAM User. What am I doing wrong here?

I'm trying to deploy the hello world quickstart AWS Lambda function created by AWS SAM ClI template with least priviliege access. For this I have created an IAM Policy, and assigned this policy to a user whose access_key_id and aws_secret_access_key is being used by SAM CLI. Also, I have created an private S3 bucket. When I'm trying to use 'sam deploy --guided --s3-bucket 'name-of-already-created-bucket' command, I'm getting an error which says: ` Error: Failed to create managed resources: Waiter StackCreateComplete failed: Waiter encountered a terminal failure state: For expression "Stacks[].StackStatus" we matched expected path: "ROLLBACK_COMPLETE" at least once Can anyone please help me to understand, what can be the cause of this error, and how can it be resolved. IAM Permissions granted to SAM CLI: 1. CloudFormation: DescribeStacks, DescribeChangeSet, GetTemplate, CreateChangeSet, DeleteStack, ExecuteChangeSet 2. Lambda: CreateFunction 3. S3: PutObject

I have created an ECS Fargate Task, which I can manually run. It updates a Dynomodb and I get logs. Now I want this to run on a schedule. I have setup a scheduled ECS task through EventBridge and through the UI in the ECS cluster. However, this does not run. My looking at the EventBridge logs I can see that the container has been stopped for the following stopped reason: ``` ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve ecr registry auth: service call has been retried 3 time(s): RequestError: send request failed caused by: Post https://api.ecr.... ``` I thought this might be a problem with permissions. However, I tested giving the Task Execution Role full power user permissions and I still get the same error. Could the problem be something else?

I'm attempting to startup an EKS pod following the getting started guide. When on the step add a Fargate Profile I'm getting the following error. > "Misconfigured PodExecutionRole Trust Policy; Please add the eks-fargate-pods.amazonaws.com Service Principal" However it's already added to my trust policy. So not sure what to do `{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "eks-fargate-pods.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "ArnLike": { "aws:SourceArn": "arn:aws:<region>:111122223333:fargateprofile/<pod name>/*" } } } ] }` I'm currently following this step. https://docs.aws.amazon.com/eks/latest/userguide/getting-started-console.html

Dear Team, I have a bucket named my-bucket and it has a users folder. There are 5 individual user-name folder inside users folder. I want to make sure each user gets to see his/her own folder but can not see other user folders(I can restrict access to the content of the folder but want that one user should not see other users folder as well). Is it possible ? Ex. Below is the folder structure i have : my-bucket users UserA UserB UserC UserD UserE when UserE logs in, he/she should not see UserD folder in S3. I am able to restrict the content view of UserD folder but UserE still sees userD folder and then on click of UserD folder, he gets access denied error. Please let me know if i can restrict UserE from seeing any other users folders if he clicks on users folder Thanks, Dhaval Mehta

I'm trying to associate a role with an Aurora DB instance, and I'm getting the error `IAM role ARN value is invalid or does not include the required permissions for: AWS_ROLE_INTEGRATION` I can't find an reference to AWS_ROLE_INTEGRATION in the documentation, and the single Google result referring to this "AWS_ROLE_INTEGRATION" leads to a user asking the same question but never getting a response.

Hi, Im trying to create "revoke" session policy for iam user using command `aws iam create-policy --policy-name "revoke-session" --policy-document JSON.json` And the content of the `JSON.json` is ``` { "Version": "2012-10-17", "Statement": { "Effect": "Deny", "Action": "*", "Resource": "*", "Condition": {"DateLessThan": {"aws:TokenIssueTime": "2022-03-23T15:30:00Z"}} } } ``` But if i run the command it says `An error occurred (MalformedPolicyDocument) when calling the CreatePolicy operation: Syntax errors in policy.` **If i create exact same policy trough AWS console everything works!** So, im confused, what can be wrong?

I'm using flutter/dart (mqtt_client / https://pub.dev/packages/mqtt_client) to send an AWS IOT MQTT messages over websockets and I'd like to restrict an IAM user to only specific topics that a user is allowed to Publish messages only to their specific topic. I've attempted to add some restricted policies, but the application will fail with little information on the client side. Also, in Cloud Watch, I don't see any specific errors. Here's some example topics: `arn:aws:iot:us-east-2:1234567890:topic/action_request/ASDF1234` `arn:aws:iot:us-east-2:1234567890:topic/action_request/ASDF5678` So, I want to add the proper JSON policy attached to the IAM user and they only have access to ASDF1234 All of my publish topics are patterned like the above. For now, I'm focusing on restricting the Publish endpoints and then working others like Subscribe. I've tried numerous different policies like below. Also with adding some wildcards to no success on the client side. They look right, but I'm not sure if there's indirectly other publish topics that are used internally within MQTT that's causing the failures or maybe just my syntax. Another thought is if I add a condition that would allow only the above endpoint and no others. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "iot:Receive", "iot:ListNamedShadowsForThing", "iot:Subscribe", "iot:Connect", "iot:GetThingShadow", "iot:DeleteThingShadow", "iot:UpdateThingShadow" ], "Resource": "*" }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "iot:Publish", "Resource": "arn:aws:iot:us-east-2:1234567890:topic/*/ASDF1234*" } ] } ```

We are running an S3 Bucket with a Cloudfront In front of it. Recently we've turned enabled block public access (All four options enabled under `Individual Block Public Access settings for this bucket`, but now our Fargate ECS instance is getting `Access Denied` doing a `s3client.putobject`. Images are able to be pulled through the Cloudfront URLs, s3 object are blocked, but we are unable to upload any new images from our ECS instances. How do we allow the ECS task instances to `putObject` A (wide) bucket policy was added: ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "1", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::<aws-account>:role/<ecs-task-role>", "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <OAI>" ] }, "Action": "s3:*", "Resource": [ "arn:aws:s3:::<bucket-name>/*", "arn:aws:s3:::<bucket-name>" ] } ] } ``` The ecs-task-role has `AmazonS3FullAccess`. We can manually upload to console. Removing the following two options from block public access does again allow us to put, but then the s3 object urls are public which we want to be non-accessible. - Block public access to buckets and objects granted through new access control lists (ACLs) - Block public access to buckets and objects granted through any access control lists (ACLs)

Hi, I followed this official guide from aws in order to implement a tagging strategy for resources in my AWS Organization https://aws.amazon.com/de/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/ The example is for EC2 instances, I followed all steps and this worked, however when I wanted to replicate the steps for S3, RDS and DynamoDB it did not work. The following is the SCP I want to use in order to enforce the tag *test* to be on every created dynamodb table. This is exactly how it is done in the Guide for EC2. ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "Statement1", "Effect": "Deny", "Action": [ "dynamodb:CreateTable" ], "Resource": [ "arn:aws:dynamodb:*:*:table/*" ], "Condition": { "Null": { "aws:RequestTag/test": "true" } } } ] } ``` However when I try to create a DynamoDB Table with the tag *test* I get the following error message. I am passing the tag test, however I still get a deny. ``` User: arn:aws:sts::<account>:assumed-role/<role>/<email> is not authorized to perform: dynamodb:CreateTable on resource: arn:aws:dynamodb:eu-central-1:<table>:<table> with an explicit deny. ``` I tried creating this SCP for the Services RDS, S3 and DynamoDB, only EC2 seems to work. Do you have an idea what the error could be or is anyone using this tagging strategy in their AWS Organization/AWS Control Tower. Would be interested to hear what your experience is as this seems really complicated to me to implement and does not work so far. Looking forward to hear form you people :)

Getting "Invalid Input Actions" while making SimulateCustomPolicy with 2 KMS actions, works fine if pass 1 action at a time with same resource ARN and same PolicyInputList. Below are some variations I tried in action-names and resource-arn, it is weird that multiple action call is failing only for KMS. I have tired cloudwatch, sqs calls with multiple actions and resource arn and working fine. Failing: aws iam simulate-custom-policy \ --policy-input-list '{"Version":"2012-10-17","Statement": [.....]}' \ --action-names kms:Decrypt kms:List* \ --resource-arns arn:aws:kms:*:*:key/abc arn:aws:kms:*:*:key/xyz Passed: aws iam simulate-custom-policy \ --policy-input-list '{"Version":"2012-10-17","Statement": [.....]}' \ --action-names kms:List* \ --resource-arns arn:aws:kms:*:*:key/xyz arn:aws:kms:*:*:key/abc Passed: aws iam simulate-custom-policy \ --policy-input-list '{"Version":"2012-10-17","Statement": [.....]}' \ --action-names kms:Decrypt \ --resource-arns arn:aws:kms:*:*:key/xyz arn:aws:kms:*:*:key/abc

Hello all, I'm new here, sorry if this is not the right place. I'll start from the beginning I'm a cloud engineer I just started, it's my first tech job. I have been tasked to somehow make the domain name private access, I mean the URL https://<Your domain name>.auth.us-west-2.amazoncognito.com I'm not sure how can I resolve this problem. Are there any IAM roles I can use? Please Help me as I have been everywhere and I didn't find anything. Many thanks in advance !!

I am trying to set up the proper policy json for IAM programmatic access, but the following runs into the below error ... I have tried it also without sid and with Resource as an array. ```{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Sid": "AllowAllPollyActions", "Action": [ "polly:*" ], "Resource": "*" }} ``` `is not authorized to perform: polly:SynthesizeSpeech with an explicit deny in an identity-based policy`

Hello, So I registered my Deeplens v1 camera 6 times already and I still get the same result when in the aws console: registration status failed I have no idea why this is happening since I am following the exact steps in the official documentation or any other registration tutorial video. No answers about such issues were provided here, this is why I am posting this question. What might be the reasons behind the registration failing? I did upload the certificates, provided the roles needed, connected the camera to the internet... The documentation only request me to repeat the registration again, but I've been doing this many times already and nothing was solved

I am building an IoT solution using the IoT Core. The end-user will be using Mobile App and will be authenticated and authorized using Cognito. I want to authorize users to allow iot:Publish and iot:Subscribe action only on the devices that the user owns. The IAM Role attached to the Cognito Identity pool has only iot:Connect permission when the user is created. The User won't have any additional permission at this point. ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "arn:aws:iot:us-east-1:1234567890:client/${cognito-identity.amazonaws.com:sub}" } ] } ``` Now, when the user finishes the device provisioning, I want to attach the inline Policy to Cognito identity of that user to authorize him to publish and subscribe to the shadow of that device. Let's assume the ThingName is Thing1 so the policy should be as below: ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "arn:aws:iot:us-east-1:1234567890:client/${cognito-identity.amazonaws.com:sub}" }, { "Effect": "Allow", "Action": [ "iot:Publish", "iot:Subscribe" ], "Resource": "arn:aws:iot:region:account-id:topic/$aws/things/Thing1/shadow/*" } ] } ``` The user may keep adding new devices and I want to scale this policy to include resource ARNs of those devices. This is an example of IoT Core, but my question is very generic to IAM policies. (e.g. the same can be applied to dynamically allow access to the S3 bucket folders) So, here is my question: 1. What is the best approach for dynamically adding or removing the inline policy granted to the Cognito identity? 2. Can I use the STS service for updating/attaching the policy on my backend/Lambda when new Things are added or removed? Note: 1. I can use the Customer Managed Policy, but it is not the right approach for granting policies to federated users as per my knowledge. 2. I know I can use the intelligent naming of the device as mentioned in this approach. But, I have a very basic requirement. https://aws.amazon.com/blogs/iot/scaling-authorization-policies-with-aws-iot-core/

When I log directly in the origin account I have access to target account S3: > [cloudshell-user@ip-10-0-91-7 ~]$ aws sts get-caller-identity { "UserId": "AIDAxxxxxxxxJBLJ34", "Account": "178xxxxxx057", "Arn": "arn:aws:iam::178xxxxxx057:user/adminCustomer" } > [cloudshell-user@ip-10-0-91-7 ~]$ aws s3 ls s3://target-account-bucket 2022-03-10 01:28:05 432 foobar.txx However if I do it after assuming a Role in that account I can't access the target account > [cloudshell-user@ip-10-1-12-136 ~]$ aws sts get-caller-identity { "UserId": "AROAxxxxxxF5HI7BI:test", "Account": "178xxxxxx057", "Arn": "arn:aws:sts::178xxxxxx4057:assumed-role/ReadAnalysis/test" } > [cloudshell-user@ip-10-1-12-136 ~]$ aws s3 ls s3://targer-account-bucket > An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied [cloudshell-user@ip-10-1-12-136 ~]$ however I do have access to buckets in the origin account > [cloudshell-user@ip-10-1-12-136 ~]$ aws s3 ls s3://origin-account > 2022-03-09 21:19:36 432 cli_script.txt the policy in the target-account-bucket is as follows: > { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::178xxxxxx057:root" }, "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::targer-account-bucket/*", "arn:aws:s3:::targer-account-bucket" ] }, there are no any explicit Deny policies that may apply thank you for any advice you can provide

I'm attempting to create a Lambda where I can make calls to various stored procedures and functions in my Aurora PostgreSQL dB instance. I'm following the guide on this page: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.Connecting.NET.html Eventually I want to connect this with Dapper, but for now I'm just trying to get the code from the above example to work. I am using the npgsql package and can successfully retrieve the RDSAuthToken via the RDSAuthTokenGenerator.GenerateAuthToken() function using the appropriate region endpoint, cluster endpoint, port number, and db user. The problem comes when I use the AuthToken I retrieved earlier to create a connection to the server: using NpgsqlConnection connection = new NpgsqlConnection($"Server=Cluster Endpoint;User Id=dB User;Password=AuthToken;Database=dB Instance name"); I am now getting this error: "28000: pg_hba.conf rejects connection for host \"172.31.30.255\", user \"dB User\", database \"dB Instance Name\", SSL off I'm not sure what I need to do to get this to work. As far as I can tell, I've done everything exactly as I was supposed to according to the guide in the documentation. I also created a user role with the specific permission for rds-db:connect for my specific dB user and dB instance id. My only guess is that I have failed to connect that authorization in some way to the actual dB user. I assigned that permission to a role with the same name, and then I created a dB user with that name in the dB and then granted it the rds_iam role, but it's not clear to me that the IAM user and the dB user would be connected yet. And I haven't been able to find examples online for how to connect them. It would be great to get a little help with this one. Thanks! Edit: I realized that my issue might be with the SSL Certificate path that is required at the end of the connection string in the example I linked above. I will keep looking into this, but I'm wondering if this will work to use in a Lambda if I have to reference a path to a certificate that I install on my computer. Although, I might not be understanding how this works.

I'm trying to run a task with an image from an ECR container in the same account. When I try to run the task, it fails, with the following message: "ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve ecr registry auth: service call has been retried 1 time(s): AccessDeniedException: User: arn:aws:sts::XXXXXXXXX:assumed-rol..." I've tried following this help page: https://aws.amazon.com/premiumsupport/knowledge-center/ecs-unable-to-pull-secrets/ But most of the situations don't apply to me. Also, you will see that the error message is truncated. Do you know how to get the full error message?

I've edited a SQS with a incorrect policy (deny) and then I can't find the SQS in the SQS list console. Therefore, I can't delete it. Is there a way to delete the SQS or edit the SQS policy ?

I have an IAM Role created; currently assigned to an EC2 instance and works great. How do I dynamically assign the same IAM Role between an IAM user and an EC2 instance? Thanks!

Hi all, Disclaimer: New to AWS DevOps :) So I've a situation where we need to store all database schemas (Oracle database) in secrets manager, to meet secutiry compliance guidelines. - To limit my costs, I was thinking to put all application schema credentials, belonging to single RDS instance, under 1 secrets manager resource. - So there will be one-to-many relation between secrets-mgr resource & database schema creds, respectively - however, I also want to ensure ** each application has access to only their on schema creds, and not other schema creds in that particular secrets-mgr resource ** Question: Can I provide ** access to specific secret-key:secret-value, inside a secret, to app users **. Is this possible ? As going through docs, I dont see that being possible. Hope my questions is clear thanks in advance, J K

I do have an AWS EC2 and I'm unable to connect by SSH. Port 22 is open in the default AWS firewall (with my IP). I keep getting: Operation timed out I suspect that UFW or fail2ban block me. Is there a console in the AWS Panels can let me connect to this instance? Or an another way to connect to be able to unban me? Thank you.

Hello all! Is there currently a supported way of providing users with password expiry notifications via email? I've started putting something together using Lambda and the IAM credentials report, but that seems like a feature that might already exist - what would be the correct way to implement this?

Hi, Trying to set up cognito to use SES for sending emails. I have gotten the AWS account in question moved out of the SES sandbox and verified the email I wish to use. I have sent test emails from SES to my own email address to verify that the email works. When I try to assign the email to cognito in SES i get the following error: ``` code: InvalidParameterException message: Cognito received the following error from Amazon SES when attempting to send email: Email address is not verified. The following identities failed the check in region EU-WEST-1: arn:aws:ses:eu-west-1:<aws account id>:identity/info@<mydomain> ``` I have looked at the email and it is verified in SES in the eu-west-1 region. What is going on here?

Hi community, We are new to [AWS Secret Manger](https://aws.amazon.com/secrets-manager/) and we recently decided to adopt it as it's a secure way to store all the credentials, access keys, etc. One of the cloud expert mentioned that the secret manager CLI can be accessed only within AWS VPC. However, we are curious on ** whether AWS secret manager services (e.g., via CLI) can be accessed outside the AWS envrionment (such as development evironment set up in our laptop i.e. local machine) **as long as the IAM user has the appropriate permissions set to read the Secret Manager keys, without any needs for VPC/VPN or so.

Hello, I want to get IAM User list on my private EC2 instance without opening the 443 port for the whole world and one more thing it is it possible to get user list without internet access because I am using VPC endpoint for accessing the other services but IAM doesn't support the VPC endpoint, So, How should I get things works. Thanks.

I have a production web app created with AWS Amplify/Appsync Cognito working in one account. To improve security I am going to migrate to multi-account. I will use AWS control tower to create the new account structure and will re-create test and staging environments in a new account. That leaves production.... *** I have two ways forward for the production account and was wondering what the community thinks?*** **Option A ** - Create the new account structure then enroll the current production account into the new structure. The benefit being it is already working and ready to go, will just be a case of tightening up the permissions once the account is under the new structure. The risk is that I migrate it into the new structure and our production users cannot access the webapp anymore, and if that occurs how quickly can the account be un-enrolled from control tower? **Option B** - Create a whole new replica of production in the new account structure. Migrate dynamodb, cognito, lambdas, S3. Once the new environment is up and running simply switch over to the new-production and retire the old. This allows a quick reversion to the prior state if required. There is a chance something could be missed and it is time and complex to migrate all elements like DynamoDB and Cognito. What would you do?

In the examples of SQS Policy https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-basic-examples-of-sqs-policies.html I understand that I can set who is allowed to send messages to the SQS But how can I configure the policy to set who is allowed to read the SQS ?

What IAM policies can be used to replicate the two demos in [AWS Transfer Family Managed Workflows Demo | Amazon Web Services](https://www.youtube.com/watch?v=t-iNqCRospw)?

Hello, We are looking for recommendation that can help on the below part: We have integration of Salesforce with SDK part where Cognito Profile is leveraged for S3 bucket access. Now we looking for thing that ensure users are authenticated and authorized to only intended functions and information from the bucket. Also, like to understand how can be Policy and IAM Role(Auth_Role and UnAuth Role) used to restrict the access ? Or they have some other purpose. Thanks

I am trying to run an ansible script to generate an IAM user along with an attached policy allowing access to an S3 bucket. I am able to create a policy on the console using the same policy document, and have confirmed that the document is valid json. However I still see the error below. The document itself looks like this. ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "SAImgBucket", "Effect": "Allow", "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::<s3-bucket-name>" ] } ] } ``` The ansible task is as below. ``` - name: create sa IAM user permissions community.aws.iam_policy: iam_type: user iam_name: "{{ sa_app_username }}" policy_name: "{{ sa_app_username }}-policy" state: present policy_json: " {{ lookup( 'template', 'template/sa_iam_policy.json.j2') | to_json }} " ``` Any suggestions on how to further debug or address this are greatly appreciated. ``` botocore.errorfactory.MalformedPolicyDocumentException: An error occurred (MalformedPolicyDocument) when calling the PutUserPolicy operation: Syntax errors in policy. [DEPRECATION WARNING]: The skip_duplicates behaviour has caused confusion and will be disabled by default in Ansible 2.14. This feature will be removed from community.aws in a release after 2022-06-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg. fatal: [localhost]: FAILED! => changed=false boto3_version: 1.18.18 botocore_version: 1.21.18 error: code: MalformedPolicyDocument message: Syntax errors in policy. type: Sender invocation: module_args: aws_access_key: null aws_ca_bundle: null aws_config: null aws_secret_key: null debug_botocore_endpoint_logs: false ec2_url: null iam_name: sa-103 iam_type: user policy_document: null policy_json: '"{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"SAImgBucket\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:*\"\n ],\n \"Resource\": [\n \"arn:aws:s3:::<bucket-name>\"\n ]\n }\n ]\n}\n"' policy_name: sa-103-policy profile: null region: null security_token: null skip_duplicates: null state: present validate_certs: true msg: 'An error occurred (MalformedPolicyDocument) when calling the PutUserPolicy operation: Syntax errors in policy.' response_metadata: http_headers: connection: close content-length: '279' content-type: text/xml date: Tue, 15 Feb 2022 17:45:05 GMT x-amzn-requestid: fce8efa1-7a86-468f-9481-264db52db33d http_status_code: 400 request_id: fce8efa1-7a86-468f-9481-264db52db33d retry_attempts: 0 ```

Hi Team, I have an app IAM user that has S3FullAccess permission I used the access key and secret access key of my IAM app user to create an s3 resigned URL for getObject, when I copy the generated pre-signed URL on a browser I get an error message : ``` <Error> <Code>AccessDenied</Code> <Message>Access Denied</Message> <RequestId>HFDGssffscSDQ4DEF</RequestId> <HostId>OXsT4/6tYWsdssyo0dxtFa7sdsdsThdFqsdsd4L+9CmiKP2tFyGsdsL8Pr0E0rkDgzHsddsMjdsdsdwc=</HostId> </Error> ``` I'm not sure why I have access denied even though my user has the right permissions? Default encryption (Enabled) = AWS Key Management Service key (SSE-KMS) any ideas, Thanks

Hi there, we have a timestream database in eu-west-1 region. I am trying to add this database to QuickSight to visualize it. All my attempts end up with "No tables found" during data source creation. Quicksight does not see my Timestream tables. Are there any permissions I must set to allow Quicksight listing my timestream tables? Can I find it anywhere in the documentation? All the tutorials "just work" or this part is skipped. Thanks for any advice. David

Hi there, I am trying to figure out the required permissions for a role to call rds:RestoreDBClusterToPointInTime. https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBClusterToPointInTime.html gives me some clue but I am not sure what I came up with is safe. I am trying to clone an Aurora MySQL 2 cluster. Via RDS API, I use rds:RestoreDBClusterToPointInTime and then rds:CreateDBInstance. By try and fail, I got it working with the policy expcert below: { Effect = "Allow" Action = [ "rds:AddTagsToResource", "rds:CreateDBInstance", "rds:DeleteDBInstance", "rds:DeleteDBCluster", "rds:DescribeDBClusters", "rds:DescribeDBInstances", "rds:RestoreDBClusterToPointInTime" ] Resource = [ "arn:aws:rds:${data.aws_region.this.name}:${data.aws_caller_identity.this.account_id}:cluster:${var.destination_cluster_identifier}", "arn:aws:rds:${data.aws_region.this.name}:${data.aws_caller_identity.this.account_id}:cluster:${var.source_cluster_identifier}", "arn:aws:rds:${data.aws_region.this.name}:${data.aws_caller_identity.this.account_id}:cluster-pg:${aws_rds_cluster_parameter_group.this.name}", "arn:aws:rds:${data.aws_region.this.name}:${data.aws_caller_identity.this.account_id}:subgrp:${aws_db_subnet_group.this.name}", "arn:aws:rds:${data.aws_region.this.name}:${data.aws_caller_identity.this.account_id}:secgrp:${aws_security_group.rds.name}", "arn:aws:rds:${data.aws_region.this.name}:${data.aws_caller_identity.this.account_id}:db:${local.rds_instance_name}" ] } Where I am uncertain is how can we make rds:RestoreDBClusterToPointInTime one way. That is, being able to limit what is the source and what is the destination. It looks like both source and destination clusters must be in the Resource block. Therefore, we can't limit what cluster is source and what cluster is destination. Is there a way to do so?

Hey! I'm trying to set up a new API Gateway through Terraform, and I'm having some trouble setting up the IAM policy for the cloudwatch logs role. I've created the log group, and set retention to 1 day, but I'm unable to create a policy that'll be accepted by the AWS console. My current (anonymised) effort looks like this: ``` { "Statement": [ { "Action": "logs:DescribeLogGroups", "Effect": "Allow", "Resource": "*", "Sid": "LogGroups" }, { "Action": [ "logs:PutLogEvents", "logs:GetLogEvents", "logs:DescribeLogStreams", "logs:CreateLogStream" ], "Effect": "Allow", "Resource": "arn:aws:logs:eu-west-1:123456789:log-group:API-Gateway-Execution-Logs_alphanum/stage:log-stream:*", "Sid": "LogStreams" } ], "Version": "2012-10-17" } ``` When I try to set the cloudwatch log arn in the console, I get an error ` The role ARN does not have required permissions configured. Please grant trust permission for API Gateway and add the required role policy. `. If I try to edit the policy in the visual editor, it doesn't seem to like the format of the resources, but I've checked those repeatedly against the docs. The trust relationship is straightfoward ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "apigateway.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } ``` Any ideas?

I want create a IAM policy/Tagging policy / SCP that should allow me to enforce user to create/add tags that are mandatory(mentioned in the policy), when they create resource(EC2,S3,VPC etc) on AWS.

When I try to access Lambda Dashboard/Functions from root account, I get this error: You do not have sufficient permission. Access denied.