Questions tagged with AWS Identity and Access Management

I'm in a cognito user pool configuration, and I tried to change the MFA requirement on the pool to allow TOTP. It gave me this error: > [AccessDeniedException] Failed to update MFA configuration for us-east-1_FLnPt9UKE > requestId: 0660fb15-2cc4-4f63-9c8f-657b71b320d9 > time: Sat May 21 2022 16:16:18 GMT-0400 (Eastern Daylight Time) > code: AccessDeniedException > message: User: arn:aws:iam::384426254369:root is not authorized to perform: iam:PassRole on resource: > arn:aws:iam::745623467555:role/cognito_sms_role because no resource-based policy allows the iam:PassRole > action I'm confused because I am logged into the console as the root user, which should have permission to EVERYTHING. I do not, however, really have a role named "cognito_sms_role." Is that the problem? If so, how do I fix it?

I have a flask application that needs to access some configuration files stored in s3 and I don't want to stored these in my git repo as there are sensitive information. I want to use boto3 to read in these files into the ec2 instance. **I need to know how I will be able to access those files on s3 using boto3**. The **ec2 instance is authorized to access the s3 bucket** and since the application will be running on the ec2 (that is authorized) is it safe to say that any code run on that instance will also have these access. Note that I am going to run these script to read in these "**config files**" from my **codedeploy "appspec.yml"**. In summary will my codeploy instance be able to use the authorization on my ec2 instance to access the said s3 bucket or **I need to give the codedeploy instance access too**? I am aware I can add my **access keys** in my **environment** on my computer to run this script but how does it work on codedeploy?

Cloudformation create-stack generates an Athena access denied while writing error. The problem is generated when writing to the athena-results bucket. I'm logged in with a SSO role with AdministratorAccess access via CLI. I can create the specified object from the command line via "aws s3 cp" and I'm able to execute "aws athena start-query-execution" without trouble. It's only via cloudformation. Bellow the specific error: ResourceStatus: CREATE_FAILED ResourceStatusReason: 'Resource handler returned message: "[Simba][AthenaJDBC](100071) An error has been thrown from the AWS Athena client. Access denied when writing to location: s3://cost-athena-results-123456789012/8fefd451-2a3f-4bc9-881e-84061de8db91.csv [Execution ID: 8fefd451-2a3f-4bc9-881e-84061de8db91]" (RequestToken: b0d4b7d5-998b-6ca8-22c6-657fa2433fe8, HandlerErrorCode: null)' ResourceType: AWS::QuickSight::DataSource

I use AWS S3 API to upload files to some buckets, however, I need to create a new user that only has permission to upload to certain buckets and only through restricted IPs, other IPs should be blocked. Another permission I need is to delete objects, but only from an allowed IP. Regarding the download, anyone on the internet can access this file (if they have the link). The problem is that I think I found some articles that would help me with this issue, but they don't tell me exactly which menu within the AWS Console I should access to be able to perform these actions. For example, this link ([https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-policy-language-overview.html]()) seems to talk about how to restrict the access to a bucket, but it doesn't tell me exactly which location/menu in the console I use to access this setting. TLDR: What is the path/menu in the Console to set Policies and Permissions in Amazon S3 on a bucket in S3?

Hi , I created data delivery stream and create IAM role by default as proposed by AWS but still I got error "Access was denied. Ensure that the trust policy for the provided IAM role allows Firehose to assume the role, and the access policy allows access to the S3 bucket." While the IAM role is defined by AWS auto, what should I do now? If I need something to add what should I add, kindly need a brief help?

Hi, I am working through general LoRaWAN functions and applications as part of a larger IoT project. I'm having trouble connecting my gateway (Multitech Conduit) to AWS. I've gone through all the steps provided in the AWS help documentation and documentation from the manufacturer, including creating new Gateway Cert Manager permissions/roles (AWS steps here https://docs.aws.amazon.com/iot/latest/developerguide/connect-iot-lorawan-rfregion-permissions.html). Still, when I try to add my gateway I get an error message saying that I do not have the correct permissions set to add a gateway. Has anyone run into this? Is there a way to associate the role/permission with my IAM account? or should it be set for the root account?

Hi, I can't figure out which scp is Disallowing access to de rds-db:*... We have the Basic, out of the Box scp's enabled. Nothing else. The IAM policy generator states: ``` denied Denied by AWS Organizations. ``` And this also reflects in the IAM RDS connection: ``` FATAL: PAM authentication failed for user ``` Which according to the documentation indeed states the thing that the Policy generator finds... https://aws.amazon.com/premiumsupport/knowledge-center/rds-postgresql-connect-using-iam/

I created an IAM user and attached a [Permission Boundary Policy to it ](https://aws.amazon.com/premiumsupport/knowledge-center/iam-permission-boundaries/). The permission boundary does not work when I deploy a CDK stack. My terminal setup with access_key_id, and secrete_access_key of the IAM user (attached permission boundary). ``` cdk deploy iamUserWitthAdminAccess ``` Here is the stack ``` new aws_iam.User( this, "IamUserWithAdminAccess", { managedPolicies: [ aws_iam.ManagedPolicy.fromAwsManagePolicyName("AdmininstratorAccess")] } ) ``` Then an IAM user with AdminAccess was able to created. Can any one explain? and what is the best practice to prevent CDK to create Admin Users?

I need to be able to guarantee that a user's actions can always be traced back to their account regardless of which role they have assumed in another account. What methods are required to guarantee this for? * Assuming a cross-account role in the console * Assuming a cross-account role via the cli I have run tests and can see that when a user assumes a role in the CLI, temporary credentials are generated. These credentials are seen in CloudTrail logs under responseElements.credentials for the assumeRole event. All future events generated by actions taken in the session include the accessKeyId and I can therefore track all of the actions in this case. Using the web console, the same assumeRole event is generated, also including an accessKeyId. Unfortunately, future actions taken by the user don't include the same accessKeyId. At some point a different access key is generated and the session makes use of this new key. I can't find any way to link the two and therefore am not sure of how to attribute actions taken by the role to the user that assumed the role. I can see that when assuming a role in the console, the user can't change the sts:sessionName and this is always set to their username. Is this the suggested method for tracking actions? Whilst this seems appropriate for roles within the same account, as usernames are not globally unique I am concerned about using this for cross account attribution. It seems placing restrictions on the value of sts:sourceIdentity is not supported when assuming roles in the web console.

Hi, I was able to configure AWS session manager to use SSH keys over session manager tunnel as it is described here -> https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html. But now i need to force user to provide SSH keys, because now, even tho i can use SSH keys to authenticate into the EC2 instance, im still able to to it without providing SSH keys, just by using `aws ssm start-session` command. As i suppose i can add some kind of policy for that, something like: ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::accountid:user/test-user" }, "Action": [ "ssm:TerminateSession", "ssm:ResumeSession" ], "Condition": { "StringEquals": { "ssm:StartSession/RequireSSH": "True" ( parameters made up, by me ) } } } ] } ``` But im not sure what should be in the place of `"ssm:StartSession/RequireSSH": "True"`, Any help will be appreciated Joann

We would like to control which services are available for use in which accounts and regions while still being able to review everything: - Allow ReadOnly across all services in all regions - Allow Write on specified services in certain regions We are aware of the general policy to [restrict actions not in specific regions](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region) but this is too restrictive and results in unnecessary confusion when users experience permission errors on various service dashboards. Thus far we have been unable to construct an SCP, or combination of SCPs, that provide the intended effect given [the attachment and size limits.](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html#min-max-values) Is what we are looking for even possible with Service Control Policies alone? We would like to avoid: - Managing this via User/Role Permissions - Having "Bypass" Roles as shown in the documented example above.

We have setup an identity provider to use Azure AD to authenticate users that access an AppSteam stack. This is a new build. I used the link below to do the set up. Everything seems to be working from the authentication side as I can get logged in (can see the user logged if I'm logged into the console and then it refreshes when not using in private browser window). However, when it redirects to the AWS Appstream page, I'm getting Error: Bad Request.(Error Code: INVALID_RELAY_STATE);Status Code:400. This suggests a malformed relay state URL, but I have verified that it appears to be the correct syntax (variables and stack name case-sensitive). The SAML response appears to be clean using the browser code analysis tools and the SAML decoder. The only thing that seems odd is that cookie analysis from the browser reports the credentials are expired (there are several errors in the capture i.e. Cookie "aws-creds" has been rejected because it is already expired). The 400 response header shows the statement "expires:Tue, 03 Jul 2001..." which is bizarre. Any help would be greatly appreciated. https://aws.amazon.com/blogs/desktop-and-application-streaming/enabling-federation-with-azure-ad-single-sign-on-and-amazon-appstream-2-0/

_temp lake formation blueprint pipeline tables appears to IAM user in Athena editor, although I didn't give this user permission on them below the policy granted to this IAM user,also in lake formation permsissions ,I didnt give this user any permissions on _temp tables: { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1652364721496", "Action": [ "athena:BatchGetNamedQuery", "athena:BatchGetQueryExecution", "athena:GetDataCatalog", "athena:GetDatabase", "athena:GetNamedQuery", "athena:GetPreparedStatement", "athena:GetQueryExecution", "athena:GetQueryResults", "athena:GetQueryResultsStream", "athena:GetTableMetadata", "athena:GetWorkGroup", "athena:ListDataCatalogs", "athena:ListDatabases", "athena:ListEngineVersions", "athena:ListNamedQueries", "athena:ListPreparedStatements", "athena:ListQueryExecutions", "athena:ListTableMetadata", "athena:ListTagsForResource", "athena:ListWorkGroups", "athena:StartQueryExecution", "athena:StopQueryExecution" ], "Effect": "Allow", "Resource": "*" }, { "Effect": "Allow", "Action": [ "glue:GetDatabase", "glue:GetDatabases", "glue:BatchDeleteTable", "glue:GetTable", "glue:GetTables", "glue:GetPartition", "glue:GetPartitions", "glue:BatchGetPartition" ], "Resource": [ "*" ] }, { "Sid": "Stmt1652365282568", "Action": "s3:*", "Effect": "Allow", "Resource": [ "arn:aws:s3:::queryresults-all", "arn:aws:s3:::queryresults-all/*" ] }, { "Effect": "Allow", "Action": [ "lakeformation:GetDataAccess" ], "Resource": [ "*" ] } ] }

Suppose I have a Cognito Identity Pool. I want to grab info about the user itself rather than their Cognito Identity ID. Is there any way to read off the principal tags from the assumed Cognito Identity or the underlying IAM Role? Alternatively I could parse the "sub" attribute from the oidc provider (via the cognito identity's amr block) and work backwards with the identity provider to get more info... but this is resource intensive and I see no reason why I can't access the principal tags passed into the cognito identity...

Hi, I need to assign ssh key pairs to the EC2 instances for multiple IAM users. So what i want to have: IAM users `[user1,user2,user3]`, out of them `[user1,user2]` should have separate (each IAM user should have its own user in VM) SSH access to the `[VM-1,VM-2]` EC2 instances, and the `[user3]` should have access **only** to the `[VM-3]` instance. Do i need to generate ssh key pairs, create users inside the EC2 instance, assign permissions for those users - manually, and then also manually add those SSH pub keys in the EC2 instances? Or AWS has service that can do it automatically for me? Joann

hello. I'd like to get a secret key and access key ID as a cognito license. ``` cognitoUser.authenticateUser(authenticationDetails, { onSuccess: function (result) { const idToken = result.getIdToken().getJwtToken(); AWS.config.credentials = new AWS.CognitoIdentityCredentials({ IdentityPoolId: 'ap-northeast-2:7fc9xxxx-xxxx-xxxx-xxxxx-xxxxx', Logins: { 'cognito-idp.ap-northeast-2.amazonaws.com/userPoolid': idToken, }, }) } ``` On the Cognito aws Identity Pool page, it is confirmed that the identity browser has become a credential. However, in getCredentials, "Could not load credentials from CognitoIdentityCredentials" is generated. ``` AWS.config.getCredentials(function (err) { if (err) return console.error(err.stack); else console.log('Access key:', AWS.config.credentials.accessKeyId); }) ``` If you look at the AWS.config.credentials console log, there are no values other than the parameters you put in. Problem not found. Is it right to get the secret key issued through Cognito Identity Credentials?

I have a Lambda function that is supposed to pass its own permissions to the code running in an ECS task. It looks like this: ``` ecs_parameters = { "cluster": ..., "launchType": "FARGATE", "networkConfiguration": ..., "overrides": { "taskRoleArn": boto3.client("sts").get_caller_identity().get("Arn"), ... }, "platformVersion": "LATEST", "taskDefinition": f"my-task-definition-{STAGE}", } response = ecs.run_task(**ecs_parameters) ``` When I run this in Lambda, i get this error: ``` "errorMessage": "An error occurred (ClientException) when calling the RunTask operation: ECS was unable to assume the role 'arn:aws:sts::787364832896:assumed-role/my-lambda-role...' that was provided for this task. Please verify that the role being passed has the proper trust relationship and permissions and that your IAM user has permissions to pass this role." ``` If I change the task definition in ECS to use `my-lambda-role` as the task role, it works. It's specifically when I try to override the task role from Lambda that it breaks. The Lambda role has the `AWSLambdaBasicExecutionRole` policy and also an inline policy that grants it `ecs:runTask` and `iam:PassRole`. It has a trust relationship that looks like: ``` "Effect": "Allow", "Principal": { "Service": [ "ecs.amazonaws.com", "lambda.amazonaws.com", "ecs-tasks.amazonaws.com" ] }, "Action": "sts:AssumeRole" ``` The task definition has a policy that grants it `sts:AssumeRole` and `iam:PassRole`, and a trust relationship that looks like: ``` "Effect": "Allow", "Principal": { "Service": "ecs-tasks.amazonaws.com", "AWS": "arn:aws:iam::account-ID:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS" }, "Action": "sts:AssumeRole" ``` How do I allow the Lambda function to pass the role to ECS, and ECS to assume the role it's been given? P.S. - I know a lot of these permissions are overkill, so let me know if there are any I can get rid of :) Thanks!

I am exploring how to delegate Cloudformation permission to other users by testing specifying a role when creating a stack. I notice that some resources like VPC, IGW and EIP can be created but error was prompted. The created resources cannot be deleted by the stack also during rollback or stack deletion. For example, the following simple template create a VPC: ``` Resources: VPC: Type: AWS::EC2::VPC Properties: CidrBlock: 10.3.9.0/24 ``` I have actually created a role to specify during creation with policy which allow a lot of actions that I collected by querying the cloudtrail using athena. The following are already included: `"ec2:CreateVpc","ec2:DeleteVpc","ec2:ModifyVpcAttribute"` However, the following occur during creation: > Resource handler returned message: "You are not authorized to perform this operation. (Service: Ec2, Status Code: 403, Request ID: bf28db5b-461e-48ff-9430-91cc05be77ef)" (RequestToken: bc6c6c87-a616-2e94-65eb-d4e5488a499a, HandlerErrorCode: AccessDenied) Looks like some callback mechanisms are used? The VPC was actually created. The deletion was also failed but it did not succeeded. > Resource handler returned message: "You are not authorized to perform this operation. (Service: Ec2, Status Code: 403, Request ID: f1e43bf1-eb08-462a-9788-f183db2683ab)" (RequestToken: 80cc5412-ba28-772b-396e-37b12dbf8066, HandlerErrorCode: AccessDenied) Any hint about this issue? Thanks.

Hi, I want to forbid IAM user (for example: support-IAM ) to authenticate to the EC2 instance user ( for example : root-EC2 ), but still be able to authenticate as other EC2 instance user ( for example: support-EC2 ) , for that, as i understood i need to forbid this user to set `--tags` with value `root-EC2` (or in my case, everything **except** `support-EC2`) while using command `aws sts assume-role`, but how can i do it? P.S im using `AWS session manager` Joann

When I create a new IAM role, in this case I am doing this in order to create an Export Job in AWS RoboMaker I get the following error: >AccessDeniedException: User: arn:aws:iam::xxxxxxxxxxxx:user/xxxxxx@xxxxxx.it is not authorized to perform: iam:CreatePolicy on resource: policy AWSRoboMakerWorldForgePolicy_eeb50488-b552-91a1-3857-f28790842fd1 because no identity-based policy allows the iam:CreatePolicy action The point is that everytime I try to create the Export Job with the same settings (same S3 bucket as an output, same IAM role name), this error appears with the same structure, but with a different alpha-numeric sequence after the "AWSRoboMakerWorldForgePolicy_", hence it is unseful also to ask for this permission since it is always different. Does anyone have any idea?

I have a requirement to get data from aws using IAM API's , so I have access key , secret key , base url , service name and region of aws account we are trying to authenticate with bearer token , but we are getting the following error , I have generated bearer token using aws cli. URL : https://iam.amazonaws.com/?Action=ListGroups&Version=2010-05-08&access_token=<<token>> https://iam.amazonaws.com/?Action=ListGroups&Version=2010-05-08&Authorization=Bearer <<token>> Error : is not valid; the value of a query string parameter may not contain a '=' delimiter

We are evaluating Babelfish migration from SQL Server but would like to know does IAM authentication works with Babelfish? Any guidance would be greatly appreciated.

I need to delete a user from our system access. When I delete the user does all of their uploaded files remain in the system or do they delete too?

Hi, My first question - https://repost.aws/questions/QUS8M4w0jkS8iV6EzPmaRmag/ssh-key-managment-for-multiple-accounts Im trying to use "AWS system manager" - "session manager". As i was advised in my previous question, to be able to login into the EC2 instances located in multiple accounts, i will need to do something similar to https://aws.amazon.com/blogs/mt/vr-beneficios-session-manager/ But the problem is that i need to have for each IAM user their own user in EC2 instance, as i found out, i need to pass tag "SSMSessionRunAs" with the value of the username to witch im login in. But if i will use "group" roles (roles assigned for multiple users), they will be authenticating with the same user in EC2 instance, which will not work for me. Does that mean, that in my case i will need to create a role for each IAM user? or i can change tag of the role depending on the user assuming this role? Thank you very much. Joann

Hi, We need to achieve: 1) Possibility to create/delete ssh key pairs for instances hosted in multiple accounts, in one place (centralization) 2) Possibility to assign permissions for the user we are ssh'ing into inside the instance, for example : IAM - admin user, should have admin ssh key, which will give full read/write permissions in virtual machine in which user is ssh'ing, and the IAM - support user, should have support ssh key, which will give less permissions. Any suggestions, in what we can look into, are welcome. As i googled a bit, the "AWS system manager" - "session manager" looks like it would work for us, but does it work for instances hosted in multiple accounts? Joann

My AWS account has been hacked, lots of technical things have been created that I don’t understand (VPS, Network Interfaces and such like) and I cannot delete them, nor get any Amazon customer ‘support’. What should I do??

How do I create a role for AWS Batch jobs on EC2 using the CLI? The role needs to have read-write permissions to an S3 bucket, e.g. s3://mybucket234. The role will be needed for the "aws batch create-compute-environment" command.

Hi Team need to check if I have some Ecs task running on farget cluster I need to access task using RDS so can I get to know which iam policy do I need to give in ecs task role

We just had a pen test completed and one of the items was our password policy. I was looking at changing it, and I found this page: https://docs.aws.amazon.com/singlesignon/latest/userguide/password-requirements.html. It describes the password policy for the SSO identity store (which we are using), but not how to change the policy. Is it possible to change a password policy for the SSO identity store? Thanks!

I'd like to request to S3 as a cognito certification qualification. S3 is using sdk Cognito is using amplify. Use an angular typescript. I would like to replace the secret key with the cognito authentication information when creating S3. I want to access s3 with the user I received from Auth.signIn, but the credentials are missing. I need your help. ``` public signIn(user: IUser): Promise<any> { return Auth.signIn(user.email, user.password).then((user) => { AWS.config.region = 'ap-northeast-2'; AWS.config.credentials = new AWS.CognitoIdentityCredentials({ IdentityPoolId: 'ap-northeast-2:aaaaaaaa-bbbb-dddd-eeee-ffffffff', }); const userSession = Auth.userSession(user); const idToken = userSession['__zone_symbol__value']['idToken']['jwtToken']; AWS.config.region = 'ap-northeast-2'; AWS.config.credentials = new AWS.CognitoIdentityCredentials({ IdentityPoolId: 'ap-northeast-2:aaaaaaaa-bbbb-dddd-eeee-ffffffff', RoleArn: 'arn:aws:iam::111111111111:role/Cognito_role', Logins: { CognitoIdentityPool: 'ap-northeast-2:aaaaaaaa-bbbb-dddd-eeee-ffffffff', idToken: idToken, }, })); const s3 = new AWS.S3({ apiVersion: '2012-10-17', region: 'ap-northeast-2', params: { Bucket: 'Bucketname', }, }); s3.config.credentials.sessionToken = user.signInUserSession['accessToken']['jwtToken']; s3.listObjects(function (err, data) { if (err) { return alert( 'There was an error: ' + err.message ); } else { console.log('***********s3List***********', data); } }); } ``` bucket policy ``` { "Version": "2012-10-17", "Id": "Policy", "Statement": [ { "Sid": "AllowIPmix", "Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "arn:aws:s3:::s3name/*", } ] } ``` cognito Role Policies - AmazonS3FullAccess ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:*", ], "Resource": "*" } ] } ```

I would like IAM Access Analyzer to alert me when a role is permitted to be assumed by GitHub. Backround: I'm using GitHub actions, which use OIDC to assume roles in my AWS account. IAM Access Analyzer does allow me to define archive rules using the OIDC principal, which is part of the solution. But I also want to check that the roles are limiting based on conditions, such as the repo name. At the moment, it appears only Facebook/Google/Amazon/Cognito is supported. This is what I'd like to check for: "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::xxxx:oidc-provider/token.actions.githubusercontent.com" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringLike": { "token.actions.githubusercontent.com:sub": "repo:mygithuborg/mygithubrepo:*" } }

I am trying to provide feedback on this [IAM docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) page. When I click the feedback link, it takes me to [here](https://docs-feedback.aws.amazon.com/feedback.jsp?hidden_service_name=IAM&topic_url=https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) which fails when I submit with this error: ``` HTTP Status 400 – Bad Request Type Exception Report Message Request header is too large Description The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing). Exception java.lang.IllegalArgumentException: Request header is too large org.apache.coyote.http11.Http11InputBuffer.parseHeaders(Http11InputBuffer.java:629) org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:535) org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:847) org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1680) org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) java.lang.Thread.run(Thread.java:750) Note The full stack trace of the root cause is available in the server logs. Apache Tomcat/8.5.75 ``` Consequently, I'll provide my feedback here. Reading over the docs [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html) it would appear you are using the wrong condition operator modifier on [this page](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) Wouldn't this require that `SourceIdentity` be set to both `Saanvi` and `Diego`, not either or: ``` "StringLike": { "sts:SourceIdentity": [ "Saanvi", "Diego" ] } ``` Shouldn't it be?: ``` "ForAnyValue:StringEquals": { "sts:SourceIdentity": [ "Saanvi", "Diego" ] } ``` Also you appear to arbitrarily be using `StringLike` instead of `StringEquals` throughout: ``` "Condition": { "StringLike": { "sts:SourceIdentity": "${aws:username}" } } ``` Although there are no wildcards in this if you want an exact match, wouldn't it be more clear to use `StringEquals`?

Hi There! I have successfully created a Service Catalog with related Portfolio and Products when my users were IAM users. I am have issues adding the SSO (sync'd with AD) users to the Portfolio though. When following this step: https://docs.aws.amazon.com/servicecatalog/latest/adminguide/getstarted-deploy.html. It's not clear how I can add an SSO group instead of an IAM group. ASK: Is it possible to add an SSO user to the Service Catalog Portfolio? If so how? Many thanks in advance!

Suppose I have a generic OIDC provider that mints ID Tokens and I pass one to AWS (through an AWS OIDC Provider and connecting something like a Cognito Identity Pool) to receive STS credentials in return. When those credentials expire, I do it again and get new credentials. Suppose I'm dumb, have an insecure app, or have dumb users falling for phishing scams and leaking out their OIDC ID Token. Are there any measures in place/possible to implement that prevents someone else from getting STS credentials using that same token? (i.e. MTLS, DPoP)

I am trying to implement a proxy to our Aurora instance, but having difficulty getting the IAM access to work properly. We have a microservice in an ECS container that is attempting to access the database. The steps I've followed so far: * Created a secret containing the DB credentials * Created the proxy with the following config options: * Engine compatibility: MySQL * Require TLS - enabled * Idle timeout: 20 minutes * Secret - Selected DB credential secret * IAM Role - Chose to create new role * IAM Authentication - Required * Modified the policy of the proxy IAM role as per the details on [this page](https://aws.amazon.com/getting-started/hands-on/set-up-shared-database-connection-amazon-rds-proxy/). * Enabled enhanced logging When issuing GET requests to the microservice, I see the following in the CloudWatch logs: > Credentials couldn't be retrieved. The IAM role "arn:our-proxy-role" is not authorized to read the AWS Secrets Manager secret with the ARN "arn:our-db-credential-secret" Another interesting wrinkle to all of this: I pulled up the policy simulator, selecting the RDS proxy role and all of the actions under the Secrets Manager service, and all actions show up as being allowed. I would sincerely appreciate any kind of guidance to indicate what I'm missing here.

While setting up the Environment and Project Settings in the Unreal Plugin, can a game developer use STS tokens to get the Key, Secret and Token?

The following trust policy is the default trust policy for an EC2 instance role. ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sts:AssumeRole" ], "Principal": { "Service": [ "ec2.amazonaws.com" ] } } ] } ``` Is it possible to limit this trust policy to allow the role to only be attached to a specific instance? I know that it would be possible to only grant the IAM permissions to a user to pass this role to a specific instance but I would also like to limit the scope of this role to a specific instance at the same time.

We need to use OKTA as the entry point for users to gain access to CloudWatch dashboards, since we do not want to create new AWS accounts to allow users to use them

hi, i am following the aws amplify tutorial ( https://docs.amplify.aws/start/getting-started/installation/q/integration/angular/ ) and i want to create my first iam user via console ( https://us-east-1.console.aws.amazon.com/iamv2/home#/users ) but i get an "Unknown error" every time i press the "Add users" button (see screenshot https://imgur.com/a/SX3KrGw ). trying to open "Account settings" ( https://us-east-1.console.aws.amazon.com/iam/home#/account_settings ) leads to the same problem. i am logged in with the root user and don't know what to do. Can you help me or point me in the right direction to solve the issue? Thanks and greetings!

Multiple blogs and documents suggested that a Google workspace user can be assumed to an IAM role. However, is it possible to map a Google workspace user group with one or multiple IAM roles? If I understand correctly, IAM federation with Azure AD DC supports idp user group to iam role mapping. But not sure if the support is one-to-one or many-to-many type. Thanks!

Hi, I am looking for a IAM policy with limited access that would allow a user to sign in to the AWS console. From there the user would only be able to press the button to switch to another role. The user should only be able to "Switch Role" and that's it. Not additional access is needed other than Switch Role. For example: [Main AWS Console Account] ----> (press the "Switch Role" button and enter AWS Account ID and Role) ----> [In New AWS Console Role] The idea is to use the main account as to jump onto other accounts but with limited permissions to the main account.

Is it possible to have different login URLs for different IAM users or for different stacks of the same root account? e.g. user IAM 1 -> linkA userIAM2 -> linkB or Stack1 -> linkA Stack2 ->linkB what I need is: to deploy an application with different settings for different end-users, if possible with different login links. Then give the user a chance to see their stack and fleet belong. Do you have any suggestions on how to do that? Thanks in advance.

I noticed this question from 4 years ago: https://repost.aws/questions/QUjjIB-M4VT4WfOnqwik0l0w/verify-open-id-connect-token-generated-by-cognito-identity-pool So I was curious and I looked at the JWT token being returned from the Cognito Identity Pool. Its `aud` field was my identity pool id and its `iss` field was "https://cognito-identity.amazonaws.com", and it turns out that you can see the oidc config at "https://cognito-identity.amazonaws.com/.well-known/openid-configuration" and grab the public keys at "https://cognito-identity.amazonaws.com/.well-known/jwks_uri". Since I have access to the keys, that means I can freely validate OIDC tokens produced by the Cognito Identity Pool. Moreso, I should be also able to pass them into an API Gateway with a JWT authorizer. This would allow me to effectively gate my API Gateway behind a Cognito Identity Pool without any extra lambda authorizers or needing IAM Authentication. Use Case: I want to create a serverless lambda app that's blocked behind some SAML authentication using Okta. Okta does not allow you to use their JWT authorizer without purchasing extra add-ons for some reason. I could use IAM Authentication onto the gateway instead but I'm afraid of losing formation such as the user's id, group, name, email, etc. Using the JWT directly preserves this information and passes it to the lambda. Is this a valid approach? Is there something I'm missing? Or is there a better way? Does the IAM method preserve user attributes...?

I am new to AWS and I am the sole admin in my subscription. I am a member of the `Admins` group, and have the `AdministratorAccess` policy. Yet, when I try to use the Apache Superset reference deployment (https://aws.amazon.com/quickstart/architecture/apache-superset/), I am getting the following error: `AccessDenied. User doesn't have permission to call ec2:DescribeAvailabilityZones.` I have tried to create a new Policy with specific EC2 permissions, but it has not helped. Please help!

Hi, Im trying to achieve the "role chaining" as in the https://aws.plainenglish.io/aws-iam-role-chaining-df41b1101068 i have an user `admin-user-01` with policy assigned: ``` { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::<accountid>:role/admin_group_role" } } ``` I have a role, which is meant for `admin-user-01`, with `role_name = admin_group_role` and trust policy = ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<accountid>:user/admin-user-01" }, "Action": "sts:AssumeRole" } ] } ``` And it also has a policy: ``` { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::<accountid>:role/test-role" } } ``` Then, i have another role, which is assigned for the role above (`admin_group_role`), with `role_name = test-role` and trust policy = ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<accountid>:role/admin_group_role" }, "Action": "sts:AssumeRole" } ] } ``` But when i login as `admin-user-01` into account, then switch to the role `admin_group_role` and then try to switch to role `test-role` i get : `Invalid information in one or more fields. Check your information or contact your administrator.` P.S everywhere <accountid> is the same, all of the roles,users,permissions are created in the same account ( what, i suppose might be the reason why i face the error ) What am i doing wrongly?

Hi, I have private snapshots in one account (source) that I have shared with another account (target). I am able to see the snapshots themselves from the target account, but the tags are not available, neither on the console nor via the cli. This makes it impossible to filter for a desired snapshot from the target account. For background, the user in the target account has the following policy in effect: ``` "Effect": "Allow", "Action": "ec2:*", "Resource": "*" ``` Here's an example of what I'm seeing; from the source account: ``` $ aws --region us-east-2 ec2 describe-snapshots --snapshot-ids snap-XXXXX { "Snapshots": [ { "Description": "snapshot for testing", "VolumeSize": 50, "Tags": [ { "Value": "test-snapshot", "Key": "Name" } ], "Encrypted": true, "VolumeId": "vol-XXXXX", "State": "completed", "KmsKeyId": "arn:aws:kms:us-east-2:XXXXX:key/mrk-XXXXX", "StartTime": "2022-04-19T18:29:36.069Z", "Progress": "100%", "OwnerId": "XXXXX", "SnapshotId": "snap-XXXXX" } ] } ``` but from the target account ``` $ aws --region us-east-2 ec2 describe-snapshots --owner-ids 012345678900 --snapshot-ids snap-11111111111111111 { "Snapshots": [ { "Description": "snapshot for testing", "VolumeSize": 50, "Encrypted": true, "VolumeId": "vol-22222222222222222", "State": "completed", "KmsKeyId": "arn:aws:kms:us-east-2:012345678900:key/mrk-00000000000000000000000000000000", "StartTime": "2022-04-19T18:29:36.069Z", "Progress": "100%", "OwnerId": "012345678900", "SnapshotId": "snap-11111111111111111" } ] } ``` Any ideas on what's going on here? Cheers!

I'm trying to register my AWS DeepLens v1.0 but I'm failing at step 1 "Autorizations". As soon as I load the page, there's a red panel showing "The security token included in the request is invalid". And if I enter a name then click the "create roles" button, same thing. The browser JS console is showing "POST https://iam.amazonaws.com/ 403", so I suppose I could manually add some roles in my IAM user profile, but I'm new with AWS, and don't have any clue. Can someone help me ?

While trying out https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html, getting the below error. What STS is actually looking for the validation? If the IDP's jwks url contains multiple certificates, can it handle token signature validation? ``` <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/"> <Error> <Type>Sender</Type> <Code>InvalidIdentityToken</Code> <Message>Couldn't retrieve verification key from your identity provider, please reference AssumeRoleWithWebIdentity documentation for requirements</Message> </Error> <RequestId>dfd6341d-9686-4acb-8e41-03471c6f5ef0</RequestId> </ErrorResponse> ```

We are trying to setup AWS Polly to use inside a Unity project. Currently we are getting this error: "Invalid identity pool configuration. Check assigned IAM roles for this pool" We have added Polly permissions to the IAM (find screenshots below): https://ibb.co/ThL6mcc https://ibb.co/kqcSTP3 And set up an identity, with unauthorised access, pointing to the IAM containing Polly permissions (find screenshot below). https://ibb.co/TthT7xs Before we linked Identity to the IAM, the error we were getting was pointing towards a lack of permissions for Polly, so it appears that code on the Unity side is working as expected. What are the steps we need to take in order to set up the identity pool configuration to work with unauthorised access? The project we are working on is a site based VR experience, and we are managing all of the machines ourselves, so we have no need for user authentication.

Is it possible to give access only to a certain image, stack, or fleet with IAM policies? Do you have any examples? I tried with a policy but it returns this error: > User: arn:aws:iam::xxxxxxxxx:user/xxxxxxxx is not authorized to perform: appstream:DescribeFleets on resource: arn:aws:appstream:eu-central-1:xxxxxxxxxxx:fleet/* because no boundary policy allows the appstream:DescribeFleets action > My need is: in an AWS account, an IAM user must only see some image/fleet/stack. thanks

Hello there, I have a Lambda that is trying to move a file from S3 to a Windows EC2 instance. I am using `ssm` to do it. When I get granular with the perms I get the following error: ``` 2022-04-19T20:32:15.502Z 5737b35c-6d81-471f-b29c-3fd23f1a5123 INFO AccessDeniedException: User: arn:aws:sts::xxx:assumed-role/userxyz is not authorized to perform: ssm:SendCommand on resource: arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript because no identity-based policy allows the ssm:SendCommand action ``` If I attached the `AmazonSSMFullAccess` policy to the IAM Role, it works. Which other perm do I need to add so that I do not grant the very permissible managed policy? _Edit:_ Forgot to attach the policy ``` { "Effect": "Allow", "Action": "ssm:SendCommand", "Resource": [ "arn:aws:ssm:*:xxx:document/*", "arn:aws:ec2:*:xxx:instance/*" ] } ```

Can we access and use multiple roles from a single user simultaneously(using STS assumeRole api right now)? My use case requires creation of different roles which have their specific policies assigned, and I need a different way other than creating one user per role sort of like a multiple account access. Instead of creating 1 user per role, is there any way that a single user can access/assume resources of multiple roles/accounts simultaneously?

Is there a full example in C++ using the STS service? https://sdk.amazonaws.com/cpp/api/LATEST/namespace_aws_1_1_s_t_s.html I looked at https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code but didn't find anything relevant.

I have created a CloudFormation Stack using the below template in the **us-east-1** and **ap-south-1** region AWSTemplateFormatVersion: "2010-09-09" Description: Template for node-aws-ec2-github-actions tutorial Resources: InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Sample Security Group SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 0.0.0.0/0 EC2Instance: Type: "AWS::EC2::Instance" Properties: ImageId: "ami-0d2986f2e8c0f7d01" #Another comment -- This is a Linux AMI InstanceType: t2.micro KeyName: node-ec2-github-actions-key SecurityGroups: - Ref: InstanceSecurityGroup BlockDeviceMappings: - DeviceName: /dev/sda1 Ebs: VolumeSize: 8 DeleteOnTermination: true Tags: - Key: Name Value: Node-Ec2-Github-Actions EIP: Type: AWS::EC2::EIP Properties: InstanceId: !Ref EC2Instance Outputs: InstanceId: Description: InstanceId of the newly created EC2 instance Value: Ref: EC2Instance PublicIP: Description: Elastic IP Value: Ref: EIP The Stack is executed successfully and all the resources are created. But unfortunately, once the EC2 status checks are initialized the Instance status check fails and I am not able to reach the instance using SSH. I have tried creating an Instance manually by the same IAM user, and that works perfectly. These are the Policies I have attached to the IAM user. Managed Policies * AmazonEC2FullAccess * AWSCloudFormationFullAccess InLine Policy { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile", "iam:GetRole", "iam:GetInstanceProfile", "iam:DeleteRolePolicy", "iam:RemoveRoleFromInstanceProfile", "iam:CreateRole", "iam:DeleteRole", "iam:UpdateRole", "iam:PutRolePolicy", "iam:AddRoleToInstanceProfile" ], "Resource": "*" }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:ListAllMyBuckets", "s3:CreateBucket", "s3:DeleteObject", "s3:DeleteBucket" ], "Resource": "*" } ] } Thanks in advance for helping out. Have a good day

I'm trying to configure the AWS S3 service to download the included files in a bucket using Unity for mobile. I downloaded the SDK package and I got it installed. From AWS console I set up a IAM policy and roles for unauth users I created a Cognito IdentityPool and got the relative id I set up the S3 bucket and its policy using the generator, including the **arn:aws:iam::{id}:role/{cognito unauth role}** and the resource **arn:aws:s3:::{bucket name}/***. In code I set credentials and region and create CognitoAWSCredentials (C# used) ```C# _credentials = new CognitoAWSCredentials(IdentityPoolId, _CognitoIdentityRegion); ``` then I create the client: ```C# _s3Client = new AmazonS3Client(_credentials, RegionEndpoint.EUCentral1); // the region is the same in _CognitoIdentityRegion ``` I then try to use the s3Client to get my files (in bucketname subfolders) ``` private void GetAWSObject(string S3BucketName, string folder, string sampleFileName, IAmazonS3 s3Client) { string message = string.Format("fetching {0} from bucket {1}", sampleFileName, S3BucketName); Debug.LogWarning(message); s3Client.GetObjectAsync(S3BucketName, folder + "/" + sampleFileName, (responseObj) => { var response = responseObj.Response; if (response.ResponseStream != null) { string path = Application.persistentDataPath + "/" + folder + "/" + sampleFileName; Debug.LogWarning("\nDownload path AWS: " + path); using (var fs = System.IO.File.Create(path)) { byte[] buffer = new byte[81920]; int count; while ((count = response.ResponseStream.Read(buffer, 0, buffer.Length)) != 0) fs.Write(buffer, 0, count); fs.Flush(); } } else { Debug.LogWarning("-----> response.ResponseStream is null"); } }); } ``` At this point I cannot debug into the Async method, I don't get any kind of error, I don't get any file downloaded and I even cannot check is connection to AWS S3 has worked in some part of the script. What am I doing wrong? Thanks for help a lot!

Hello, I (account #A) have given access to an external account (account #B) in an S3 bucket with the canonical ID. However, and when I try to download a file to an EC2 bucket, it's still producing the error: ``` fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden ``` I'm trying to follow the instructions at https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/. I think that points 2 and 3 have been taken care of (although I used the console). The issue is that for point 1, I'm starting from https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html and the JSON policy reads: ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "statement1", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::***********:user/********" }, "Action": [ "s3:GetObject" ], "Resource": "arn:aws:s3:::cmaq-database/*" } ] } ``` However, the console is not accepting it claiming: '*This policy contains the following error: Has prohibited field Principal*." Thanks.

I'm getting the following error when I run a Glue Crawler on an S3 bucket: > ERROR : Not all read errors will be logged. com.amazonaws.services.s3.model.AmazonS3Exception: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access. (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; The S3 bucket has default "Amazon S3-managed keys (SSE-S3)" encryption enabled, not a CMK from KMS. The Glue Crawler has an IAM role with the managed policy AWSGlueServiceRole and a policy that was created by the wizard: ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::<bucket-name>/*" ] } ] } ``` This previous post also has a 403 and was solved by adding GetObject permissions to the specific bucket, which I already have. I'm also not using a VPC endpoint, which is one of the possible problems listed on [this AWS help article](https://aws.amazon.com/premiumsupport/knowledge-center/glue-403-access-denied-error/). And i do NOT have Requester Pays turned on. It's all in the same AWS account. The default private bucket settings are checked, and there's no bucket policy.

I want to find out how can we audit AWS events/logs to see when lucidscale (a third party application) makes a connection. I already looked into AWS CloudTrail, CloudWatch but I didn't find anything there. Here is the link that shows how I imported AWS data to LucidScale for diagramming purpose: https://lucidscale.zendesk.com/hc/en-us/articles/4407993351188#import-aws-accounts-and-create-models-via-cross-account-role (Import AWS Accounts and Create Models via Cross-Account Role) Thanks for your help.

We have a number of fleets already set up and those are working fine but one of the newer fleets that I have created has an issue when new users try to launch and log into Appstream instances that belong to the said fleet. The password that is used is correct but they sometimes get an incorrect password error and then it pops up "An unknown error occurred (1909)". The strange part about it all is that I encountered a similar problem when I first launched and logged in to an instance on the fleet. It took about four or five attempts before it worked. Since that successful sign in, I only encounter the above error occasionally but it works most of the time. Unfortunately, the same doesn't seem to be happening for the newer users that have been assigned access to it. So my questions are, why is this happening in the first place and why is it allowing few users that have signed in previously but none of the new users? FYI, we use Okta as our identity provider. Any advice you may be able to provide would be most appreciated. Thanks and regards, Diem

Hello, I'm writing terraform manifest, i create roles,groups, users, and assigned users to those groups, now i want to assign roles to groups, i was not able to find anything about that by googling, except this https://registry.terraform.io/modules/terraform-aws-modules/iam/aws/latest/examples/iam-group-with-assumable-roles-policy, which apparently doesn't do what i need. Any suggestions? is it even possible?

I am having issues setting up the required IAM access for cross account backups. As I understand the requirements there are four places to configure IAM access: Source Account (management account) Backup Vault Source Account (management account) Resource Assignment Target Account Backup Vault Target Account IAM access role From the AWS Backup Developer Guide p162 I understand that the IAM roles in the Source and Target accounts, Backup Vaults, and the Backup Vault permissions need to match. I have the following configured: Source Account Backup Vault Access – “Allow Access to Backup Vault from Organisation” Source Account Resource Assignment – Role with default policy called “AWSBackupOrganizationAdminAccess” Target Account Backup Vault Access - “Allow Access to Backup Vault from Organisation” Target Account IAM access role - Role with default policy called “AWSBackupOrganizationAdminAccess” I have followed the setup guide to enable cross account backups for my AWS organization. When I run a backup job for an EC2 server in the target account I get the following error: Your backup job failed as AWS Backup does not have permission to describe resource <aws ec2 arn> I assume that somewhere I do not have the IAM access configured correctly. As there are four places where I can configure IAM access how do I track down where the issue is?

Good day Cognito can enforce MFA across the whole pool, which enforces the MFA setup auth flow, even for users that hasn't set up TOTP yet. However, when making the pool MFA optional then setting TOTP MFA required on a user fails with the error: *User does not have delivery config set to turn on SOFTWARE_TOKEN_MFA* However, as mentioned, when enforcing MFA globally this is not an issue. How then can one force MFA auth flow when using TOTP only on a per-user basis? What we've discovered thus far, when explicitly calling associateSoftwareToken after a login (without MFA), one can set a user to REQUIRED with SOFTWARE_TOKEN_MFA, however the auth flow is still not enforced and there is no way with the API to discover whether the MFA is functional. We have the requirement to have per-user MFA requirements. We believe this is in fact a bug. Currently we are forced to either manually implement MFA in our app itself, or force MFA globally for all users.

Hi, I create an identity broker to access AWS Console by following the 'Example code using Python' in https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html. It works on my desktop. I can run the python code and generate valid AWS Console URL with assume role. However, when I migrate the code into lambda by assuming the same role, I failed at requests.get(request_url) with 400 error. In my code, lambda has assumed the role successfully. Why the assumed role can generate AWS Console url in my desktop but failed in lambda?

Trying to export the VM with the following command ``` aws ec2 export-image \ --image-id ami-02c7de82603c5f32e \ --disk-image-format VMDK \ --s3-export-location S3Bucket=auditor-updates,S3Prefix=export/ ``` And getting the following error: `An error occurred (InvalidParameter) when calling the ExportImage operation: Access denied to the bucket auditor-updates` The bucket and the folder definitely exist, typo is impossible. I launched the command under the AWS CLI credentials corresponding to the DevOps role, however, I also tried root access just to make sure actual account permissions are not the reason.

As a root user, I created an environment in Cloud9, then created IAMS users and gave them RW access to the environment, which I can see has worked when I click the Share button on the upper left corner of the environment, but when they log in and go to Cloud9 they can see the card for the environment but 'Open IDE' is grayed out and they can't access it. Sigh.

I'm trying to export the image of an EC2 VM: t2.medium, Ubuntu 20.04 LTS. The instance is stopped during the operation. I created the [vmimport role](https://docs.aws.amazon.com/vm-import/latest/userguide/vmie_prereqs.html#vmimport-role), created a service role and a role policy as described. AWS CLI credentials correspond to a DevOps role, which should be sufficient for the operation. The resulting command looks like ``` aws ec2 export-image \ --image-id ami-09e67e426f25ce0d7 \ --disk-image-format VMDK \ --s3-export-location S3Bucket=auditor-updates,S3Prefix=export/ ``` Command returns the error `An error occurred (InvalidParameter) when calling the ExportImage operation: The image ID (ami-09e67e426f25ce0d7) provided does not exist` AMI ID typo is impossible, I just copied it from the instance page of the EC2 console. If I met any export limitations, how do I know which exactly?

Can multiple developers use our same AWS Account. If so, what is the difference between Root access and Console Access? Where should I set the new developer up? He will need to create containers, configure servers and clients in macOS.

I have created EMR default roles by `aws emr create-default-roles` and then want to create an EMR cluster. But when I click the "create cluster" button, it says: ```An error occurred (AccessDeniedException) when calling the RunJobFlow operation: Failed to authorize instance profile arn:aws:iam::011476750252:instance-profile/EMR_EC2_DefaultRole``` Do I miss some permissions or did anything else cause this? Thanks very much.

When i access the Lambda console a message pops up saying I don't have permisions. But i am using Administrator user (with AdministratorAccess Policy) and even tried with my root access. Was able to do this a couple of days back, but have not success since creating an Administrator user

I am trying to figure out how to download file(s) from S3, using an SSM Automation document. Note, this is not a "Command" document type, as I need to use Assume Role. The instances themselves shouldn't have access to the bucket by default, which is why I need the Assume Role bit. DownloadContent with a "Command" document type requires the instance to have the IAM policies/roles attached that can read the bucket. Is there a way to do this without having the iam policy on each instance being modified/have access to the bucket?

I need to produce a report showing which AWS Console users have been added, modified or removed during the past year. Is this possible? The report was requested by an auditor.

Hi, I followed the wizard to create an ECS/fargate cluster and a basic step function state machine. I was able to run the state machine once (after working through a few permissions issues), though the container exited. I updated the task definition (specifically, all I changed was the container's entrypoint and command), and I'm now encountering a new IAM issue despite not (to my knowledge) changing anything related to the state machine or cluster's roles. ``` Error ECS.AccessDeniedException Cause User: arn:aws:sts::****:assumed-role/StepFunctions-hello-role-****/**** is not authorized to perform: ecs:RunTask on resource: arn:aws:ecs:us-west-2:****:task-definition/hello-task:2 because no identity-based policy allows the ecs:RunTask action (Service: AmazonECS; Status Code: 400; Error Code: AccessDeniedException; Proxy: null) ``` Is there a particular resource that needs to have this role/policy assigned that I'm missing? I don't know how to set or access permissions for "assumed roles" before or after the state machine runs. Thanks!

someone is able to access lightsail instances using a non-existent username how to resolve this problem? (the username used is "admin-d" ?) I was able to check it through cloudtrail logs. This user name doesn't exist in the aws iam users and I am concerned that there might be leaks within my account. How to resolve any security lapses within my account.

I am getting an exception when Deploying a cloud formation template regarding Requires capabilities : [CAPABILITY_IAM]. I have done some research and found out that when using IAM resources in the template we have to explicitly tell AWS that we are aware of IAM resources in the template. I have done that. Below is my command $ ./update.sh ScalableAppCore AppServers.yml AppParameterCore.json --capabilities CAPABILITY_IAM $ ./update.sh ScalableAppCore AppServers.yml AppParameterCore.json --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM $ ./create.sh ScalableAppCore AppServers.yml AppParameterCore.json --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND Tried all 3 commands but still, the output shows: An error occurred (InsufficientCapabilitiesException) when calling the UpdateStack operation: Requires capabilities : [CAPABILITY_IAM] Here is the actual code : This is the Role I have created for S3 ``` IamS3Role: Type: AWS::IAM::Role Properties: ManagedPolicyArns: - "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com Action: - 'sts:AssumeRole' Path: / ``` Instance Profile attachment ``` ProfileWithRolesForApp: Type: AWS::IAM::InstanceProfile Properties: Path: "/" Roles: - !Ref IamS3Role ``` Please let me know where I am wrong . Thanks in advance

Hi, Today - without any specific operation which I have made - I got the following error when accessing to the S3 Console at: https://s3.console.aws.amazon.com/ > Thanks for signing up with Amazon Web Services. Your services may take up to 24 hours to fully activate. If you’re unable to access AWS services after that time, here are a few things you can do to expedite the process: > Make sure you provided all necessary information during signup. Complete your AWS registration. Check your email to see if you have received any requests for additional information. If you have, please respond to those emails with the information requested. > Verify your credit card information is correct. Also, check your credit card activity to see if there’s a $1 authorization (this is not a charge). You may need to contact your card issuer to approve the authorization. If the problem persists, please contact Support: Furthermore when trying to accessing to any S3 buckets which belong to the same organisation and they were public (Static web sites) we got: > 403 Forbidden >Code: AllAccessDisabled >Message: All access to this object has been disabled >RequestId: 4AWKPXHEKK4R23B4 >HostId: yP4BnTua4EXv2MjpPpSZip2gIrifx2xZ7ckCkMNGKjFjujJzuMMQUlgKxQi9GXMPEGdjnPrR6G0= At the moment I cannot see the S3 console, and all the public websites inside that S3 static folder are under 403 Forbidden error. Do you have any advice of what could have been done. Thanks

I am working through the Security Learning Plan and was recently watching the video about AWS Secrets Manager. The real question that concerns me is why using AWS Secrets Manager is better than say, store encrypted credentials in a config file. I know that there are a couple of aspects where Secrets Manager is obviously a lot better than a config file (credential rotation, central point of maintenance of credentials) but these don't answer my question. To clarify, let me give you an example. Let's say I have an EC2 instance running Tomcat and Tomcat needs credentials to connect to a DB. I store the creds in Secrets Manager and use the Java API to let Tomcat retrieve them. I guess (I didn't try it out yet) I need to grant the required permissions to the EC2 instance by assigning it an IAM role with appropriate permissions (maybe this assumption is incorrect, if so, how would I do it instead?). And now come my questions: 1. How does Secrets Manager know the credential request is legimitate? 2. How will the HTTP Query Tomcat sends authenticate against Secrets Manager? 3. Will Secrets Manager see that a Java process is querying or will it only see a request coming from instance i-something? 4. If the answer of 3 is "Secrets Manager sees only the instance querying" then how can I prevent another process on the same box querying the DB creds? If I chose the solution with the config file one of the major security drawbacks is that any intruder on the box can read the files, reverse the code the encrypts the creds and decrypt them. I would like to know if Secrets Manager provides a good solution for this fundamental problem. I didn't find any posts discussing this in the required detail (e.g. [https://repost.aws/questions/QUAsOpdhR-QAKVZEL0nRGTkw/aws-secrets-manager-with-boto-3-in-python](https://repost.aws/questions/QUAsOpdhR-QAKVZEL0nRGTkw/aws-secrets-manager-with-boto-3-in-python)). I hope I explained the problem well enough. Thanks for every answer.

We have created a lambda@edge function (nodejs 14 with default aws sdk) that retrieves an object from an S3 Object Lambda accesspoint. Most of the time everything works correctly, but from one moment to the other the lambda@edge function fails the call to S3 with an "InvalidSignature" error. We create the S3 client once during the lambda@edge during the startup of the lambda@edge function and only do an s3.getObject call to the S3 Object Lambda accesspoint and return the results. Any idea what could be the cause?

The context is enabling authenticated and authorized access to Kubernetes Dashboard in an AWS EKS instance via an AWS ALB configured with OIDC authenticate. The Kubernetes Dashboard is being protected by an AWS ELBv2 load balancer. It is created and configured by Ingress resource and the ALB Controller v2 (v2.2.3). This works. FWIW: We are Azure AD as the IdP. We are also using the OIDC Provider configuration on the Kubernetes (EKS) API. We are successfully using OIDC authenticated access from kubectl to access the API and apply RBAC. We are using ClusterRoleBinding to test with Cluster Admin users. Authentication works. However, the Kubernetes Dashboard still presents its internal token challenge page, because it does not get the Access Token, because the ALB removed it and put it in the ```X-AMZN-OIDC-*``` header. We had some success with: ``` alb.ingress.kubernetes.io/configuration-snippet: auth_request_set $token $upstream_http_authorization; proxy_set_header Authorization $token; proxy_pass_header Authorization; ``` Is this the best way to do this? Is there a better way to configure the ALB to attach the Access Token it obtained from the IdP's token endpoint as an ```Authorization: Bearer <token>```, rather than in a separate header?

Hello, I need to control access to my REST API Gateway in the following manner: - When called from my own web app (SPA hosted on S3/CloudFront at a specific Route53 domain) it should go through only after validating the calling user in terms of authentication and authorization through an OAuth2 JWT token. - When a 3rd party calls (any other domain/machine) the above should also happen, but only after validating that a specific API Token has been issued to the caller. What technologies should I be using to achieve the above please?

Hi all, Newbie just getting started with rest api and S3... Q: Is it possible to presign an entire bucket / or folder rather than just one object? Goal : to sign into a whole bucket for a period of time (ex: one day) and then use the same signature to access varied content inside the bucket with the same signature until it expires? https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html

Hi all, I am a newbie getting started with AWS S3 buckets I created a bucket: test1 (public) I have created a bucket: test2 (block public access) I created a policy and test user for test2 bucket Using postman app : I was able to do a simple get for public bucket like: http://s3.myregion.amazonaws.com/test1/TESTPIC.png Now I am trying to do a get with my test2 bucket with (block public access) now I get : <Code>AccessDenied</Code> <Message>Access Denied</Message> So somehow I need to send some credentials with postman to AWS to allow access. Any idea how to do this?

**Transfer data from RDS MySQL to S3 bucket ** I set up a data pipeline to transfer data from RDS Mysql to S3 Bucket, where before thet I set up the RDS mysql database with username and password. (IAM authentication enabled) It seems that EC2 that lunched by data pipeline can not access the database. error message : ( Access denied for user 'admin'@'172.31.89.157' (using password: YES) ) Noting that I tried to create new user with awsauthentication plugin, and used the master password, but that is not working, it give the same error. Can you advise guys! Thanks for your answers in advance!

I want view details of IAM Role to how many instances it is attached to with Cloudshell, cli which commands should use give example. lets assume I have IAM Role TestRole I want to know to how ec2 instances TestRole is attached to.

Dear Team, I have a bucket named my-bucket and it has a users folder. There are 5 individual user-name folder inside users folder. I want to make sure each user gets to see his/her own folder but can not see other user folders(I can restrict access to the content of the folder but want that one user should not see other users folder as well). Is it possible ? Ex. Below is the folder structure i have : my-bucket users UserA UserB UserC UserD UserE when UserE logs in, he/she should not see UserD folder in S3. I am able to restrict the content view of UserD folder but UserE still sees userD folder and then on click of UserD folder, he gets access denied error. Please let me know if i can restrict UserE from seeing any other users folders if he clicks on users folder Thanks, Dhaval Mehta

Looking to know what the process/scope of an AWS support agent is in responding to support requests. If I delegate access to a user so they can utilise AWS support services, am I creating a pathway for that user to make changes to the AWS account via a support request that is beyond that user's authority?

Hello! I'm trying to migrate a QuickSight dashboard from one account to another, working out of [this article](https://aws.amazon.com/blogs/big-data/biops-amazon-quicksight-object-migration-and-version-control/). It gathers the details of each dataset, including the Physical Table Definition and Logical Table Definition. Once it has these, it modifies the dataset definition to point to the new data source, and then runs [create_data_set()](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/quicksight.html#QuickSight.Client.create_data_set) to replicate the dataset in the new account. When I run create_data_set() it works for 70% of our datasets. But for a few, it returns this error: `An error occurred (AccessDeniedException) when calling the CreateDataSet operation: User: arn:aws:iam::12345678910:user/my_user is not authorized to access this resource` I can't find the reason why it fails for some datasets and works for others. I also can't figure out what resource I'm being denied access to - it's trying to create a dataset, so what resource is it being denied? For the record, my user has AdministratorAccess. I would greatly appreciate any information about what permissions are needed to run create_data_set(), and what resources are being accessed, or anything else that could help me figure out what is going on with this error. Thank you!

I have tried Authy - both on my phone and the desktop app - and I have also tried Microsoft Authenticator. Each time I scan the QR code and provide the 6 digit code I receive "Invalid MFA Code"

Hello there, I have a function with permissions to another resource. This resource permission is no longer needed. But I cannot delete the permissions from the lambda function. The CLI always says that At least on category must be selected. ? Which setting do you want to update? Resource access permissions ? Select the categories you want this function to have access to. ◯ auth ◯ function ❯◯ storage ◯ api ◯ hosting >> You must select at least one category The version of the CLI is 7.6.2 Is there a way to remove all permissions from a lambda via the Amplify CLI?

Hi, Im trying to create "revoke" session policy for iam user using command `aws iam create-policy --policy-name "revoke-session" --policy-document JSON.json` And the content of the `JSON.json` is ``` { "Version": "2012-10-17", "Statement": { "Effect": "Deny", "Action": "*", "Resource": "*", "Condition": {"DateLessThan": {"aws:TokenIssueTime": "2022-03-23T15:30:00Z"}} } } ``` But if i run the command it says `An error occurred (MalformedPolicyDocument) when calling the CreatePolicy operation: Syntax errors in policy.` **If i create exact same policy trough AWS console everything works!** So, im confused, what can be wrong?

I have created an IAM User with login profile (Password) using Python SDK (Boto3). The user creation was success. When trying to delete the Login Profile of the IAM User, I'm getting the below error : > An error occurred (EntityTemporarilyUnmodifiable) when calling the DeleteLoginProfile operation: Login Profile for User XXXXXX cannot be modified while login profile is being created. After i wait for few minutes and then run the code again, the code works. This issue started from few days ago and now it has became a frequent error. Any problems with IAM ?