Questions tagged with AWS Identity and Access Management

I am developing an application using Amazon Cognito User Pools and Identity Pools. My application uses: * the Cognito Hosted UI and authorization code grant to get an authorization code * a POST request to a standard `oauth2/token` endpoint to exchange the authorization code for an `id_token`, `access_token`, and `refresh_token` * the AWS SDK for JavaScript V3 `fromCognitoIdentityPool` method to exchange an `id_token` for temporary AWS credentials (which are used to allow users to access various AWS services) My question relates to the expiration and refresh of these temporary AWS credentials. The IAM user guide says [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html): > You must make sure that you get a new set of credentials before the old ones expire. In some SDKs, you can use a provider that manages the process of refreshing credentials for you; check the documentation for the SDK you're using. I am using the AWS SDK for JavaScript V3. I have searched through these resources without finding any reference to whether or not the SDK handles refreshing of temporary credentials: 1. [The API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/index.html) 2. [The Developer Guide](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/welcome.html) 3. [Various code files from the repository](https://github.com/aws/aws-sdk-js-v3) I did find one tangential, ambiguous reference to credential expiration and refreshing on the page ["Using Amazon Cognito Identity to authenticate users"](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/loading-browser-credentials-cognito.html) in the section named ***Switch to Authenticated User***. I think adding a section to this page about the details of temporary credentials refresh would be extremely helpful to developers. **Does the AWS SDK for JavaScript V3 handle refresh of expired temporary credentials? Where is this described in the documentation for the SDK?** If yes: * Does the SDK handle the exchange of a `refresh_token` for an `id_token` and then exchange of an `id_token` for expired temporary credentials? * Or does the SDK require developers to write application code that exchanges a `refresh_token` for an `id_token`? (Meaning the SDK would just handle exchanging an `id_token` for expired temporary credentials)lg...

Hi, I have been charged for almost 2400€ for AWS SageMaker that i didn't use or had activated in my account. I use a password with a combination of Letters, Numbers and special characters and also use MFA authentication to my AWS account . Checking the Event History without any login from my side or using my credentials i see all the following events done in my account : | Event name| | --- | | Data |GetRole ListPolicies AttachRolePolicy CreatePolicy CreateRole CreateEndpoint CreateEndpointConfig CreateModel DescribeRepositories GetAuthorizationToken CreateRepository ListEndpoints GetServiceQuota On those events are the creation and activation of the SageMaker , how can it be possible to someone activate roles\services or anything on a "secure" account without the user login credentials and MFA authentication code !!! I've followed all the steps that AWS support had sent to remove all the active services that i didn't activate, also i have a ticket open for 14 days to be refunded for the value that was charged to my card, talked several times in the support chat and the answer is that "I've checked in with the service team and there's no update as yet" ... How can we trust and be safe if is possible to activate services on our account without our credentials and MFA authentication code ????lg...

I'm trying to restrict the S3 bucket used for **StackSet** templates with the IAM condition **cloudformation:TemplateUrl**, but it's does not work as expected: the IAM Policy applied always deny the CreateStackSet. See below the tested policy. The [doc page](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions) explains that you can use the condition as usual, but there is a Note that is not clear for me:  For allowed CreateStackSet calls, the CloudTrail event included the TemplateUrl in the context, so I don't understand why the condition does not work with Stack Set. Thank for your help! ``` { "eventVersion": "1.08", [...] "eventTime": "2022-08-09T15:42:50Z", "eventSource": "cloudformation.amazonaws.com", "eventName": "CreateStackSet", "awsRegion": "us-east-1", "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "requestParameters": { "stackSetName": "test-deny1", "templateURL": "https://s3.amazonaws.com/trusted-bucket/EnableAWSCloudtrail.yml", "description": "Enable AWS CloudTrail. This template creates a CloudTrail trail, an Amazon S3 bucket where logs are published, and an Amazon SNS topic where notifications are sent.", "clientRequestToken": "1bd60a6d-f9dc-76a9-020a-f5a45f1bdf1e", "capabilities": [ "CAPABILITY_IAM" ] }, "responseElements": { "stackSetId": "test-deny1:97054f39-3925-47eb-92fd-09779f32bcf6" }, [...] } ``` For reference my IAM Policy: ``` { "Sid": "TemplateFromTrustedBucket", "Effect": "Allow", "Action": [ "cloudformation:CreateStackSet", "cloudformation:UpdateStackSet" ], "Resource": "*", "Condition": { "StringLike": { "cloudformation:TemplateURL": [ "https://s3.amazonaws.com/trusted-bucket/*" ] } } } ```lg...

In the IAM console I see the message: ``` Deactivate or delete access keys for root user Deactivate or delete the access keys for the root user. Instead, use access keys attached to an IAM user to improve security. ``` I'm concerned that if I do this I'll be unable to log into my account.lg...

Trying to give a IAM user access to AppSync. I have set the following policies to this IAM user: ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "amplify:*", "Resource": "*" } ] } { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "amplifybackend:*", "Resource": "*" } ] } { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "appsync:*", "Resource": "*" } ] } ``` Each is its own policy because I used the visual editor to create the policies. And yet when my IAM user tries to open AppSync there is a "Network error" message and inspecting the console I seem to be getting a bunch of 403s from the API requests. What's the correct policy to give full access to the AppSync console?lg...

Hello There, my question is: How do I replace the root (default) keypair for my ec2 instance, in my ec2 dashboard? I know how to add (delete) public ssh keys in the .ssh/authorized_keys file on the machine (linux), but I want to **completely** replace my root keypair, ALSO in my ec2 dashboard. Goal is, to make it impossible to login with the old root keypair onto the machine (neither from ssh client nore ec2 instance connect), and only with the new one. I found it impossible to replace my ec2 root keypair in my ec2 dashboard; and even if I delete its public ssh key in the authorized_keys file, I am still able to connect ... If not with ssh cient, so at least with ec2 instance connect, which clearly uses the old root keypair. Seems to me, as if the default keypair is binned to the ec2 instance. So, there must be a solution to this. Otherwise it means that you **cannot** replace the default root keypair for your ec2 instance. Thanks for an answer. Andylg...

Could you please confirm that AWS Lake Formation federated access is eligible for any IDP ( SAML 2.0 based ) ? IHAC need to query Dataset from Qlik Sense via Athena ( with LakeFormation Permission access ) , Qlik is federated, is it possible to use the AWS Lake Formation Federated access from Qlik ? Tx for your supportlg...

I struggled a bit getting IAM Roles to work with a CA I created with openssl and also to deploy all resources with CDK (or cloudformation) After I figured out everything I wrote this blog, I hope someone will find it useful: check it out: https://medium.com/cyberark-engineering/calling-aws-services-from-your-on-premises-servers-using-iam-roles-anywhere-3e335ed648be The CDK example uses escape hatches (so CfnResources), so they could easily be used to do CloudFormationlg...

Hi AWS, I was learning about App2Container service using this AWS Workshop https://catalog.us-east-1.prod.workshops.aws/workshops/2c1e5f50-0ebe-4c02-a957-8a71ba1e8c89/en-US and while deploying the infrastructure using CloudFormation template as provided in Step 1, I am experiencing the issue. ``` Resource handler returned message: "Your access has been denied by S3, please make sure your request credentials have permission to GetObject for application-migration-with-aws-workshop/lambda/4eb5dfa8efc17763bc41edb070cb9cd2. S3 Error Code: AccessDenied. S3 Error Message: Access Denied (Service: Lambda, Status Code: 403, Request ID: 95687072-37e7-4670-b715-7a0e5bdefd92)" (RequestToken: 09b159a9-c86b-72ef-5d6e-c18bbed29004, HandlerErrorCode: AccessDenied) ``` After that I have updated the IAM user permission with the following S3 API and here is the code for the same: ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::application-migration-with-aws-workshop", "arn:aws:s3:::application-migration-with-aws-workshop/lambda/4eb5dfa8efc17763bc41edb070cb9cd2", "arn:aws:s3:::application-migration-with-aws-workshop/lambda/438e5a43749a18ff0f4c7a7d0363e695" ] } ] } ``` Please tell me what's the reason behind the failure. I know this is Amazon owned bucket. So what's missing either from permissions point of view. Thankslg...

A developer on our team is trying to view AWS CloudFront caching stats (https://console.aws.amazon.com/cloudfront/v3/home?#/popular_urls and https://console.aws.amazon.com/cloudfront/v3/home?#/cache) and is getting IAM permissions errors saying that he doesn't have cloudfront:GetPopularURLs and cloudfront:ListCacheStatsDataPointSeries permissions. I'm trying to give him access, but these IAM permissions don't exist in the IAM UI (see screenshots below). How can that be? lg...

Hi, one of our IAM users, started getting MFA Code entry screens on login, although no MFA device is configured in IAM/users/Security Credentials/Assigned MFA device. What else do I need to check?lg...

I am doing this command from my cloud9 environment. I am logged in as owner of the cloud9 environment. I am using aws-cli/2.7.20 ``` ec2-user:~/environment $ aws cloud9 update-environment --environment-id $C9_PID --managed-credentials-action DISABLE An error occurred (AccessDeniedException) when calling the UpdateEnvironment operation: arn:aws:sts::233287386565:assumed-role/cst438-cloud9-containers-role/i-02aef2188aaf75d2e isn't allowed to manage credentials because they're not the environment owner ``` But I am the environment owner. After receiving this error I do ``` aws cloud9 describe-environments --environment-id 18f34fb0bdd8451ba008fe7ac2c74093 { "environments": [ { "id": "18f34fb0bdd8451ba008fe7ac2c74093", "name": "cst438", "description": "", "type": "ec2", "connectionType": "CONNECT_SSH", "arn": "arn:aws:cloud9:us-west-2:233287386565:environment:18f34fb0bdd8451ba008fe7ac2c74093", "ownerArn": "arn:aws:iam::233287386565:root", "lifecycle": { "status": "CREATED" }, "managedCredentialsStatus": "DISABLED_BY_OWNER" } ] } ``` which shows the command did successfully disable the managed credentials status. So why the exception message? Davidlg...