
Questions tagged with AWS Management Console

What is the suggested method to track user's actions after assuming a cross-account role

I need to be able to guarantee that a user's actions can always be traced back to their account regardless of which role they have assumed in another account. What methods are required to guarantee this for?

* Assuming a cross-account role in the console
* Assuming a cross-account role via the CLI

I have run tests and can see that when a user assumes a role in the CLI, temporary credentials are generated. These credentials are seen in CloudTrail logs under `responseElements.credentials` for the `assumeRole` event. All future events generated by actions taken in the session include the `accessKeyId` and I can therefore track all of the actions in this case.

Using the web console, the same `assumeRole` event is generated, also including an `accessKeyId`. Unfortunately, future actions taken by the user don't include the same `accessKeyId`. At some point a different access key is generated and the session makes use of this new key. I can't find any way to link the two and therefore am not sure of how to attribute actions taken by the role to the user that assumed the role.

I can see that when assuming a role in the console, the user can't change the `sts:sessionName` and this is always set to their username. Is this the suggested method for tracking actions? Whilst this seems appropriate for roles within the same account, as usernames are not globally unique I am concerned about using this for cross-account attribution. It seems placing restrictions on the value of `sts:sourceIdentity` is not supported when assuming roles in the web console.

0 answers · 1 vote · 29 views · asked 4 days ago

How do I transfer my AWS account to another person or business?

I am selling my site and need to transfer the AWS account to the buyer's business (the buyers do not use AWS for their other sites, but they want my site to continue with AWS). I cannot figure out how to do it. Do I need to pay for support, and what level?

This is Amazon's advice on transferring ownership of a site: https://aws.amazon.com/premiumsupport/knowledge-center/transfer-aws-account/

"To assign ownership of an AWS account and its resources to another party or business, contact AWS Support for help: Sign in to the AWS Management Console as the root user. Open the AWS Support Center. Choose Create case. Enter the details of your case: Choose Account and billing support. For Type, choose Account. For Category, choose Ownership Transfer. For all other fields, enter the details for your case. For Preferred contact language, choose your preferred language. For Contact methods, choose your preferred contact method. Choose Submit. AWS Support will contact you with next steps and help you transfer your account ownership."

I have done all this but have not yet been contacted (24 hours). The text seems to suggest that advice on transferring ownership is a necessary aspect of transferring an AWS root account to a company, and that such advice is provided free by Amazon, since nothing is said about pricing. If on the other hand AWS clients must pay for a support package to transfer ownership, which package? The $29 Developer package or the $100 Business package or some other package? How quickly does Amazon AWS respond? How quick is the transfer process? I am finding this very frustrating.

1 answer · 0 votes · 16 views · asked 8 days ago

Role chaining problem

Hi, I'm trying to achieve "role chaining" as in https://aws.plainenglish.io/aws-iam-role-chaining-df41b1101068. I have a user `admin-user-01` with this policy assigned:

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::<accountid>:role/admin_group_role"
  }
}
```

I have a role, which is meant for `admin-user-01`, with `role_name = admin_group_role` and this trust policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<accountid>:user/admin-user-01"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

And it also has a policy:

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::<accountid>:role/test-role"
  }
}
```

Then, I have another role, which is assigned for the role above (`admin_group_role`), with `role_name = test-role` and this trust policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<accountid>:role/admin_group_role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

But when I log in as `admin-user-01` into the account, then switch to the role `admin_group_role` and then try to switch to role `test-role`, I get: `Invalid information in one or more fields. Check your information or contact your administrator.`

P.S. Everywhere `<accountid>` is the same; all of the roles, users and permissions are created in the same account (which, I suppose, might be the reason why I face the error). What am I doing wrongly?

2 answers · 0 votes · 6 views · asked a month ago

AWS CodeDeploy: STRING_VALUE can not be converted to an Integer

Using AWS CodePipeline and setting a Source, Build and passing `taskdef.json` and `appspec.yaml` as artifacts, the deployment action `Amazon ECS (Blue/Green)` will fail with the error:

```
STRING_VALUE can not be converted to an Integer
```

This error does not specify where this error happens and therefore it is not possible to fix. For reference, the files look like this:

```yaml
# appspec.yaml
version: 0.0
Resources:
  - TargetService:
      Type: AWS::ECS::Service
      Properties:
        TaskDefinition: <TASK_DEFINITION>
        LoadBalancerInfo:
          ContainerName: "my-project"
          ContainerPort: 3000
```

```json
// taskdef.json
{
  "family": "my-project-web",
  "taskRoleArn": "arn:aws:iam::1234567890:role/ecsTaskRole-role",
  "executionRoleArn": "arn:aws:iam::1234567890:role/ecsTaskExecutionRole-web",
  "networkMode": "awsvpc",
  "cpu": "256",
  "memory": "512",
  "containerDefinitions": [
    {
      "name": "my-project",
      "memory": "512",
      "image": "01234567890.dkr.ecr.us-east-1.amazonaws.com/my-project:a09b7d81",
      "environment": [],
      "secrets": [
        { "name": "APP_ENV", "valueFrom": "arn:aws:secretsmanager:us-east-1:1234567890:secret:web/my-project-NBcsLj:APP_ENV::" },
        { "name": "PORT", "valueFrom": "arn:aws:secretsmanager:us-east-1:1234567890:secret:web/my-project-NBcsLj:PORT::" },
        { "name": "APP_NAME", "valueFrom": "arn:aws:secretsmanager:us-east-1:1234567890:secret:web/my-project-NBcsLj:APP_NAME::" },
        { "name": "LOG_CHANNEL", "valueFrom": "arn:aws:secretsmanager:us-east-1:1234567890:secret:web/my-project-NBcsLj:LOG_CHANNEL::" },
        { "name": "APP_KEY", "valueFrom": "arn:aws:secretsmanager:us-east-1:1234567890:secret:web/my-project-NBcsLj:APP_KEY::" },
        { "name": "APP_DEBUG", "valueFrom": "arn:aws:secretsmanager:us-east-1:1234567890:secret:web/my-project-NBcsLj:APP_DEBUG::" }
      ],
      "essential": true,
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "",
          "awslogs-region": "",
          "awslogs-stream-prefix": ""
        }
      },
      "portMappings": [
        { "hostPort": 3000, "protocol": "tcp", "containerPort": 3000 }
      ],
      "entryPoint": [ "web" ],
      "command": []
    }
  ],
  "requiresCompatibilities": [ "FARGATE", "EC2" ],
  "tags": [
    { "key": "project", "value": "my-project" }
  ]
}
```

Any insights on this issue are highly appreciated!

2 answers · 0 votes · 7 views · asked 4 months ago

ECS - FSx FileSystemNotFound: File system does not exist

I have an ECS service which is of Launch Type EC2 owned by an AWS account A. Our IT team has created an FSx storage owned by an AWS Account B ([see simple diagram here](https://i.stack.imgur.com/MyU1d.png)). When I try to launch tasks I get this error in the Stopped reason section of the task:

```
Stopped reason
Fsx describing filesystem(s) from the service for [fs-0c52aba0aac20c744]: FileSystemNotFound: File system 'fs-0c52aba0aac20c744' does not exist.
```

I have attached those 2 policies to the EC2 (container host) instance:

- AmazonFSxReadOnlyAccess (AWS Managed)
- fsx_mount (Customer Managed)

fsx_mount:

```json
{
  "Statement": [
    {
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:secretsmanager:us-west-2:111111111111:secret:dev/rushmore/ad-account-NKOkyh"
    },
    {
      "Action": [
        "fsx:*",
        "ds:DescribeDirectories"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:fsx:us-west-2:222222222222:file-system/fs-0c52aba0aac20c744"
    }
  ],
  "Version": "2012-10-17"
}
```

**Note** that the account id of 222222222222 represents AWS Account B. Also, **VPC Peering is in place between the EC2 instance VPC and the FileSystem VPC**.

Terraform `aws_ecs_task_definition`:

```hcl
resource "aws_ecs_task_definition" "participants_task" {
  volume {
    name = "FSxStorage"
    fsx_windows_file_server_volume_configuration {
      file_system_id = "fs-0c52aba0aac20c744"
      root_directory = "\\data"
      authorization_config {
        credentials_parameter = aws_secretsmanager_secret_version.fsx_account_secret.arn
        domain                = var.domain
      }
    }
  }
  ...
}
```

I am not sure why ECS cannot find the FSx file system. Surely it must be because it is in another AWS account, but I don't know what changes are required in order to fix this.

1 answer · 0 votes · 5 views · asked 4 months ago