Questions tagged with IAM Policies


How to deal with multiple duplicate keys (Fn::Sub) in an AWS CloudFormation template?

I have a policy that is being made in a CloudFormation template. I want to add two resources to the policy; they end up being `arn::bucket` and `arn::bucket/*`. The issue is that the `arn` is a parameter and I get the error: `[cfn-lint] E0000: Duplicate resource found "Fn::Sub" (line 161)`. I understand that it doesn't like the duplicates.

```
"RolePolicies": {
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyName": "GetGEBucketPutCustomerBucket",
    "PolicyDocument": {
      "Statement": [
        {
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetObjectAttributes",
            "s3:GetObjectTagging",
            "s3:ListBucket",
            "s3:DeleteObject"
          ],
          "Effect": "Allow",
          "Resource": {
            "Fn::Sub": [ "${arn}/*", { "arn": { "Ref": "CustomerS3BucketARN" } } ],
            "Fn::Sub": [ "${arn}", { "arn": { "Ref": "CustomerS3BucketARN" } } ]
          }
        }
      ]
    },
    "Roles": [ { "Ref": "InstanceRole" } ]
  },
  "Metadata": {
    "AWS::CloudFormation::Designer": {
      "id": "a713fcc6-95c8-423f-a5b8-0020a81e5ce4"
    }
  }
}
```

However, this CloudFormation is allowed to run, but produces errors. When viewing the policy in the IAM console after create, I see that both of the resources were not created.

![IAM Console](/media/postImages/original/IM-C-6juMgR12vBi6kAOuH5Q)

The IAM policy editor gives me this error: `Ln 1, Col 0 Missing Version: We recommend that you specify the Version element to help you with debugging permission issues.` since the resource that ends with `/*` wasn't created by CloudFormation.
1 answer · 0 votes · 24 views · asked 4 days ago
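Added example in Python, not code from the original post or from AWS. It shows why the repeated `"Fn::Sub"` key in the question's `Resource` object leaves only one ARN in the created policy (a JSON object with a duplicate key is silently collapsed and the last value wins), how to refuse such a template when loading it, and the shape of the corrected statement: `Resource` as a list with one `Fn::Sub` per ARN, plus a `Version` element. The statement below is reduced from the question's template; the bucket ARN used for rendering is a constructed sample.

```python
"""Duplicate-key detection and the corrected Resource shape for the question's
IAM policy statement (added example, not from the original post)."""
from __future__ import annotations

import json
from typing import Any

# Constructed from the question: the statement with the duplicate "Fn::Sub" key.
DUPLICATE_STATEMENT_JSON = """
{
  "Effect": "Allow",
  "Action": ["s3:GetObject", "s3:ListBucket"],
  "Resource": {
    "Fn::Sub": ["${arn}/*", {"arn": {"Ref": "CustomerS3BucketARN"}}],
    "Fn::Sub": ["${arn}",   {"arn": {"Ref": "CustomerS3BucketARN"}}]
  }
}
"""


def load_lenient(text: str) -> dict[str, Any]:
    """Plain json.loads: a repeated key is silently overwritten, the last one wins."""
    return json.loads(text)


def _reject_duplicates(pairs: list[tuple[str, Any]]) -> dict[str, Any]:
    obj: dict[str, Any] = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f'duplicate key "{key}" in JSON object')
        obj[key] = value
    return obj


def load_strict(text: str) -> dict[str, Any]:
    """json.loads that raises on a repeated key, the condition cfn-lint reports as E0000."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def has_duplicate_keys(text: str) -> bool:
    try:
        load_strict(text)
    except ValueError:
        return True
    return False


def _sub(template: str, variables: dict[str, str]) -> str:
    for name, value in variables.items():
        template = template.replace("${" + name + "}", value)
    return template


def render_resources(statement: dict[str, Any], params: dict[str, str]) -> list[str]:
    """Resolve Ref and both Fn::Sub forms in a statement's Resource with the given
    parameter values and return the literal ARNs the policy would end up with."""
    raw = statement["Resource"]
    rendered: list[str] = []
    for item in raw if isinstance(raw, list) else [raw]:
        if isinstance(item, str):
            rendered.append(item)
        elif "Ref" in item:
            rendered.append(params[item["Ref"]])
        else:
            sub = item["Fn::Sub"]
            if isinstance(sub, str):              # short form: "${ParamName}"
                rendered.append(_sub(sub, params))
            else:                                 # long form: [template, {var: value}]
                template, varmap = sub
                variables = {k: (params[v["Ref"]] if isinstance(v, dict) else v)
                             for k, v in varmap.items()}
                rendered.append(_sub(template, {**params, **variables}))
    return rendered


def corrected_policy_document() -> dict[str, Any]:
    """Same grant with Resource as a list, so each ARN gets its own Fn::Sub and no
    key repeats; Version is added so the IAM console stops warning about it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                {"Fn::Sub": "${CustomerS3BucketARN}"},
                {"Fn::Sub": "${CustomerS3BucketARN}/*"},
            ],
        }],
    }


CORRECTED_JSON = json.dumps(corrected_policy_document())

if __name__ == "__main__":
    params = {"CustomerS3BucketARN": "arn:aws:s3:::example-bucket"}  # constructed
    print("duplicate keys:", has_duplicate_keys(DUPLICATE_STATEMENT_JSON))
    print("as deployed:", render_resources(load_lenient(DUPLICATE_STATEMENT_JSON), params))
    print("corrected:", render_resources(corrected_policy_document()["Statement"][0], params))
```

In the template itself the equivalent change is to make `Resource` a list, `[{"Fn::Sub": "${CustomerS3BucketARN}"}, {"Fn::Sub": "${CustomerS3BucketARN}/*"}]`, since the short form of `Fn::Sub` resolves parameter names directly and the variable map is not needed. Treat cfn-lint's E0000 as a blocking check in CI: the questioner reports that CloudFormation accepts the template, so the lint result is the only place the lost resource is visible before deployment.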

Capturing Application logs to Central log account CloudWatch using CWAgent

Can you take a look at the credentials section of the config file? I am working on a configuration file to send logs directly to a cross-account CloudWatch, and thereby to S3, to eliminate the maintenance of S3 buckets at each account level. I am following this AWS documentation: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-common-scenarios.html#CloudWatch-Agent-send-to-different-AWS-account

Normally, without the credentials section, logs were going to the same account's CloudWatch. But if I add the credentials section and add the related policies in the sender and receiver accounts, I couldn't see logs in the receiver's CloudWatch.

Config file:

```
{
  "agent": {
    "credentials": {
      "role_arn": "arn:aws:iam::512425977391:role/CWAgent-Receive-Role"
    },
    "metrics_collection_interval": 60,
    "region": "us-east-1",
    "debug": false
  },
  "logs": {
    "logs_collected": {
      "files": {
        "collect_list": [
          {
            "file_path": "C:\\AppData\\*",
            "log_group_name": "Server-1",
            "log_stream_name": "{instance_id}",
            "retention_in_days": 7
          }
        ]
      }
    }
  }
}
```

IAM policy at the sender account (role name: CWAgent-Send-Role):

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::512425977391:role/CWAgent-Receive-Role"
      ]
    }
  ]
}
```

IAM policy at the receiver account (which is added to the trust relationship; role name: CWAgent-Receive-Role):

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::166355562301:role/CWAgent-Send-Role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
0 answers · 0 votes · 9 views · asked 6 days ago
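Added example in Python, not code from the original post or from AWS: a consistency check over the documents the question shows (the CloudWatch agent config, the sender role's permission policy and the receiver role's trust policy). A cross-account agent setup needs three things to line up: the `role_arn` in the agent config must be a role the sender is allowed to `sts:AssumeRole` into, that role's trust policy must name the sender principal, and the assumed role must itself carry a permission policy that allows creating log groups and streams and putting log events. The account ids and role names are the questioner's; the receiver permission policy is a constructed placeholder, since the post shows only the trust policy, and the check says nothing about whether the policies are actually attached or whether the agent was restarted after the config change.

```python
"""Cross-account CloudWatch agent role-chain check (added example, not from the
original post). Verifies that agent config, sender permission policy, receiver
trust policy and receiver permission policy refer to each other consistently."""
from __future__ import annotations

from typing import Any, Iterator

SENDER_ROLE = "arn:aws:iam::166355562301:role/CWAgent-Send-Role"
RECEIVER_ROLE = "arn:aws:iam::512425977391:role/CWAgent-Receive-Role"

# The three documents from the question, as Python dicts.
AGENT_CONFIG: dict[str, Any] = {
    "agent": {"credentials": {"role_arn": RECEIVER_ROLE}, "region": "us-east-1"},
    "logs": {"logs_collected": {"files": {"collect_list": [
        {"file_path": "C:\\AppData\\*", "log_group_name": "Server-1",
         "log_stream_name": "{instance_id}", "retention_in_days": 7}]}}},
}
SENDER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": [RECEIVER_ROLE]}]}
RECEIVER_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": SENDER_ROLE}, "Action": "sts:AssumeRole"}]}

# Constructed placeholder: a permission policy for the receiver role. The post
# shows none; without one the assumed role cannot write anything to CloudWatch.
RECEIVER_PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                "logs:PutLogEvents", "logs:DescribeLogStreams"]}]}

# Actions the agent needs on the receiving side to deliver log lines.
REQUIRED_LOG_ACTIONS = ("logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents")


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action matching for the common shapes: exact, "*", and "service:*"."""
    if pattern == "*" or pattern == action:
        return True
    return pattern.endswith(":*") and action.startswith(pattern[:-1])


def _allow_statements(policy: dict, action: str) -> Iterator[dict]:
    for st in policy.get("Statement", []):
        if st.get("Effect") == "Allow" and any(
                _action_matches(p, action) for p in _as_list(st.get("Action", []))):
            yield st


def check_cross_account(agent_config: dict, sender_principal: str, sender_policy: dict,
                        receiver_trust: dict, receiver_permissions: dict) -> list[str]:
    """Return a list of findings; an empty list means the documents agree."""
    problems: list[str] = []
    role_arn = agent_config.get("agent", {}).get("credentials", {}).get("role_arn")
    if not role_arn:
        return ["agent config has no agent.credentials.role_arn"]

    # 1. The sender must be allowed to call sts:AssumeRole on the role the agent names.
    assumable = {r for st in _allow_statements(sender_policy, "sts:AssumeRole")
                 for r in _as_list(st.get("Resource", []))}
    if role_arn not in assumable and "*" not in assumable:
        problems.append(f"sender policy does not allow sts:AssumeRole on {role_arn}")

    # 2. The receiver's trust policy must name the sender principal.
    trusted = {p for st in _allow_statements(receiver_trust, "sts:AssumeRole")
               for p in _as_list(st.get("Principal", {}).get("AWS", []))}
    if sender_principal not in trusted:
        problems.append(f"receiver trust policy does not trust {sender_principal}")

    # 3. The assumed role must itself be allowed to write logs.
    granted = [p for st in receiver_permissions.get("Statement", [])
               if st.get("Effect") == "Allow" for p in _as_list(st.get("Action", []))]
    for needed in REQUIRED_LOG_ACTIONS:
        if not any(_action_matches(p, needed) for p in granted):
            problems.append(f"receiver role permission policy lacks {needed}")
    return problems


if __name__ == "__main__":
    findings = check_cross_account(AGENT_CONFIG, SENDER_ROLE, SENDER_POLICY,
                                   RECEIVER_TRUST, RECEIVER_PERMISSIONS)
    print("\n".join(findings) if findings else "role chain is consistent")
```

The first two checks pass on the documents exactly as the question shows them, so on paper the assume-role hop is wired correctly. The third check is the one the post gives no evidence about: a trust policy only controls who may assume the role, and a role with an empty permission set can be assumed successfully and still deliver nothing, which would look the same from the sender's side as a failed assumption. On the receiving account, `AssumeRole` and `PutLogEvents` events in CloudTrail show which of the two is happening.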