Questions tagged with IAM Policies

HI, Anyone faced this problem while learning AWS Terraform ? I am following the Book to practice the Terraform I am getting below error. url: (7) Failed to connect to <<<removed Public IP Address of EC2 >> port 8080 after 49 ms: Couldn't connect to server Please advise if there is any recent upgrade ? My Code is below provider "aws" { region="us-east-2" } resource "aws_security_group" "instance" { name="terraform-example-instance" ingress { from_port=8080 to_port=8080 protocol="tcp" cidr_blocks=["0.0.0.0/0"] } } resource "aws_instance" "example" { ami="ami-0a695f0d95cefc163" instance_type="t2.micro" vpc_security_group_ids=[aws_security_group.instance.id] user_data=<<-EOF #!/bin/bash echo "Hello, World" > index.html nohup busybox httpd -f -p 8080 & EOF tags={ "Name" = "terraform-example" } }lg...

Hello there AWS team! I'm currently working with the ESP32 platform to create a device that connects to AWS and sends/receives data. The idea is that I will have multiple ESP32 devices. At this moment what I'm doing is that I create a Thing per each device. So, if I have 3 devices, I need to create 3 Things, with their respective certificate and key. JITP helped me but I noticed each firmware will be different for each device. For example, device 1 will have firmware 1 with certificate 1 and key 1. The same thing will happen for devices 2, 3, and so on. I'm doing OTA with these devices and since every firmware needs to be different due to the certificates, keys, and thingname... I'm facing an unscalable wall. Is there any option that helps with this? The only option I can think of right now is to use 1 Thing in AWS IoT Core, and all my devices in the field will have the same certificate and key. I feel that is not a good practice, but the other option seems way worse. Thanks a lot in advancelg...

Hello, required: Enable s3 bucket access for a specific permission set 1.I have an SSO role in IAM for Billing. This is an AWS managed SSO Role and gives access to Billing Actions in its policy. AWSReservedSSO_BillingReadOnly_tagnumber. 2.Have an IAM Identity Center Group, AWS-acctnum-BillingReaders-Prod, that has 4 SSO users. 3. The above group has been assigned to permission sets below, user is able to see the permission sets on his login page, under the account. 4. Also Have a permission set(BillingReadOnly) that has the AWS managed Billing policy- AWSBillingReadOnlyAccess and also an inline policy that allows access to s3 bucket, (ListBucket, GetObject) The SSO user who is part of group 2, sees this permission set on his login screen. But he does not see any buckets listed on s3. Note, anything that is AWS managed, cannot be altered, hence the addition of custom inline policy on the permission set. Any idea what's wrong here? Thanks in advance.lg...

`{ "Version": "2012-10-17", "Id": "PersonalizeS3BucketAccessPolicy", "Statement": [ { "Sid": "PersonalizeS3BucketAccessPolicy", "Effect": "Allow", "Principal": { "Service": "personalize.amazonaws.com" }, "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::fashionrecommendationsystem", "arn:aws:s3:::fashionrecommendationsystem/*" ] } ] } ` This is the bucket policy I have attached to my S3 bucket. lg...

Template format error: Unresolved resource dependencies [VpcFlowLogBucket] in the Resources block of the template I am getting the above error in my cloudformation template when i use conditions while creating resources. I have a usecase where if user enters a specific parameter then i will apply a particular condition to avoid creating an s3 bucket and use the one that user has given the arn to. ``` AWSTemplateFormatVersion: "2010-09-09" Description: CloudFormation stack for relaying AWS VPC flow logs for security analysis and storage. Outputs: StackName: Description: The name of the stack deployed by this CloudFormation template. Value: !Ref "AWS::StackName" Parameters: VpcIds: Description: The IDs of the VPCs for which flow logs will be relayed. VPC Flow Logs will be enabled for these VPCs. Type: List<AWS::EC2::VPC::Id> VpcFlowLogBucketArn: Type: String Description: (Optional) The ARN of an existing S3 bucket to use for VPC flow logs. If specified, VpcFlowLogDestination will be ignored. TrafficType: AllowedValues: - ACCEPT - REJECT - ALL Default: ALL Description: Whether to log only rejected or accepted traffic, or log all traffic. Logging all traffic (default) enables more security outcomes. Type: String OrgId: Description: Your account number. Type: Number RetentionInDays: Description: The number of days to retain AWS VPC Flow Logs in the S3 bucket. This is effectively the size of your recovery window if the flow of logs is interrupted. Type: Number Default: 3 Conditions: HasExpirationInDays: !Not [!Equals [!Ref RetentionInDays, 0]] UseExistingS3Bucket: !Equals [!Ref VpcFlowLogBucketArn, ""] Resources: VpcFlowLogBucket: Type: "AWS::S3::Bucket" Condition: UseExistingS3Bucket Properties: BucketName: !Join - "-" - - aarmo-vpc-flow-bucket - !Ref OrgId - !Ref "AWS::StackName" - !Ref "AWS::Region" LifecycleConfiguration: Rules: - ExpirationInDays: !If [HasExpirationInDays, !Ref RetentionInDays, 1] Status: !If [HasExpirationInDays, Enabled, Disabled] NotificationConfiguration: QueueConfigurations: - Event: "s3:ObjectCreated:*" Queue: !GetAtt [MyQueue, Arn] DependsOn: - MyQueue VpcFlowLogBucketPolicy: Type: "AWS::S3::BucketPolicy" Condition: UseExistingS3Bucket DependsOn: - VpcFlowLogBucket Properties: Bucket: !Ref VpcFlowLogBucket PolicyDocument: Version: "2012-10-17" Statement: # https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html#flow-logs-s3-permissions - Sid: AWSLogDeliveryWrite Effect: Allow Principal: Service: "delivery.logs.amazonaws.com" Action: "s3:PutObject" Resource: !Sub "${VpcFlowLogBucket.Arn}/AWSLogs/${AWS::AccountId}/*" Condition: StringEquals: "s3:x-amz-acl": "bucket-owner-full-control" - Sid: AWSLogDeliveryAclCheck Effect: Allow Principal: Service: "delivery.logs.amazonaws.com" Action: "s3:GetBucketAcl" Resource: !GetAtt "VpcFlowLogBucket.Arn" MyQueue: Type: AWS::SQS::Queue Properties: QueueName: "SampleQueue12345128" MyQueuePolicy: Type: AWS::SQS::QueuePolicy Properties: PolicyDocument: Statement: - Effect: Allow Principal: Service: sns.amazonaws.com Action: - sqs:SendMessage - sqs:DeleteMessage - sqs:RecieveMessage Resource: "*" Queues: - Ref: MyQueue ``` What is the issue with the above cloudformation template? I have tried debugging the template multiple times but still getting nowhere. any help would be greatly appretiated!lg...

I have the IAM role and policy setup per https://eksctl.io/usage/minimum-iam-policies/. When I create the cluster all the CF stacks complete with no errors at all. But I am getting this on the screen. The acutal error is at the very bottom. ``` 2023-03-30 11:51:22 [▶] completed task: create IAM role for serviceaccount "kube-system/aws-node" 2023-03-30 11:51:22 [▶] started task: create serviceaccount "kube-system/aws-node" 2023-03-30 11:51:22 [ℹ] waiting for CloudFormation stack "eksctl-tmdev-us1-pipe-prod-addon-iamserviceaccount-kube-system-AS-cluster-autoscaler" 2023-03-30 11:51:52 [▶] failed task: create serviceaccount "kube-system/aws-node" (will not run other sequential tasks) 2023-03-30 11:51:52 [▶] failed task: 2 sequential sub-tasks: { create IAM role for serviceaccount "kube-system/aws-node", create serviceaccount "kube-system/aws-node", } (will continue until other parallel tasks are completed) 2023-03-30 11:51:52 [▶] failed task: 4 parallel sub-tasks: { 2 sequential sub-tasks: { create IAM role for serviceaccount "kube-system-LB/aws-lb-controller", create serviceaccount "kube-system-LB/aws-lb-controller", }, 2 sequential sub-tasks: { create IAM role for serviceaccount "kube-system-DNS/external-dns", create serviceaccount "kube-system-DNS/external-dns", }, create IAM role for serviceaccount "kube-system-AS/cluster-autoscaler", 2 sequential sub-tasks: { create IAM role for serviceaccount "kube-system/aws-node", create serviceaccount "kube-system/aws-node", }, } (will not run other sequential tasks) 2023-03-30 11:51:52 [▶] failed task: 2 sequential sub-tasks: { 4 sequential sub-tasks: { wait for control plane to become ready, associate IAM OIDC provider, 4 parallel sub-tasks: { 2 sequential sub-tasks: { create IAM role for serviceaccount "kube-system-LB/aws-lb-controller", create serviceaccount "kube-system-LB/aws-lb-controller", }, 2 sequential sub-tasks: { create IAM role for serviceaccount "kube-system-DNS/external-dns", create serviceaccount "kube-system-DNS/external-dns", }, create IAM role for serviceaccount "kube-system-AS/cluster-autoscaler", 2 sequential sub-tasks: { create IAM role for serviceaccount "kube-system/aws-node", create serviceaccount "kube-system/aws-node", }, }, restart daemonset "kube-system/aws-node", }, create managed nodegroup "jenkins-pipeline-nodegroup", } (will not run other sequential tasks) 2023-03-30 11:51:52 [!] 1 error(s) occurred and cluster hasn't been created properly, you may wish to check CloudFormation console 2023-03-30 11:51:52 [ℹ] to cleanup resources, run 'eksctl delete cluster --region=us-east-1 --name=tmdev-us1-pipe-prod' 2023-03-30 11:51:52 [✖] failed to create service account kube-system/aws-node: checking whether namespace "kube-system" exists: Get "https://XXXXXXXXXXB2A140B1DB492834D6A69A.gr7.us-east-1.eks.amazonaws.com/api/v1/namespaces/kube-system": dial tcp 172.11.111.111:443: i/o timeout Error: failed to create cluster "tmdev-us1-pipe-prod" ``` When I go to EKS in the AWS Console and click on this cluster I do see a strange error at the top. Not sure if its related or not. ``` Error loading GenericResourceCollection/namespaces ```lg...

My client is not able to access ALB URL, but I am able to access the same. ALB URL's security group has "All Traffic" rule in both inbound and outbound rules. Also my EC2 instance is windows and I have deactivated its firewall to not block any incoming IP addresses. How to solve this issue.lg...

Hi Guys, I deployed my java app on EC2 and here I am doing call to Amazon Cognito in order to push user data. So I am getting below error, `Profile file contained no credentials for profile 'default': ProfileFile(profiles=[])". When you are trying the same on your local machine its working fine` My understanding was If I gave IAM role(CognitoSuperUser) which has permission for Cognito to Ec2, I don't have to put credentials in EC2 profile file. Am I wrong? will not EC2 be able to allow calling to Cognito without any configuration? Like I do call to S3 from Ec2 by allowing permission in the IAM role that assigned Ec2. This is the way I create client to call. is there any other way to make call instead of **ProfileCredentialsProvider** ``` this.cognitoClient = CognitoIdentityProviderClient.builder() .region(Region.US_EAST_2) .credentialsProvider(ProfileCredentialsProvider.create()) .build(); ``` Thankslg...

I am trying to create and EC2 instance and in Network settings I am supposed to pick the default VPC selection but there no VPC onthe drop down, it was blank. I decided to create a default VPC but now I also have no subnet in the dropdown but cannot create one. How do I rectify this?lg...

I want create a architecture, inside to Learner Lab, but I don't know what police use, because inside of Learned Lab, I can't create role. I'm try do this my thing(temperature) send a message to IoT core and save IoT data inside to dynamoDB if temperature > 30 send a message from iot to snslg...

It show this error "ValidationException: The assume role is invalid" while creating Association with the document "AWSEC2-PatchLoadBalancerInstance". It say to use "AWSServiceRoleForAmazonSSM" but it can be added as the association role lg...

I created EKS resources via Terraform. I now want to get temporary credentials for a new role (new_dev has eks:DescribeCluster permission). It throws below error, user xxxxx has AdminitratorAccess policy. Should I add an assume role policy to the user xxxxx? aws sts assume-role --role-arn arn:aws:iam::---:role/new_dev --role-session-name dev An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::---:user/xxxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::---:role/new_devlg...