Questions tagged with IAM Policies

Hello, i'm trying to finish a lab, but got stuck at this one. "create a policy called all-users which covers the following: 1. Users can create/list all MFA devices (including virtual) and list MFA device tags. 2. Users can only enable/deactivate their own MFA devices. 3. Users can only delete their own virtual MFA device on the condition that they have enabled MFA. You'll need to use Policy variables such as ${aws:username}." now, trying to create this, but never able to figure out what exactly has to be done where I can't go to next step. could someone help figuring out what has to be done exactly? Thank youlg...

I'm using a personal account for this, so I'm accessing AWS as a root user. When I try to create a rule to be able to receive emails with my domain I receive an error in an alert bar saying "You do not have sufficient access to perform this action." I have already set up my domain DKIM and set the MX Records to my domain. I honestly have no idea what to do. Edit: It seems like the following request is returning a 403: https://lambda.us-east-1.amazonaws.com/2015-03-31/functions/?MaxItems=100lg...

I am getting an error when attempting to use SAM BUILD to add code into a CloudFormation Template. Here is the message log from Cloud Trail. I verified that the user has AdministratorAccess as a permission set. Any help would be appreciated. { "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "######", "arn": "arn:aws:iam::#####:user/XXXXX", "accountId": "#####", "accessKeyId": "######", "userName": "XXXXXX" }, "eventTime": "2023-03-22T17:26:19Z", "eventSource": "serverlessrepo.amazonaws.com", "eventName": "CreateCloudFormationTemplate", "awsRegion": "us-east-1", "sourceIPAddress": "######", "userAgent": "Boto3/1.26.95 Python/3.8.8 Windows/10 Botocore/1.29.95", "errorCode": "AccessDenied", "requestParameters": { "semanticVersion": "latest", "applicationId": "#######.dkr.ecr.us-east-1.amazonaws.com%2FBATCHJOB" }, "responseElements": { "Access-Control-Expose-Headers": "*,Amz-Sdk-Invocation-Id,Amz-Sdk-Request,Authorization,Content-Length,Content-Type,Date,Host,x-amz-content-sha256,X-Amz-Date,X-Amz-Security-Token,X-Amz-Target,x-amz-user-agent,x-amzn-platform-id,x-amzn-trace-id", "message": "User: arn:aws:iam::######:user/XXXXX is not authorized to perform: serverlessrepo:CreateCloudFormationTemplate on resource: ######.dkr.ecr.us-east-1.amazonaws.com/BATCHJOB" }, "requestID": "98fb4cc7-1907-4472-a161-67fc75492d81", "eventID": "f3688202-a889-42d1-ab56-82dfc7002cd4", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "######", "eventCategory": "Management" }lg...

Hi, we have the next code deployed on a Lambda: ``` async function getToken(hostname, port, username, region) { // Security relies on temporal IAM tokens instead of passwords + TLS encryption. const signer = new Signer({ hostname: hostname, port: port, username: username, region: region, }); return await signer.getAuthToken(); } export const databaseProviders = [ { provide: 'SEQUELIZE', useFactory: async () => { const hostname = process.env.DB_HOSTNAME; const port = Number(process.env.DB_PORT); const dbname = process.env.DB_NAME; const username = process.env.DB_USERNAME; const region = process.env.AWS_REGION; const token = await getToken(hostname, port, username, region); const sequelize = new Sequelize({ host: hostname, dialect: 'mysql', database: dbname, username: username, password: token, port: port, dialectOptions: { ssl: 'Amazon RDS', authPlugins: { mysql_clear_password: () => () => { return token; }, }, }, }); return sequelize; }, }, ]; ``` This always worked perfectly fine both locally and deployed on the cloud, but suddenly stopped working locally. By logging the token I found that, when invoked locally, the signer returns a temporal token WITHOUT X-Amz-Security-Token (when invoked on the cloud, X-Amz-Security-Token is present). Could it be some change in IAM deployed by AWS recently? Thanks in advance, Francolg...

Cloudfront automatically added these bucket policy rules, but now my IAM user + production IAM role can't access the bucket to perform head object operation. How do I modify this to allow for object access for my server? I also already tried using principle. It didn't work. The IAM user has full access to S3 ``` { "Version": "2008-10-17", "Id": "PolicyForCloudFrontPrivateContent", "Statement": [ { "Sid": "Server access", "Effect": "Allow", "Principal": "*", "Action": [ "s3:GetObject", "s3:ListBucket", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*" ], "Condition": { "StringEquals": { "AWS:SourceArn": "arn:aws:iam::1234567890:user/dev" } } }, { "Sid": "AllowCloudFrontServicePrincipal", "Effect": "Allow", "Principal": { "Service": "cloudfront.amazonaws.com" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket-name/*", "Condition": { "StringEquals": { "AWS:SourceArn": "arn:aws:cloudfront::1234567890:distribution/asdf" } } } ] } ``` [![enter image description here][1]][1] [1]: https://i.stack.imgur.com/ox5E7.pnglg...

When I click button "Create Crawler" in AWS Glue service, I failed. But I set up generated IAM Role with permission policy "AdministratorAccess" for this subcribe account. Please help me solve this issue. Thank you so much. my error: Account xxxxxxxxxxxx denied accesslg...

Hi, We have been using SES for the past 4 years without any problem. Last Saturday 19 March 2023, I created a new set of SMTP credentials to configure email sending method in Region Asia Pacific (Mumbai). Encountered the below in Oracle Apex Mail Queue: ORA-29279: SMTP permanent error: 535 Authentication Credentials Invalid Upon searching and enquiring the reason, I found the policy attached - AmazonSesSendingAccess - has some Unrecognized actions . #### Copy of the text from the page Edit AmazonSesSendingAccess is below: Service **Pinpoint Email** Actions Unrecognized actions **IAM does not recognize one or more actions. The action name might include a typo or might be part of a previewed or custom service.** **SendRawEmail** Resources All resources Request conditions Specify request conditions (optional) Service **SES v2** Actions Unrecognized actions IAM does not recognize one or more actions. The action name might include a typo or might be part of a previewed or custom service. SendRawEmail Resources All resources Service **SES** Actions Write SendRawEmail Resources All resources Where am I going wrong? Or Is it a problem at AWS SES, yet to be fixed? Any help on this will be highly appreciated. Thank you all. Rajalg...

I get the following error when I add 3 lines to my policy `Value of property PolicyDocument must be an object ` (Lines with #JustAdd) If I remove those 3 lines it works great whats wrong ? ``` Policies: - PolicyName: !Sub 'X-${AWS::Region}' PolicyDocument: - Effect: Allow Action: 'ssm:GetParametersByPath' Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/X' - Effect: Allow Action: 'ssm:GetParameters' Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/X/*' - Effect: Allow Action: 's3:*' Resource: '*' - Effect: Allow Action: - secretsmanager:GetSecretValue Resource: - !Sub 'arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:C*' - Effect: Allow Action: - 'ec2:DescribeNetworkInterfaces' - 'ec2:CreateNetworkInterface' - 'ec2:DeleteNetworkInterface' - 'ec2:DescribeInstances' - 'ec2:AttachNetworkInterface' Resource: '*' - Effect: Allow Action: 'kms:Decrypt' Resource: '*' - Effect: Allow #JustAdded Action: sqs:* #JustAdded Resource: 'arn:aws:sqs:us-east-1:000000000000:Q.fifo' #JustAdded RoleName: !Sub 'X-${AWS::Region}' ```lg...

I'm following this tutorial: https://docs.aws.amazon.com/datasync/latest/userguide/tutorial_s3-s3-cross-account-transfer.html#s3-s3-cross-account-create-datasync-destincation The steps have been completed accurately through step 3. When attempting step 4, I get the error ``` An error occurred (InvalidRequestException) when calling the CreateLocationS3 operation: DataSync location access test failed: could not perform s3:HeadBucket on bucket name-of-my-bucket. Access denied. Ensure bucket access role has s3:ListBucket permission. ``` I've ensured the bucket access role has the s3:ListBucket permission, and I don't know what to do next.lg...

Hello I'm kinda new in AWS I read a lot and I can't figure out what's going on. when I try to use the lexv2 ```json { "message": "Credential should be scoped to correct service: 'lex'. " } ``` I did the following: 1. Create a CLI aws account (**test** user) 2. I added the permissions: **AmazonLexReadOnly** and **AmazonLexRunBotsOnly** I even added another that I read in another website ( I Created a new policy) with this json: ```json { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "lex:GetSession", "lex:RecognizeText", "lex:PutSession", "lex:DeleteSession", "lex:StartConversation", "lex:RecognizeUtterance" ], "Resource": "*" } ] } ``` 3. I created an access api key/secret key 4. Added to postman as AWS identification and hitting this url `https://runtime-v2-lex.us-east-1.amazonaws.com/bots/KVI5WI1AAA/botAliases/UZA1JMDAAA/botLocales/en_US/sessions/random/text` (the last letters I replaced with **AAA** just to hide the complete url and check if is the name or the ID) I got the botId from lex website, the alias I think is the correct (same from lex but I'm not sure if is the name or this ID), the (access key 1 is the one I'm using, and says **Access key last usedNever**  I can't figure out what's wrong, I tried to read a lot of tutorials but I have no luck. How I can setup this correctly?lg...

I have recently used a 100% AWS associate voucher to book an exam schedule on VUE. However, I would like to cancel this schedule to take back the voucher and apply the voucher to my friend's account. Is this possible? If so, what are the steps I need to follow? I appreciate your assistance and prompt response on this matter.lg...

I get the following error when trying to create a function and assign a newly created role. I'm printing the ARN and it looks OK. Using "Node.js 16.x" ``` 2023-03-17T19:26:40.245Z 342fa261-e9d8-426d-9231-60d9409a76dc INFO Role ARN is arn:aws:iam::XXXX:role/MQTT-SAVE-ROLE 2023-03-17T19:26:40.446Z 342fa261-e9d8-426d-9231-60d9409a76dc INFO Role ARN is arn:aws:iam::XXXX:role/MQTT-SAVE-ROLE 2023-03-17T19:26:41.064Z 342fa261-e9d8-426d-9231-60d9409a76dc INFO InvalidParameterValueException: The role defined for the function cannot be assumed by Lambda. ``` ``` const AWS = require('aws-sdk'); const path = require('path'); const s3 = new AWS.S3(); const lambda = new AWS.Lambda(); const iam = new AWS.IAM(); exports.handler = async (event) => { // TODO implement //Create Role var info = { name: "MQTT-SAVE-ROLE", PolicyArn: ["arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"], }; var role = await createRole(info); console.log("Role ARN is", role); //Create Function info = { name: "mqtt_save", role: role }; var respCreate = await createFunction(info); return; }; async function createRole(info) { var role; var myPolicy = { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }; var createParams = { AssumeRolePolicyDocument: JSON.stringify(myPolicy), RoleName: info.name }; try { var respIam = await iam.createRole(createParams).promise(); console.log("Role ARN is", respIam.Role.Arn); // successful response role = respIam.Role.Arn; //attach Role Policy for(var i = 0; i< info.PolicyArn.length; i++ ){ var policyParams = { PolicyArn: info.PolicyArn[i], RoleName: info.name }; await iam.attachRolePolicy(policyParams).promise(); } } catch (err) { console.log(err, err.stack); // an error occurred return; } return role; } async function createFunction(info) { //Create Function var params = { Code: { S3Bucket: 'base-lambda-code', S3Key : info.name + '.zip', }, FunctionName: info.name + '_test', Description: 'Function used to save data from MQTT to Dynamo DB', Role: info.role, Handler: 'index.handler', Runtime: "nodejs16.x" , PackageType: "Zip", Publish: true, Timeout: '60', }; try { var response = await lambda.createFunction(params).promise(); console.log("ARN: ",response.FunctionArn ); console.log("State: ", response.State ); } catch (err) { console.log(err, err.stack); // an error occurred return; } return response; } ```lg...