Questions tagged with IAM Policies


How to query IAM roles and policies to be deprecated. Does AWS Access Analyzer list IAM roles and policies which are to be deprecated? Also, is there a better way to query a list of action items which are deprecated?
1 answer, 0 votes, 17 views, asked a month ago
Hello, this inconsistency between ECS and Batch is quite inconvenient for our multi-account CI/CD. There is no clear documentation from AWS about ARN vs. name in definition files. It is supported in one, but not the other.

This task-definition.json works for ECS:

```
{
  ...
  "taskRoleArn": "[TASK_ROLE_NAME]",
  "executionRoleArn": "[EXECUTION_ROLE_NAME]",
  ....
}
```

But trying to register a similar job-definition.json to Batch returns this error:

```
Error executing request, Exception : executionRoleArn batch-job-execution-role-dbt-runner is not an iam role arn, RequestId: c55d9c71-c330-4f8a-9043-b0956267b482
```

Thank you
0 answers, 0 votes, 18 views, Jason asked a month ago
I have been searching for the culprit. Everything from the article below seems in place; however, I can't get DMS migration tasks to create a group and log events to CloudWatch. This has been working perfectly for a long time and recently stopped after a renaming effort. https://aws.amazon.com/premiumsupport/knowledge-center/dms-cloudwatch-logs-not-appearing/

**Is there anywhere I can look to see why the log group creation failed, or to verify it is a permission issue for sanity?**

**Here are the task settings for each task where logging is enabled:**

```
{
  "Logging": {
    "EnableLogging": true,
    "EnableLogContext": false,
```

**Here is a DMS-granted IAM role:**

![Enter image description here](/media/postImages/original/IMAkBVoQTdRTC5L7kLZKn-iQ)

**Here is the above role's policy attachment:**

![Enter image description here](/media/postImages/original/IMSFpxGbCaSDesc_UwdaKO9g)
1 answer, 0 votes, 71 views, asked a month ago
Hi, is there a way to obtain the username of a user that's logging in with Identity Center? I want to implement [this](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-wheretouse) same thing that works fine with regular IAM users. Thanks!
1 answer, 0 votes, 29 views, asked a month ago
I'm working with the Alpakka AWS S3 connector (https://doc.akka.io/docs/alpakka/current/s3.html) and running into an issue with the way it validates the existence of a bucket. I've narrowed down the issue to the use of a condition in my IAM policy that I can't seem to find a workaround for. Hoping someone here might have a suggestion.

A bit of background: I have an S3 bucket "my-bucket" with multiple sub-folders. I need to restrict access to a specific subfolder for a specific user. To accomplish this, I have created the following policy:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRootLevelListingOfBucket",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-bucket"],
      "Condition": {
        "StringEquals": {
          "s3:prefix": [""],
          "s3:delimiter": ["/"]
        }
      }
    },
    {
      "Sid": "AllowSubFolderListing",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-bucket"],
      "Condition": {
        "StringEquals": {
          "s3:prefix": ["users/", "users/chris/"],
          "s3:delimiter": ["/"]
        }
      }
    },
    {
      "Sid": "AllowSubFolderReadAccess",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": "arn:aws:s3:::my-bucket/users/chris/*"
    }
  ]
}
```

With this policy I'm able to successfully use the AWS CLI s3 functions to confirm the desired access level to the `my-bucket/users/chris` sub-folder.

```
$ aws s3 ls my-bucket
                           PRE users/
$ aws s3 ls my-bucket/users/chris/
2023-02-27 16:21:43          0
2023-02-27 16:22:25   11801099 1003.csv
2023-02-27 16:22:32   11569175 1020.csv
2023-02-27 16:22:45   12099242 1091.csv
2023-02-27 16:23:02   11445674 1132.csv
2023-02-27 16:23:35   11796654 1145.csv
$ aws s3 cp s3://my-bucket/users/chris/1003.csv ./
download: s3://my-bucket/users/chris/1003.csv to ./1003.csv
```

The issue I'm running into is that the Alpakka AWS S3 bucket check (https://doc.akka.io/docs/alpakka/current/s3.html#check-if-bucket-exists) uses the HeadBucket endpoint (https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html) to validate access to the bucket. This requires the `s3:ListBucket` privilege on the bucket, but it seems that the condition in my AllowRootLevelListingOfBucket statement in the policy results in a 403 response from the HeadBucket endpoint:

```
$ aws s3api head-bucket --bucket my-bucket
An error occurred (403) when calling the HeadBucket operation: Forbidden
```

The quick fix is to remove the StringEquals condition in the AllowRootLevelListingOfBucket statement, but this allows full listing of the bucket, which is not acceptable. Any ideas on how to maintain the bucket and sub-folder restrictions and get a successful response from the HeadBucket endpoint?
1 answer, 0 votes, 22 views, ckalima asked a month ago
Hi, I'm an AWS administrator trying to transfer from the old IAM user approach to the new IAM Identity Center approach.

In the past, user Bob was attached to user group 'Developers' and then I gave Developers access to 'S3FullAccess'. In the new system, user Bob is attached to group 'Developers', the group is attached to an account 'Developers', and then I attach a permission set with 'S3FullAccess' to that account.

My question is, why is there this abstraction to accounts, and why do they need their own **email**? Am I expected to make a *new* email per group of users in AWS? This just seems like a redundancy.

My exact business case is that I'm trying to create a group of **admins** (for which there's already the management account we've been using), then a group of **developers** (which have a different current user group, without a separate email) with least-privileged access to a few services for an application we're building, and then also a group for our **web developers** that maintain our website through AWS. I'd rather corral them in AWS internally without external email accounts, as the old IAM currently does, and I don't understand the usefulness of abstracting them to accounts.

**Am I missing something? Is there another way to do this, or is there usefulness I'm not seeing?** To accomplish my current function with IAM Identity Center I need to have a **management account** (the first user), an **application development account** (account A), and a **website development account** (account B), correct?
1 answer, 0 votes, 74 views, asked a month ago
I accidentally deleted RBAC because I was initially trying to solve a completely different issue related to kube-apiserver-kubelet-client, shown below, after upgrading EKS to version 1.25:

> (user=kube-apiserver-kubelet-client, verb=get, resource=nodes, subresource=proxy)

Now I have completely lost access to the EKS cluster. I don't know how to get it back. For example, running this command gives the error below.

> kubectl auth can-i list secrets --namespace bachelierdev
> no - RBAC: clusterrole.rbac.authorization.k8s.io "kube-developer-cr" not found

I'm not sure how to apply RBAC (ClusterRole and ClusterRoleBinding) without access to EKS. Here is a screenshot of me trying to apply RBAC:

![Enter image description here](/media/postImages/original/IMQzqA5jI1SCiYKlBRl-T9Bw)
1 answer, 0 votes, 22 views, asked a month ago
I am following the IoT Greengrass tutorial at https://docs.aws.amazon.com/greengrass/v2/developerguide/defer-component-updates-tutorial.html. I am stuck on the step "gdk component publish". I am unable to publish the helloworld component to the cloud service from my development computer.

Issue:

```
[2023-03-01 19:51:30] INFO - Getting project configuration from gdk-config.json
[2023-03-01 19:51:30] INFO - Found component recipe file 'recipe.json' in the project directory.
[2023-03-01 19:51:30] INFO - Found credentials in shared credentials file: ~/.aws/credentials
[2023-03-01 19:51:34] INFO - No private version of the component 'com.example.BatteryAwareHelloWorld' exist in the account. Using '1.0.0' as the next version to create.
[2023-03-01 19:51:34] INFO - Publishing the component 'com.example.BatteryAwareHelloWorld' with the given project configuration.
[2023-03-01 19:51:34] INFO - Uploading the component built artifacts to s3 bucket.
[2023-03-01 19:51:34] INFO - Uploading component artifacts to S3 bucket: greengrass-component-artifacts-<<region>>-<<aws account>>. If this is your first time using this bucket, add the 's3:GetObject' permission to each core device's token exchange role to allow it to download the component artifacts. For more information, see https://docs.aws.amazon.com/greengrass/v2/developerguide/device-service-role.html.
[2023-03-01 19:51:34] INFO - Updating the component recipe com.example.BatteryAwareHelloWorld-1.0.0.
[2023-03-01 19:51:34] INFO - Creating a new greengrass component com.example.BatteryAwareHelloWorld-1.0.0
[2023-03-01 19:51:35] ERROR - Failed to create the component using the recipe at 'D:\IOT_GG_POC\com.example.BatteryAwareHelloWorld\greengrass-build\recipes\com.example.BatteryAwareHelloWorld-1.0.0.json'.
[2023-03-01 19:51:35] ERROR - Failed to publish new version of the component 'com.example.BatteryAwareHelloWorld'

=============================== ERROR ===============================

Could not publish the component due to the following error.
Failed to publish new version of component with the given configuration.
Creating private version '1.0.0' of the component 'com.example.BatteryAwareHelloWorld' failed.
An error occurred (ValidationException) when calling the CreateComponentVersion operation: Invalid Input: Encountered following errors in Artifacts: {s3://BUCKET_NAME/COMPONENT_NAME/COMPONENT_VERSION/com.example.BatteryAwareHelloWorld.zip = Specified artifact resource cannot be accessed}
```

The artifact is successfully created in S3, but it is failing to create the component on the IoT Greengrass service. I have given S3 full access to the user access keys in ~/.aws/credentials. I have also given full access on the role "GreengrassV2TokenExchangeRole", which Greengrass core devices use to download components from S3. Can anyone suggest what I am missing here?
1 answer, 0 votes, 40 views, asked a month ago
How do I go about getting multiple CloudTrail trails into a single logging account in CloudWatch? I was thinking maybe Kinesis with a CloudWatch subscription filter? Or is there another way?
5 answers, 0 votes, 53 views, asked a month ago
I'm stuck on Exercise 5: Create an Amazon S3 Bucket. I can get to task 3, Modifying the S3 bucket policy, but when I try to save the policy I receive an unknown error. Upon clicking on it, the API response is "Invalid principal in policy". I'm not sure if I missed a critical step in the earlier parts of this course or not.
2 answers, 0 votes, 72 views, asked a month ago
I'm trying to set up an SCP to prevent iam:CreateUser and iam:CreateAccessKey for all the IAM users except the administrators. The issue is that the administrators' IAM role ARN is like arn:aws:iam::--------:role/aws-reserved/sso.amazonaws.com/eu-north-1/AWSReservedSSO_AWSAdministratorAccess, and it changes dynamically for every account. Any idea how I can define a common IAM role ARN which covers all administrators' IAM roles across my accounts?
2 answers, 0 votes, 36 views, asked a month ago
Hello everyone, I am trying to figure out a way to automate access key rotation for IAM users. We have several users that have their own IAM programmatic access key, and I am trying to figure out a way to force the user to rotate their access key after 90 days. It would be nice to also have some sort of SNS topic that will inform the user. I attempted to use the ASA key rotation document that AWS provided, but kept on running into CloudFormation template errors, which include "Malformed Document" and missing resources in the .py files. https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-rotate-iam-user-access-keys-at-scale-with-aws-organizations-and-aws-secrets-manager.html Any guidance on this would be awesome. Thank you!
2 answers, 0 votes, 47 views, asked a month ago