Questions tagged with AWS Identity and Access Management
Delegate SCP administration of specific OU to IAM role of a member account
We have a shared Organization and would like to allow member accounts in the Organization to self-manage SCPs on the OUs where their accounts are located. We want to know if it is possible to do the following:
1. An organization has OU-A, OU-B and OU-C etc.
2. An account in OU-B wants to use IAM-User-B to create an SCP in the Management account and assign it to OU-B.
3. IAM-User-B must have the ability to create/modify/delete SCPs in Organizations in the Management account, but can ONLY assign the SCP to OU-B.
4. Any attempt to assign an SCP to OU-A or OU-C will be denied.
5. Auditing is in place and a notification is triggered on any invalid attempt by IAM-User-B.
6. The same principle must be applied to users in OU-A and OU-C.
Any help is appreciated. Thanks
Is there an open source security platform (CIEM/CSPM) which implements or calculates AWS's effective permissions, taking into account the permission boundaries of IAM identities?
Hi. I wanted to know if there is any open source security platform which uses the AWS permissions boundary to evaluate the effective permissions for a particular identity. Can someone point me to some documentation or GitHub repositories for such products? Thanks
S3 backup error in AWS Backup
I am facing an error when trying to back up an S3 bucket with AWS Backup. I have checked everything but get the following error:
Unable to perform events:ListRules on AwsBackupManagedRule The backup job failed to create a recovery point for your resource arn:aws:s3:::hppp due to missing permissions on role arn:aws:iam::676968646773:role/service-role/AWSBackupDefaultServiceRole.
Help me out with this; if possible, please provide steps to troubleshoot it. Thanks
How to support expired password change with an IP restriction (user should be on a VPN)?
We currently have explicit deny policies to prevent our IAM users from doing any action unless they are logged into our VPN, via an IP address list restriction. The issue is that in the case where a user lets his / her password expire, this user will be forced by AWS to change it at the next login attempt: in that case, the API call to AWS to effectively change the password will be performed from AWS itself on behalf of the user, which of course is not logged on to our VPN and therefore does not match the IP address list restriction. The only workaround so far is to create another role lifting this VPN restriction just for this use case, assigned to users temporarily just to give them the time to change their password. On top of being overhead, it creates risk if the assignment back to the secure VPN-restricted role is not done. Any hint at a more elegant / better solution? Thanks
Cross-Region CDK Deployments without bootstrapping every region
Is it possible to deploy the same stack across multiple regions in the same account or in different accounts without actually bootstrapping every region in every account, but rather using the same bootstrapped IAM roles created in a single region? I understand certain resources such as the KMS key and SSM Parameter Store are region-bound; however, resources which are global, such as IAM roles and S3 buckets, don't need to be recreated for every region. Please advise if this is possible with customized bootstrapping. If so, how exactly should the bootstrap template be tweaked for this?
SAM Deploy failed to create a lambda function
**Steps to Reproduce this issue:** Visual Studio Code & AWS Toolkit to deploy a Lambda function (Python based) to us-east-1. I was using an IAM user (not an admin) that has the following managed policies attached:
* IAMFullAccess
* AmazonSNSFullAccess
* AmazonSQSFullAccess
* AmazonS3FullAccess
* AWSCloudFormationFullAccess
* AWSLambda_FullAccess
**Observed:** Observed the following error and the CFN deployment was rolled back:
2022-11-04 18:42:26 UTC-0700 ServerlessRestApi CREATE_FAILED User: arn:aws:iam::XXXXXXXXXXXXXXXXX:user/demo-test is not authorized to perform: apigateway:POST on resource: arn:aws:apigateway:us-east-1::/restapis because no identity-based policy allows the apigateway:POST action (Service: AmazonApiGateway; Status Code: 403; Error Code: AccessDeniedException; Request ID: 6f0eef1d-14c4-4e53-a972-4ca3d21cf256; Proxy: null)
**Ask:**
1) Can you please help me understand how I should interpret this error and what specific permission / policy change I need to make to get myself unblocked?
2) Are there any AWS Console tools in IAM, like Access Advisor, that could help me review the access logs / audit trails and suggest which specific managed policy or inline policy fragment I need to attach to this user?
Any references and guidance on how to fix this issue would be very helpful. Thanks!
How to know if a specific user is verified using the amazon-cognito-identity-js module if the type of the verification message is a link?
Need to restrict IAM user
We have production and UAT environments in the same AWS account. My requirement is to restrict IAM user **A** so that it can manage all activities related only to UAT instances (like admin access), and likewise IAM user **B** can manage production instances only. Is it possible within the same AWS account?
I am not able to delete AD connector and need assistance
I am not able to delete the AWS Directory Service / AD Connector. Error:
You cannot disable the AWS Management Console because delegated users are still assigned to it. Remove all users and groups from the IAM roles below and try again
Requesting assistance on this as I am getting billed for inoperable AD services and have a basic plan.
Identity Center List users and users in groups
Hi, is there an easy way to list all the users in IAM Identity Center and all the groups they belong to? I would like to run a PowerShell/CLI command and write the output to a .csv if possible. Maybe there is an export-to-.csv function in the management console, but I cannot seem to find it. Any help would be much appreciated. Regards, MMuser65