Questions tagged with AWS Resource Access Manager
Lake Formation Column-based access on a resource link
First, what I see in the very last screenshot image of the [Granting resource link permissions](https://docs.amazonaws.cn/en_us/lake-formation/latest/dg/granting-link-permissions.html) page is that the *column-based permissions* option is disabled ...

![Different presentation](/media/postImages/original/IMOfG-uH-4RX6SDHS0qdQJGA "Different presentation")

..., but in our account, for a *resource link*, I have a different presentation with different options, and no *Super*.

![No Super permission](/media/postImages/original/IMkBkl3vAqTtKOQ4T5ueF_ug "No SUPER permission")

1. Not a blocker: I wonder if the difference between the two images is only a recent change in the interface.
2. **Blocker:** Why isn't it possible to grant *column-based* permissions on a resource link?

Our use case is the following.

- Producer account: sharing 'tableA' with an external account (Consumer) with Alter, Describe, Insert and Select permissions on **all columns**. Done with both *cross-account versions*.
- Consumer account:
  - Create the resource link *tableA_producer* from the shared *Producer.tableA* table.
  - Try to grant some users access to *tableA_producer*, but only to some columns ...

But what I see now is that it is not possible. Why? We don't want to do multiple resource shares from Prod for the same resource.

______

**Bonus question:** What are the differences between the *cross-account version settings* version 1 and 2?

![Enter image description here](/media/postImages/original/IMjSdPo65yRVSIWQr17sHttg)
Limitations of Resource Access Manager
1. What will happen if Subnet A from AWS account A with a CIDR of 22.214.171.124/24 is shared with AWS Account B, which also has a subnet of 126.96.36.199/24? How does the resource differentiate between the two subnets? Let's say there is EC2-A in subnet A with the same IP as EC2-B in subnet B; how will the resources know which EC2 instance they should be sending the data to? I did read about IPAM, but that did not help much.
2. What are the risks of using Resource Access Manager?
S3 + SSO permission to list a predefined list of buckets.
Hello, I would like to let a group of users see only a subset of my account's buckets, so they do not try to use buckets they have no access to. I looked all over and found no solution; many people experience the same, but no definite working setup is available. The users are using SSO with temporary credentials, so they are not available at the account. The ListBuckets API requires the s3:ListAllMyBuckets permission, which does not accept a resource. Managing a bucket ACL per each owner seems a huge overhead to manage, and I could not find how to integrate this into the roles. Is there any option to apply a filter on the output of ListBuckets, preferably a filter based on role permissions? I thought that the permission to perform s3:GetBucketLocation would be queried per each bucket, so that ListBuckets would return only those buckets that the role has permission to locate; this may be a clean solution. I would appreciate any hint on how to return to my user roles only a pre-defined list of buckets. Regards, Alon  https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html
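Added example (editor's code, not the poster's): s3:ListAllMyBuckets has no resource-level scoping, so ListBuckets always returns every bucket in the account regardless of what the caller may touch. The usual client-side workaround is to probe each returned bucket with an operation that *is* scoped per bucket, here HeadBucket (which needs s3:ListBucket on that bucket), and drop the ones that come back 403/404. `FakeS3` is a constructed stand-in for a boto3 S3 client so the block runs offline; the bucket names are made up.

```python
"""Client-side filtering of ListBuckets output (added example, not the poster's code)."""
from typing import Dict, List, Set

try:
    from botocore.exceptions import ClientError
except ImportError:  # botocore absent (offline demo): minimal stand-in with the same shape
    class ClientError(Exception):
        def __init__(self, error_response: Dict, operation_name: str):
            super().__init__(f"{operation_name}: {error_response['Error']['Code']}")
            self.response = error_response
            self.operation_name = operation_name

# Codes that mean "this principal cannot use this bucket". Anything else
# (throttling, network) is re-raised so a transient failure never hides a bucket.
_NOT_ACCESSIBLE = {"403", "AccessDenied", "Forbidden", "404", "NoSuchBucket"}


def accessible_buckets(s3) -> List[str]:
    """ListBuckets, then keep only buckets on which HeadBucket succeeds for the caller."""
    names = [b["Name"] for b in s3.list_buckets()["Buckets"]]
    allowed: List[str] = []
    for name in names:
        try:
            s3.head_bucket(Bucket=name)
        except ClientError as exc:
            if exc.response["Error"]["Code"] in _NOT_ACCESSIBLE:
                continue
            raise
        allowed.append(name)
    return allowed


class FakeS3:
    """Constructed stand-in for boto3.client('s3'); supports the two calls used above."""

    def __init__(self, buckets: List[str], allowed: List[str], throttled: Set[str] = frozenset()):
        self._buckets = buckets
        self._allowed = set(allowed)
        self._throttled = set(throttled)

    def list_buckets(self) -> Dict:
        return {"Buckets": [{"Name": n} for n in self._buckets]}

    def head_bucket(self, Bucket: str) -> Dict:
        if Bucket in self._throttled:  # simulate a transient error, not a denial
            raise ClientError({"Error": {"Code": "SlowDown", "Message": "Reduce request rate"}}, "HeadBucket")
        if Bucket not in self._allowed:  # real S3 answers HeadBucket with a bodyless 403
            raise ClientError({"Error": {"Code": "403", "Message": "Forbidden"}}, "HeadBucket")
        return {}


def demo() -> List[str]:
    """Constructed account with four buckets; the role may only use the team-a ones."""
    s3 = FakeS3(
        ["team-a-logs", "finance-export", "team-a-data", "shared-images"],
        allowed=["team-a-logs", "team-a-data"],
    )
    return accessible_buckets(s3)


if __name__ == "__main__":
    print(demo())  # ['team-a-logs', 'team-a-data']
```

With a real client this is `accessible_buckets(boto3.client("s3"))` run under the SSO role's temporary credentials. Two caveats: it is a convenience filter only, since any principal holding s3:ListAllMyBuckets can still see every bucket name through the API or the console, so bucket names must not be treated as secrets; and it costs one HeadBucket per bucket, which is fine for a few hundred buckets but worth caching for larger accounts.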
Unable to create nitro enclaves using aws cli
I am trying to create an AWS Nitro enclave as per the documentation:

```
aws ec2 run-instances --image-id ami_id --count 1 --instance-type supported_instance_type --key-name your_key_pair --enclave-options 'Enabled=true'
```

The command throws the following error:

```
aws ec2 run-instances --image-id ami-<id> --count 1 --instance-type c5.2xlarge --key-name dev_nitro.pem --region us-east-1 --enclave-options 'Enabled=true'

An error occurred (VPCIdNotSpecified) when calling the RunInstances operation: No default VPC for this user. GroupName is only supported for EC2-Classic and default VPC
```

What will be the solution for this? I cannot see any solutions in the AWS Nitro documentation. How do I solve this issue?
Can you automate cross-account private CA certificate renewal through AWS RAM and ACM Private CA?
We're planning to use AWS RAM and ACM Private CA for central private certificate authority (CA) management across multiple AWS accounts. If we were to use AWS RAM in one account (account A) to share a private CA with a second account (account B), and then account B uses the private CA from account A in ELB and CloudFront, would the private CA in account B also be renewed automatically when the private CA in account A is renewed? Or would we need to do that manually?