I'm trying to create IAM user permissions to allow access to invalidate one CloudFront distribution (not all distributions). I have created an IAM user and added the user to a user group with this policy (where "123" is my account ID and "ABC" is the distribution ID):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudfront:ListDistributions",
"cloudfront:UpdateDistribution",
"cloudfront:DeleteDistribution",
"cloudfront:CreateInvalidation"
],
"Resource": "arn:aws:cloudfront::123:distribution/ABC"
}
]
}
When I use a different browser to login as the IAM user I get this error message:
Failed to load distributions: User: arn:aws:iam::123:user/test is not
authorized to perform: cloudfront:ListDistributions because no
identity-based policy allows the cloudfront:ListDistributions action.
I also removed "cloudfront:ListDistributions" from the policy above and got the same result.
Is there a way to allow this user to only invalidate this CloudFront distribution?
Related
I am creating a simple API Gateway and trying to apply its auth. I created an IAM user (called postman-user) and created its credential (as AccessKeyId and SecretAccessKey).
My IAM User policy is like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "execute-api:*",
"Resource": "*"
}
]
}
and in my api gateway I applied the resource policy as below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<my account id>:root",
"arn:aws:iam::<my account id>:user/postman-user"
]
},
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-west-2:<my account id>:<my api g id>/*"
}
]
}
I applied the key id and secret key id in postman:
enter image description here
then the problem comes. no matter how I call the api endpoint using aws credential of this IAM user, I always got this error:
User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-2:******
I thought it was postman failed to sign this AWS sigV4, then I tried this in python:
url = 'https://<apig id>.execute-api.us-west-2.amazonaws.com/beta/query/'
auth = AWSRequestsAuth( aws_access_key='<my key id>',
aws_secret_access_key='<my secret key>',
aws_host='ec2.amazonaws.com',
aws_region='us-west-2',
aws_service='api')
response = requests.get(url, auth=auth)
This error is just forever for me
User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-2:******
Anyone can tell me what I missed ? I clicked on deployAPI in resource to stage beta 100 times ...
tried python, tried postman, nothing works
it sounds like there is something missing on the api plane. It may be the you havent configured IAM auth right on the http method you try to use. I may also be that the resource policy is not attached to the api gateway. Note if the policy is updated and reattached you need to redeploy the api gateway.
Link:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-create-attach.html
This is an API Gateway config issue:
Resources -> click on the method -> Method Request -> Authorization: it used to be None, changing to to AWS IAM made this work.
I'm trying to follow the instructions in How can I allow a Group to assume a Role?, but run into the following error when I try to switch roles:
Invalid information in one or more fields. Check your information or contact your administrator.
In this scenario I have three AWS Accounts with example ids
CompanyMain - 000000000001
CompanyProd - 000000000002
CompanyDev - 000000000003
Where the main account has an organization that includes the the prod and dev accounts
What I'd like to do is set up a single set of IAM users on the main account and allow them to login and switch between either of the two subaccounts, instead of forcing everyone to have three separate logins.
Here's what I've done so far all on the CompanyMain account:
Create Role for accessing Prod Account
Set trusted Entity to "Another AWS Account"
Set Permission Policy to AdministratorAccess
So when I go to Role > "Trust Relationship" > Show Policy Document - it looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::000000000002:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
With the name "company-prod-admin" so the ARN is like this:
arn:aws:iam::000000000001:role/company-prod-admin
This also comes with the link to switch roles as follows:
https://signin.aws.amazon.com/switchrole?roleName=company-prod-admin&account=000000000001
Create a Policy to Assume this Role
Service: STS
Actions: AssumeRole
Role ARN: arn:aws:iam::000000000001:role/company-prod-admin
So the Policy Document looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::000000000002:root"
}
]
}
Create Admin Group
Create a group on the main account called admin and attach the policy we just created
Create IAM User
Create user on the main account and place in admin group
Sign in as IAM User
I can now sign in as an IAM user against the main account
From there, I'd like to switch roles by using the role link or going to https://signin.aws.amazon.com/switchrole and entering the account / role info
However, I get the error that the following info is invalid
Org Setup Question
How can I create roles that across organizations? I'm a little confused as to where the role / permission needs to originate between the three accounts, but ideally I'd like to have a way for someone to login to one set of permissions for the whole organization.
You need to do the IAM policy the other way around if you want to be able to access the CompanyProd from CompanyMain then you need to create a IAM policy in the CompanyProd like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::000000000001:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
Next you login into the MainCompany and go to switch role.
in the Account, you write 000000000002, in the Role field you write root.
My IAM user has the below two policies attached to it.
I created the below IAM policy that prevents lambda from being created if it does not have the Project tag.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Deny",
"Action": "lambda:*",
"Resource": "*",
"Condition": {
"Null": {
"aws:RequestTag/Project": "true"
}
}
}
]
}
I also need to attach/create a new execution role when creating lambda so I added below
Iam policy to my IAM user.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": "iam:*",
"Resource": "*"
}
]
}
I logged into aws console using that IAM user's credentials and tried to create the lambda function without the tag, but it did'nt block the resource creation.I was able to create the lambda function without the required tag but with the following errors.
You are not authorized to perform: cloudformation:DescribeStackResources.
You are not authorized to perform: lambda:GetFunctionEventInvokeConfig.
User: arn:aws:iam::****:user/testuser is not authorized to perform: lambda:ListEventSourceMappings on resource: * with an explicit deny (Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: 199433ed*****)
How can I completely block the resource creation?
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html#example-require-tag-on-create
Eventually I want to try aws:RequestTag/{TageKey} for all supported aws resources.
Not all AWS services/resources support aws:RequestTag as a condition key.
For lambda it is not allowed. Currently the supported condition keys on lambda:CreateFuncion Action are:
lambda:Layer
lambda:VpcIds
lambda:SubnetIds
lambda:SecurityGroupIds
lambda:CodeSigningConfigArn
As specified on table "Actions defined by AWS Lambda" on column "Condition keys".
https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslambda.html#awslambda-actions-as-permissions
You can check that link and review any other service and validate if a specific Action support the Condition that you need.
For example, for EC2:RunInstances https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html supported conditions are:
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:AvailabilityZone
ec2:EbsOptimized
ec2:InstanceMarketType
ec2:InstanceProfile
ec2:InstanceType
ec2:IsLaunchTemplateResource
ec2:LaunchTemplate
ec2:MetadataHttpEndpoint
ec2:MetadataHttpPutResponseHopLimit
ec2:MetadataHttpTokens
ec2:PlacementGroup
ec2:Region
ec2:RootDeviceType
ec2:Tenancy
So in that case you can restrict creation on new EC2 instances based on the presence of Tags but for Lambda it is not supported (for now).
Is it possible to create an IAM rule or an SCP (organization rule) to enforce MFA for all users in a certain group or with certain rights (e.g. administrators or power user)?
To the best of my knowledge you can attach a deny portion to any policy or create a deny policy and attach it to any group.
For example you have "Administrators" group that has many roles added as well as "MultifactorAuthForce" policy:
Example of "MultifactorAuthForce":
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAllWithoutMFA",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
Update:
Just tested it on my account and the policy works. Created an account without MFA, added password and assigned to the group above. When logged as that user I was denied all actions on all resources. After, I added MFA to the user and logged in again. I was able to see the resources.
I have followed the docs at aws http://docs.aws.amazon.com/IAM/latest/UserGuide/PolicyVariables.html
and the question at Can an aws IAM policy dynamically refer to the logged in username?
to create a policy for a user to list his own credentials under web console/users so he can generate his own keys.
user/Alpha
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action":["iam:*"],
"Resource":["arn:aws:iam::{myacctnumber}:user/${aws:username}"]
}
]
}
when I attach the the policy to user/Alpha, then open a new browser and log in as user Alpha > console > users, I get the error message
We encountered the following errors while processing your request
X User: arn:aws:iam::{myacctnumber}:user/Alpha is not authorized to perform: iam ListUsers on resource: arn:aws:iam::{myacctnumber}:user/
note the user/ is not displaying the friendly name as would be expected from ${aws:username}.
I have also tried changing the policy to
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action":["iam:*"],
"Resource":["arn:aws:iam::{myacctnumber}:user/Alpha"]
}
]
}
but the same error displays.
If I make one further change to the resource and make it a wildcard,
"Resource":["arn:aws:iam::{myacctnumber}:user/*"]
the full user list is displayed to to the user Alpha
Do I need extra permissions to allow a user to see only themselves?
thx
Art
The console, when displaying a list of users, uses the iam:ListUsers API call. This call cannot be restricted by resource.
Therefore, the console will function correctly if you provide a policies that permits the ListUsers call, eg:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ListUsers"
],
"Resource": [
"*"
]
}
]
}
The only other way for the user to update their own settings would be via the AWS Command-Line Interface (CLI) or an API call, since they can avoid the need to call ListUsers.