I have user Default and Default-2 both are inside the Admin Group with the AdministratorAccess permission, when I created a DynamoDB table with user Default, the table isn't visible to user Default-2.
I've tried to give user Default-2 the DynamoDBFullAccess policy but it didn't work.
I have an existing cluster, and an IAM user named 'dba-admin' with full permissions to manipulate it.
I successfully generated temporary credentials generated from the CLI:
aws redshift get-cluster-credentials --cluster-identifier db --db-user dba-admin --duration-seconds 7200
However, when I go to the query v2 editor, and try and login:
I get the following error: FATAL: user "IAM:dba-admin" does not exist; [SQL State=42704] before I can enter the password.
I have not manually created a Redshift user named dba-admin, in my understanding this is unnecessary?
Any ideas as to the issue?
My understanding is that you will need to add --auto-create flag, in order for the user to be automatically created. get-cluster-credentials will return the database user name prefixed with IAM: if AutoCreate is False or IAMA: if AutoCreate is True
I updated a dashboard in one account (in dev account) and now I want to update the dashboard in my production account.
When I created the accounts I used the following article:
https://aws.amazon.com/blogs/big-data/migrate-amazon-quicksight-across-aws-accounts/
Now, when I want to update the template I get an error:
arn user is not authorized to perform: quicksight:UpdateTemplate on resource: arn:aws:quicksight:eu-west-1:599840029772:template/**
I guess that the problem is that in the update-template command I can't change the Principal to the Test-qs-admin-user IAM user so the system recognizes only my account and my account has no permissions to perform this.
How can I use the IAM user in update-template command?
Thanks!
As an Admin user, I have created an IAM user with some restricted accesses for testing purposes.
So, when I login with the IAM user, I don't have access to unauthorized services as expected but I've noticed that I can create and remove IAM users, even if I didn't created them by myself.
So, I have three questions:
Why an IAM have the ability to remove other users?
And how can I prevent this?
When an IAM user create "sub IAM users", do these "sub users" inherit from his unauthorizations?
1) Why an IAM have the ability to remove other users?
Am IAM user is just another user of your AWS account. It appears you gave the new IAM user the permissions to create, modify, or delete other IAM user accounts.
2) And how can I prevent this ?
You need to review the IAM policies and roles assigned to the new IAM user and remove the permissions you don't want them to have. Please post the exact IAM roles and policies you have assigned to the user if you need help with this.
3) When an IAM user create "sub IAM users", do these "sub users"
inherit from his unauthorizations ?
There is no such thing as "sub users". A user is not in any way tied to the user that created them.
A user is granted the ability to create a user by virtue of the permissions granted to the first user. If you attach a policy to the second her that also grants the ability to create users that second will have permission to do so. There is a feature that allows you to grant a user the permission to create other uses whilst limiting the permissions of the second user. The feature is called Permission boundaries. By using this you can allow a user to create other users but limit what permissions that other user can grant.
There is no concept of "sub-IAM users." An IAM user is an IAM user. The user has permissions to create other IAM users because you haven't denied the iam:* policies. You said you "created an IAM user with some restricted accesses for testing purposes." Without seeing the user it's not possible to know what permissions you have granted, but you must have allowed IAM permissions. To prevent the user from creating other users, do not attach policies that allow the iam:CreateUser permission.
Yes you're right an IAM user shouldn't have the ability to manage other users. AWS has policies for this like if you want other users to give access to all services you can create a group and attach PowerUserAccessPolicy to that group. Users with PowerUserAccess wouldn't be able to manage groups and other IAM users. Further, if you want to restrict admin users access to manage other IAM users you can create custom policy to deny this affect using an inline policy.
Reference:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html
Any IAM user can't be called as "sub-user", as all users can be said to have the same level.When any IAM user is associated the policies for IAM operations such as create, update, delete, that user can perform such IAM operations for new or existing users.
While creating Users in Cloud. In IAM, Password policy. If you set password policy in inner sub user then it affects to parent user as well.
How is it possible ?
Example . I created user called xyz under root. I will login in xyz and change the password policy. But it affects Root user password policy as well.
The password policy that you set is for the account, not for a specific user and not for a group of users. It applies to the passwords of all IAM users. It does not apply to the AWS root account password.