AWS Greengrass V2 Fleet Provisioning thing policy problem - amazon-web-services

I currently want to set up Greengrass V2 fleet provisioning (on an EC2 instance where the needed ports are open).
I've built the certificate and the thing/core device gets provisioned.
I want to make this production ready, so I've used the minimal Greengrass core IoT policy:
https://docs.aws.amazon.com/greengrass/v2/developerguide/device-auth.html#greengrass-core-minimal-iot-policy
Here is my policy:
{
  "Statement": [
    {
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive",
        "iot:Connect"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topic/data/${iot:Connection.Thing.ThingName}/*",
        "arn:aws:iot:eu-central-1:123123123123:topic/cmd/${iot:Connection.Thing.ThingName}/*"
      ]
    },
    {
      "Action": [
        "iot:Connect"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iot:eu-central-1:123123123123:client/${iot:Connection.Thing.ThingName}*"
    },
    {
      "Action": [
        "iot:Subscribe"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}*/jobs/*",
        "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}*/shadow/*"
      ]
    },
    {
      "Action": [
        "iot:Receive",
        "iot:Publish"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/greengrass/health/json",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/greengrassv2/health/json",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/jobs/*",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/shadow/*"
      ]
    },
    {
      "Action": [
        "greengrass:ResolveComponentCandidates",
        "greengrass:Get*",
        "greengrass:List*",
        "greengrass:Describe*",
        "greengrass:Resolve*",
        "greengrass:PutCertificateAuthorities"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "iot:AssumeRoleWithCertificate",
      "Effect": "Allow",
      "Resource": "arn:aws:iot:eu-central-1:123123123123:rolealias/TerraformGreengrassCoreTokenExchangeRoleAlias"
    }
  ],
  "Version": "2012-10-17"
}
The issue is that I cannot get the deployment for the thing group. The Greengrass core device always disconnects.
Log message:
[...]
2023-01-05T08:58:18.602Z [DEBUG] (pool-2-thread-37) com.aws.greengrass.mqttclient.AwsIotMqttClient: Subscribing to topic. {clientId=TestCustomerCoreDevice, qos=AT_LEAST_ONCE, topic=$aws/things/TestCustomerCoreDevice/jobs/12312397-1d2d-1d2d-1d2d-01de629ddcf2/namespace-aws-gg-deployment/update/rejected}
com.aws.greengrass.mqtt.bridge.clients.MQTTClient: Unable to connect. Will be retried after 120 seconds
[...]
If I now allow subscribe on the resource:
"arn:aws:iot:eu-central-1:123123123123:*"
it works; however, this is not what I want for production.
I think it has to do with the topicfilter/$aws resources, but I cannot figure out what the issue is.
After this I can also subscribe to the topic data/TestCustomerCoreDevice/test.
Does somebody know how to resolve this issue?
Thanks in advance!

I cleaned up your policy a bit, since it had some duplicate information:
{
  "Statement": [
    {
      "Action": [
        "iot:Connect"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iot:eu-central-1:123123123123:client/${iot:Connection.Thing.ThingName}"
    },
    {
      "Action": [
        "iot:Subscribe"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*",
        "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/*"
      ]
    },
    {
      "Action": [
        "iot:Receive",
        "iot:Publish"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}/greengrass/health/json",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}/greengrassv2/health/json",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/*",
        "arn:aws:iot:eu-central-1:123123123123:topic/data/${iot:Connection.Thing.ThingName}/*",
        "arn:aws:iot:eu-central-1:123123123123:topic/cmd/${iot:Connection.Thing.ThingName}/*"
      ]
    },
    {
      "Action": [
        "greengrass:ResolveComponentCandidates",
        "greengrass:Get*",
        "greengrass:List*",
        "greengrass:Describe*",
        "greengrass:Resolve*",
        "greengrass:PutCertificateAuthorities"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "iot:AssumeRoleWithCertificate",
      "Effect": "Allow",
      "Resource": "arn:aws:iot:eu-central-1:123123123123:rolealias/TerraformGreengrassCoreTokenExchangeRoleAlias"
    }
  ],
  "Version": "2012-10-17"
}
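A check worth running before touching the live policy, added here as an example and not code from either post: evaluate the policy offline against the exact MQTT operations the log shows. The script substitutes the thing name for ${iot:Connection.Thing.ThingName} the way IoT Core does, matches resource ARNs with the IoT policy wildcard rules (`*` matches any run of characters, `/` included; `?` matches one character; MQTT `+` and `#` are literal characters in a policy resource), and checks each action against the resource type IoT Core authorises it with: iot:Connect against client/, iot:Subscribe against topicfilter/, iot:Receive and iot:Publish against topic/. The embedded policy is the question's, trimmed to its MQTT statements with the stray trailing comma removed; the thing name, job ID and topic come from the log line in the question and the data/ topic from the question's text. It shows two things the policy text alone does not. First, the jobs subscription that fails in the log is covered by the topicfilter/$aws/things/...*/jobs/* resource, so the pattern itself is not the problem; the variable only resolves when the client ID equals the thing name and the certificate is attached to that thing, and the last check simulates what happens when it resolves to a different name. Second, the subscribe on data/ and cmd/ topics is denied, because the first statement grants iot:Subscribe on topic/ ARNs while subscriptions are authorised against topicfilter/ ARNs; neither policy on this page carries a topicfilter/data or topicfilter/cmd resource.

```python
"""Offline coverage check of an AWS IoT Core policy against the MQTT operations
a Greengrass core device performs. Added example; not from either post."""
import json
import re

REGION = "eu-central-1"
ACCOUNT = "123123123123"
THING_NAME = "TestCustomerCoreDevice"  # clientId in the question's log line
ARN_PREFIX = f"arn:aws:iot:{REGION}:{ACCOUNT}:"
THING_VAR = "${iot:Connection.Thing.ThingName}"

# The question's policy, trimmed to its four MQTT statements (greengrass:* and
# iot:AssumeRoleWithCertificate play no part in MQTT authorisation). The
# trailing comma of the original Subscribe block is removed so it parses.
QUESTION_POLICY = json.loads(r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["iot:Publish", "iot:Subscribe", "iot:Receive", "iot:Connect"],
     "Resource": ["arn:aws:iot:eu-central-1:123123123123:topic/data/${iot:Connection.Thing.ThingName}/*",
                  "arn:aws:iot:eu-central-1:123123123123:topic/cmd/${iot:Connection.Thing.ThingName}/*"]},
    {"Effect": "Allow",
     "Action": ["iot:Connect"],
     "Resource": "arn:aws:iot:eu-central-1:123123123123:client/${iot:Connection.Thing.ThingName}*"},
    {"Effect": "Allow",
     "Action": ["iot:Subscribe"],
     "Resource": ["arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}*/jobs/*",
                  "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}*/shadow/*"]},
    {"Effect": "Allow",
     "Action": ["iot:Receive", "iot:Publish"],
     "Resource": ["arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/jobs/*",
                  "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/shadow/*"]}
  ]
}
""")


def resolve(resource, thing_name):
    """Substitute the policy variable as IoT Core does once the client ID equals
    the thing name and the certificate is attached to that thing."""
    return resource.replace(THING_VAR, thing_name)


def glob_to_regex(pattern):
    """IoT policy wildcards: '*' any run of characters ('/' included), '?' one
    character. MQTT '+' and '#' are ordinary characters in a policy resource."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$")


def is_allowed(policy, action, resource_arn, thing_name):
    """Simplified evaluation: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(glob_to_regex(a).match(action) for a in actions):
            continue
        if not any(glob_to_regex(resolve(r, thing_name)).match(resource_arn) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Operations taken from the question: the topic in the log line (job ID
# included) and the data/ topic the asker mentions, each paired with the
# resource type IoT Core authorises that action against.
JOBS_TOPIC = (f"$aws/things/{THING_NAME}/jobs/12312397-1d2d-1d2d-1d2d-01de629ddcf2"
              "/namespace-aws-gg-deployment/update/rejected")
OPERATIONS = [
    ("iot:Connect", f"client/{THING_NAME}"),
    ("iot:Subscribe", f"topicfilter/{JOBS_TOPIC}"),
    ("iot:Receive", f"topic/{JOBS_TOPIC}"),
    ("iot:Subscribe", f"topicfilter/data/{THING_NAME}/test"),
    ("iot:Publish", f"topic/data/{THING_NAME}/test"),
]


def check(policy, thing_name=THING_NAME):
    """Map each (action, resource) to the policy's decision for that thing name."""
    return {(a, r): is_allowed(policy, a, ARN_PREFIX + r, thing_name) for a, r in OPERATIONS}


if __name__ == "__main__":
    for (action, resource), ok in check(QUESTION_POLICY).items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {action:14} {resource}")
    # If the variable resolves to a different thing (certificate attached to
    # another thing), every thing-scoped resource stops matching.
    other = is_allowed(QUESTION_POLICY, "iot:Subscribe",
                       ARN_PREFIX + "topicfilter/" + JOBS_TOPIC, "OtherThing")
    print("jobs subscribe when the variable resolves to OtherThing:", "ALLOW" if other else "DENY")
```

The evaluator is deliberately minimal (no Condition blocks, no case folding of action names), so treat a DENY here as a definite gap and an ALLOW as "the pattern is fine, look elsewhere": at whether the certificate is attached to the thing whose name the client ID uses, or at which client is actually connecting. `aws iot test-authorization` gives the service-side answer for the same action/resource pairs once you want to confirm against the real policy.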

Related

AWS StepFunctions: Error While creating State Machine using AWS-SDK through lambda

I am trying to create a state machine in AWS Step Functions using the AWS SDK, e.g.:
stepfunctions.createStateMachine(params, function(err, data)...
I created a Lambda in the AWS console and added the code for creating the state machine. I also gave the role permissions to execute this Lambda and create the state machine. I verified the role permissions using the policy simulator as well, which is fine (allowed). But when I execute the Lambda, I get an AccessDeniedException:
"errorMessage": "User: arn:aws:sts::555555555:assumed-role/SFN_API_role/SFAPITest is not authorized to perform: states:CreateStateMachine on resource: arn:aws:states:us-east-1:555555555:stateMachine:*",
"errorType": "AccessDeniedException"
"SFN_API_role" is the role and "SFAPITest" is the Lambda.
Here is the policy defined:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:ListStateMachines",
        "states:ListActivities",
        "states:CreateStateMachine",
        "states:CreateActivity"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "states:DescribeStateMachine",
        "states:StartExecution",
        "states:DeleteStateMachine",
        "states:ListExecutions"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "states:DescribeExecution",
        "states:GetExecutionHistory",
        "states:StopExecution"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "states:DescribeActivity",
        "states:DeleteActivity",
        "states:GetActivityTask",
        "states:SendTaskSuccess",
        "states:SendTaskFailure",
        "states:SendTaskHeartbeat"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Any pointers are appreciated!
You are using "Resource": ["*"] instead of "Resource": "*". Just change the first portion of your policy to the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:ListStateMachines",
        "states:ListActivities",
        "states:CreateStateMachine",
        "states:CreateActivity"
      ],
      "Resource": "*"
    },
    ...

AWS ssm:SendCommand is not working if I restrict access to specific instances

I am using the default policy AmazonSSMMaintenanceWindowRole. In that policy I have modified the permissions for ssm:SendCommand to restrict access to specific EC2 instances, which is not working. If I give the resource as "*" for ssm:SendCommand, it works fine. Please let me know what I am doing wrong with respect to restricting access.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "0",
      "Effect": "Allow",
      "Action": [
        "ssm:GetAutomationExecution",
        "ssm:GetParameters",
        "ssm:ListCommands",
        "ssm:StartAutomationExecution"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": [
        "ssm:SendCommand"
      ],
      "Resource": [
        "arn:aws:ec2:eu-west-1:*:instance/myinstance-id",
        "arn:aws:s3:::bucketname",
        "arn:aws:ssm:us-east-1:*:document/AWS-ApplyPatchBaseline"
      ]
    },
    {
      "Sid": "2",
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:function:SSM*",
        "arn:aws:lambda:*:*:function:*:SSM*"
      ]
    },
    {
      "Sid": "3",
      "Effect": "Allow",
      "Action": [
        "states:DescribeExecution",
        "states:StartExecution"
      ],
      "Resource": [
        "arn:aws:states:*:*:stateMachine:SSM*",
        "arn:aws:states:*:*:execution:SSM*"
      ]
    }
  ]
}

AWS Service Control Policy to prevent opening Internet connections in a VPN environment

We have multiple AWS sub-accounts under a billing account (organization). Since those accounts are connected via VPN to our private cloud, I want to prevent developers from opening ports to the Internet by default. Is there a good default policy that prevents the most basic things which can cause security problems, without limiting the developers too much? Basically, they should be allowed to start and stop things inside, but we should make sure they can't open anything that could cause security problems for our private cloud. I just went quickly over some settings and came up with this policy, but I would like to hear if there is more to consider or if there are already good examples.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "aws-portal:ModifyAccount",
        "aws-portal:ModifyBilling",
        "aws-portal:ModifyPaymentMethods"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "budgets:ModifyBudget"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "directconnect:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "cur:DeleteReportDefinition"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "organizations:CreateAccount",
        "organizations:CreateOrganization",
        "organizations:CreateOrganizationalUnit",
        "organizations:DeleteOrganization",
        "organizations:DeleteOrganizationalUnit",
        "organizations:DeletePolicy",
        "organizations:DisablePolicyType",
        "organizations:InviteAccountToOrganization",
        "organizations:LeaveOrganization",
        "organizations:MoveAccount",
        "organizations:RemoveAccountFromOrganization",
        "organizations:UpdateOrganizationalUnit",
        "organizations:UpdatePolicy"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "ec2:AttachInternetGateway",
        "ec2:CreateInternetGateway",
        "ec2:DeleteInternetGateway",
        "ec2:DetachInternetGateway"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "ec2:AttachVpnGateway",
        "ec2:CreateVpnConnection",
        "ec2:CreateVpnConnectionRoute",
        "ec2:CreateVpnGateway",
        "ec2:DeleteVpnConnection",
        "ec2:DeleteVpnConnectionRoute",
        "ec2:DeleteVpnGateway",
        "ec2:DetachVpnGateway"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

How to restrict an AWS IAM user to be able to execute "SSM Run Commands" on a specific EC2 server

I am trying to set up and assign a policy so that a user can only trigger AWS Systems Manager (SSM) Run Commands on the EC2 instances that are authorized for or assigned to them.
To do this, I am following the instructions from https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sysman-configuring-access-iam-create.html and, as per those, I created the custom policy below, granting access to only one EC2 instance:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ssm:ListDocuments",
        "ssm:DescribeDocument*",
        "ssm:GetDocument",
        "ssm:DescribeInstance*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "ssm:SendCommand",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
        "arn:aws:s3:::test-ssm-logs/TESTSERV",
        "arn:aws:ssm:us-east-1:123456789012:document/AWS-RunPowerShellScript"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Name": "TESTSERV"
        }
      }
    },
    {
      "Action": [
        "ssm:CancelCommand",
        "ssm:ListCommands",
        "ssm:ListCommandInvocations"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "ec2:DescribeInstanceStatus",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
After I assigned the above policy to a test user, when I log in with it and navigate to "Run Command", I see other EC2 instances under Target Instances as well, and I am even able to execute commands on them. Shouldn't the user only see the one instance that is specified in the above policy?
I do not understand what I am doing wrong here and how to fix it. I appreciate your help.
Thanks!
I have the IAM policy below assigned to all my EC2 instances:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeAssociation",
        "ssm:GetDeployablePatchSnapshotForInstance",
        "ssm:GetDocument",
        "ssm:GetParameters",
        "ssm:ListAssociations",
        "ssm:ListInstanceAssociations",
        "ssm:PutInventory",
        "ssm:UpdateAssociationStatus",
        "ssm:UpdateInstanceAssociationStatus",
        "ssm:UpdateInstanceInformation"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2messages:AcknowledgeMessage",
        "ec2messages:DeleteMessage",
        "ec2messages:FailMessage",
        "ec2messages:GetEndpoint",
        "ec2messages:GetMessages",
        "ec2messages:SendReply"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstanceStatus"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ds:CreateComputer",
        "ds:DescribeDirectories"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::amazon-ssm-packages-*"
    }
  ]
}
Also, I have the IAM policy below assigned to the test user so that they can start/stop/restart EC2 instances:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Name": "TESTSERV"
        }
      }
    }
  ]
}
I was able to make this work by adjusting the policy as below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ssm:ListDocuments",
        "ssm:DescribeDocument*",
        "ssm:GetDocument",
        "ssm:DescribeInstance*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "ssm:SendCommand",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
        "arn:aws:s3:::nsight-ssm-logs/TESTSERV",
        "arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript"
      ]
    },
    {
      "Action": [
        "ssm:CancelCommand",
        "ssm:ListCommands",
        "ssm:ListCommandInvocations"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "ec2:DescribeInstanceStatus",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
My requirement was to only allow execution of PowerShell scripts, hence the line:
"arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript"
You can replace AWS-RunPowerShellScript with * to allow all commands.
Also, the EC2 role assignment was necessary, since without it I couldn't see any instances under Run Command.
Please also note that the user will see all instances under Run Command, but will only be able to execute commands on the EC2 instances for which the policies are assigned to the user account. I do not think there is any option to suppress this.
Thanks for your contribution and helpful tips.

AWS AccessDeniedException elastictranscoder:CreateJob

I'm trying to use a Lambda function to trigger an Elastic Transcoder job, but I keep getting this error message:
AccessDeniedException: User: arn:aws:sts::xxx:assumed-role/xxxx/xxx is not authorized to perform: elastictranscoder:CreateJob on resource: arn:aws:elastictranscoder:xxxxx:pipeline/xxxxx
My IAM user policy covers all access requirements:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1465486106000",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:GetLogEvents",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Resource": [
        "arn:aws:logs:*:*:*"
      ]
    },
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": [
        "s3:Put*",
        "s3:ListBucket",
        "s3:*MultipartUpload*",
        "s3:Get*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "2",
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "*"
    },
    {
      "Sid": "3",
      "Effect": "Deny",
      "Action": [
        "s3:*Delete*",
        "s3:*Policy*",
        "sns:*Remove*",
        "sns:*Delete*",
        "sns:*Permission*"
      ],
      "Resource": "*"
    }
  ]
}
Why am I getting the AccessDeniedException and how can I fix it?
Change your policy to the one below and then try it; it will work.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1465486106000",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:GetLogEvents",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Resource": [
        "arn:aws:logs:*:*:*"
      ]
    },
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": [
        "elastictranscoder:*",
        "s3:Put*",
        "s3:ListBucket",
        "s3:*MultipartUpload*",
        "s3:Get*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "2",
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "*"
    },
    {
      "Sid": "3",
      "Effect": "Deny",
      "Action": [
        "s3:*Delete*",
        "s3:*Policy*",
        "sns:*Remove*",
        "sns:*Delete*",
        "sns:*Permission*"
      ],
      "Resource": "*"
    }
  ]
}
You don't need to change the JSON by editing it.
First of all, find out which role you want to edit:
1) Click Permission http://prntscr.com/j1giww
2) See the role name http://prntscr.com/j1gj6s
3) Go to IAM Roles
4) Select the role that you saw in step 2
5) Edit the policy and add Transcoder Full Access (or selected access)