I have a cloudwatch evidently project in one account and have a lambda in another account that wants to call EvaluateFeature on the cross-account Evidently project. Is this possible?
I've been using this client https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/evidently/EvidentlyClient.html
and even though I give it the project arn of the target account's project (in the project parameter of EvaluateFeatureRequest), it seems to re-route the EvaluateFeature request into the account the lambda resides in. Not sure if anyone has done something similar before.
I have a role in the Evidently account that can be assumed by Lambda service principal. With the stsAssumeRole permission also part of the Lambda's role policy. I just can't get EvaluateFeature to direct itself to the correct Arn/project.
Thanks.
Related
I am trying to connect to an AWS AppSync, located in a custom profile/account/role under the root/default account, from an AWS Lambda in the root/default account.
The below python code works fine locally, because I have configured "custom_profile" in my local .aws/config file.
session = boto3.Session(profile_name='custom_profile')
client = session.client('appsync', region_name='<region>')
But is there any way to make this code run in the AWS Lambda in the root account? How can AWS Lambda understand what is "custom_profile"? Where and how can I map "custom_profile" to the respective role ARN?
I saw a probable solution to this problem on this link, but I have not tried it.
Has anyone faced a similar issue and know of an easier solution to this problem than in the link?
The link that you've referenced is the way to go. Permissions that an AWS Lambda function has, are to be defined in a role for that function. This can include permissions to assume a role in another account.
You can then use the Security Token Service (or STS for short) and execute the AssumeRole action. This will provide you with AWS tokens that you can use to authenticate your calls to the other account.
You will also have to configure the account you're executing the lambda function in as a trusted entity in the role you want to assume in the second account.
I have an IAM role with AdministratorAccess, but when I upload a custom template to AWS CloudFormation, I get the following error:
Operation failed, ComputeEnvironment went INVALID with error:
CLIENT_ERROR - You are not authorized to call EC2 Describe operations.
It is required to perform CreateLaunchConfiguration operation.
All the other resources seem to complete successfully, so I'm not sure if there is some sort of role delegation taking place?
It is possible that you are affected by Service Control Policies (SCPs) or by Permission Boundaries or even other policy types.
Identity-based policies
Resource-based policies
Permissions boundaries
Organization SCPs
Access control lists
Session policies
Regarding SCPs:
An SCP restricts permissions for IAM users and roles in member
accounts, including the member account's root user. Any account has
only those permissions permitted by every parent above it. If a
permission is blocked at any level above the account, either
implicitly (by not being included in an Allow policy statement) or
explicitly (by being included in a Deny policy statement), a user or
role in the affected account can't use that permission, even if the
account administrator attaches the AdministratorAccess IAM policy with
/ permissions to the user.
Also see How to use service control policies to set permission guardrails across accounts in your AWS Organization
As this article states,
The member accounts of an AWS Organization are unable to see the SCPs
that have been applied to them. Further, when actions are denied,
there is no way to know whether that is due to an IAM policy, an SCP,
or something else (ex. session policy, IAM boundary, resource policy).
This means there will be no indication in the error message from an
API call or in the CloudTrail log to show what denied the call. This
can make debugging issues difficult.
This article has some useful diagrams that show the different things that could be affecting/limiting the access.
I've been working on this problem for four days and finally came up with a solution that I think resolves it.
There are two kinds of CDK bootstrap: legacy and modern. Legacy is the default.
There appears to be a bug in the legacy bootstrap that affects some accounts and not others. I was able to verify that the same code worked for me on one account but produced the exact symptoms of this problem on a newly created account.
If you are not stuck with legacy bootstrap for some reason, just convert over to modern bootstrap. That should make the error (and the reason for the error) go away.
The instructions are here: https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html
Basically, you have to set an environment variable before you call cdk bootstrap, and then you have to change either some code or some configuration in your project.
It is not intuitive that this feature exists in the CDK at all, nor that it would be the fix for this particular problem. However, it cleared it up for me. Maybe it will do the same for others.
In the Documentation for Resource-Based Policies for Lambda, it mentions that it's best practice to include the source-account incase for example you specified a source-arn which referred to an s3 bucket which does not have the account id in the arn, so if you were unlucky and somebody deleted your bucket, and another account created a bucket with the same name they could indirectly access your Lambda function.
But then you also have the notation of a Principal, as in one of the examples they have:
"Principal":{"AWS":"arn:aws:iam::210987654321:root"}
What is the difference between Principal & source-account. Do you use the Principal in the case when you want to refine the permissions down to a particular role or user within an account? And if this isn't your situation and you only want to grant access to your Lambda from an entire account you would use source-account?
One reason of using the aws:SourceAccount is the mitigation of The Confused Deputy Problem.
Specifically, in the context of S3, it is used so that S3 is not considered as the confused deputy.
The principal is what has the permission to trigger the resource, for example in this case the principal is actually the S3 service. This is because S3 is not configured to assume IAM roles, the service is actually the caller of the Lambda function.
The conditions underneath then scope the permissions to only allow the S3 service to call when it is coming from the source account/bucket. Without this it would be an open scope to Amazon S3.
You're correct that principals can be used to reference IAM users/roles and in your example the entire AWS account (assuming the caller is actually an IAM user/role). You would use this method if the caller was an IAM entity vs another AWS service.
Is there a way to look up the permissions you'll need enabled in order to make a call to the AWS API?
For example, I want to call PutMetricAlarm on the CloudWatch API so I should need at least the Action cloudwatch:PutMetricAlarm Allowed on that resource. But what else is the minimum I need?
There is a one-to-one relationship between actions defined in the API and IAM actions.
In your example with PutMetricAlarm, no other permission than cloudwatch:PutMetricAlarm is needed.
The IAM action name (the part after the :) is always identical to the name of the action in the API.
The prefix (the part before the :) is a constant for each service but is not always identical to the service name (e.g. CloudWatch Logs is logs, Firewall Manager is fms).
Also note that the prefix and the action name are case insensitive.
Good references:
Actions, Resources, and Condition Keys for AWS Services
AWS Policy Generator
Complete AWS IAM Reference (cloudonaut)
My code is running on an EC2 machine. I use some AWS services inside the code, so I'd like to fail on start-up if those services are unavailable.
For example, I need to be able to write a file to an S3 bucket. This happens after my code's been running for several minutes, so it's painful to discover that the IAM role wasn't configured correctly only after a 5 minute delay.
Is there a way to figure out if I have PutObject permission on a specific S3 bucket+prefix? I don't want to write dummy data to figure it out.
You can programmatically test permissions by the SimulatePrincipalPolicy API
Simulate how a set of IAM policies attached to an IAM entity works with a list of API actions and AWS resources to determine the policies' effective permissions.
Check out the blog post below that introduces the API. From that post:
AWS Identity and Access Management (IAM) has added two new APIs that enable you to automate validation and auditing of permissions for your IAM users, groups, and roles. Using these two APIs, you can call the IAM policy simulator using the AWS CLI or any of the AWS SDKs. Use the new iam:SimulatePrincipalPolicy API to programmatically test your existing IAM policies, which allows you to verify that your policies have the intended effect and to identify which specific statement in a policy grants or denies access to a particular resource or action.
Source:
Introducing New APIs to Help Test Your Access Control Policies
Have you tried the AWS IAM Policy Simulator. You can use it interactively, but it also has some API capabilities that you may be able to use to accomplish what you want.
http://docs.aws.amazon.com/IAM/latest/APIReference/API_SimulateCustomPolicy.html
Option 1: Upload an actual file when you app starts to see if it succeeds.
Option 2: Use dry runs.
Many AWS commands allow for "dry runs". This would let you execute your command at the start without actually doing anything.
The AWS CLI for S3 appears to support dry runs using the --dryrun option:
http://docs.aws.amazon.com/cli/latest/reference/s3/cp.html
The Amazon EC2 docs for "Dry Run" says the following:
Checks whether you have the required permissions for the action, without actually making the request. If you have the required permissions, the request returns DryRunOperation; otherwise, it returns UnauthorizedOperation.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/APIReference/CommonParameters.html