We have Mobile PlatformApplication arns in AWS account-1, and we can publish PNs to endpoint arns with our java-service in the same account.
But when trying to publish PNs with our java-service in different AWS accounts, we get com.amazonaws.services.sns.model.AuthorizationErrorException.
There seems no option to provide a resource-based policy for these SNS PlatformApplication. How can we solve this?
Thanks in Advance!
Today, you cannot do cross-account publishes directly to endpoints.
However, you can create an IAM role under the account with the endpoints that the other account is able to assume. Once the role has been assumed, the second account would be able to publish to the endpoint as usual.
Related
We have an AWS account with an IAM group, this group contains practically 6 users and most operations in the account are done by this 6 users.
There are 12 Lambda Functions that have been created in the account and there is a particular lambda function (created by one of the 6 users) that I am trying to know who created it (The Lambda function owner).
Please is there a way to do this ?
Resources created in AWS Accounts are associated with the Account, not the IAM User that created the account.
When a user requests AWS to create resources, IAM verifies that the user has permission to create resources. If so, then the resources are created in the Account, but no relationship with the user is kept on that resource.
You can, however, use AWS CloudTrail to view information about the API request that created the resource.
From What Is AWS CloudTrail? - AWS CloudTrail:
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
I have two aws accounts. I have a user in account a which needs to have full access to aws data pipeline in account B.
How to achieve this?
I have attached a policy to the user in account A to have access to data pipeline.
But how do I attach a policy to datapipeline in account B so that it accepts requests from this user from account A?
AWS STS with Assume Role will let you setup with cross account resource access. There is a very descriptive video by AWS to help understand & setup the same. For your case, instead of EC2 you will just give Datapipeline access.
I am new to aws and I want to integrate IAM in my aws account.
I have gone through this link:
https://www.youtube.com/watch?v=KQheV84Ae40&list=PL_OdF9Z6GmVZCwyfd8n6_50jcE_Xlz1je&index=3
but not getting the proper idea.
Is there any example for that?
You can use IAM to create Users in your AWS Account.
You can then associate policies with those users, which grant them permission to use particular AWS services, such as Amazon S3. IAM is automatically integrated with every AWS service.
See: Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket | AWS Security Blog
IAM service in AWS is used for user management, that helps you securely control access to AWS resources. In IAM you can create users and you can assign roles to the users based on your needs. you can create custom policies also, AWS provides many custom policies by default once go through Its mostly self-explanatory.
How do I find out what IAM user created certain metrics and alarms?
I tried CLI commands: describe-alarms and list-metrics and they don't seem to provide this information nor when looking at the configuration for the alarms and metrics in the AWS console.
While users call APIs to create resources in AWS, those resources are associated with the AWS Account rather than a user. As long as a user has permission to create resources in the account, the resources will be created/viewed/deleted.
However, you can use AWS CloudTrail to retrieve information about the API calls themselves:
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
I am using an MQTT client in JavaScript (paho-mqtt-js) to connect to an AWS IoT endpoint and I am able to connect if I use my own AWS credentials.
However, if I use credentials generated by Cognito for a logged in user I am unable to do so. My Cognito authorised role in IAM has a policy of "AWSIoTFullAccess" attached to it so I am confused as to why these credentials return a 403 error each time.
Any help with regard to this would be greatly appreciated.
Encountered similar problem when dealing with Federated identity. Some tips to resolve the problem:
Please use the cloudwatch logs to figure out the problems it was very handy.
Also look at the cloudwatch logs with topic name ending with _CognitoIdentityCredentials
Using the appropriate session tokens
Use AWS CLI and execute attach-principal-policy to try out manually.
Please refer to this link https://github.com/alfonsodev/aws-iot-example/blob/master/index.js to run locally with nodejs to troubleshoot the issue.
Please use attach principal policy. This link http://techqa.info/programming/question/40301345/connect-to-AWS-IoT-using-web-socket-with-Cognito-authenticated-users was very helpful for integration
Hope this helps!
Check your AWS IoT policies. You'll also need an AWS IoT policy for your Cognito identity in addition to the policy you've attached to the IAM Role. See the docs here:
https://docs.aws.amazon.com/iot/latest/developerguide/authorization.html