I am setting up AWS Managed Active Directory and want to set up an EC2 instance (Windows Server 2019 R2) for managing the AD remotely, plus an AWS WorkSpaces client with a user to log in. But unfortunately, despite the appropriate permissions, the EC2 instance does not join the domain automatically.
According to the AWS article: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/launching_instance.html
Here are the roles assigned:
AmazonSSMManagedInstanceCore
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeAssociation",
        "ssm:GetDeployablePatchSnapshotForInstance",
        "ssm:GetDocument",
        "ssm:DescribeDocument",
        "ssm:GetManifest",
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:ListAssociations",
        "ssm:ListInstanceAssociations",
        "ssm:PutInventory",
        "ssm:PutComplianceItems",
        "ssm:PutConfigurePackageResult",
        "ssm:UpdateAssociationStatus",
        "ssm:UpdateInstanceAssociationStatus",
        "ssm:UpdateInstanceInformation"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2messages:AcknowledgeMessage",
        "ec2messages:DeleteMessage",
        "ec2messages:FailMessage",
        "ec2messages:GetEndpoint",
        "ec2messages:GetMessages",
        "ec2messages:SendReply"
      ],
      "Resource": "*"
    }
  ]
}
And the other policy is:
AmazonSSMDirectoryServiceAccess
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ds:CreateComputer",
        "ds:DescribeDirectories"
      ],
      "Resource": "*"
    }
  ]
}
With the two policies in place I launched an instance with AMI ID: ami-041306c411c38a789
After a successful launch I use the set command to review the domain join, but unfortunately I have to do it manually. Can someone advise why this is so?
You can review the Command page here
Just making sure: the domain and the instance are in the same VPC, and I am able to check that the instance is recognizing the DNS addresses of the domain.
Related
I want to use an AMI located in another account to create a spot instance with Terraform. The AMI is shared with my account, but the EBS volume inside it is created with a custom KMS key.
When I tried to use the AMI, it gave the error below.
Instance launch failed because an EBS volume cannot be encrypted. If your launch specification includes an encrypted EBS volume, you must grant the AWSServiceRoleForEC2Spot service-linked role access to any custom KMS keys.
I gave access to AWSServiceRoleForEC2Spot in the KMS key policy, and even to AWSServiceRoleForEC2SpotFleet, but it still gives a bad-parameter error when I try to create the instance, and when I describe the spot instance request the error is the same. What am I doing wrong?
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-1",
  "Statement": [
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::xx:role/aws-service-role/spotfleet.amazonaws.com/AWSServiceRoleForEC2SpotFleet",
          "arn:aws:iam::xx:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::xx:role/aws-service-role/spotfleet.amazonaws.com/AWSServiceRoleForEC2SpotFleet",
          "arn:aws:iam::xx:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
I am trying to create an IAM user that will have least privileges to be able to view enhanced monitoring for a particular RDS database. I have created a role (Enhanced Monitoring) and attached a managed policy to it: 'AmazonRDSEnhancedMonitoringRole'. This role is passed to the RDS database using the PassRole permission. The policy that I am attaching to this IAM user is as below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData",
        "rds:*",
        "cloudwatch:GetMetricData",
        "iam:ListRoles",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:DeleteAnomalyDetector",
        "cloudwatch:ListMetrics",
        "cloudwatch:DescribeAnomalyDetectors",
        "cloudwatch:ListMetricStreams",
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:ListDashboards",
        "ec2:*",
        "cloudwatch:PutAnomalyDetector",
        "cloudwatch:GetMetricWidgetImage"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:PassRole",
        "cloudwatch:*"
      ],
      "Resource": [
        "arn:aws:cloudwatch:*:accountnumber:insight-rule/*",
        "arn:aws:iam::accountnumber:role/Enhanced-Monitoring",
        "arn:aws:rds:us-east-1:accountnumber:db:dbidentifier"
      ]
    }
  ]
}
As you can see, I have given almost every permission to this user, but I am still getting a 'Not Authorized' error on the IAM user's RDS dashboard for enhanced monitoring, although CloudWatch logs are displaying normally.
I managed to solve the error by modifying the policy. Since Enhanced Monitoring utilizes CloudWatch Logs, I added a read-only CloudWatch Logs policy (CloudWatchLogsReadOnlyAccess). This policy is mentioned here in the AWS documentation. I also added a cloudwatch:GetMetricData permission as suggested on the RDS console. The overall policy is also more compact now:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::account_number:role/Enhanced-Monitoring"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "rds:*",
        "logs:Describe*",
        "logs:List*",
        "logs:StartQuery",
        "ec2:*",
        "iam:ListRoles",
        "logs:StopQuery",
        "logs:TestMetricFilter",
        "logs:FilterLogEvents",
        "logs:Get*",
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*"
    }
  ]
}
The setup is working fine now.
I am trying to set up a policy for a user group in IAM so that they can insert/delete/update policies in a Security Group.
I currently have it working if I leave the resource as the default "any" statements:
"arn:aws:ec2:*:*:security-group-rule/*",
"arn:aws:ec2:*:*:security-group/*"
When I try to change any of the asterisks, the rule then fails. I have tried adding us-east-2, my AWS account ID, and the actual sg-########## of the security group. All fail.
Any ideas why?
My current JSON policy below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeSecurityGroupRules",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeInstanceStatus"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "ec2:RevokeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:ModifySecurityGroupRules",
        "ec2:UpdateSecurityGroupRuleDescriptionsIngress"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:security-group-rule/*",
        "arn:aws:ec2:*:*:security-group/*"
      ]
    }
  ]
}
I have a requirement to create a policy so that a custom-created SSM document can only be run on a specified EC2 instance.
I have tried a policy something like this, but it is not sufficient to control which instance the document can be run on.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2messages:DeleteMessage",
        "ec2messages:GetEndpoint",
        "ec2messages:FailMessage",
        "ec2messages:AcknowledgeMessage",
        "ec2messages:SendReply",
        "ec2messages:GetMessages"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:UpdateInstanceInformation",
        "ssm:UpdateAssociationStatus",
        "ssm:ListInstanceAssociations",
        "ssm:ListAssociations",
        "ssm:UpdateInstanceAssociationStatus"
      ],
      "Resource": [
        "arn:aws:ssm:us-east-1:xxxxxxxxxx:document/xxxxxxxxxx",
        "arn:aws:ec2:us-east-1:xxxxxxxxxx:instance/*"
      ]
    }
  ]
}
Is this doable?
Help is much appreciated. Thanks.
I have made an RDS instance and want to grant one of my users access to that RDS instance. I'm wondering how I can give this permission.
I have attached RDSFullAccess to my IAM user, then simulated it like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "rds:*",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricStatistics",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "sns:ListSubscriptions",
        "sns:ListTopics",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:rds:eu-west-1:accountIDofIAMUser:db:instancename"
    }
  ]
}
But my user still cannot access this RDS instance; what's the problem? He can make one himself, but I don't want him to make another one!
Any help would be appreciated.
Please find below a policy for single-user, single-RDS start/stop access.
Create the policy below and give the RDS ARN in the resource section.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "rds:AddTagsToResource",
        "rds:ListTagsForResource",
        "rds:DescribeDBSnapshots",
        "rds:DescribeDBEngineVersions",
        "rds:DescribeDBParameters",
        "rds:DescribeDBParameterGroups",
        "rds:StopDBInstance",
        "rds:StartDBInstance"
      ],
      "Resource": [
        "arn:aws:rds:us-east-1:accountnumber:db:dbidentifier"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBClusterSnapshots",
        "rds:DescribeDBInstances"
      ],
      "Resource": "*"
    }
  ]
}
Attach this policy to the user to whom you want to grant access.
If the policy above has the correct ARN for the database and is attached to the IAM user, then it will allow full management actions on the RDS database, things like stopping the database or restoring a backup.
To explicitly exclude the "Create" permissions, based on the list on this page:
http://docs.aws.amazon.com/IAM/latest/UserGuide/list_rds.html
include all the permissions you do need, for example as below. In this context "Deny" always beats "Allow". "Create" permissions are OK against the already existing database but don't apply elsewhere.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "rds:*",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricStatistics",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "sns:ListSubscriptions",
        "sns:ListTopics",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:rds:eu-west-1:accountIDofIAMUser:db:instancename"
    },
    {
      "Effect": "Deny",
      "Action": [
        "rds:Create*"
      ],
      "NotResource": [
        "arn:aws:rds:eu-west-1:accountIDofIAMUser:db:instancename"
      ]
    }
  ]
}
I haven't tested this policy; it's just an example.
If the user needs access to the database as a consumer of data, then this is not managed in this way. They need two things for this:
1. network access to the RDS instance via correct networking and correctly set up security groups
2. user account credentials for the database
For MySQL, the process of initially connecting is described here: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ConnectToInstance.html
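As an added example (not code from any of the posts above, and not an AWS tool), the following Python script is a deliberately simplified IAM identity-policy evaluator that makes three points from this RDS thread and from the security-group question above concrete: an explicit Deny beats an Allow, NotResource inverts the resource match, and an ARN wildcard pattern only matches when every pinned segment agrees with the request ARN. The account ID, database identifiers and security group ID are constructed placeholders standing in for the posts' "accountIDofIAMUser" and "sg-##########". It ignores Principal, Condition, SCPs, permission boundaries and resource policies, all of which the real IAM policy simulator evaluates.

```python
# Added example: minimal IAM identity-policy evaluator (not from the posts).
# Models only Effect, Action, Resource/NotResource and IAM's '*' / '?' wildcards.
# Principal, Condition, SCPs, boundaries and resource policies are NOT modelled.
import re

# Constructed sample identifiers; the posts above use placeholders for these.
ACCOUNT = "123456789012"
DB_ARN = f"arn:aws:rds:eu-west-1:{ACCOUNT}:db:instancename"
OTHER_DB_ARN = f"arn:aws:rds:eu-west-1:{ACCOUNT}:db:someone-elses-db"
SG_ARN = f"arn:aws:ec2:us-east-2:{ACCOUNT}:security-group/sg-0123456789abcdef0"


def iam_match(pattern: str, value: str, case_insensitive: bool = False) -> bool:
    """IAM-style wildcard match: '*' is any run of characters (it crosses ':'
    and '/' segment boundaries), '?' is exactly one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_applies(stmt: dict, action: str, resource: str) -> bool:
    """True when the statement's Action and Resource/NotResource cover the request."""
    # Action names are case-insensitive in IAM; ARNs are compared as written.
    if not any(iam_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
        return False
    if "Resource" in stmt:
        return any(iam_match(r, resource) for r in _as_list(stmt["Resource"]))
    if "NotResource" in stmt:
        return not any(iam_match(r, resource) for r in _as_list(stmt["NotResource"]))
    return False


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"      # a matching Deny ends evaluation
        decision = "Allow"             # keep looking: a later Deny still wins
    return decision


# The shape of the last answer's policy: rds:* on one database, plus a Deny on
# rds:Create* everywhere except that database (NotResource).
RDS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["rds:*"], "Resource": DB_ARN},
        {"Effect": "Deny", "Action": ["rds:Create*"], "NotResource": [DB_ARN]},
    ],
}

# The security-group question's write statement, with its all-wildcard ARNs.
SG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress"],
        "Resource": ["arn:aws:ec2:*:*:security-group-rule/*",
                     "arn:aws:ec2:*:*:security-group/*"],
    }],
}


def demo() -> dict:
    """Evaluate the requests a reviewer would probe and return the decisions."""
    return {
        # Managing the named database is allowed...
        "stop_named_db": evaluate(RDS_POLICY, "rds:StopDBInstance", DB_ARN),
        # ...including Create* against that ARN (NotResource carves it out)...
        "create_named_db": evaluate(RDS_POLICY, "rds:CreateDBInstance", DB_ARN),
        # ...but creating anything else hits the explicit Deny.
        "create_other_db": evaluate(RDS_POLICY, "rds:CreateDBInstance", OTHER_DB_ARN),
        # Describe* calls are made against resource "*", which a DB-scoped ARN
        # never matches; the start/stop answer grants them on "*" separately.
        "describe_instances": evaluate(RDS_POLICY, "rds:DescribeDBInstances", "*"),
        # Wildcard region and account match a us-east-2 security group...
        "sg_wildcard": evaluate(SG_POLICY, "ec2:AuthorizeSecurityGroupIngress", SG_ARN),
        # ...but the same pattern pinned to another region does not.
        "sg_pinned_wrong_region": iam_match(
            f"arn:aws:ec2:us-east-1:{ACCOUNT}:security-group/*", SG_ARN),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24} {decision}")
```

Run it with no arguments to print the six decisions. The order of statements is irrelevant to the outcome: evaluate() keeps scanning after an Allow precisely because a later Deny must still win, which is the property the "Deny always beats Allow" sentence above relies on.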