I want deny "sqs:CreateQueue" permission to Administrator user in AWS. is that possible ?.
The user is having the below admin permission
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "",
"Resource": ""
}
]
}
The recommended way to restrict a user from being able to perform a particular action is to use a permission boundary.
Add a permission boundary for the user with the following content:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "iam:DeleteUserPermissionsBoundary",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "sqs:CreateQueue",
"Resource": "*"
}
]
}
this will prevent the user from being able to create an SQS queue and from being able to remove the permission boundary you applied, while giving him permissions to perform all other actions.
Related
I have a user pool and an Identity pool, where the role i am giving the authenticating users in the identity pool has the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutBucketPolicy",
"s3:CreateBucket"
],
"Resource": [
"arn:aws:s3:::testbucket123",
"arn:aws:s3:::testbucket456",
"arn:aws:s3:::testbucket987"
]
}
]
}
I have created a new role called Role_testbucket456_User_X using Web Identity and added a condition where cognito-identity.amazonaws.com:sub is stringEquals to 8e23d688-1f28-445c-8966-fdcb967c8e3c, and attach to it the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::testbucket456"
}
]
}
Then I have added the Cognito user Y that has the sub 8e23d688-1f28-445c-8966-fdcb967c8e3c to a Cognito User Pool Group called testbucket456_Users
And then attached the role Role_testbucket456_User_X to this group testbucket456_Users
What I am expecting is that none of the Cognito users will have Read/Write access on any S3 bucket, except the user Y that has sub 8e23d688-1f28-445c-8966-fdcb967c8e3c to be able to access Read/Write on testbucket456 bucket. But that didn't work unfortunately.
So I have added the following Bucket Policy to the testbucket456 bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCognitoUserAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
},
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::testbucket456/*"
},
{
"Sid": "AllowCognitoUserAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::testbucket456"
}
]
}
But that still didn't work, I am still getting Access Denied issue whenever I try to call this method:
const listObjectParams = {
Bucket: 'testbucket456',
};
s3.listObjects(listObjectParams, (err: any, data: any) => {
if (err) {
console.log(err);
return;
}
console.log(data);
console.log(`Successfully listed objects in `);
});
Note
When I set the testbucket456 bucket's policy to
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCognitoUserAccess",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::testbucket456/*"
},
{
"Sid": "AllowCognitoUserAccess",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::testbucket456"
}
]
}
I am then able to access(list objects) the bucket using the Cognito users, I think the issue is with the bucket's policy itself and in the Principal field specifically.
Possible issues
Maybe the authenticated role must have permissions to assume the custom role
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
}
to be like the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket"
],
"Resource": [
"arn:aws:s3:::testbucket456"
]
},
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
}
]
}
Can anybody confirm please?
This answer was the solution, I had to change the default role given to the Cognito Users
I have created a user and grant three permissions to it.
IAMFullAccess, AmazonSageMakerFullAccess and AmazonS3FullAccess
Now when i try to setup sagemaker domain, it throw following exceptions
ValidationException
Access denied in getting/accepting the portfolio shared by SageMaker. Please call withservicecatalog:AcceptPortfolioShare & servicecatalog:ListAcceptedPortfolioShares permission.
AccessDeniedException
User: arn:aws:iam::117609614511:user/tac-sagemaker is not authorized to perform: sagemaker:CreateDomain on resource: arn:aws:sagemaker:us-east-1:117609614511:domain/d-bpq1nh2g5t9l because no identity-based policy allows the sagemaker:CreateDomain action
First, I did not understand, though i granted full sagmaker access, why its not picking createDomain policy,
Second, i go to my role and manually added these policies.
Here are policies for my sagemaker role
AmazonSageMaker-ExecutionPolicy-20220813T004513
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::s34sagemaker"
]
},
{
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::s34sagemaker/*"
]
}
]
}
SagemakerCreateDomain
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sagemaker:CreateDomain",
"Resource": "arn:aws:sagemaker:*:117609614511:domain/*"
}
]
}
sagemakerportfolioservices
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "servicecatalog:AcceptPortfolioShare",
"Resource": "arn:aws:catalog:*:117609614511:portfolio/*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "servicecatalog:ListAcceptedPortfolioShares",
"Resource": "*"
}
]
}
But still it giving me same error
Edit
I added two new policy to my user
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy
AWSServiceCatalogAdminFullAccess
Now ValidationException is gone, but still having AccessDeniedException
EDIT2:
I have attached a new custom policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:PassRole",
"iam:CreateServiceLinkedRole",
"sagemaker:CreateDomain"
],
"Resource": "*"
}
]
}
But still the error is same
I would recommend using the CloudFormation template in this blog to help create the Domain and User Profile.
https://aws.amazon.com/blogs/machine-learning/automate-a-centralized-deployment-of-amazon-sagemaker-studio-with-aws-service-catalog/
I want to have an IAM user that has the ability to create an IAM Organization and nothing more.
To achieve this, I need to create a policy that is using SLR.
I am attaching the policy to the group that my IAM belongs to.
If I use the general SLR permission policy I can create an Organization with any user.
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::*:role/aws-service-role/*"
}
When I specify the exact user resource that I want to have those permissions I can't do it anymore.
this is the template provided in the aws docs
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::*:role/aws-service-role/SERVICE-NAME.amazonaws.com/SERVICE-LINKED-ROLE-NAME-PREFIX*",
"Condition": {"StringLike": {"iam:AWSServiceName": "SERVICE-NAME.amazonaws.com"}}
},
this is mine
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::000056397000:user/root_name:role/aws-service-role/organizations.amazonaws.com/*"
}
the error I get is:
An error occurred (AccessDeniedForDependencyException) when calling the CreateOrganization operation: The
request failed because your credentials do not have permission to create the service-linked role required
by AWS Organizations.
What am I missing?
I found a work around.
Not ideal, maybe someone has a better idea.
Group with 2 policies
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::*:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations*",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "organizations.amazonaws.com"
}
}
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "organizations:CreateOrganization",
"Resource": "*"
}
]
}
I am using inline policy for grant access to s3 bucket for IAM user
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1513073615000",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::newput-test"
]
}
]
}
but on extended s3 browser when I use the access key id and secret access key of particular IAM user is not listing my bucket.but when I pass * in resources It works fine
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1513073615000",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"*"
]
}
]
}
but the problem is its giving access to all the s3 bucket to IAM user.
but I want to give access only single bucket anybody have an idea how to achieve this.
Try something like this
{
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mys3bucket",
"arn:aws:s3:::mys3bucket/*"
]
}
]
}
Its been explained here.
http://www.fizerkhan.com/blog/posts/Restrict-user-access-to-Single-S3-Bucket-using-Amazon-IAM.html
I'd like to send our new users their IAM username and temporary credentials and then require them to change their password AND require them to configure their own virtual MFA before they get access to anything else in the console.
1) When creating the user I can obviously generate a temporary password and require them to change it on first login. Security Credentials-->Manage Password-->'Require user to create a new password at next sign-in'.
2) The following policy will permit IAM users to change their own passwords:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:GetAccountPasswordPolicy"
],
"Resource": "*"
}
}
3) The following policy allows users to manage only their own virtual mfa devices:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUsersToCreateEnableResyncDeleteTheirOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ResyncMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Resource": [
"arn:aws:iam::account-id-without-hyphens:mfa/${aws:username}",
"arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
]
},
{
"Sid": "AllowUsersToDeactivateTheirOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice"
],
"Resource": [
"arn:aws:iam::account-id-without-hyphens:mfa/${aws:username}",
"arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
],
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": true
}
}
},
{
"Sid": "AllowUsersToListMFADevicesandUsersForConsole",
"Effect": "Allow",
"Action": [
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ListUsers"
],
"Resource": "*"
}
]
}
Using the three methods above I can require them to change their password and allow them to configure their own virtual MFA devices, I just don't know if there is a way to require them to configure an MFA.
AWS has a documented answer for this: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html
It's a single policy with several statements that:
Allows listing all users and all MFA devices.
Allows listing only your own user and their own MFA devices.
Allows managing your own MFA device.
Allow deactivating MFA if you have logged in with MFA.
Block access to everything else unless MFA was used for sign in.
I'm posting the complete solution because it is not a duplicate of Can you require MFA for AWS IAM accounts?, which is extremely helpful, but is not the complete solution to also allowing new IAM users to login to the console, change their password AND add their own virtual MFA by themselves.
1) Create a managed policy to allow users to change their own passwords:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:GetAccountPasswordPolicy"
],
"Resource": "*"
}
}
2) Create a managed policy to allow users to manage their own virtual mfa devices:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUsersToCreateEnableResyncDeleteTheirOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ResyncMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Resource": [
"arn:aws:iam::account-id-without-hyphens:mfa/${aws:username}",
"arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
]
},
{
"Sid": "AllowUsersToDeactivateTheirOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice"
],
"Resource": [
"arn:aws:iam::account-id-without-hyphens:mfa/${aws:username}",
"arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
],
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": true
}
}
},
{
"Sid": "AllowUsersToListMFADevicesandUsersForConsole",
"Effect": "Allow",
"Action": [
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ListUsers"
],
"Resource": "*"
}
]
}
3) Add the following condition to all policies where you want to require MFA:
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "ReadOnlyEC2RequireMFA",
"Action": [
"ec2:Describe*"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"Null": {
"aws:MultiFactorAuthAge": "false"
}
}
}]
}
4) When you create new IAM users, and assign them a password, check the box 'Require user to create a new password at next sign-in' and apply the three managed policies above (or assign the managed policies to a group and add the user to the group).
Now distribute the username and temporary password to the new IAM user. When they login it will prompt them to change their password, then they will only be able to go into IAM, select their own user account and add their own MFA device. They will need to log off and log back in using MFA to get the ec2:Describe* permissions.