We have an AWS account with an IAM group, this group contains practically 6 users and most operations in the account are done by this 6 users.
There are 12 Lambda Functions that have been created in the account and there is a particular lambda function (created by one of the 6 users) that I am trying to know who created it (The Lambda function owner).
Please is there a way to do this ?
Resources created in AWS Accounts are associated with the Account, not the IAM User that created the account.
When a user requests AWS to create resources, IAM verifies that the user has permission to create resources. If so, then the resources are created in the Account, but no relationship with the user is kept on that resource.
You can, however, use AWS CloudTrail to view information about the API request that created the resource.
From What Is AWS CloudTrail? - AWS CloudTrail:
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
Related
I'm the administrator of an AWS account that has 4 users. One of the users is racking up higher-than-expected costs.
I checked the Cost Explorer, but could not seem to configure it to view individual users.
As an administrator in AWS, how do I see all of the services this particular user has been using during a given period of time (e.g. the last 12 months)?
Thanks!
AWS resources are associated with an AWS Account, not a specific user.
If a user has the necessary permissions to create resources (eg an Amazon EC2 instance), then the instance is launched in the AWS Account, but there is no link back to the user that requested the resource.
You can, however, use AWS CloudTrail:
AWS CloudTrail is an AWS service that helps you enable operational and risk auditing, governance, and compliance of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
It will show all API calls made by the user, including the Action ('launch an EC2 instance'), their IP address, timestamp, etc. Operations in the AWS management console will also be shown, since it makes API calls on behalf of the user.
CloudTrail keeps a history of the past 90 days, but you can create specific 'Trails' that retain data permanently. If you have not done this, then it will not be possible to see what they did prior to 90 days ago.
I want to implement Security in AWS Cloud using IAM like below:
1. Restricting Region(Possible)
2. Restricting Particular Service(EC2/RDS/VPC)(Possible)
3. Restricting IAM user(Disabled other IAM user resources)(Not Sure)
4. Deleting IAM user should delete AWS Resources created by this user.(Not Sure)
I came across Cloud Training site called Qwiklabs where they restrict exactly what I need.
I already tried and done first two restrictions(Region and Services).
Now I'm not sure for remaining 3rd and 4th.
Can anyone suggest me how to implement this scenario?
Ad 3. - Can You elaborate?
In Qwiklabs Your labs are created on separate AWS account - no other users are there.
Ad. 4 - You will have to force all users to use CloudFormation do provision resources or develop a process (Lambda/Step function) triggered by delete user action
4.Deleting IAM user should delete AWS Resources created by the user - You can use AWS Cloudtrail/AWS Lambda for that.
AWS Lambda:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/RunLambdaSchedule.html
You can create a Lambda function which triggers as soon as the user logs in. The first Lambda function should create another Lambda Function with the scheduled events associated.
The second Lambda Function contains the specific user's information, instructions for deleting the resources created by the specific user and the instructions to delete the scheduled event.
With AWS CloudTrail:
By using the below sample command you can get the list of actions performed by the user.
aws cloudtrail lookup-events --lookup-attributes AttributeKey=username,AttributeValue=user#example.com
Once you have that you can delete them.
I want to call api gateway from our own backend which is a ECS cluster, and I want to use IAM authorization, is there any way to not manually sign the request using Access Key and Secret Key?
For example when Lambda call KMS to decrypt environment variables, no need to configure the AWS SDK. Wondering if there's similar thing for API gateway.
It is definitely possible, even more - it's a security best practice. You can assign IAM roles to all computing services of AWS: Lambda, EC2, ECS, Beanstalk etc. On ECS you can assign IAM roles to your tasks.
It gives a great benefit, which is well described in official docs:
Benefits of Using IAM Roles for Tasks
Credential Isolation: A container can only retrieve credentials for the IAM role that is defined in the task definition to which it belongs; a container never has access to credentials that are intended for another container that belongs to another task.
Authorization: Unauthorized containers cannot access IAM role credentials defined for other tasks.
Auditability: Access and event logging is available through CloudTrail to ensure retrospective auditing. Task credentials have a context of taskArn that is attached to the session, so CloudTrail logs show which task is using which role.
This link will help you: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
I am new to aws and I want to integrate IAM in my aws account.
I have gone through this link:
https://www.youtube.com/watch?v=KQheV84Ae40&list=PL_OdF9Z6GmVZCwyfd8n6_50jcE_Xlz1je&index=3
but not getting the proper idea.
Is there any example for that?
You can use IAM to create Users in your AWS Account.
You can then associate policies with those users, which grant them permission to use particular AWS services, such as Amazon S3. IAM is automatically integrated with every AWS service.
See: Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket | AWS Security Blog
IAM service in AWS is used for user management, that helps you securely control access to AWS resources. In IAM you can create users and you can assign roles to the users based on your needs. you can create custom policies also, AWS provides many custom policies by default once go through Its mostly self-explanatory.
How do I find out what IAM user created certain metrics and alarms?
I tried CLI commands: describe-alarms and list-metrics and they don't seem to provide this information nor when looking at the configuration for the alarms and metrics in the AWS console.
While users call APIs to create resources in AWS, those resources are associated with the AWS Account rather than a user. As long as a user has permission to create resources in the account, the resources will be created/viewed/deleted.
However, you can use AWS CloudTrail to retrieve information about the API calls themselves:
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.