Grant AWS CLI permissions - amazon-web-services

I have a user group Administrators with the following policy attached:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
My currently logged-in CLI user is part of this group; I've verified by running aws iam get-user and comparing the ARN with what I have in the web console.
Somehow there are a lot of CLI commands for which I get denied, e.g.
$ aws iam list-groups
An error occurred (AccessDenied) when calling the ListGroups operation: User: arn:aws:iam::675072143536:user/carl is not authorized to perform: iam:ListGroups on resource: arn:aws:iam::675072143536:group/ with an explicit deny
How can I perform this command?

You either have an attached policy, SCP or Permission Boundary in place that explicitly denies that operation. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html .
You may be able to inspect the policy, boundary or SCP in the IAM console, or you may need to ask someone with more permissions / control over your account for more details as to why they are there and how to possibly get permission to go around them. Right now you are not allowed to perform that command.

I was being denied by our MFA policy:
{
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
    ],
    "Resource": "*",
    "Condition": {
        "BoolIfExists": {
            "aws:MultiFactorAuthPresent": "false"
        }
    }
}

Related

Allow any user who has assumed a role in one AWS account to then assume a role in another

I am trying to configure a trust relationship for an AWS IAM role in account 111111111111 so that a user with an assumed role from account 222222222222 can assume it. However, the sts:AssumeRole action is failing because AWS says that I'm not authorised.
Here is the trust relationship that I have set. I've had to define an overly permissive principal because AWS do not allow the use of wildcards in role session principals. I am however attempting to use a condition to restrict the principal.
Note that the AWS principal explicitly matched as arn:aws:iam::222222222222:role/my_lamda_function_role is allowed to assume that role; it seems as though the only issue is with wildcards.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "ArnLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:sts::222222222222:assumed-role/my_admin_role_name/*",
                        "arn:aws:iam::222222222222:role/my_lamda_function_role"
                    ]
                }
            }
        }
    ]
}
When I try to assume the role I see the following error:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::222222222222:assumed-role/my_admin_role_name/my_session_name is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111111111111:role/my_role_that_admins_can_assume
How can I amend my trust relationship to get it working?
I believe that my issue is related to my use of Condition in the policy, because when I explicitly add my STS session to the Principal I can assume the role as expected.
However, I wish for all sessions that assume the role my_admin_role_name to be allowed, so this approach is not viable and that is why I'm trying to use Condition with a wildcard.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:sts::222222222222:assumed-role/my_admin_role_name/my_session_name",
                    "arn:aws:iam::222222222222:role/my_lamda_function_role"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Cannot attach role policy in AWS CLI [duplicate]

An error occurred (InvalidParameter) when calling the ImportImage operation: The service role vmimport does not exist

I am trying to import a disk image into AWS, for EC2 instance launching. I follow the guide as stated and fulfill all the prerequisites as stated. However, I am faced with an error that I've been trying (unsuccessfully) to debug. The error is as follows.
An error occurred (InvalidParameter) when calling the ImportImage operation: The service role vmimport provided does not exist or does not have sufficient permissions
However, when I check the permissions of the vmimport role it has all necessary permissions for EC2 and S3! My aws cli user also has full privileges to EC2 and S3. I've tried many different solutions to this problem, including:
1. Making the S3 bucket public
2. Adding an access policy so that my AWS cli user had permissions to access the bucket
Everything I have tried still returns this exact same error message... I'm thinking there might be a region problem? I'm using us-east-2 in my AWS cli user configuration, and in the S3 bucket's region. Is there something else I have not considered?
P.S. I'm trying to import an OVA format VM image.
Here is my trust policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": { "Service": "vmie.amazonaws.com" },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:Externaloid": "vmimport"
                }
            }
        }
    ]
}
and my role's policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::MY-IMPORT-BUCKET",
                "arn:aws:s3:::MY-IMPORT-BUCKET/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetBucketAcl"
            ],
            "Resource": [
                "arn:aws:s3:::MY-EXPORT-BUCKET",
                "arn:aws:s3:::MY-EXPORT-BUCKET/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:ModifySnapshotAttribute",
                "ec2:CopySnapshot",
                "ec2:RegisterImage",
                "ec2:Describe*"
            ],
            "Resource": "*"
        }
    ]
}
And finally the containers.json:
[
    {
        "Description": "My Special OVA",
        "Format": "ova",
        "Url": "s3://MY-IMPORT-BUCKET/VM.ova"
    }
]
UPDATE: After investigating the problem further, I found that the vmimport role's last access was "Not accessed", i.e. never, meaning that the role is not even being attempted to be used! So this error is clearly saying that it does not exist (it can't find the service role). In the final command there is nothing that suggests that vmimport is going to be used, nor in the containers.json. I thought this was the purpose of allowing vmie.amazonaws.com to take control. Clearly it isn't assuming the role, so I need to investigate this and STS.
The problem is in your (my) Trust Policy.json file. If you look at the condition for it to assume the role, it is that the Externaloid must be equal to vmimport. There is an added o in the attribute that it is checking; this will always be false and so vmie can never assume the role. Remove the o from the trust policy and try again, and your policy works.
I had exactly the same scenario; you need to create the vmimport role as described here (AWS docs):
https://docs.aws.amazon.com/vm-import/latest/userguide/required-permissions.html

Trying to give IAM user rights to create and assign roles, but limit the type of policies available

I'm trying to give a user the rights to create Roles (since I'm not providing rights to create Access Keys).
I have figured out a Policy to allow the user to create and assign Roles.
The issue I have is that right now, the user can create a role with the Policy of "AdministratorAccess" even though they are not Administrator. Is there a way to deny certain policies in the list of options?
Below is the policy done via the wizard provided.
Thanks,
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:UpdateAssumeRolePolicy",
                "iam:ListRoleTags",
                "iam:UntagRole",
                "iam:PutRolePermissionsBoundary",
                "iam:TagRole",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:ListInstanceProfilesForRole",
                "iam:PassRole",
                "iam:DetachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",
                "iam:ListPolicies",
                "iam:GetRole",
                "iam:ListRoles",
                "iam:DeleteRole",
                "iam:UpdateRoleDescription",
                "iam:CreateServiceLinkedRole",
                "iam:UpdateRole",
                "iam:DeleteServiceLinkedRole",
                "iam:GetRolePolicy"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        }
    ]
}
EDIT: 26/6/20
I tried to use Permission Boundaries as suggested, but perhaps my understanding is still insufficient. I made a new policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAdmin",
            "Effect": "Deny",
            "Action": [
                "iam:*"
            ],
            "Resource": "*",
            "Condition": {
                "ArnEquals": {
                    "iam:PolicyArn": [
                        "arn:aws:iam::aws:policy/AdministratorAccess"
                    ]
                }
            }
        }
    ]
}
I would think that would mean "Deny any/all iam actions when it concerns the AdministratorAccess Policy". However, the result is that all role assignments/creation are denied even when the policy being attached is NOT AdministratorAccess. However, if I set up a policy and add a Condition of ArnNotEquals the AdministratorAccess, then I seem to be able to do what I want (just using it as a policy, not as a Boundary).
Based on what I have seen, Permissions Boundary is probably the right way to go, but I cannot quite get it yet so I'm hesitant to mark it as "Correct Answer".
You can use AWS IAM Permissions Boundaries: Permissions Boundaries for IAM Entities - AWS Identity and Access Management
“A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.”
Here’s a step-by-step introduction on the AWS Security Blog: Delegate permission management to developers by using IAM permissions boundaries | AWS Security Blog
So, using directions from John Rotenstein and finally realizing where I went wrong, the way to get what I want is to add the following Permissions Boundary to the user:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BoundaryAllowAllNotAdminAccess",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "ArnNotEquals": {
                    "iam:PolicyArn": [
                        "arn:aws:iam::aws:policy/AdministratorAccess"
                    ]
                }
            }
        }
    ]
}
Where I went wrong was thinking that I needed to Deny, but the Boundary is an AND constraint, so I can allow all as long as it is not AdministratorAccess; the other policies then give the actual actions/resources, and AWS will allow as long as it doesn't use AdministratorAccess.

AWS PowerUser with MFA (IAM policy)

I templated the PowerUser policy and added an MFA condition, resulting in MFA-PowerUser like the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "NotAction": "iam:*",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        }
    ]
}
The description and intention is:
Provides full access to AWS services and resources, but does not allow management of Users and groups. MFA needed by login.
Testing EC2 with the policy simulator, all EC2 actions are denied with the reason:
implicitly denied (no matching statement)
Solved it myself. You should give the environment variable MultiFactorAuthPresent to the simulator.
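Several of the threads above turn on the same evaluation rules: a matching explicit Deny beats "Action": "*" (the MFA policy), a misspelled condition key such as sts:Externaloid can never match (the vmimport trust policy), a permissions boundary is ANDed with the identity policy rather than being a Deny list, and a Bool condition matches nothing when the simulator is not given the context key. The following toy evaluator is an added illustration, not AWS code and not from any of the posts; it models only this page's condition operators, skips Resource and Principal matching, and the policy dicts at the bottom are constructed, trimmed copies of the ones quoted above. The ctx dict stands in for the request context (or the simulator's context entries).

```python
# Added toy model of IAM policy evaluation (not AWS code, not from this thread).
# Simplified: no Resource/Principal matching; only this page's condition operators.
from fnmatch import fnmatchcase

def _hit(st, action):                 # does this statement cover the action?
    key = "Action" if "Action" in st else "NotAction"
    pats = st[key] if isinstance(st[key], list) else [st[key]]
    m = any(fnmatchcase(action.lower(), p.lower()) for p in pats)
    return m if key == "Action" else not m

def _cond_ok(cond, ctx):              # ctx: request-context key -> string value
    for op, pairs in cond.items():
        for key, want in pairs.items():
            want = want if isinstance(want, list) else [want]
            have = ctx.get(key)
            if have is None:          # absent key: ...IfExists and negated pass
                if op.endswith("IfExists") or "Not" in op: continue
                return False          # every other operator fails
            if op in ("StringEquals", "Bool", "BoolIfExists", "ArnEquals"):
                if have not in want: return False
            elif op in ("StringNotEquals", "ArnNotEquals"):
                if have in want: return False
            else: raise ValueError("operator not modelled: " + op)
    return True

def evaluate(policies, action, ctx):  # 'allow' | 'explicit-deny' | 'implicit-deny'
    allowed = False
    for pol in policies:
        for st in pol["Statement"]:
            if _hit(st, action) and _cond_ok(st.get("Condition", {}), ctx):
                if st["Effect"] == "Deny":
                    return "explicit-deny"    # a matching Deny always wins
                allowed = True
    return "allow" if allowed else "implicit-deny"

def with_boundary(identity, boundary, action, ctx):   # boundary AND identity
    r = (evaluate(identity, action, ctx), evaluate([boundary], action, ctx))
    if "explicit-deny" in r: return "explicit-deny"   # a Deny on either side wins
    return "allow" if r == ("allow", "allow") else "implicit-deny"

# Constructed policies mirroring the ones quoted in this thread (trimmed).
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
MFA_DENY = {"Statement": [{"Effect": "Deny", "NotAction": ["iam:GetUser",
    "iam:ListMFADevices", "sts:GetSessionToken"],
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "*", "Condition": {
    "ArnNotEquals": {"iam:PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}}}]}
VMIMPORT_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:Externaloid": "vmimport"}}}]}   # typo kept
```

With long-term access keys aws:MultiFactorAuthPresent is absent from the context, so evaluate([ADMIN, MFA_DENY], "iam:ListGroups", {}) yields the explicit deny from the first question, while a Deny-only boundary (the asker's first attempt) makes everything an implicit deny because a boundary must itself Allow.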