I am trying to figure out an AWS Policy that will make it so MFA is enforced for Console users but not for CLI users, anyone have any ideas for this?
No matter what I do I can't seem to exclude CLI users.
This is what I have been using.
I have tried changing lines 102-104 as a reverse version but when I do that I lose all access to AWS except through CLI..
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowViewAccountInfo",
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy",
"iam:ListVirtualMFADevices"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnPasswords",
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:GetUser"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnSigningCertificates",
"Effect": "Allow",
"Action": [
"iam:DeleteSigningCertificate",
"iam:ListSigningCertificates",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnSSHPublicKeys",
"Effect": "Allow",
"Action": [
"iam:DeleteSSHPublicKey",
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnGitCredentials",
"Effect": "Allow",
"Action": [
"iam:CreateServiceSpecificCredential",
"iam:DeleteServiceSpecificCredential",
"iam:ListServiceSpecificCredentials",
"iam:ResetServiceSpecificCredential",
"iam:UpdateServiceSpecificCredential"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Resource": "arn:aws:iam::*:mfa/${aws:username}"
},
{
"Sid": "AllowManageOwnUserMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "DenyAllExceptListedIfNoMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"sts:GetSessionToken"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
The AWS Management Console makes API calls on behalf of users. Therefore, the same policy would apply to API calls as console calls.
Therefore, if you want a different set of rules to apply within the AWS Management Console, you would need to create a separate IAM User that has:
A password for login to the console
Does not have an Access Key & Secret Key (so they can't use the CLI)
Requires Multi-Factor Authentication
Related
I am trying to set up a simple AWS SFTP server with a scoped-down policy but keep getting permission denied errors when trying to put and get.
Here is IAM Role with generic S3 bucket access:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListingOfUserFolder",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::SOME-EXAMPLE-BUKCET"
]
},
{
"Sid": "HomeDirObjectAccess",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::SOME-EXAMPLE-BUCKET/*"
}
]
}
And this is the scoped-down policy which I attach to the user when I create it in the SFTP panel:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::${transfer:HomeBucket}",
"Condition": {
"StringLike": {
"s3:prefix": [
"${transfer:UserName}/*",
"${transfer:UserName}"
]
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:GetBucketLocation",
"Resource": "arn:aws:s3:::SOME-EXAMPLE-BUCKET"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::${transfer:HomeDirectory}/*",
"arn:aws:s3:::${transfer:HomeDirectory}*"
]
}
]
}
The goal is for a user to log in and land in their home directory with read/write/delete permissions for just that directory. I've tried various policies from the following links but never quite get what I need:
Connecting to AWS Transfer for SFTP
https://docs.aws.amazon.com/transfer/latest/userguide/users.html
https://docs.aws.amazon.com/transfer/latest/userguide/requirements-roles.html
I always either get no access at all and everything is denied (i.e. can't even ls). Or I can ls but can't do anything else like mkdir, put, get, etc...
In the scoped-down policy, why do you use transfer:UserName in the ListBucket condition rather than transfer:HomeDirectory like in the Put/Get/DeleteObject statement? Is the HomeDirectory of the user the same as its username?
What happens when you try something like this?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::${transfer:HomeBucket}",
"Condition": {
"StringLike": {
"s3:prefix": [
"${transfer:HomeDirectory}/*",
"${transfer:HomeDirectory}"
]
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:GetBucketLocation",
"Resource": "arn:aws:s3:::SOME-EXAMPLE-BUCKET"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::${transfer:HomeDirectory}/*",
"arn:aws:s3:::${transfer:HomeDirectory}*"
]
}
]
}
Do not use ${transfer:Username} in the scoped down policy. Also, make sure you specify it as Policy key within secrets manager.
I have documented the full setup here in case you need to reference it - https://coderise.io/sftp-on-aws-with-username-and-password/
I'm trying to restrict access to an S3 bucket to a single EC2 role. I've attached the following bucket policy to the bucket, and the bucket has public access turned off. However when the policy is applied, I can still get to the bucket using curl from an instance without the role attached. Can anyone let me know what I'm missing?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucketname",
"Condition": {
"StringLike": {
"aws:userid": [
"AROQQQCCCZZDDVVQQHHCC:*",
"123456789012"
]
}
}
},
{
"Sid": "",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringLike": {
"aws:userid": [
"AROQQQCCCZZDDVVQQHHCC:*",
"123456789012"
]
}
}
},
{
"Sid": "",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucketname/*",
"arn:aws:s3:::bucketname"
],
"Condition": {
"StringNotLike": {
"aws:userid": [
"AROQQQCCCZZDDVVQQHHCC:*",
"123456789012"
]
}
}
}
]
}
I believe the following S3 policy should do the job. Remember to replace role arn with the correct one which I assume it attached to your EC2 instance. Also, make sure your ec2 role has correct policy to perform list,get,put,delete actions.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExplicitDenyAllActions",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucketname/*",
"arn:aws:s3:::bucketname"
]
},
{
"Sid": "AllowListForIAMRole",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:role/ROLENAME"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucketname"
},
{
"Sid": "AllowDeleteGetPutForIAMRole",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:role/ROLENAME"
},
"Action": [
"s3:Delete*",
"s3:Get*",
"s3:Put*"
],
"Resource": [
"arn:aws:s3:::bucketname/*",
"arn:aws:s3:::bucketname"
]
},
{
"Sid": "AllowAllActionForUser",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111111111111:user/USERNAME"
]
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucketname/*",
"arn:aws:s3:::bucketname"
]
}
]
}
Useful docs where you can find more info -> AWS docs on s3 policies
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1506369084151",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::account_#:user/user_name"
}
]
}
I have this above policy which should enable users to set-up MFA by themselves.
However, when I test this policy (by logging in as one of the users, I am not able to perform the desired action)
What am I missing in the policy snippet?
PS: The policy is attached to the user I try to log-in as. So this silly mistake is ruled out.
This works for me:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowEnableResyncDeleteListMFA",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ResyncMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Resource": [
"arn:aws:iam::AWS_ACCOUNT_ID:mfa/${aws:username}",
"arn:aws:iam::AWS_ACCOUNT_ID:user/${aws:username}"
]
},
{
"Sid": "AllowDeactivateMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice"
],
"Resource": [
"arn:aws:iam::AWS_ACCOUNT_ID:mfa/${aws:username}",
"arn:aws:iam::AWS_ACCOUNT_ID:user/${aws:username}"
],
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": true
}
}
},
{
"Effect": "Allow",
"Action": [
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ListUsers"
],
"Resource": "*"
}
]
}
I am trying to setup and assign a policy so that a user can only trigger AWS Systems Manager Services (SSM) Run Commands on only authorized or assigned EC2 instances to them.
To do this, I am following instructions from https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sysman-configuring-access-iam-create.html and as per it, I created below custom policy with provisioning access for only 1 EC2 instance:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ssm:ListDocuments",
"ssm:DescribeDocument*",
"ssm:GetDocument",
"ssm:DescribeInstance*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:SendCommand",
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
"arn:aws:s3:::test-ssm-logs/TESTSERV",
"arn:aws:ssm:us-east-1:123456789012:document/AWS-RunPowerShellScript"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Name": "TESTSERV"
}
}
},
{
"Action": [
"ssm:CancelCommand",
"ssm:ListCommands",
"ssm:ListCommandInvocations"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DescribeInstanceStatus",
"Effect": "Allow",
"Resource": "*"
}
]
}
After I assigned above policy to a test user and when I log in using it and navigate to "Run Command", under Target Instances I see other EC2 instances as well and I am even able to execute commands to them as well. Shouldn't the user only see the 1 instance that is specified in above policy?
I do not understand what am I doing wrong here and how to fix it? Appreciate your help.
Thanks!
I have below IAM policy assigned to all my EC2 system instances:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeAssociation",
"ssm:GetDeployablePatchSnapshotForInstance",
"ssm:GetDocument",
"ssm:GetParameters",
"ssm:ListAssociations",
"ssm:ListInstanceAssociations",
"ssm:PutInventory",
"ssm:UpdateAssociationStatus",
"ssm:UpdateInstanceAssociationStatus",
"ssm:UpdateInstanceInformation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricData"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstanceStatus"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ds:CreateComputer",
"ds:DescribeDirectories"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutLogEvents"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:ListBucketMultipartUploads"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::amazon-ssm-packages-*"
}
]
}
Also, I have below IAM policy assigned to test user to so that they can Start/Stop/Restart EC2 instances:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:RebootInstances"
],
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Name": "TESTSERV"
}
}
}
]
}
I was able to make this work by adjusting policy as below:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ssm:ListDocuments",
"ssm:DescribeDocument*",
"ssm:GetDocument",
"ssm:DescribeInstance*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:SendCommand",
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
"arn:aws:s3:::nsight-ssm-logs/TESTSERV",
"arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript"
]
},
{
"Action": [
"ssm:CancelCommand",
"ssm:ListCommands",
"ssm:ListCommandInvocations"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DescribeInstanceStatus",
"Effect": "Allow",
"Resource": "*"
}
]
}
My requirement was to only allow execution of PowerShell scripts so the line:
"arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript"
You can replace AWS-RunPowerShellScript with * to allow all commands.
Also, the EC2 Role assignment was necessary since without it I couldn't see any instances under Run Command.
Please also know that the user would see all instances under Run Command but will only be able to execute commands for the EC2 instances for which the policies are assigned to, user account. I do not think there is any option to suppress this.
Thanks for your contribution and helpful tips.
I'm trying to use a Lambda function to trigger an Elastic Transcoder job, but I keep getting this error message:
AccessDeniedException: User: arn:aws:sts::xxx:assumed-role/xxxx/xxx is not authorized to perform: elastictranscoder:CreateJob on resource: arn:aws:elastictranscoder:xxxxx:pipeline/xxxxx
My IAM user policy covers all access requirements:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1465486106000",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:GetLogEvents",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Resource": [
"arn:aws:logs:*:*:*"
]
},
{
"Sid": "1",
"Effect": "Allow",
"Action": [
"s3:Put*",
"s3:ListBucket",
"s3:*MultipartUpload*",
"s3:Get*"
],
"Resource": "*"
},
{
"Sid": "2",
"Effect": "Allow",
"Action": "sns:Publish",
"Resource": "*"
},
{
"Sid": "3",
"Effect": "Deny",
"Action": [
"s3:*Delete*",
"s3:*Policy*",
"sns:*Remove*",
"sns:*Delete*",
"sns:*Permission*"
],
"Resource": "*"
}
]
}
Why am I getting the AccessDeniedException and how can I fix it?
Change your policy to below and then try it will work
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1465486106000",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:GetLogEvents",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Resource": [
"arn:aws:logs:*:*:*"
]
},
{
"Sid": "1",
"Effect": "Allow",
"Action": [
"elastictranscoder:*",
"s3:Put*",
"s3:ListBucket",
"s3:*MultipartUpload*",
"s3:Get*"
],
"Resource": "*"
},
{
"Sid": "2",
"Effect": "Allow",
"Action": "sns:Publish",
"Resource": "*"
},
{
"Sid": "3",
"Effect": "Deny",
"Action": [
"s3:*Delete*",
"s3:*Policy*",
"sns:*Remove*",
"sns:*Delete*",
"sns:*Permission*"
],
"Resource": "*"
}
]
}
You dont need to change json by editing.
First of all detect which role you want to edit ?
1-) Click Permisson http://prntscr.com/j1giww
2-) see the role name http://prntscr.com/j1gj6s
3-) go to IAM Roles
4-) select the roles that you see at step 2
5-) edit policy and add Transcoder Full Access ( Or selected access )