Accessing AWS resources (aws xray) from GCP or Azure - amazon-web-services

We would like to access the aws xray which is deployed in multiple regions like Europe, US-east and US-west.
I would like to access these using access key id and secret access key id and maybe session token as well.
I want to know is it necessary to specify the region while accessing the aws xray resources of these regions.
What if I don't specify the region and just specify the keys to access the AWS resource (aws xray); will we be able to access those?
Customer-centric exact issue:
We have to talk to a customer, he is going to say that he has deployed AWS xray in three regions.
We usually access the Customer's resource and get data and do some processing.
So What details we should say to the customer that we would need from him ?
Thanks in advance.

You can create a role that users in other accounts or people outside of your organization can use to access your resources. You can specify who is trusted to assume the role. For services that support resource-based policies or access control lists (ACLs), you can use those policies to grant people access to your resources.
In case you need to provide access to an externally authenticated users (identity federation): https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html

AWS X-Ray traces are stored in specific regions as configured on X-Ray Daemon or the AWS managed services. If you want to use X-Ray APIs to send or fetch traces, you'll have to provide the region as well.
Are there any specific X-Ray APIs/Resources you're looking to use?

Related

AWS IAM Roles : How to identify specific permission for each AWS service

We have started initially by defining roles with admin access policy attached. But now we want them to have policy with only specific permissions that are minimum and does not create any issues for using these roles.
Looking at "Access Advisor" tab on each role under AWS IAM console, it gives good amount of information that exactly which AWS services getting used and permission level information only for EC2, IAM, Lambda, and S3 management actions services. But for rest of other AWS services, missing that what specific permission for that particular service is required.
Also not having AWS Organizations master account access as mentioned in this tutorial: Viewing last accessed information for Organizations.
So is there a way I can get the permissions level info for services other than EC2, IAM, Lambda, and S3 management actions?
Thanks.
So is there a way I can get the permissions level info for services other than EC2, IAM, Lambda, and S3 management actions?
Sadly, there is no such way provided by AWS. So basically its try-and-see approach to get what you want. You can try some third party tools, which may be helpful, such as zero-iam, but ultimately, you will need custom solution to match your requirements.
There is also IAM Access Analyzer which is different then Access Advisor. But its also limited to some services only.

Can AWS Lambda do Cross Account Activity?

Can we use AWS Lambda for cross account activity. For example, I want to store a Parameter in SSM Parameter store in multiple AWS Accounts. Imagine I have a Master AWS Account which has access to all other AWS Accounts. Now can I write a python script for storing the parameter and make use of AWS LAMBDA to perform this.
Yes Definitely. AWS services are by default explicitly denied access from anywhere. Thats where AWS IAM (Identity & Access Management) came into the picture.
Delegate Access Across AWS Accounts Using IAM Roles
Let say you have a master account that has a services needed by multiple accounts. The first thing you will do is provision the resource from that master account and then by doing so you are applying right policies that will give an access to the other accounts.
Lastly, some other services are protected by layers of protection such as NACL's for network layer protection and Security Groups for application layer protection. For this services that are protected by layers mentioned, you simply just need to check if these layers accepts and send traffic from the application ports that you're are using.
e.g. EC2 Security Group - Ingress Rule: 80, 443 0.0.0./0
Imagine I have a Master AWS Account which has access to all other AWS Accounts.
This is usually setup by AWS Organizations. It helps with management and governance of all your accounts in a unified way.
System manager, which include Parameter store has special provisions for working with AWS Organizations:
You can synchronize operations data across all AWS accounts in your organization by using Organizations and Systems Manager Explorer.
The generall cross-account concepts have been addressed by other answer.

How to put an app on the AWS Marketplace that requires S3 resources

I have an application on an EC2 Instance that I wish to put on the AWS Marketplace. The application uses AmazonS3 and on startup requires users to enter an Access Key, Secret Key, and a BucketName. It then uses the Accekey, and secretkey to create a bucket (specified by BucketName). However, this isn't allowed on the AWS Marketplace.
However, for AWS Marketplace,we require application authors to use AWS
Identity and Access Management (IAM) roles and do not permit the use
of access or secret keys.
Question
I am confused as to how to get around this and still put my AMI on the AWS Marketplace. My goal is for users to create their own S3 buckets in their own AWS Environments.
Your customers can create AWS IAM roles with access to the required resources (S3 buckets), and allow your account to use those roles.
The reasoning behind this mechanism is that your customers can follow the principle of least privilege and limit access to very specific resources and actions on those resources (instead of providing unsecured / root access to their entire account)

How to transfer credentials to EC2 instances (non AWS creds)

I have a scaling group of several EC2 instances.
I have API keys which I would like to distribute to the instances using round-robin.
How can I code the instances to get the credentials once they go live?
Is there an AWS service for that?
It is not AWS credentials which could be solved by defining IAM Roles.
Thanks
Use "user data" option when you start your EC2 instance, You can run the bash script.
I recommend the following step.
1-put your cred or other shared information to S3 or dynamoDB.
2-write script to read and setting this data when your EC2 was starting.
The closest thing AWS has to this is called IAM Roles. A role includes a set of IAM permissions (like an IAM user). When you start a VM, you can set the role of the VM. The VM can then call the AWS API and get temporary credentials that give it access to the services that are defined in the IAM role.
See here for more details:http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
This does not exactly meet your requirement for round-robin credentials distribution. But it might be a better option. IAM roles are as secure a method of distributing credentials to EC2 instances as you can get.
AWS now provides two services that could be used for that purpose:
The Secrets Manager would seem to be the most fitting, but does cost money from the start.
The Parameter Store is also an option and is free for up to 10k parameters.

How do we provide our AWS app with access to customers' resources without requiring their secret key?

I am in the early stages of writing an AWS app for our users that will run our research algorithms using their AWS resources. For example, our code will need to spin up EC2 instances running our 'worker' app, access RDS databases, and create access SQS queues. The AWS Java SDK examples (we are writing this in Java) use a AwsCredentials.properties file to store the Access Key ID and Secret Access Key, which is fine for examples, but obviously not acceptable for our users, who are would be in essence giving us access to all their resources. What is a clean way to go about running our system on their behalf? I discovered AWS Identity and Access Management (IAM) which seems to be for this purpose (I haven't got my head around it yet), esp. Cross-account access between AWS accounts. This post makes it sound straightforward:
Use the amazon IAM service to create a set of keys that only has
permission to perform the tasks that you require for your script.
http://aws.amazon.com/iam/
However, other posts (e.g., Within IAM, can I restrict a group of users to access/launch/terminate only certain EC2 AMIs or instances?) suggest there are limitations to using IAM with EC2 in particular.
Any advice would be really helpful!
The key limitation with regards to RDS and EC2 is that while you can restrict access to certain API actions there are no resource level constraints. For example with an IAM S3 policy you can restrict a user to only being able to perform certain actions on certain buckets. You can write a policy for EC2 that says that user is allowed to stop instances, but not one that says you can only stop certain instances.
Another option is for them to provide you with temporary credentials via the Security Token Service. Another variant on that is to use the new IAM roles service. With this an instance has a set of policies associated with it. You don't need to provide an AwsCredentials.proprties file because the SDK can fetch credentials from the metadata service.
Finally one last option might be consolidated billing. If the reason you are using their AWS resources is just because of the billing, then setup a new account which is billed from their account. The accounts are isolated from each other so you can't for example delete their instances by accident. Equally you can't access their RDS snapshots and things like that (access to an RDS instance via mysql (as opposed to the AWS api) would depend on the instance's security group). You can of course combine this with the previous options - they could provide you with credentials that only allow you to perform certain actions within that isolated account.