Kind of a newbie still with AWS IAM. Is there a way to find all of the available Roles in a given account that have a specific Policy attached? i.e. if you only know the Policy, and you don't know the roles it's attached to, how do you find all of the roles that a given policy is attached?
If you're using API/CLI, you can make use of the ListEntitiesForPolicy call. A CLI command that you could run would be:
$ aws iam list-entities-for-policy --policy-arn <arn_of_policy> --entity-filter Role
Go to Identity and Access Management (IAM) -> Policies -> Choose a spesific policy. The info you are looking for is under Policy usage tab.
Related
I followed the instructions here to set up and remove a python lambda function (and associated AWS resources).
When I try to clean up the function, role-policy and role, the instructions failed because the CLI does not manage to find the attached role policies. In particular, if I run:
aws iam list-role-policies --role-name myrolename
... I get an output of:
{
"PolicyNames": []
}
But when I look up the same role in the AWS console, I can see the policy is there.
So what is going on here? Is this an AWS bug (CLI version aws-cli/2.1.33 Python/3.9.2 Darwin/20.4.0 source/x86_64), or am I muddled up here somehow?
As i can see from the image, its a managed policy and unfortunately list-role-policies only Lists the names of the inline policies that are embedded in the specified IAM role.
Doc says
An IAM role can also have managed policies attached to it. To list the managed policies that are attached to a role, use ListAttachedRolePolicies
use this for example
aws iam list-attached-role-policies --role-name SecurityAuditRole
I am using metricbeat to monitor metrics from a few AWS accounts. I have read through the doc: https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-aws.html
it says to configure the credential as environment variables or in aws credential file. But I'd like to use cross account IAM policy to access different AWS account. That means metricbeat needs to assume a role when it tries to query metrics. How can I achieve this in metrcibeat? I can't find related doc in their document.
So you can specify the IAM Role like this
Metricbeat Configuration Params
metricbeat.modules:
- module: aws
period: 300s
metricsets:
- ec2
role_arn: arn:aws:iam::123456789012:role/test-mb
I would say there is nothing like Cross Account Policy.
Your role has permissions based on the policies you assign to it via IAM Policies.
When you wanna use Cross-Account IAM Roles, you still have to assign IAM Policies on the role you create in the destination account + an IAM Trust Policy as well so that you can assume the role from another account, In addition to that your source IAM Role must have permissions to assume the destination IAM Role
IAM Role Delegation
How to use trust policies with IAM roles
IAM Tutorial: Delegate access across AWS accounts using IAM roles
Suppose, I am AWS IAM user, is there any way so that I can check what resource permission has been given to me, using CLI or Console.
Unfortunately, there is no comprehensive tool for that. In IAM console you can only check your user's IAM profile or group permission you belong to.
But full set of privileges is a very complex thing to get. Apart from obvious IAM user or group permissions you can have:
IAM roles which you can assume,
resource policies which you are listed as a principle (e.g. bucket policy, kms key policy),
resource policies where a role you can assume is a principle,
cross-account permissions in IAM roles or resource policies,
AWS Organization level SCP permissions.
If the reason for asking this question is related to security, e.g., to check what resources were accessed by a compromised IAM user credentials, you suspend the credentials or delete the user. Also can inspect the CloudTrial history to check what resources a given IAM user accessed.
is there a way to find out what all resources are using an IAM role. Because I want to modify that and wanted to check what all could affect my modification.
Not quite.
Services can "assume" a role. This happens when the activity is run (eg when an AWS Lambda function is invoked, or when an Amazon EC2 instance is launched). Thus, there is no permanent 'link' between roles and services. Therefore, it is not possible to say "list me everything that is using this IAM Role".
However, you could list services and see which roles they are configured to use. For example, you could describe EC2 instances and check what IAM Role they are configured to use. However, you would need to do this for all services that you know are potentially using the roles.
You can find where an IAM role is used from based on the past usage.
I can think of few ways.
method 1 - Access Advisor
click the "Access Advisor" tab section that appears when you click an IAM role
check last accessed time of each services
method 2 - Cloudtrail
the cli command will tell you which services/user assumed the role and also the action they performed.
aws cloudtrail lookup-events --max-results 20 --lookup-attributes AttributeKey=ResourceName,AttributeValue=arn:aws:iam::012345678901:role/lambdaRole --output json --query "Events[*].[CloudTrailEvent]"
What difference between policies under the paths "aws:policy/service-role" and "aws:policy/aws-service-role"?
Is there any the logic behind this design?
The AWS managed policies within the aws-service-role path are policies that be attached to a service-linked role only.
If you go to AWS Console -> IAM -> Policies, filter by AWS Managed Polices and start clicking on them, you'll notice the ones with the aws-servive-role path have a help label at the top that reads "This policy is linked to a service and used only with a service-linked role for that service. You cannot attach, detach, modify, or delete this policy.". There might be a way to filter down to the service-linked policies in the AWS Console or CLI when desribing policies other than inspecting the paths, but it alludes me right now.
You can see their usage described here
https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html.
Here also is the blog post that describes what a service-linked role is https://aws.amazon.com/blogs/security/introducing-an-easier-way-to-delegate-permissions-to-aws-services-service-linked-roles/. Basically these are roles that can only be assumed by a specific service type.
The AWS managed policies in the service-role path are policies that can be attached to any role including "normal/basic" roles. These types of roles can be assumed by users, EC2 instances, or anywhere else roles are assumed.
For example you could give someone permission to attach a linked-service role that has the policy arn:aws:iam::aws:policy/aws-service-role/AWSLambdaReplicator attached which is only attachable to a linked-role linked to the Lambda service. They would be able to use this role in the Lambda execution role, but they would not be able to use this role with another service like EC2 or an IAM user. This supports an admin allowing users to assign out permissions to new resources that users spins up (a new Lambda) that that the admin trusts the linked AWS service to use, but don't want to allow that user to access directly through their user account or give them to other custom applications running in AWS.