My team has an account with full permission on SNS as long as we act on resources based on a certain prefix
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sns:CreateTopic",
// ...
"sns:ListTopics",
// ...
],
"Resource": "arn:aws:sns:eu-west-1:{redacted}:team-prefix-*"
},
We can do most operations just fine, at least the ones we most need, but if we try to list the topics we get a forbidden error
SNS: ListTopics, AuthorizationError: User xxx is not authorized to perform: SNS:ListTopics on resource: arn:aws:sns:eu-west-1:{redacted}:*
We are using the new go SDK v2, and we cannot find a way to query only for our topics, is there a way to list them or do we need list permissions on all the account topics?
sns:ListTopics does not have a resource filter per (https://docs.aws.amazon.com/sns/latest/api/API_ListTopics.html) its an all or nothing operation.
Except from amazon docs: if you specify a resource type in a statement with an action that does not support that resource type, then the statement doesn't allow access. link
Typically, this is what the IAM document should look like if you want to be able to list.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sns:CreateTopic"
],
"Resource": "arn:aws:sns:eu-west-1:{redacted}:team-prefix-*"
},
{
"Effect": "Allow",
"Action": [
"sns:ListTopics",
],
"Resource": "*"
},
...
If separation at the granular level is really that big of a concern, separate AWS accounts should be used.
Related
I have created policy like below. I want to allow to CreateRole with snowflake_access policy only. Every time I'm executing the lambda code I can also attach other policies to this role. I don't know why because clearly I have denied other policies and allow only one. Can someone help me with that?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "iam:CreateRole",
"Resource": "arn:aws:iam::*:role/snowflake-role*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "iam:AttachRolePolicy",
"Resource": [
"arn:aws:iam::7882...:policy/snowflake_access",
"arn:aws:iam::*:role/snowflake-role*"
]
},
{
"Sid": "VisualEditor2",
"Effect": "Deny",
"Action": "iam:*",
"Resource": [
"arn:aws:iam::*:role/snowflake-role*"
]
}
]
}
If you look at actions defined by IAM, you will see a table that maps actions to, among other things, resource types and condition keys. For example:
Action
Resource Type(s)
Condition Keys
AttachRolePolicy
role*
iam:PolicyARNiam:PermissionsBoundary
CreateRole
role*
iam:PermissionsBoundaryaws:TageKeysaws:RequestTage/${TagKey}
Note specifically that the AttachRolePolicy action applies to IAM roles only, not to policies. You've indicated a role ARN (snowflake-role*) and a policy ARN (snowflake_access), but only the former is legal here.
The same table entry also indicates that iam:PolicyARN is a valid condition key for the AttachRolePolicy action. So, to indicate a policy ARN, you can add a condition key of iam:PolicyARN, something like this.
{
"Sid": "sid1",
"Effect": "Allow",
"Action": "iam:AttachRolePolicy",
"Resource": [
"arn:aws:iam::*:role/snowflake-role*"
],
"Condition": {
"StringEquals": {
"iam:PolicyARN": "arn:aws:iam::7882...:policy/snowflake_access"
}
}
},
I'm not sure this resolves all of the problems you have, but I think it's one part of the problem.
We are using AWS MediaConverter to convert videos to mp4 format. But MediaConvrter is giving this error in the job:
Unable to write to output file [s3://{path_to_file}]: [Failed to write data: Access Denied]
Obviously, MediaConverter doesn't have write access to bucker, but I don't know how to give them to it.
We have following policy for S3:
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::{CloudFront-origin}"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::{S3-bucket}/*"
},
{
"Sid": "2",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::{role-for-our-API}",
"arn:aws:iam::{MediaConverter-role}"
]
},
"Action": "*",
"Resource": "arn:aws:s3:::{S3-bucket}/*"
}
]
}
Our ACL gives Write, List permission only for Bucket Owner. Previously everyone could List and Write objects and MediaConverter worked, but we found this we could not accept List and Write permissions for everyone.
Block public access is off for every point.
IAM user that we using for API and Role that we are using for MediaConverter have all the permissions for S3 (AmazonS3FullAccess).
Appreciate any help, thank you.
I would like to make sure you have set the AccessControl to BUCKET_OWNER_FULL_CONTROL in Mediaconvert job settings. It sounds like this isn't being set in the job settings and since the bucket requires the objects to be set with the Bucket owner full control ACL.
Setting can be found under all the Output Group settings, under destination settings.
"DestinationSettings": {
"S3Settings": {
"AccessControl": {
"CannedAcl": "BUCKET_OWNER_FULL_CONTROL"
}
}
Regards
Michael
#uliaadamchuk Try to create a new role(ex: media-converter) and add the Role ARN to the Job Setting:
Step 1: Go to IAM Role > Create Role > look for MediaConverter and attach AmazonS3FullAccess and AmazonAPIGatewayInvokeFullAccess (optional) policies or use JSON version below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
Step 2: In the Media Converter Job Settings > Settings> Add IAM Role> add the Role ARN: ex- "arn:aws:iam::741xxxxxx:role/media-converter"
Step 3: Create the job and check whether now its working or not !!
I believe that the configuration should be as follow. Please note the changes in "Action" and "Resource" where you were missing top level bucket.
{
"Sid": "2",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::{role-for-our-API}",
"arn:aws:iam::{MediaConverter-role}"
]
},
"Action": "s3:*",
"Resource": ["arn:aws:s3:::{S3-bucket}","arn:aws:s3:::{S3-bucket}/*" ]
}
I had the same problem. I was using the default MediaConvert role which I had modified and it didn't have permission for what I was trying to do.
So, I made a new role for MediaConvert.
Name it MediaConvertRole.
Policies
Note: click "Attach policies" button, these are pre-made policies provided by Amazon. You don't have to create these from scratch yourself.
AmazonS3FullAccess
Whose policy looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*",
"s3-object-lambda:*"
],
"Resource": "*"
}
]
}
AmazonAPIGatewayInvokeFullAccess
Whose policy looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"execute-api:Invoke",
"execute-api:ManageConnections"
],
"Resource": "arn:aws:execute-api:*:*:*"
}
]
}
When you create your MediaConvert job, make sure to select the right role:
I initially tried with all the json policies in the below link.
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.html#customer-managed-policies-cwl
And i finally got a solution of giving "list, read, write" access to one specific loggroup for an IAM user by using below JSON policy. But it is able to see the list of other log groups as well. As per the below JSON policy i tired limiting the resource for listing as well. It didn't work.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"logs:GetLogRecord",
"logs:DescribeLogGroups"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"logs:Describe*",
"logs:FilterLogEvents",
"logs:GetLogEvents"
],
"Resource": "arn:aws:logs:us-east-1:XXXXXXXXXXXX:log-group:/aws/lambda/XXXX:log-stream:*"
}
]
}
But then i found the tagging as a solution and tried tagging the loggroup and user with same tag and tried below JSON policy. That didn't work either.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:*"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringLike": {
"logs:ResourceTag/Team": "Green"
}
}
}
]
}
Please can someone kindly suggest a way where i could give access to one specific IAM user for only one group to either, list&read or list,read&write. But that user should not be able to see the other log groups.
But it is able to see the list of other log groups as well
That's not something you can do typically within AWS. Generally IAM permissions can't affect on the result of an API action. It can't filter it to only show something in particular. This is one the reasons AWS recommends to isolate workloads by using different accounts, as API calls are only scoped to one account.
In this case, you can either not give access at all or give access to list everything.
I want to set up IAM policies to allow an user to publish to SNS to send SMS and to publish to a specific SNS arn.
I have found a way to allow SMS publish without allowing any SNS publish :
Authorization when sending a text message using AmazonSNSClient
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"sns:Publish"
],
"Resource": "arn:aws:sns:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"sns:Publish"
],
"Resource": "*"
}
]
}
But this policy is explicitly denying all other SNS publish, so I can't add a policy allowing a specific SNS.
The problem is that SMS publish does not have a specific arn.
So I am looking at conditions to find a way to limit the allow to publish only SMS. But the specific SMS parameters (PhoneNumber cf https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/SNS.html#publish-property) cannot be filtered in condition :
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sns:Publish",
"Resource": "*",
"Condition": {"Null":{"PhoneNumber":"false"}}
}
]
}
Is there a way to accomplish such a policy ?
Actually to do the trick I found a way using an allow whit the NotResource JSON Policy Element (spec). I use this property to match the resources which do NOT have an ARN:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sns:Publish"
],
"NotResource": "arn:aws:sns:*:*:*"
}
]
}
With this trick I can allow all sns Publish without ARN (but I don't know if there is any other services then SMS...).
This also allow me to allow specifics ARN in another policy.
I need to create policy that would allow user to create spot requests, but with specific subnet and security group only. This is what I did:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RequestSpotInstances",
"Resource": [
"arn:aws:ec2:us-east-1:123456789012:image/ami-*",
"arn:aws:ec2:us-east-1:123456789012:subnet/subnet-af016c92",
"arn:aws:ec2:us-east-1:123456789012:subnet/subnet-12a34d3c",
"arn:aws:ec2:us-east-1:123456789012:subnet/subnet-f0e844cd",
"arn:aws:ec2:us-east-1:123456789012:subnet/subnet-026ae728",
"arn:aws:ec2:us-east-1:123456789012:key-pair/*",
"arn:aws:ec2:us-east-1:123456789012:security-group/sg-b5dd94cd",
"arn:aws:ec2:us-east-1:123456789012:security-group/sg-3bda8c42"
]
}
]
}
But my spot request creation still fails:
botocore.exceptions.ClientError: An error occurred (UnauthorizedOperation) when calling the RequestSpotInstances operation: You are not authorized to perform this operation.
What is the minimum subset of permissions for RequestSpotInstances action?
Is there some possibility to debug this?
I know this is an old issue, but I just ran across the same issue in my environment. The solution for me was adding an IAM permission for "PassRole"
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1479335761363",
"Action": [
"ec2:DescribeInstances",
"ec2:RequestSpotInstances",
"ec2:RunInstances",
"iam:PassRole"
],
"Effect": "Allow",
"Resource": "*"
}]
}
According to the EC2 docs (here), ec2:RequestSpotInstances is an action which falls into the category of "Unsupported Resource-Level Permissions." Unfortunately, you will have to set the resource tag to all resources, like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RequestSpotInstances",
"Resource": [ "*" ]
}
]
}
As far as debugging goes, don't forget about the IAM policy simulator, which can be accessed from the AWS Console => IAM => User page.