I have created a new AWS account. During the creation process I had to provide an email id, password and account name.
To login I use my email id and password.
What exactly is the purpose of AWS account name? Is it like a company name? So a container where I am the administrator?
If I want to add users then do I have to create users in IAM or do I have to ask them to create an account first with AWS?
In AWS the account is tied to an email address, this is one of the unique identifiers for your account (you cannot have multiple accounts tied to one email address).
When your account is created it will have an account ID, you can create an alias (that must be unique) that will map to this account ID and can be used during authentication.
The email address is used to login to the root user in AWS, this user should not be used to interact with AWS services and should be locked down with MFA and a good password. By default it is the only way to see and configure billing information.
A user who should be tied to this account should have an IAM user created for them with an appropriate policy that will allow them to do their job role. They should not be registering for AWS as this will create an AWS account for them vs joining your account.
When they login they should enter either an account ID or the alias, along with their IAM console credentials (not the same as access key/secret key).
Related
Users login to our AWS account via okta. Hence when i checked, there are no users under IAM.
I have a requirement to check if a certain user has access to a resource in aws. I only get the user's email, and then need to check if that user has access to the resource.
Is there any way i can do this with aws API?
From cloud trail, i got below arn for an user.
arn:aws:sts::xxxxxx:assumed-role/<Group Name>/abcd.xyz#email.com
Tried to query using IAM api, but it wont accept email abcd.xyz#email.com as a valid username.
My entire team accesses a single AWS account through federated login. Apart from my team, only admin (root user) has access to this account. But the root user is only for administration purpose.
We all login to the AWS console through a SAML-based SSO. The navbar of the AWS console shows the user info as:
Federated Login:
TEAM-NAME/email.of.logged.in.user#organization.com
Account:
1234-5678-1234
Since it is a single account, the account id is common for all federated users. But the emails are their own. Also, on clicking "My Account" link in navbar, the account name is shown as
assumed-role/TEAM-NAME/email.of.logged.in.user#organization.com
A part of my project is to identify the creator of some AWS resources. Now, suppose a bucket was created by some federated user. Can I, another federated user, track who (email) created this bucket? What about other kind of resources (not just s3 buckets)?
You can track that using the Amazon cloud trail. But as a federated user, you will have to make sure that you have Amazon Cloud Trail access. Once you've Cloud Trail access you can filter the bucket name using Resource Name filter.
Given an AWS account ID, I'd like to programmatically retrieve its account alias from an uncredentialed client. Is this possible? If so, how?
If I have credentials for the account, it's straightforward to get the account alias. What I don't know is how to get the alias without credentials.
I'm writing a client that retrieves temporary security tokens using the AWS Security Token Service (STS) and SAML. I have a list of AWS account IDs and a list of roles that can be assumed. I'd like to display this information to the user in a friendly way (ie. translate the account IDs to account names), but I don't want to have to assume all the roles to do so.
I have my enterprise Quicksight in place and with users using our company email to register an account (like john.doe#mycompany.com). We're using Gmail for business.
On the other hand we have developed another application backed by AWS Cognito user pool using Google as an identity provider, and since this is the same user base our intention was to use the same user pool for Quicksight access. In addition we will develop a Lambda that would synchronize Cognito user group association with Quicksight memberships if/when necessary.
I've followed the example described here https://aws.amazon.com/blogs/big-data/use-amazon-quicksight-federated-single-sign-on-with-amazon-cognito-user-pools/, but the problem is that even though I login as different users I get access to Quicksight via same IAM role. The Quicksight user associated with this role has a specific username starting with CognitoQuickSight1-AuthRole-KX4Y16... and email associated with the user I used to login the very first time.
Now I'm wondering if in this setup it's even possible to have different roles associated with different users so they can be differentiated on Quicksight side? Or is there any other way to achieve this?
I don't think you can assign QuickSight user specific permission on Federated users.
Some AWS services allows to use the user identity in the resource base IAM policy. For example S3 (to allow user to access only their 'directory' in a bucket) and DynamoBD (to allow user to only access item where their identity is the primary key).
According to https://docs.aws.amazon.com/quicksight/latest/user/security_iam_service-with-iam.html Quicksight does not support Resource based or Tag based policies.
Is it possible to find the email ID of AWS IAM user using boto3?
Email is not an attribute of IAM user. I can add email addresses in SES but there is no way to match IAM user ID with SES email.
I need to create a Lambda function to send email to the users based on activity.
No. As you point out, email address is not stored against an IAM user. Therefore, the information is not available to retrieve.
One option is to enforce a standard where each IAM User's username is actually an email address (eg joe#example.com). Failing that, you'll need to maintain a lookup somewhere between Username and Email Address. IAM does not support storing additional attributes against users.
Another way:
Step 1: You can register a domain in SES and follow a standard of naming the IAM user with the first part of his mail id of the same domain which is registered.
Step 2: And when you are sending the mail, append it to the domain name in your program and you will be able to send it to the IAM user.