Problem on creating access tokens for IAMUSER via aws educate account - amazon-web-services

I want to use aws s3 on my laravel project , for this i created a bucket on s3 and also created IAMUSER and give it "S3FullAccess" permission but it create user with some error, access_key not created...
I use my vocareum account credentails (found on Account details button) but laravel gives an error "Invalid access token".
please help...
e

On AWS Educate Starter Account you can't create access keys for IAM users. From their docs:
You can create users, but cannot associate login profile or access keys for them
The AWS Educate accounts have a lot of limitations and they just barely allow to do what you need to do in your classrooms.

It appears that the user you are logging into AWS as is not an administrator user, or certainly lacks some administration permissions.
I'm not familiar with Vocareum but it seems to be some sort of learning management system - I presume you are using an AWS account that they control, which would explain the lack of privileges. If that is the case, and it is their AWS account that you are accessing, then you will need to raise a support case with them.
If this is your account, and you created this user, then you need to log into the account as the root user you created when you configured your AWS account and use it to create an access key for this current user.

Related

aws congnito user pool migration to the new account

I have total 600 users in the aws congnito user pool in my old aws account , and i want to move/migrate all the users to my new aws account. It is possible to migrate aws congnito users from one aws account to another.
Please Help Me.
I checked through every document linked to Congnito, but I was unable to find a document for moving Congnito users between AWS accounts.
You should consider to use cognito-backup-restore npm tool. It's easy to use and oriented to What you require, but there are some important points to take into account:
You need the AWS CLI and security credentials installed and well configured locally, preferably use IAM roles to access Cognito.
You're backing up users from Cognito user pool to a JSON file locally, so do it in a safe environment and remove the file after restoring the backup.
There is no way of getting passwords of the users in Cognito, so you may need to ask them to make use of ForgotPassword to recover their account.

How to get service account list from AWS account using boto3?

Can someone help me to understand about service accounts ? how can we check using AWS CLI?
Here is the description from the official documentation:
An IAM user is a resource in IAM that has associated credentials and
permissions. An IAM user can represent a person or an application that
uses its credentials to make AWS requests. This is typically referred
to as a service account.
Here is the sample code
import boto3
client = boto3.client('iam',aws_access_key_id="XXX",aws_secret_access_key="XXX")
users = client.list_users()
for key in users['Users']:
print key['UserName']
The notion of a 'service account' is not an AWS thing. In IT generally, it's a user account specifically set up with long-term credentials that a server can use (as opposed to a person).
This is a bad thing. You don't ever want long-term credentials on your servers (and certainly not in your code or configuration). You should use auto-rotating credentials, such as available via IAM roles.

Amazon Web Services Developer User Permissions

I have an Amazon Web Services account which will be used to host the backed of an app. The backend uses PHP/MySQL and will most likely use an EC2 instance and RDS. I have my own account which has access to everything. I need to create an account for a developer to put the backend on AWS but I don't want them to have access to anything except what they need. I know how to create IAM users and Groups but I don't know which permissions to grant the developer. Under Select Policy Template there is a Power User template, is that good for a developer? Has anyone done this before?
The Power User Access template in AWS Identity and Access Management (IAM) grants permission to do ANYTHING except using IAM. A user with this permission can view, create or remove any resources in your AWS account, but they could not create new users or modify any user permissions.
It is recommended that you only give people the least amount of privilege required to use AWS, so that they do not intentional nor accidentally do something unwanted. However, if you do not have enough knowledge of AWS to know what functionality is required, you will most likely need to trust the developer to configure the system for your needs.
A few tips:
Only give them access via an IAM User -- never give them your root credentials
If you don't know what permissions are required, then "Power User" is at least safer than "Administrator" since they cannot edit IAM settings
When they have completed their work, revoke their access so they cannot create any more AWS resources
Determine whether you also wish to revoke access to the EC2 instances (you'll have to do this on the instances themselves)
You may need to define some roles that will be used with Amazon EC2 -- these are defined in IAM, so the developer will not have permission to create the roles himself
Ask the developer for documentation of what he has deployed
Turn on Detailed Billing to identify what AWS charges you are receiving and check them against the documentation
Turn on CloudTrail to activate auditing of your account (it is activated per-region)
Alternatively, you could do all the AWS configuration (launching an EC2 instance, creating the database) and only let the developer login to the EC2 instance itself. That way, they would not need access to your AWS account.

Can i use amazon IAM as loging credentials for my apps users

Is it possible to use the IAM API as a user registration service for my application.
I.e. if i present the user to create an account and password. Can they then log in with the IAM and use my application.
Or is it more for developers who are tinkering around with the actual AWS platform?
Thanks,
Ben
That's not what AWS Identity and Access Management is made for. I guess you don't want your users to have access to your infrastructure … If you want an user registration you should implement it inside your application.

How do you add additional developers to be part of your AWS account

The following snippet is from AWS docs, if sharing credentials is not the right way. Does it involve additional charges for adding IAM to support multiple developers.
Without IAM, if you want to enable other users to access your AWS
resources, the only way is to share your AWS account credentials. We
do not recommend this approach. Your account credentials enable access
to all AWS resources associated with your account, including your
billing information. For this reasons, we recommend that you never
share your AWS account credentials.
There is no additional charge for IAM service. Please see following link: http://aws.amazon.com/iam/#pricing
To confirm it once again, you can check AWS monthly calculator at following link:
http://calculator.s3.amazonaws.com/calc5.html. I don't see any charges for IAM service at here as well.
What that text is explain is that any user who has access to your account email login can change ANYTHING on your account. They could change your password and lock you out. There's no easy way to recover your account. A person from the billing department could accidentally or maliciously terminate your servers or delete S3 data. They're warning you that its not a good idea to give anyone but yourself access to the email login.
With IAM you can enable almost all the permissions that the email login has. The exceptions are changing the account credentials and personal information. Each user will be provided with their own username and password for access to the console and can be assigned a new set of Access Keys or x509 certificates if required.
There's no cost or downside to using IAM and its highly recommend for security reasons.