I was trying to create an IAM policy that allows CloudFormation actions to be taken for specific resources in the account.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "cloudformation:DetectStackDrift",
        "cloudformation:CancelUpdateStack",
        "cloudformation:DescribeStackInstance",
        "cloudformation:DescribeStackResources",
        "cloudformation:SignalResource",
        "cloudformation:DescribeStackResource",
        "cloudformation:CreateChangeSet",
        "cloudformation:DeleteChangeSet",
        "cloudformation:DescribeStacks",
        "cloudformation:ContinueUpdateRollback",
        "cloudformation:DetectStackResourceDrift",
        "cloudformation:DescribeStackResourceDrifts",
        "cloudformation:GetStackPolicy",
        "cloudformation:GetTemplateSummary",
        "cloudformation:DescribeStackEvents",
        "cloudformation:CreateStack",
        "cloudformation:GetTemplate",
        "cloudformation:DeleteStack",
        "cloudformation:TagResource",
        "cloudformation:UpdateStack",
        "cloudformation:DescribeChangeSet",
        "cloudformation:ListChangeSets",
        "cloudformation:ListStackResources"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:stack/*/*",
        "arn:aws:cloudformation:*:*:stackset/*:*",
        "arn:aws:cloudformation:*:*:stack",
        "arn:aws:cloudformation:*:*:stackset"
      ]
    }
  ]
}
However, when I go to create a stack from a template saved in S3 (specifying the S3 URL), I get blocked with an AccessDenied error:
User is not authorized to perform: cloudformation:GetTemplateSummary
If I add the following block, I do not run into the error:
{
  "Effect": "Allow",
  "Action": "cloudformation:GetTemplateSummary",
  "Resource": [
    "*"
  ]
}
I'm working in a corporate environment where we're not allowed to have wildcards like that for resources. What is the proper way to specify resources for this action?
I found AWS's documentation for CloudFormation actions and resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscloudformation.html). It says the GetTemplateSummary action has stack and stackset resource types, but those resources were allowed in my original policy. What resource types does GetTemplateSummary act on?
When I try to deploy a Terraform script using a GitLab runner, I get the following error:
Error: Error finding Route 53 Hosted Zone: AccessDenied: User: arn:aws:sts::12345678:assumed-role/dev-runner/i-01b2f123f1e1a127c is not authorized to perform: route53:ListHostedZones because no identity-based policy allows the route53:ListHostedZones action
The IAM role that is attached to the runner has the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "*",
      "Resource": [
        "arn:aws:route53:::*",
        "arn:aws:acm:us-east-1:12345678:certificate/*"
      ]
    }
  ]
}
What am I missing here? All the actions are allowed on the arn:aws:route53:::* resource.
Try checking the role with the AWS Policy Simulator. Here is the error it raises with your role:
This action does not support resource-level permissions. Policies granting access must specify "*" in the resource element.
Resource should be "Resource": "*" to be able to run ListHostedZones. However, in this case the permissions will be totally insecure, so I recommend separating the statements:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        ... any other specific permissions for R53 ...
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "*",
      "Resource": [
        "arn:aws:acm:us-east-1:12345678:certificate/*"
      ]
    }
  ]
}
And just a personal opinion: using wildcard * actions without at least specifying the service (route53:*) does not look like a good idea.
I am trying to follow this article for Secrets Manager and tried applying attribute-based access control (ABAC) for AWS Lambda by using this user/role/policy linkage:
Create an IAM user
Assign a role to this IAM user
The role is assigned an ABAC policy for Lambda.
Currently my ABAC policy for Lambda usage for different users in a project is as follows:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LambdaPolicyForProject",
      "Effect": "Allow",
      "Action": [
        "cloudformation:DescribeStacks",
        "cloudformation:ListStackResources",
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "kms:ListAliases",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "logs:DescribeLogGroups",
        "lambda:Get*",
        "lambda:List*",
        "states:DescribeStateMachine",
        "states:ListStateMachines",
        "tag:GetResources",
        "xray:GetTraceSummaries",
        "xray:BatchGetTraces"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/accessproject": "${aws:PrincipalTag/accessproject}",
          "aws:ResourceTag/accessteam": "${aws:PrincipalTag/accessteam}",
          "aws:ResourceTag/costcenter": "${aws:PrincipalTag/costcenter}"
        }
      }
    }
  ]
}
This does not work for a user when the costcenter, accessteam and accessproject tags are similar for both the IAM user and the Lambda.
However, it works when I remove the condition in the above policy (this shows IAM is able to access the Lambda policy).
Can I know what I am missing from the tutorial above? I did cross-check all tags for the Lambda, policies and IAM users, and they are the same as per the docs.
The issue seems to be in the Actions you defined. According to the tutorial you followed:
[...] see Actions, Resources, and Condition Keys for AWS Secrets Manager. That page shows that actions performed on the Secret resource type support the secretsmanager:ResourceTag/tag-key condition key. Some Secrets Manager actions don't support that resource type, including GetRandomPassword and ListSecrets.
Have a look at actions, resources, and condition keys for AWS services and, for each service, make sure the action supports the aws:ResourceTag/${TagKey} condition. I didn't go through all the permissions, but already the CloudWatch actions GetMetricData and ListMetrics do not support the aws:ResourceTag/${TagKey} condition. The same goes for ec2:DescribeSecurityGroups, ec2:DescribeSubnets, ec2:DescribeVpcs, and probably a few more.
You must create additional statements to allow those actions, i.e.:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LambdaPolicyForProject",
      "Effect": "Allow",
      "Action": [
        "cloudformation:DescribeStacks",
        "cloudformation:ListStackResources",
        "kms:ListAliases",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "logs:DescribeLogGroups",
        "lambda:Get*",
        "lambda:List*",
        "states:DescribeStateMachine",
        "states:ListStateMachines",
        "tag:GetResources",
        "xray:GetTraceSummaries",
        "xray:BatchGetTraces"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/accessproject": "${aws:PrincipalTag/accessproject}",
          "aws:ResourceTag/accessteam": "${aws:PrincipalTag/accessteam}",
          "aws:ResourceTag/costcenter": "${aws:PrincipalTag/costcenter}"
        }
      }
    },
    {
      "Sid": "LambdaPolicyForProjectNoTags",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs"
      ],
      "Resource": "*"
    }
  ]
}
Once you have a working policy, please familiarize yourself with the IAM best practices, as the use of wildcard resource access should be avoided whenever possible (principle of granting least privilege).
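As an added example (not code from any of the answers above), the split that the Route 53 and ABAC answers recommend can be applied mechanically: the script below takes a policy document and moves actions that only accept "Resource": "*", or that do not honour aws:ResourceTag conditions, into a sibling statement with "Resource": "*" and no condition, leaving the resource-scoped and tag-conditioned grants as narrow as they were. The two action lists are constructed from the cases on this page and are not a complete catalogue.

```python
from copy import deepcopy
from fnmatch import fnmatchcase

# Actions that, per the threads on this page, accept only "Resource": "*"
# (no resource-level permissions). Built from the page; not a full catalogue.
ACCOUNT_LEVEL_ACTIONS = {"cloudformation:GetTemplateSummary", "route53:ListHostedZones",
                         "ec2:RequestSpotInstances", "elasticbeanstalk:DescribeEnvironmentHealth"}
# Actions from the ABAC thread that do not support aws:ResourceTag/<key> conditions.
NO_RESOURCE_TAG_ACTIONS = {"cloudwatch:GetMetricData", "cloudwatch:ListMetrics",
                           "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _has_resource_tag_condition(condition):
    return any(key.startswith("aws:ResourceTag/")
               for operator in (condition or {}).values() for key in operator)


def split_policy(policy):
    """Return (rewritten_policy, findings). Actions in an Allow statement that cannot
    honour its resource ARNs or its ResourceTag condition are moved into a sibling
    statement with "Resource": "*" and no condition. findings holds (Sid, moved,
    patterns); wildcard entries such as "Action": "*" are only reported, because a
    pattern cannot be narrowed by removing one action from it."""
    rewritten = deepcopy(policy)
    statements = _as_list(rewritten.pop("Statement"))
    rewritten["Statement"], findings = [], []
    for stmt in statements:
        needs_star = set()
        if stmt.get("Effect") == "Allow":
            if "*" not in _as_list(stmt.get("Resource", [])):
                needs_star |= ACCOUNT_LEVEL_ACTIONS       # scoped ARNs are ignored
            if _has_resource_tag_condition(stmt.get("Condition")):
                needs_star |= NO_RESOURCE_TAG_ACTIONS     # tag condition never matches
        actions = _as_list(stmt.get("Action", []))
        moved = [a for a in actions if a in needs_star]
        patterns = [a for a in actions if "*" in a and any(fnmatchcase(k, a) for k in needs_star)]
        if moved or patterns:
            findings.append((stmt.get("Sid", "<no Sid>"), moved, patterns))
        if not moved:
            rewritten["Statement"].append(stmt)
            continue
        kept = dict(stmt, Action=[a for a in actions if a not in moved])
        if kept["Action"]:
            rewritten["Statement"].append(kept)
        rewritten["Statement"].append({"Sid": stmt.get("Sid", "Stmt") + "AccountLevel",
                                       "Effect": "Allow", "Action": moved, "Resource": "*"})
    return rewritten, findings
```

Run it over a policy loaded with json.load; a non-empty patterns entry means a wildcard action such as "*" still has to be narrowed by hand, as the Route 53 answer does by splitting "Action": "*" off into its own statement.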
I have created an IAM user in my AWS account. The IAM user requires permission to access Amazon Data Lifecycle Manager. I had given the following permissions to the IAM user:
AmazonEC2FullAccess,
AWSDataLifecycleManagerServiceRole
and AWSDataLifecycleManagerServiceRoleForAMIManagement.
But when I tried to access Amazon Data Lifecycle Manager with this IAM user account, I get the following statement on the Lifecycle Manager page:
It is taking a bit longer than usual to fetch your data.
(The page keeps on loading for a longer period of time.)
This message doesn't appear when I try to access the same page with the same IAM user but this time with AdministratorAccess.
Can somebody please let me know what's going wrong here, because I want to grant limited permissions for my IAM user to manage my AWS resources.
The policies that you mentioned do not include permissions to access Data Lifecycle Manager.
This is another service that is not included in EC2 (this is why AmazonEC2FullAccess does not give you permissions). Additionally, AWSDataLifecycleManagerServiceRole and AWSDataLifecycleManagerServiceRoleForAMIManagement are managed policies that allow AWS Data Lifecycle Manager itself to take actions on AWS resources, so these policies should not be applied to IAM users.
You need to create a custom IAM policy with the proper permissions. For read-only access you can use this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DataLifecycleManagerRead",
      "Effect": "Allow",
      "Action": [
        "dlm:Get*",
        "dlm:List*"
      ],
      "Resource": "*"
    }
  ]
}
UPDATE
To create policies through the web console, some additional permissions are required because the console shows more information to help during the creation process. So in order to have enough permissions to create policies via the console, use this (some of these are referenced in the documentation, but it seems to be incomplete):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dlm:*",
        "iam:GetRole",
        "ec2:DescribeTags",
        "iam:ListRoles",
        "iam:PassRole",
        "iam:CreateRole",
        "iam:AttachRolePolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:CreateSnapshots",
        "ec2:DeleteSnapshot",
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "ec2:DescribeSnapshots",
        "ec2:EnableFastSnapshotRestores",
        "ec2:DescribeFastSnapshotRestores",
        "ec2:DisableFastSnapshotRestores",
        "ec2:CopySnapshot",
        "ec2:ModifySnapshotAttribute",
        "ec2:DescribeSnapshotAttribute"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:*::snapshot/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "events:PutRule",
        "events:DeleteRule",
        "events:DescribeRule",
        "events:EnableRule",
        "events:DisableRule",
        "events:ListTargetsByRule",
        "events:PutTargets",
        "events:RemoveTargets"
      ],
      "Resource": "arn:aws:events:*:*:rule/AwsDataLifecycleRule.managed-cwe.*"
    }
  ]
}
I need to create a policy that would allow a user to create spot requests, but with a specific subnet and security group only. This is what I did:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:RequestSpotInstances",
      "Resource": [
        "arn:aws:ec2:us-east-1:123456789012:image/ami-*",
        "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-af016c92",
        "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-12a34d3c",
        "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-f0e844cd",
        "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-026ae728",
        "arn:aws:ec2:us-east-1:123456789012:key-pair/*",
        "arn:aws:ec2:us-east-1:123456789012:security-group/sg-b5dd94cd",
        "arn:aws:ec2:us-east-1:123456789012:security-group/sg-3bda8c42"
      ]
    }
  ]
}
But my spot request creation still fails:
botocore.exceptions.ClientError: An error occurred (UnauthorizedOperation) when calling the RequestSpotInstances operation: You are not authorized to perform this operation.
What is the minimum subset of permissions for RequestSpotInstances action?
Is there some possibility to debug this?
I know this is an old issue, but I just ran across the same issue in my environment. The solution for me was adding an IAM permission for "PassRole":
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1479335761363",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:RequestSpotInstances",
        "ec2:RunInstances",
        "iam:PassRole"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
According to the EC2 docs (here), ec2:RequestSpotInstances is an action which falls into the category of "Unsupported Resource-Level Permissions." Unfortunately, you will have to set the resource tag to all resources, like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:RequestSpotInstances",
      "Resource": [ "*" ]
    }
  ]
}
As far as debugging goes, don't forget about the IAM policy simulator, which can be accessed from the AWS Console => IAM => User page.
What I Want To Achieve
I am trying to grant an IAM user with a REST API token permission to describe environment health on a specific Elastic Beanstalk application via the AWS CLI.
The Problem
When I run the CLI command:
aws elasticbeanstalk describe-environment-health --environment-name my-env-name --attribute-names "Status" "Color" "Causes" "InstancesHealth" "HealthStatus" "RefreshedAt" --profile my-profile
I get the error: A client error (AccessDenied) occurred when calling the DescribeEnvironmentHealth operation: User: arn:aws:iam::myaccountid:user/myuser is not authorized to perform: elasticbeanstalk:DescribeEnvironmentHealth
With the --debug flag I can see an HTTP 403 response.
Extra Details
The IAM policy has the action "elasticbeanstalk:DescribeEnvironmentHealth" on the resource:
"arn:aws:elasticbeanstalk:eu-west-1:myaccountid:environment/my-app-name/my-env-name*"
I have double-checked the account id, app and env name.
I can perform other actions just fine, such as DescribeEnvironments, when I add this action instead.
I have verified the particular resource ARN with this policy using the IAM simulator when selecting the user, and it says access is granted.
The version of the CLI is aws-cli/1.10.6 Python/2.7.11 Darwin/15.3.0 botocore/1.3.28
As a test I temporarily relaxed the policy to have the action elasticbeanstalk:* and it still doesn't work.
Questions
How can I further debug this issue?
Why does the IAM policy simulator say the policy does grant access, but access is denied via the CLI?
Full Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1455880772092",
      "Action": [
        "ec2:*",
        "s3:*",
        "elasticloadbalancing:*",
        "autoscaling:*",
        "cloudwatch:*",
        "s3:*",
        "sns:*",
        "rds:*",
        "cloudformation:*",
        "elasticbeanstalk:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:application/app-name",
        "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:applicationversion/app-name/env-name*",
        "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:applicationversion/app-name/env-name*",
        "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*",
        "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*",
        "arn:aws:elasticbeanstalk:eu-west-1::solutionstack/*",
        "arn:aws:s3:::elasticbeanstalk-eu-west-1-{accountId}*"
      ]
    },
    {
      "Sid": "Stmt1455891876139",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:ListBucket",
        "s3:CreateBucket",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:Get*"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::elasticbeanstalk-eu-west-1-{bucketId}*"
    }
  ]
}
For some reason elasticbeanstalk:DescribeEnvironmentHealth worked for me only with "Resource": "*".
So I've separated write/read permissions, allowing "Resource": "*" only for read. Here is my full policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:UpdateEnvironment"
      ],
      "Resource": [
        "arn:aws:elasticbeanstalk:eu-central-1:[account-id]:application/[application-name]",
        "arn:aws:elasticbeanstalk:*:*:environment/*/*",
        "arn:aws:elasticbeanstalk:*:*:applicationversion/*/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:DescribeEnvironmentManagedActionHistory",
        "elasticbeanstalk:DescribeEnvironmentResources",
        "elasticbeanstalk:DescribeEnvironments",
        "elasticbeanstalk:DescribeApplicationVersions",
        "elasticbeanstalk:ListPlatformVersions",
        "elasticbeanstalk:DescribeEnvironmentManagedActions",
        "elasticbeanstalk:ValidateConfigurationSettings",
        "elasticbeanstalk:CheckDNSAvailability",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:DescribeInstancesHealth",
        "elasticbeanstalk:DescribeEnvironmentHealth",
        "elasticbeanstalk:DescribeConfigurationSettings",
        "elasticbeanstalk:DescribeConfigurationOptions",
        "elasticbeanstalk:RetrieveEnvironmentInfo"
      ],
      "Resource": "*"
    }
  ]
}