AWS IAM Policy to allow billing contact modification - amazon-web-services

I have the following policy assigned to an IAM user, which gives full permissions for billing.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-portal:*Billing",
        "awsbillingconsole:*Billing",
        "aws-portal:*Usage",
        "awsbillingconsole:*Usage",
        "aws-portal:*PaymentMethods",
        "awsbillingconsole:*PaymentMethods",
        "budgets:ViewBudget",
        "budgets:ModifyBudget",
        "cur:*",
        "purchase-orders:*PurchaseOrders"
      ],
      "Resource": "*"
    }
  ]
}
This policy does not allow the user to modify the alternate billing contact. The alternate billing contact settings are found under https://console.aws.amazon.com/billing/home?#/account. Is there any way to achieve this without giving administrator permissions?

Try granting all aws-portal actions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "aws-portal:*",
      "Resource": "*"
    }
  ]
}
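The difference between the two policies comes down to how IAM expands the `*` in an action name: `aws-portal:*Billing` only covers operations whose name ends in "Billing", while `aws-portal:*` covers every operation in the namespace. The following Python is an added example (not code from the question or the answer) that applies IAM's action-matching rules to the patterns above; it uses `aws-portal:ModifyAccount`, the legacy aws-portal action for account settings, as the assumed example of an operation that none of the original families cover.

```python
import re

# Action patterns copied from the first policy in the question.
QUESTION_ACTIONS = [
    "aws-portal:*Billing",
    "awsbillingconsole:*Billing",
    "aws-portal:*Usage",
    "awsbillingconsole:*Usage",
    "aws-portal:*PaymentMethods",
    "awsbillingconsole:*PaymentMethods",
    "budgets:ViewBudget",
    "budgets:ModifyBudget",
    "cur:*",
    "purchase-orders:*PurchaseOrders",
]

# The single pattern from the answer.
ANSWER_ACTIONS = ["aws-portal:*"]


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: '*' matches any run of characters (including an
    empty one), '?' matches exactly one, and the comparison ignores case.
    The pattern must cover the whole 'service:Operation' string."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def covering_patterns(patterns, action):
    """Return every pattern in an Allow statement that grants `action`.
    An empty list means the statement does not grant it at all."""
    return [p for p in patterns if action_matches(p, action)]


def explain(patterns, actions):
    """Map each action to the patterns that cover it, for a quick review."""
    return {a: covering_patterns(patterns, a) for a in actions}


if __name__ == "__main__":
    # aws-portal:ModifyAccount is assumed here to be the account-settings
    # action; it falls outside the *Billing / *Usage / *PaymentMethods families.
    probes = ["aws-portal:ViewBilling", "aws-portal:ModifyPaymentMethods",
              "aws-portal:ModifyAccount"]
    for name, pats in (("question", QUESTION_ACTIONS), ("answer", ANSWER_ACTIONS)):
        print(name, explain(pats, probes))
```

Run this way, the question's policy reports an empty list for the account-settings action and the answer's `aws-portal:*` covers it; the same function also shows that `aws-portal:*` is far broader than the one missing operation, so a reviewer may prefer to add just the specific action rather than the whole namespace.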

Related

How to add KMS key policy to an IAM role

I was trying to download a file from an S3 bucket in my Lambda function, but I kept getting an error, probably because the bucket has encryption. I have a key policy that looks like this:
{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
But how do I attach this to my role? I clicked on Edit trust relationships and tried to paste this there, but I get an error that:
An error occurred: Has prohibited field Resource
You can add the role directly to the key policy if it is a customer managed key:
{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123:root",
          "arn:aws:iam::123:role/myRole"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
Or you can attach a new policy (or edit an existing policy that is already attached) to the role you are invoking the Lambda function as. Add something similar to the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowKMS",
      "Effect": "Allow",
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
Create an IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "KMSKeypermission",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": [
        "arn:aws:kms:<enter region>:<account id>:<key id>"
      ]
    }
  ]
}
And attach this policy to the role.
Also add the role to the key policy if you have created the KMS key.
You can find the KMS key policy by navigating to KMS --> Customer managed keys.
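Both answers come down to two documents that are easy to confuse: the key policy (a resource policy, which has a Principal and a Resource) and the role's trust policy (which has a Principal but, as the console error in the question says, no Resource). The Python below is an added example, not code from either answer, that applies the first answer's step programmatically (adding the role ARN to the key policy's principal list without clobbering an existing string principal), builds the second answer's identity policy narrowed to one key, and runs the shape check that explains the "Has prohibited field Resource" error. The account id 123 and role name myRole are taken from the answer; the Lambda trust policy is the standard one for an execution role.

```python
import copy

# The key policy from the question (account id 123 as written there).
KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}

# A standard trust policy for a Lambda execution role, for comparison:
# it names a Principal and an AssumeRole action, but never a Resource.
LAMBDA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    """IAM allows a string or a list in most elements; normalise to a list."""
    return value if isinstance(value, list) else [value]


def add_principal_to_key_policy(key_policy, sid, principal_arn):
    """Return a copy of `key_policy` in which `principal_arn` is appended to
    the AWS principals of the statement with Sid `sid` (no duplicates).
    The input document is left untouched."""
    policy = copy.deepcopy(key_policy)
    for stmt in policy["Statement"]:
        if stmt.get("Sid") != sid:
            continue
        aws = _as_list(stmt["Principal"].get("AWS", []))
        if principal_arn not in aws:
            aws.append(principal_arn)
        stmt["Principal"]["AWS"] = aws
        return policy
    raise KeyError(f"no statement with Sid {sid!r}")


def scoped_kms_identity_policy(key_arn, sid="AllowKMS"):
    """Identity policy for the role, restricted to the data-key operations
    on a single key instead of kms:* on every key in the account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": sid,
                "Effect": "Allow",
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*", "kms:DescribeKey"],
                "Resource": key_arn,
            }
        ],
    }


def trust_policy_problems(document):
    """Shape checks for a role trust policy, mirroring the console error the
    question hit: a trust policy names a Principal, never a Resource, and its
    action is one of the sts:AssumeRole* operations."""
    problems = []
    for i, stmt in enumerate(document["Statement"]):
        label = stmt.get("Sid", f"statement[{i}]")
        if "Resource" in stmt:
            problems.append(f"{label}: has prohibited field Resource")
        if "Principal" not in stmt:
            problems.append(f"{label}: missing Principal")
        actions = _as_list(stmt.get("Action", []))
        if not any(a.lower().startswith("sts:assumerole") for a in actions):
            problems.append(f"{label}: Action should be an sts:AssumeRole* action")
    return problems


if __name__ == "__main__":
    updated = add_principal_to_key_policy(
        KEY_POLICY, "Enable IAM User Permissions", "arn:aws:iam::123:role/myRole")
    print(updated["Statement"][0]["Principal"])
    print(trust_policy_problems(KEY_POLICY))        # what the console objected to
    print(trust_policy_problems(LAMBDA_TRUST_POLICY))  # []
```

Pasting `KEY_POLICY` into the trust relationship editor fails for exactly the reason the checker reports; the key policy belongs on the key, and the trust policy on the role stays as the Lambda service principal. Whether `kms:*` or the scoped policy is the right identity policy is a scope decision: the scoped version is what a reviewer would expect for a single-purpose function.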

AWS Assume role for group

I am trying to assign an assume-role permission to a group, so that by membership in the group users would be able to perform the necessary actions. So far I have the following:
An application user assigned to a group.
This group has a policy attached to it that allows assuming a role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn::::role/test"
    }
  ]
}
The referenced role (test) then has a policy attached to it with the necessary KMS permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "$kms-key-arn"
    }
  ]
}
When I test through aws-encryption-cli it says my user is not authorized to perform: kms:GenerateDataKey on resource:$ARN
My question is: what else is needed so that my group can allow members to assume a role that has the necessary permissions? This is all in the same AWS account.

AWS S3 bucket policy notprincipal deny

My goal is to create exclusive access to a bucket for one IAM user, and to maintain that exclusivity easily as new IAM users and groups are added. The user is outside of my control and has a managed policy attached to it:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FullTestBucketS3Access",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::test",
        "arn:aws:s3:::test/*"
      ]
    }
  ]
}
I have applied a bucket policy to the bucket that needs to exclude all users except one:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": [
          "arn:aws:iam::111111111111:root",
          "arn:aws:iam::111111111111:user/myuser"
        ]
      },
      "Action": [
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::test",
        "arn:aws:s3:::test/*"
      ]
    }
  ]
}
I am finding that the mask provided by the NotPrincipal part of the deny statement is not working. All users are denied the ability to take the action specified in the deny policy. What should I be looking at to work this out?
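The last two questions are both about how IAM combines more than one policy document: the assume-role question needs an identity policy on the user and a trust policy on the role to agree, and the NotPrincipal question hinges on an explicit Deny applying to everyone who is not listed. The Python below is an added example, not code from either question, that implements a deliberately simplified version of the evaluation rules (explicit Deny wins, any Allow otherwise, implicit deny by default; `*` and account-root principals expand as in a Principal element; NotPrincipal is an exact exclusion list, and conditions are ignored) and runs the questions' policies through it. All ARNs, including the account id 111111111111 and the key id, are constructed sample values; the trust policy is assumed, since the assume-role question does not show one.

```python
import re

# ---- constructed sample identities (made-up account, key and role) ----
ACCOUNT = "111111111111"
USER = f"arn:aws:iam::{ACCOUNT}:user/myuser"
OTHER_USER = f"arn:aws:iam::{ACCOUNT}:user/otheruser"
ROLE = f"arn:aws:iam::{ACCOUNT}:role/test"
KEY = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/00000000-0000-0000-0000-000000000000"

# Identity policy on the group (assume-role question): members may call AssumeRole on the role.
GROUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE}]}
# Identity policy on the role: the KMS permissions from the question.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey"],
     "Resource": KEY}]}
# Assumed trust policy on the role: trusting the account root delegates the
# decision to the identity policies of principals in that account.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
     "Action": "sts:AssumeRole"}]}
# A trust policy that trusts a different (made-up) account instead.
FOREIGN_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "sts:AssumeRole"}]}
# The two policies from the NotPrincipal question.
S3_FULL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::test", "arn:aws:s3:::test/*"]}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny",
     "NotPrincipal": {"AWS": [f"arn:aws:iam::{ACCOUNT}:root", USER]},
     "Action": ["s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::test", "arn:aws:s3:::test/*"]}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _match(pattern, value):
    """IAM wildcard match for action and resource strings."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _listed(spec):
    """Flatten a Principal/NotPrincipal element ("*" or {"AWS": [...]}) to ARNs."""
    return ["*"] if spec == "*" else [p for v in spec.values() for p in _as_list(v)]


def _principal_allowed(listed, principal):
    """Principal element: "*" is everyone; an account root ARN stands for every
    IAM principal of that account (their own identity policies still apply)."""
    for p in listed:
        if p in ("*", principal):
            return True
        m = re.fullmatch(r"arn:aws:iam::(\d+):root", p)
        if m and principal.startswith(f"arn:aws:iam::{m.group(1)}:"):
            return True
    return False


def _applies(stmt, principal, action, resource):
    if "Principal" in stmt and not _principal_allowed(_listed(stmt["Principal"]), principal):
        return False
    # NotPrincipal exempts only the ARNs literally listed; the AWS docs say a
    # Deny with NotPrincipal should list both the user and its account root.
    if "NotPrincipal" in stmt and principal in _listed(stmt["NotPrincipal"]):
        return False
    if "Action" in stmt and not any(_match(a, action) for a in _as_list(stmt["Action"])):
        return False
    if "Resource" in stmt and not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    return True


def evaluate(policies, principal, action, resource):
    """`policies` are the identity policies of `principal` plus any resource
    policy. Explicit Deny wins; otherwise any Allow; otherwise implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _applies(stmt, principal, action, resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


def can_assume(principal, identity_policies, role_arn, trust_policy):
    """Same-account AssumeRole needs an identity-policy Allow AND a trust-policy Allow."""
    return (evaluate(identity_policies, principal, "sts:AssumeRole", role_arn) == "Allow"
            and evaluate([trust_policy], principal, "sts:AssumeRole", role_arn) == "Allow")


if __name__ == "__main__":
    obj = "arn:aws:s3:::test/report.csv"
    print("myuser delete:", evaluate([S3_FULL, BUCKET_POLICY], USER, "s3:DeleteObject", obj))
    print("otheruser delete:", evaluate([S3_FULL, BUCKET_POLICY], OTHER_USER, "s3:DeleteObject", obj))
    print("assume with trust:", can_assume(USER, [GROUP_POLICY], ROLE, TRUST_POLICY))
    print("assume, foreign trust:", can_assume(USER, [GROUP_POLICY], ROLE, FOREIGN_TRUST_POLICY))
    print("user creds on KMS:", evaluate([GROUP_POLICY], USER, "kms:GenerateDataKey", KEY))
    print("role creds on KMS:", evaluate([ROLE_POLICY], ROLE, "kms:GenerateDataKey", KEY))
```

Two things the run makes visible. For the assume-role setup, the group policy by itself never grants `kms:GenerateDataKey`: that permission exists only in the role's session, so a call made with the user's own credentials (rather than credentials obtained from AssumeRole) evaluates to an implicit deny, which matches the wording of the CLI error in the question, and assumption itself also needs the role's trust policy to name the account or user. For the bucket policy, the Deny attaches to every principal not literally present in `NotPrincipal`, so a user that reaches the bucket under a different ARN than the one listed (or a new user or group added later) is denied, which is the exclusivity the asker wanted; any caller that is still being denied is one whose effective ARN is not in that list.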

How can I create an Amazon policy that permits a user to create another user with permissions only on S3?

I'm using this policy for a user that can create other users, but I need to restrict this user to only creating users with permissions on S3. That's because, currently, he can create users with permissions on all services, like EC2 or IAM.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:GetFederationToken",
      "Resource": "*"
    }
  ]
}
Are there any samples for creating that policy with the restriction that users can only create other users having permissions only on S3?
Try this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:*",
      "Resource": "*"
    }
  ]
}

Giving an IAM User full access

Should an IAM user, say one called User1, be given full access like so:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
Could it also be used to create Amazon API calls? Is this a security risk, or should I create another user just to access the Amazon API Gateway?
You should never give an IAM user full privileges. So many things could go wrong, and yes, it may very well be a security risk.
If you need to manage (create, configure, or deploy) your API in API Gateway with this IAM user, you can give the user this policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:*"
      ],
      "Resource": "arn:aws:apigateway:*::/*"
    }
  ]
}
Or, if you only need to invoke the API, you can use this policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "execute-api:Invoke"
      ],
      "Resource": "arn:aws:execute-api:*:*:*"
    }
  ]
}
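The three policies in this exchange span the whole blast-radius scale: `"Action": "*"` on `"Resource": "*"` is administrator-equivalent, `apigateway:*` is every operation of one service, and `execute-api:Invoke` is a single operation. A lint that tells these apart is the kind of check worth running over every policy before it is attached. The Python below is an added example, not code from the answer, that classifies Allow statements on exactly that scale and runs it over the three policies above; treating an Allow with `NotAction` as administrator-equivalent is this lint's own conservative judgement, since such a statement allows every action except the ones listed.

```python
import re

# The three policies from the question and the answer.
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
API_MANAGE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["apigateway:*"], "Resource": "arn:aws:apigateway:*::/*"}]}
API_INVOKE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["execute-api:Invoke"], "Resource": "arn:aws:execute-api:*:*:*"}]}

# "service:*" style pattern: every operation of a single service.
SERVICE_WILDCARD = re.compile(r"^[a-z0-9-]+:\*$", re.IGNORECASE)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def lint_policy(policy):
    """Classify the Allow statements of an identity policy:
    admin_equivalent: unrestricted actions ("*", "*:*", or any NotAction)
                      on Resource "*" with no Condition;
    service_wildcard: an action of the form "service:*".
    Statements are labelled by Sid, or by position when they have none."""
    report = {"admin_equivalent": [], "service_wildcard": []}
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid", f"statement[{i}]")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        unrestricted = "NotAction" in stmt or any(a in ("*", "*:*") for a in actions)
        if unrestricted and "*" in resources and "Condition" not in stmt:
            report["admin_equivalent"].append(label)
        for a in actions:
            if SERVICE_WILDCARD.match(a):
                report["service_wildcard"].append(f"{label}: {a}")
    return report


def is_admin_equivalent(policy):
    """True when at least one statement grants everything on everything."""
    return bool(lint_policy(policy)["admin_equivalent"])


if __name__ == "__main__":
    for name, pol in (("full", FULL_ACCESS), ("manage", API_MANAGE), ("invoke", API_INVOKE)):
        print(name, lint_policy(pol))
```

In practice the `admin_equivalent` finding is the one to block outright; `service_wildcard` is a prompt to ask whether the management-style policy from the answer is needed at all, or whether the invoke-only policy already covers the job, which is the distinction the answer draws.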