I am trying to assign an assume role to a group, then by user membership to the group users would be able to perform the necessary actions. So far I have the following:
An application user assigned to a group
This group has a role assigned to it with an assume role policy attached:
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn::::role/test"
}
]
}
The referenced role (test) then has a policy attached to it with the necessary kms permissions
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey"
],
"Resource": "$kms-key-arn"
}
]
}
When I test through aws-encryption-cli it says my user is not authorized to perform: kms:GenerateDataKey on resource:$ARN
My question is what else is needed so that my group can allow members to assume a role that has necessary permissions. This is all in the same AWS account.
Related
I'm trying to add this as an inline policy, with arn for user (principle) and arn for bucket (resource).
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::00000000:user/name"
},
"Action": ”s3:ListBucket”
"Resource": "arn:aws:s3:::bucket name"
}
]
}
error: Unsupported Principal: The policy type IDENTITY_POLICY does not support the Principal element. Remove the Principal element
tried adding this snippet as an inline policy but I have to find another way due to error Unsupported Principal: The policy type IDENTITY_POLICY does not support the Principal element. Remove the Principal element
Just remove the principal element.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ”s3:ListBucket”
"Resource": "arn:aws:s3:::bucket name"
}
]
}
This should be working for you, just replace the user with correct AWS user.
{
"Id": "Policy1673568063233",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1673568062150",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket name",
"Principal": {
"AWS": [
"arn:aws:iam::00000000:user/name"
]
}
}
]
}
AWS policy generator is always a great place for dealing with policy generation
https://awspolicygen.s3.amazonaws.com/policygen.html
There are two places you might place such a policy:
Bucket Policy
Policy on an IAM User
If you are creating a Bucket Policy, it will require a Principal.
However, if you are wanting to assign rules to a specific IAM User, then it is better to create a policy on the IAM User themselves. When doing this, there should not be a Principal because this is inferred by the IAM User on which the policy is placed.
How to add KMS key policy to an IAM role.
I was trying to download a file from an S3 bucket in my lambda function but i kept getting an error, probably because the bucket has encryption. I have a key policy that looks like this:
{
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
}
But how do I attach this to my role? I clicked on Edit trust relationships and tried to paste this there but I get an error that:
An error occurred: Has prohibited field Resource
You can add the role directly to the key policy if it is a customer managed key:
{
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": ["arn:aws:iam::123:root",
"arn:aws:iam::123:role/myRole"]
},
"Action": "kms:*",
"Resource": "*"
}
]
}
Or you can attach a new policy (or edit an existing policy that is already attached) to the role you are invoking the lambda function as. Add something similar to the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowKMS",
"Effect": "Allow",
"Action": "kms:*",
"Resource": "*"
}
]
}
Create an IAM policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "KMSKeypermission",
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": [
"arn:aws:kms:<enter region>:<account id>:<key id>"
]
}
]
}
And attach this policy to the role
Also add the the role to key policy if you have created the KMS
You can find the KMS key Policy by navigating to KMS --> Customer managed keys
I have the following policy assigned to an IAM user which gives full permission to the billing.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"aws-portal:*Billing",
"awsbillingconsole:*Billing",
"aws-portal:*Usage",
"awsbillingconsole:*Usage",
"aws-portal:*PaymentMethods",
"awsbillingconsole:*PaymentMethods",
"budgets:ViewBudget",
"budgets:ModifyBudget",
"cur:*",
"purchase-orders:*PurchaseOrders"
],
"Resource": "*"
}
]
}
This policy does not allow the user to modify the alternate billing contact. The alternative billing contact settings is found under the https://console.aws.amazon.com/billing/home?#/account. Is there anyway to achieve this without giving administrator permissions.
Try granting all aws-portal actions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "aws-portal:*",
"Resource": "*"
}
]
}
I need to give external users access to a single Amazon S3 bucket folder. I have their ARN information but I am having an issue granting access.
{
"Version": "2012-10-17",
"Id": "S3AccessPolicy",
"Statement": [
{
"Sid": "TestAccess",
"Effect": "Allow",
"Principal": {
"AWS": "<external ARN>"
},
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::rootlevelbucket",
"arn:aws:s3:::rootlevelbucket/specificfolder/*"
]
}
]
}
There is 2 sides to cross account access. You have the first part with the bucket policy, but the admin for the external account needs to grant the user access to the S3 with a IAM policy like below. You can use the s3:* on the IAM policy because you bucket policy will restrict to just the commands you list.
AWS Documentation
IAM Policy for external user:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RootlevelbucketAccess",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::rootlevelbucket",
"arn:aws:s3:::rootlevelbucket/specificfolder/*"
]
}
]
}
Should an IAM User say called User1 be given full access like so:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
Could it also be used to create Amazon API calls? Is this a security risk or should I create another user just to access the Amazpn API Gateway?
You should never give an IAM user full privileges. So many things could go wrong, and yes it may very well be a security risk.
If you need to manage (create, configure, or deploy) your API in API Gateway with this IAM user, you can give the user this policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"apigateway:*"
],
"Resource": "arn:aws:apigateway:*::/*"
}
]
}
Or, if you only need to invoke the API, you can use this policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"execute-api:Invoke"
],
"Resource": "arn:aws:execute-api:*:*:*"
}
]
}