Is there a way to customize AWS management console so that it shows only the allowed services per user?
The AWS management console is identical for every user.
However, if a user does not have permissions for a particular service, the console may not be able to display some information (eg a list of Amazon S3 buckets or the state of Amazon EC2 instances). Users might also receive error messages explaining that they do not have permission to view some data.
It is not possible to customize the AWS management console.
Related
I'm the administrator of an AWS account that has 4 users. One of the users is racking up higher-than-expected costs.
I checked the Cost Explorer, but could not seem to configure it to view individual users.
As an administrator in AWS, how do I see all of the services this particular user has been using during a given period of time (e.g. the last 12 months)?
Thanks!
AWS resources are associated with an AWS Account, not a specific user.
If a user has the necessary permissions to create resources (eg an Amazon EC2 instance), then the instance is launched in the AWS Account, but there is no link back to the user that requested the resource.
You can, however, use AWS CloudTrail:
AWS CloudTrail is an AWS service that helps you enable operational and risk auditing, governance, and compliance of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
It will show all API calls made by the user, including the Action ('launch an EC2 instance'), their IP address, timestamp, etc. Operations in the AWS management console will also be shown, since it makes API calls on behalf of the user.
CloudTrail keeps a history of the past 90 days, but you can create specific 'Trails' that retain data permanently. If you have not done this, then it will not be possible to see what they did prior to 90 days ago.
We have started initially by defining roles with admin access policy attached. But now we want them to have policy with only specific permissions that are minimum and does not create any issues for using these roles.
Looking at "Access Advisor" tab on each role under AWS IAM console, it gives good amount of information that exactly which AWS services getting used and permission level information only for EC2, IAM, Lambda, and S3 management actions services. But for rest of other AWS services, missing that what specific permission for that particular service is required.
Also not having AWS Organizations master account access as mentioned in this tutorial: Viewing last accessed information for Organizations.
So is there a way I can get the permissions level info for services other than EC2, IAM, Lambda, and S3 management actions?
Thanks.
So is there a way I can get the permissions level info for services other than EC2, IAM, Lambda, and S3 management actions?
Sadly, there is no such way provided by AWS. So basically its try-and-see approach to get what you want. You can try some third party tools, which may be helpful, such as zero-iam, but ultimately, you will need custom solution to match your requirements.
There is also IAM Access Analyzer which is different then Access Advisor. But its also limited to some services only.
I'm totally new to AWS and learning about IAM. I was wondering if there is a way around for an IAM user to check what all permission he/she have? Like as a root user, I created a group of IAM users where they were only allowed to use S3 service but once I logged in as an IAM user, it was showing that I have access to other AWS services as well like running EC2 instances, etc which I reckon shouldn't be the case. Thanks!
No, it isn't possible to "show" which services you have access to use, because the policies can be quite complex (eg permission to access an S3 bucket, but only a particular sub-folder if coming from a given range of IP addresses).
You would need to look the the IAM Policies attached to the IAM User, plus the policies on any IAM Groups they are in. Then, some services like Amazon S3 have additional permissions such as Bucket Policies.
In addition, AWS Organizations can limit the permissions of all users within an AWS Account, so even if a user appears to be granted certain permissions, they might not actually be available for use.
In many situations, you'll only know if you can do something by actually trying it. For example, you might have Read Only permissions, which means you can see resources in the AWS Console, but you would receive an error when you try to change things.
All services are available in the AWS Console, but various parts of the console will only work if you have adequate permission.
Note that there's IAM Policy Simulator from AWS. You can select a service and check if a given user has access to any given action (or all actions relevant to a service)
In Google Cloud Compute Engine, OS Login is really useful for having multiple users share the same instances on one file server. In a nutshell, it automatically adds the user to the instance. In AWS, I see similar resources, but it looks like you have to do it manually for each instance, and for each user. Is there a way to have this done automatically in AWS EC2?
Thanks!
Automatic Linux account lifecycle management and Fine grained
authorization using Google Cloud IAM
I did not use os login but the link you provided and their main feature is most similar to OpsWork of AWS like allow the user to ssh and restrict the access of each user and provide ssh access to IAM user.
To authorize SSH for an IAM user similar to OS feature (Fine grained authorization using Google Cloud IAM )
In the AWS OpsWorks Stacks navigation pane, click Permissions.
Select SSH/RDP for the desired AWS Identity and Access Management
(IAM) user to grant the necessary permissions. If you want to allow
the user to use sudo to elevate privileges—for example, to run agent
CLI commands—select sudo/admin also.
Importing Users into AWS OpsWorks Stacks is similar to OS login feature (Automatic Linux account lifecycle management)
Administrative users can import IAM users into AWS OpsWorks Stacks;
they can also import AWS OpsWorks Stacks users from one regional
endpoint to another. When you import IAM users to AWS OpsWorks Stacks,
you import them to one of the AWS OpsWorks Stacks regional endpoints.
If you want an IAM user to be available in more than one region, you
must import the user to that region.
Unix IDs and Users Created Outside AWS OpsWorks Stacks is similar to Ability to import existing Linux accounts
AWS OpsWorks assigns users on AWS OpsWorks Stacks instances Unix ID
(UID) values between 2000 and 4000. Because AWS OpsWorks reserves the
2000-4000 range of UIDs, users that you create outside of AWS OpsWorks
(by using cookbook recipes, or by importing users into AWS OpsWorks
from IAM, for example) can have UIDs that are overwritten by AWS
OpsWorks Stacks for another user. This can result in users that you
have created outside of AWS OpsWorks Stacks not showing up in data bag
search results, or being excluded from the AWS OpsWorks Stacks
built-in sync_remote_users operation.
So I think OpsWork is the best choice for you if we compare this with Os login of Google cloud.
There are lot of more feature of OpsWork but in context of Oslogin that seems similar to me. you can further explore here.
opsworks-security-users-manage-import.html
workinginstances-ssh
configuration-management-with-aws-opsworks
Take a look at EC2 Instance Connect.
you can control SSH access to your instances using AWS Identity and
Access Management (IAM) policies as well as audit connection requests
with AWS CloudTrail events. In addition, you can leverage your
existing SSH keys or further enhance your security posture by
generating one-time use SSH keys each time an authorized user connects.
Is there an option to grant read-only access to an Amazon Web Services (AWS) account?
What I'd like to achieve is to be able to see instances and configurations without having to log in as a user who has administrative permissions to avoid accidental changes.
No. An AWS Account cannot be made "read-only".
However, you can create a User in Identity and Access Management (IAM) and assign them "Read Only" permissions, which means they can interact with AWS but cannot change anything. However, this would still require that they login or at least use a set of credentials with calling the API or using the Command-Line Interface (CLI).
If your main goal is to avoid accidental changes, try this:
Create a User in IAM who has minimal permissions (eg read-only, and probably also permissions to create new resources such as buckets and instances)
Create a Role in IAM that has elevated permissions
Setup the User with the ability to "assume" the Role within the web browser
This way, the User won't have 'dangerous' permissions unless they specifically request it. A visual indication then shows when they are using this alternate role (which can also grant access to a different AWS Account).
For details, see:
Blog: Cross-Account Access in the AWS Management Console
Article: Enable a New Feature in the AWS Management Console: Cross-Account Access