Restricting AWS cloud resources & user using IAM - amazon-web-services

I want to implement Security in AWS Cloud using IAM like below:
1. Restricting Region(Possible)
2. Restricting Particular Service(EC2/RDS/VPC)(Possible)
3. Restricting IAM user(Disabled other IAM user resources)(Not Sure)
4. Deleting IAM user should delete AWS Resources created by this user.(Not Sure)
I came across Cloud Training site called Qwiklabs where they restrict exactly what I need.
I already tried and done first two restrictions(Region and Services).
Now I'm not sure for remaining 3rd and 4th.
Can anyone suggest me how to implement this scenario?

Ad 3. - Can You elaborate?
In Qwiklabs Your labs are created on separate AWS account - no other users are there.
Ad. 4 - You will have to force all users to use CloudFormation do provision resources or develop a process (Lambda/Step function) triggered by delete user action

4.Deleting IAM user should delete AWS Resources created by the user - You can use AWS Cloudtrail/AWS Lambda for that.
AWS Lambda:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/RunLambdaSchedule.html
You can create a Lambda function which triggers as soon as the user logs in. The first Lambda function should create another Lambda Function with the scheduled events associated.
The second Lambda Function contains the specific user's information, instructions for deleting the resources created by the specific user and the instructions to delete the scheduled event.
With AWS CloudTrail:
By using the below sample command you can get the list of actions performed by the user.
aws cloudtrail lookup-events --lookup-attributes AttributeKey=username,AttributeValue=user#example.com
Once you have that you can delete them.

Related

How to know the IAM user who created a Lambda function

We have an AWS account with an IAM group, this group contains practically 6 users and most operations in the account are done by this 6 users.
There are 12 Lambda Functions that have been created in the account and there is a particular lambda function (created by one of the 6 users) that I am trying to know who created it (The Lambda function owner).
Please is there a way to do this ?
Resources created in AWS Accounts are associated with the Account, not the IAM User that created the account.
When a user requests AWS to create resources, IAM verifies that the user has permission to create resources. If so, then the resources are created in the Account, but no relationship with the user is kept on that resource.
You can, however, use AWS CloudTrail to view information about the API request that created the resource.
From What Is AWS CloudTrail? - AWS CloudTrail:
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

How to tag ec2 instances and resources with IAM user that created them?

For a while, I have used cloudformation and a lambda script to tag EC2 instances, their EBS volumes and network interfaces with the IAM user that created them. Is there a better way to do this automatically with AWS?
AWS does not maintain a relationship between resources and users that create them.
If a user has sufficient permissions to create resources in an account, then any resources created are associated with the AWS Account rather than the user that created them.
One way to discover such a relationship would be to use AWS CloudTrail records, since they reference both the resources involved in API calls and the IAM entity (user, role, etc) that issued the API call.
So, in theory you could:
Create an Amazon CloudWatch Events rule to trigger an AWS Lambda function as new CloudTrail events happen
The AWS Lambda function could look at the event, determine whether it's something of interest (eg a resource was created) and then extract the user information and add it to a tag
It could get a little complex, such as requests coming from IAM Roles associated with Amazon EC2 instances, where it is hard to associate API calls with a "user"
Unfortunately, AWS doesn't support tagging resources automatically with IAM principal tags. You have to craft your own solution as described in the previous answer. However, you can find a couple of projects on Github. I have been maintaining the following project, which applies IAM principal tags and session tags to newly created resources.
https://github.com/erhanux/aws-tags

Automate create same policy to all AWS Accounts

Looking for suggestions on an AWS use case.
I have a lot of accounts in my AWS.
I am looking to create the same policy in all of my accounts. Now I want to automate it.
1) Can I create any lambda function or cloud formation template or any way to automate the creation of the same policy in all of my accounts even if any new account is created and it needs to add to all existing accounts if it's not there?
2)If possible then how I can get access to lamda function to create policies.
Thanks
If you have multiple AWS accounts, you may want to consider using AWS Organizations and Service Control Policies (SCP). The policies are applied at a root level and affect all accounts under that root.
By using organizations, you can get events when account creation is completed and apply any additional changes to the account that you would like by using a Lambda function that receives a CloudWatch event. The event would contain information about the newly created account.
The two options that provided seem to require a lot of manual administrative overhead, but would be happy to answer your concerns. Creating Lambda function which creates policies is done using the SDK. There is an IAM method called "CreatePolicy" which provides this functionality.
If I'm understanding your needs here (and assuming they're still the same after almost 3 years), you might consider using CloudFormation StackSets instead. They allow you to define common resources, including policies, as a CloudFormation template and have that template deployed to every one of the accounts in your organization.
You'll need to enable trusted access for CloudFormation StackSets in your organization AWS account, which will allow it to deploy the stacks to the rest of your organization's accounts.
To create the stack you'll need to:
Define a CloudFormation template using either CloudFormation directly, or capturing the synthesized stack from an AWS CDK application.
Upload the produced template to a location in S3 that's accessible by your top-level organization account.
Create the StackSet in the CloudFormation console (or the CLI, CDK, etc). You can either deploy the stack to all accounts or filter by specific accounts or organizational units (OUs).
Once created, the stacks will be automatically deployed to the desired accounts, and kept up to date when the stack is updated. This will require you to define significantly less infrastructure.

How can I query my IAM capabilities?

My code is running on an EC2 machine. I use some AWS services inside the code, so I'd like to fail on start-up if those services are unavailable.
For example, I need to be able to write a file to an S3 bucket. This happens after my code's been running for several minutes, so it's painful to discover that the IAM role wasn't configured correctly only after a 5 minute delay.
Is there a way to figure out if I have PutObject permission on a specific S3 bucket+prefix? I don't want to write dummy data to figure it out.
You can programmatically test permissions by the SimulatePrincipalPolicy API
Simulate how a set of IAM policies attached to an IAM entity works with a list of API actions and AWS resources to determine the policies' effective permissions.
Check out the blog post below that introduces the API. From that post:
AWS Identity and Access Management (IAM) has added two new APIs that enable you to automate validation and auditing of permissions for your IAM users, groups, and roles. Using these two APIs, you can call the IAM policy simulator using the AWS CLI or any of the AWS SDKs. Use the new iam:SimulatePrincipalPolicy API to programmatically test your existing IAM policies, which allows you to verify that your policies have the intended effect and to identify which specific statement in a policy grants or denies access to a particular resource or action.
Source:
Introducing New APIs to Help Test Your Access Control Policies
Have you tried the AWS IAM Policy Simulator. You can use it interactively, but it also has some API capabilities that you may be able to use to accomplish what you want.
http://docs.aws.amazon.com/IAM/latest/APIReference/API_SimulateCustomPolicy.html
Option 1: Upload an actual file when you app starts to see if it succeeds.
Option 2: Use dry runs.
Many AWS commands allow for "dry runs". This would let you execute your command at the start without actually doing anything.
The AWS CLI for S3 appears to support dry runs using the --dryrun option:
http://docs.aws.amazon.com/cli/latest/reference/s3/cp.html
The Amazon EC2 docs for "Dry Run" says the following:
Checks whether you have the required permissions for the action, without actually making the request. If you have the required permissions, the request returns DryRunOperation; otherwise, it returns UnauthorizedOperation.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/APIReference/CommonParameters.html

Is it possible to create an AWS IAM policy for automatic resource tagging?

I would like to set up different AWS Identity and Access Management (IAM) users so that if an AWS resource is created by that IAM user, the resource is automatically assigned a specific tag.
For example: if IAM user F creates a new EC2 instance, the instance is automatically tagged as User:MrF. Is it possible to build a custom policy that does this?
My company GorillaStack have an open source lambda function that does exactly that.
The function 'listens' for CloudTrail logs to be delivered and tag the created resource with the ARN of the user that created it. It also support cross account tagging, for cases where a central account collects CloudTrail logs for other accounts.
Github: https://github.com/GorillaStack/auto-tag
Blog Post: http://blog.gorillastack.com/gorillastack-presents-auto-tag
It got a shout out at the 2015 re:Invent conference which is pretty cool :)
Hope that helps!
This is not available when using the AWS APIs directly (i.e. there's no way to command all AWS API's to tag new resources automatically on your behalf), however, depending on the specifics of your use case you could work around that limitation by correlating the creating user with the resource via post hoc tagging:
Workaround
You could activate AWS CloudTrail, which records AWS API calls for your account and delivers log files to you and provides exactly the information you are after:
The recorded information includes the identity of the API caller, the
time of the API call, the source IP address of the API caller, the
request parameters, and the response elements returned by the AWS
service.
Based on that information, a dedicated service of yours could analyze the logs and apply post hoc tags to all resources based on the logged user and created resource via the resp. API actions. Please see my answer to Which user launched EC2 instance? for some caveats/constraints to consider when going down this route.
An even better solution (faster plus I believe cheaper than parsing through CloudTrail logs) is to use CloudTrail but in combination with CloudWatch Events.
This is the basic concept described in a diagram
The implementation is detailed in this article:
https://blogs.aws.amazon.com/security/post/Tx150Z810KS4ZEC/How-to-Automatically-Tag-Amazon-EC2-Resources-in-Response-to-API-Events
The article also describes how to setup an IAM policy that only allows the creator of a resource to perform certain actions (like start / stop, describe, edit, terminate) against it.
I would chose AWS Config. Create a rule that automatically tags resources on creation. No cost, works across multiple accounts. Great for enforcing compliance. https://aws.amazon.com/about-aws/whats-new/2019/03/aws-config-now-supports-tagging-of-aws-config-resources/
Currently there is no such feature on IAM. If what you need is allow/deny based on user names, what you could do is use variables on your policy to allow or deny access based on naming conventions, e.g.:
...
"Resource":"arn:aws:dynamodb:us-east-!:123456789:table/ItemsCatalog_${aws:username}"
...