We are using AWS cloud and terraform with ansible to deploy our current infrastructure.
The code is yml files where we can put whatever works, but to my concern we cannot apply some group policies to a user role. Is this possible, or could it be that the console does not show the policies applied from a group to a role?
Assigned in our usual modus operandi, but I believe it does not work, while the functionality may be provided by the usage of extra permissions like expressly specified IAM/bucket access policies.
user-test:  # this line declares role
  assume_arn:
    - arn:aws:iam::anonymised:user/test
    - arn:aws:iam::anonymised:user/me
  groups:
    - tf-dev1-group
    - tf-dev2-group
    - tf-dev3-group
  policies:
    - athena-fulladmin-policy
    - support_access
No error messages, just lack of result.
I would like to restrict being able to startup any ec2 instance if the storage isn’t encrypted.
I see two options you have here:
Prevent unencrypted volumes from being created by using the ec2:Encrypted condition key (https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html#amazonec2-ec2_Encrypted). This condition key can also be used for the ec2:RunInstances action within IAM policies. Check the documentation for supported condition tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html).
Add the following policy statement to a policy attached to the User or Role for which you would like to enforce encryption of EBS volumes:
Effect: Allow
Action:
  - ec2:RunInstances
  - ec2:CreateVolume  # makes sure creating a volume separately is also encrypted
Resource: '*'
Condition:
  Bool:
    ec2:Encrypted: 'true'
Enable detective controls with AWS Config, which follows a more educational approach. Auto-remediation can be implemented (https://docs.aws.amazon.com/config/latest/developerguide/encrypted-volumes.html).
You can now turn on encryption for EBS by default.
I created two IAM groups, I call them general and lambda-user.
In general:
Policy: IAMUserChangePassword
In lambda-user, I added policies:
AWSLambdaFullAccess
AmazonS3FullAccess
AmazonAPIGatewayAdministrator
AWSCloudFormationFullAccess
I thought when I added a user to both groups, he should have all 5 rights above.
Then, the user tried to use cli to perform serverless deploy that requires CloudFormation, but he failed. The console said he did not have CloudFormation right.
Until I removed him from general, he could perform serverless deploy again.
It seems that the rights in different groups are not adding together, but a group may override another group.
Actually, is my concept of group + group correct?
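The following is an added example, not code from any of the posts above: a small offline model of IAM request evaluation. It covers two points raised in this thread: that a user in several groups gets the union of every group's Allow statements (an explicit Deny anywhere still wins, and nothing "overrides" another group), and how the ec2:Encrypted Bool condition from the encryption answer gates ec2:RunInstances. The policy documents are constructed stand-ins for the managed policies named above (the four lambda-user policies are collapsed into one statement), and only the Bool condition operator is modelled.

```python
from fnmatch import fnmatchcase

# Constructed stand-ins for the managed policies named in the group question.
IAM_USER_CHANGE_PASSWORD = {"Statement": [
    {"Effect": "Allow", "Action": "iam:ChangePassword", "Resource": "*"}]}
LAMBDA_USER_POLICIES = {"Statement": [  # one statement standing in for the four
    {"Effect": "Allow", "Resource": "*",
     "Action": ["lambda:*", "s3:*", "apigateway:*", "cloudformation:*"]}]}
# The encryption-enforcing statement from the answer above, in JSON form.
ENCRYPTED_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:CreateVolume"],
     "Resource": "*", "Condition": {"Bool": {"ec2:Encrypted": "true"}}}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(cond, ctx):
    """Only the Bool operator is modelled; anything else fails closed."""
    for op, pairs in cond.items():
        if op != "Bool":
            return False
        for key, want in pairs.items():
            # A missing context key never satisfies a plain Bool condition.
            if key not in ctx or str(ctx[key]).lower() != str(want).lower():
                return False
    return True


def _statement_matches(st, action, resource, ctx):
    if "Action" in st:
        hit = any(fnmatchcase(action, p) for p in _as_list(st["Action"]))
    else:  # NotAction: every action except the listed ones
        hit = not any(fnmatchcase(action, p) for p in _as_list(st["NotAction"]))
    if not hit:
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(st.get("Resource", "*"))):
        return False
    return _condition_holds(st.get("Condition", {}), ctx)


def evaluate(policies, action, resource="*", ctx=None):
    """IAM order: an explicit Deny wins, then any Allow, otherwise implicit deny."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if _statement_matches(st, action, resource, ctx):
                if st["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def effective_policies(user, groups):
    """A user inherits every policy of every group it belongs to: the sets are unioned."""
    return [p for g in user["groups"] for p in groups[g]]


GROUPS = {"general": [IAM_USER_CHANGE_PASSWORD], "lambda-user": [LAMBDA_USER_POLICIES]}
DEV = {"name": "dev", "groups": ["general", "lambda-user"]}  # constructed user


def group_union_demo():
    pols = effective_policies(DEV, GROUPS)
    return {a: evaluate(pols, a) for a in
            ("cloudformation:CreateStack", "iam:ChangePassword", "ec2:RunInstances")}


def encryption_demo():
    return {"encrypted": evaluate([ENCRYPTED_ONLY], "ec2:RunInstances", ctx={"ec2:Encrypted": True}),
            "unencrypted": evaluate([ENCRYPTED_ONLY], "ec2:RunInstances", ctx={"ec2:Encrypted": False}),
            "key absent": evaluate([ENCRYPTED_ONLY], "ec2:CreateVolume")}


if __name__ == "__main__":
    print(group_union_demo())
    print(encryption_demo())
```

In the model, the user in both groups is allowed cloudformation:CreateStack and iam:ChangePassword at once, so a CloudFormation denial for such a user points at something else (an explicit Deny, or a different identity making the call) rather than at group membership. The "key absent" case shows why the ec2:Encrypted condition is a safe default: a request that does not carry the key is not allowed by that statement.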
For every project, we create two AWS accounts: one for development and staging and one for production. The developers have an IAM user in the root account and use assumed roles in the other accounts to access those.
I want to create a policy, which allows the developer to do nearly everything in the development account, including creating new policies and attaching those (for new resources, etc.), but the developer should not be able to modify his own role / attach new roles to himself.
Any ideas?
I'm facing the same issue. I've already posted a question about that here (similar issue).
After a lot of research, I came to a conclusion: do not allow developers to create roles and policies.
Why?
1. I didn't find a way to answer my question allowing a user to create roles only for resources and not for principals.
2. Even if I had found a solution for 1., there is a flaw: suppose developers can create roles for resources but not for principals, and he (she) can create every policy he (she) wants. In this scenario, he (she) could create a policy for Lambdas, and inside Lambdas a script could be written to execute actions allowed by the attached policies.
My final solution:
Create two groups called Developers and IAM. Users in IAM can create any roles and policies, that is, trusted developers; Developers can only attach policies whose path is services-roles, for instance.
Example of a role attached to the Developers group: allow users to create everything except all IAM actions, except PassRole with path service-roles:
DevelopersIAMManagedPolicy:
  Type: AWS::IAM::ManagedPolicy
  Properties:
    Description: 'Developers.'
    # Groups:
    #   - String
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action: iam:PassRole
          Resource: 'arn:aws:iam::*:role/projects-roles/*'
        - Effect: Allow
          NotAction: iam:*
          Resource: '*'
I'm open to new ideas, but this solution is the most secure I've reached.
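Added example, not part of the answer above: a static audit over a policy document that reports which "principal-shaping" IAM actions it grants (role and policy creation, attaching policies, changing trust policies) and whether iam:PassRole is scoped to a path. Run against the DevelopersIAMManagedPolicy above it returns no findings, which is the property the answer relies on; the LEAKY_POLICY variant is constructed here to show the flaw described in point 2, where an unrestricted iam:CreatePolicy plus iam:PassRole is enough to hand a Lambda whatever permissions the developer likes. The PRINCIPAL_ACTIONS list is an assumption for this example, not an exhaustive catalogue, and Deny statements are ignored (the check is about what the Allow statements reach).

```python
from fnmatch import fnmatchcase

# Actions that let a caller change who may do what (constructed list, not exhaustive).
PRINCIPAL_ACTIONS = ["iam:CreateRole", "iam:UpdateAssumeRolePolicy",
                     "iam:AttachRolePolicy", "iam:PutRolePolicy",
                     "iam:CreatePolicy", "iam:CreatePolicyVersion",
                     "iam:AttachUserPolicy", "iam:AttachGroupPolicy"]

# The PolicyDocument from the CloudFormation snippet above, in JSON form.
DEVELOPERS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::*:role/projects-roles/*"},
    {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}

# Constructed counter-example: unrestricted policy creation plus PassRole on any role.
LEAKY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:CreatePolicy", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def statement_allows(st, action):
    """True if this Allow statement's Action/NotAction reaches the given action."""
    if st["Effect"] != "Allow":
        return False
    if "Action" in st:
        return any(fnmatchcase(action, p) for p in _as_list(st["Action"]))
    # NotAction grants everything except the listed patterns.
    return not any(fnmatchcase(action, p) for p in _as_list(st["NotAction"]))


def granted_principal_actions(policy):
    """Map each principal-shaping action to the Resource patterns that grant it."""
    out = {}
    for st in policy["Statement"]:
        for action in PRINCIPAL_ACTIONS:
            if statement_allows(st, action):
                out.setdefault(action, []).extend(_as_list(st["Resource"]))
    return out


def passrole_scopes(policy):
    """Resource patterns on which iam:PassRole is allowed ('*' means any role)."""
    return [r for st in policy["Statement"] if statement_allows(st, "iam:PassRole")
            for r in _as_list(st["Resource"])]


def lint(policy):
    findings = [f"grants {action} on {resources}"
                for action, resources in granted_principal_actions(policy).items()]
    if "*" in passrole_scopes(policy):
        findings.append("iam:PassRole is unrestricted; scope it to a role path")
    return findings


if __name__ == "__main__":
    print("Developers:", lint(DEVELOPERS_POLICY))
    print("Leaky:", lint(LEAKY_POLICY))
```

Because `NotAction: iam:*` excludes the whole IAM namespace, the developer policy reaches none of the listed actions, and PassRole is confined to the projects-roles path; that is exactly what keeps a developer from attaching roles to themselves while leaving the rest of the account open.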
I want to grant vpc access for my lambda function. I use the following aws cli command.
aws lambda update-function-configuration \
  --function-name SampleFunction \
  --vpc-config SubnetIds=subnet-xxxx,SecurityGroupIds=sg-xxxx
But I receive the following error:
An error occurred (AccessDeniedException) when calling the
UpdateFunctionConfiguration operation: Your access has been denied by
EC2, please make sure your request credentials have permission to
DescribeSecurityGroups for sg-xxxx. EC2 Error Code:
UnauthorizedOperation. EC2 Error Message: You are not authorized to
perform this operation.
I have granted the following permissions to both my lambda role and the user who executes the aws command.
- "ec2:CreateNetworkInterface"
- "ec2:DescribeNetworkInterfaces"
- "ec2:DeleteNetworkInterface"
- "ec2:DescribeSecurityGroups"
I further tried to grant full access to both the lambda role and the user. But still received the same error
Can anyone suggest what else I can try?
The trick is to make the pipeline / worker role / user (which is deploying the lambda function) have access to network related policies. The lambda function itself should suffice with the managed policy AWSLambdaVPCAccessExecutionRole:
arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole

- Action:
    - ec2:DescribeSecurityGroups
    - ec2:DescribeSubnets
    - ec2:DescribeVpcs
  Effect: Allow
  Resource: '*'
Your user's IAM policy needs further permissions.
For example ec2:CreateSecurityGroup etc. Have a look at this documentation to add the required permissions.
I experienced the same issue. Despite the IAM policy for the user having the required permissions, I could not use the aws cli to create a lambda function with a VPC config (aws lambda create-function) or modify an existing function to add a VPC config (aws lambda update-function-configuration).
The only way I could get this to work was to create the lambda function without a VPC config. I then modified the function to add the VPC config information (vpc, subnet and security groups) via the AWS console (in Lambda > Functions > My Function > Network). I was only able to use the console to do this, introducing a manual step in an otherwise fully automated process.
To answer some of the questions above about which user needs the ec2:DescribeSecurityGroups and related permissions: it is the user running the cli command or logged in to the console. The function does not need a policy providing these permissions. The only special permissions needed for a function with a VPC config are:
ec2:CreateNetworkInterface
ec2:DescribeNetworkInterfaces
ec2:DeleteNetworkInterface
These allow the function to create ENIs within your VPC using the subnet and security group you provide as described here.
Both the Lambda function's role and the user role (either the CloudFormation or command-line user) must have:
- ec2:CreateNetworkInterface
- ec2:DescribeNetworkInterfaces
- ec2:DeleteNetworkInterface
- ec2:DescribeSecurityGroups
- ec2:DescribeSubnets
or ec2:* if OK for your use case's security.
I had the same issue deploying a lambda with a VPC config using SAM/cloudformation and resolved it by adding this above.
On the GitHub issue some people say it is because of CloudFormation creation order; it is not (or maybe not anymore, because I tested adding 20 dummy resources and still had the same issue, only resolved by adding the permissions above).
cheers,
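Added example, not code from any post in this thread: a small triage helper for the AccessDeniedException quoted in the question. It parses the error text to recover the calling operation, the downstream EC2 action and the resource id, then says which principal has to carry that action, the caller running the CLI/CloudFormation or the function's execution role, using the two permission sets the answers above settle on. The split between CALLER_VPC_ACTIONS and FUNCTION_VPC_ACTIONS follows those answers; the regex and the ASKER_USER_ACTIONS set (the asker's own grant list) are this example's assumptions, and the sample error is the one from the question reflowed onto one line.

```python
import re

# Who needs what for a VPC-attached function, per the answers above.
CALLER_VPC_ACTIONS = {"ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs"}
FUNCTION_VPC_ACTIONS = {"ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces",
                        "ec2:DeleteNetworkInterface"}

# The error from the question, reflowed onto one line (sg id anonymised as in the post).
SAMPLE_ERROR = (
    "An error occurred (AccessDeniedException) when calling the "
    "UpdateFunctionConfiguration operation: Your access has been denied by EC2, "
    "please make sure your request credentials have permission to "
    "DescribeSecurityGroups for sg-xxxx. EC2 Error Code: UnauthorizedOperation. "
    "EC2 Error Message: You are not authorized to perform this operation.")

# Assumed message shape: "<op> operation: ... denied by <svc>, ... permission to <action> for <id>"
_DENIED = re.compile(
    r"when calling the (?P<operation>\w+) operation:.*?"
    r"denied by (?P<service>\w+),.*?permission to (?P<action>\w+) for (?P<resource>[\w-]+)",
    re.S)


def parse_access_denied(msg):
    """Extract operation, downstream service action and resource id, or None."""
    m = _DENIED.search(msg)
    if not m:
        return None
    d = m.groupdict()
    d["action"] = f"{d['service'].lower()}:{d['action']}"  # e.g. ec2:DescribeSecurityGroups
    return d


def triage(msg, caller_actions, role_actions):
    """Say which principal must hold the denied action and whether it already lists it."""
    parsed = parse_access_denied(msg)
    if parsed is None:
        return {"needed_by": "unknown", "hint": "unrecognised error format"}
    action = parsed["action"]
    if action in CALLER_VPC_ACTIONS:
        who, have = "caller", caller_actions
    elif action in FUNCTION_VPC_ACTIONS:
        who, have = "function role", role_actions
    else:
        who, have = "unknown", set()
    present = action in have
    hint = ("action is listed but still denied: check it is attached to the identity "
            "actually making the call (pipeline/worker role) and look for an explicit Deny"
            if present else f"add {action} to the {who} policy")
    return {"operation": parsed["operation"], "action": action,
            "resource": parsed["resource"], "needed_by": who,
            "present": present, "hint": hint}


# The grant list from the question, as given to the CLI user (and the function role).
ASKER_USER_ACTIONS = {"ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces",
                      "ec2:DeleteNetworkInterface", "ec2:DescribeSecurityGroups"}


def demo():
    return triage(SAMPLE_ERROR, ASKER_USER_ACTIONS, ASKER_USER_ACTIONS)


if __name__ == "__main__":
    print(demo())
```

For the question's own error the helper attributes ec2:DescribeSecurityGroups to the caller, and since that action is in the asker's list, the hint points at the identity actually making the call rather than at the function role, which matches the resolution the answers converge on.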
Can someone explain to me the difference between an AWS Policy and an AWS Managed Policy in the context of Cloud Formation?
More specifically, I'm trying to define an auto scaling template where:
Each instance in an auto scale configuration is assigned an IAM Instance Role that has a policy.
The same policy is applied to the user when they try and access these instances.
I'm trying to keep duplication to a minimum and it seems like I may be able to achieve it via a Policy linked to a role, and group of users. The role can then be associated with EC2 Instance via instance profile and users can be added to the groups which in turn are assigned the policy.
Why and under what circumstances would one use a ManagedPolicy?
Thank you for your assistance.
EDIT: It seems like Role requires a policy document irrespective. So even having a separate policy won't really help? Or am I missing something?
AWS::IAM::Role only requires a trust policy. The Policy/Managed Policy can be defined separately.
The difference between AWS::IAM::ManagedPolicy and AWS::IAM::Policy is that AWS::IAM::ManagedPolicy does not require you to assign a Group, Role or User when defining it. AWS::IAM::Policy does. In your use case, you're probably fine using AWS::IAM::Policy.
If I may add, when testing Policy creation using CDK v2.12.0, groups, users or roles are not required. iam.ManagedPolicy creates a policy you can share; iam.Policy is created as an inline policy.
import { aws_iam as iam } from 'aws-cdk-lib'; // import added; policyDocs and s3UserGroup are defined elsewhere in the stack

// Inline policy: exists only on the principals it is attached to
new iam.Policy(this, 'testPolicy2', {
  statements: policyDocs,
  //groups: [s3UserGroup],
  policyName: 'testPolicy2'
})

// Customer managed policy: a standalone resource that can be shared across principals
new iam.ManagedPolicy(this, 'testPolicy3', {
  statements: policyDocs,
  //groups: [s3UserGroup],
  managedPolicyName: 'testPolicy3'
})
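Added example, not from the answers or from CDK/CloudFormation itself: a check over a CloudFormation template (already parsed into a dict) that encodes the distinction drawn above. AWS::IAM::Policy must name at least one of Groups, Roles or Users, AWS::IAM::ManagedPolicy can stand alone and be attached later by ARN, and AWS::IAM::Role needs only its trust policy. The template, bucket name and logical ids are constructed for the example; the OrphanInline resource is there to show the deploy-time failure a ManagedPolicy would have avoided.

```python
INLINE, MANAGED, ROLE = "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy", "AWS::IAM::Role"
ATTACH_KEYS = ("Groups", "Roles", "Users")

# Constructed documents: a minimal permission policy and an EC2 trust policy.
READ_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
EC2_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}

# Constructed template: shared managed policy, role with trust policy only,
# one attached inline policy and one inline policy with nothing to attach to.
TEMPLATE = {"Resources": {
    "SharedPolicy": {"Type": MANAGED, "Properties": {"PolicyDocument": READ_BUCKET}},
    "InstanceRole": {"Type": ROLE, "Properties": {
        "AssumeRolePolicyDocument": EC2_TRUST,
        "ManagedPolicyArns": [{"Ref": "SharedPolicy"}]}},  # Ref of a ManagedPolicy is its ARN
    "AttachedInline": {"Type": INLINE, "Properties": {
        "PolicyName": "attached", "Roles": [{"Ref": "InstanceRole"}],
        "PolicyDocument": READ_BUCKET}},
    "OrphanInline": {"Type": INLINE, "Properties": {
        "PolicyName": "orphan", "PolicyDocument": READ_BUCKET}},
}}


def check_iam_resources(template):
    """Return human-readable findings for the IAM resources in a template."""
    findings = []
    for name, res in template["Resources"].items():
        kind, props = res.get("Type"), res.get("Properties", {})
        if kind == INLINE and not any(props.get(k) for k in ATTACH_KEYS):
            findings.append(f"{name}: AWS::IAM::Policy must name at least one of Groups, Roles or Users")
        if kind in (INLINE, MANAGED) and "PolicyDocument" not in props:
            findings.append(f"{name}: {kind} is missing PolicyDocument")
        if kind == ROLE and "AssumeRolePolicyDocument" not in props:
            findings.append(f"{name}: AWS::IAM::Role needs a trust policy (AssumeRolePolicyDocument)")
    return findings


def managed_policy_consumers(template):
    """Map each ManagedPolicy logical id to the resources that attach it via Ref."""
    out = {n: [] for n, r in template["Resources"].items() if r.get("Type") == MANAGED}
    for name, res in template["Resources"].items():
        for arn in res.get("Properties", {}).get("ManagedPolicyArns", []):
            target = arn.get("Ref") if isinstance(arn, dict) else None
            if target in out:
                out[target].append(name)
    return out


def fixed_template():
    """Drop the orphan inline policy; the shared ManagedPolicy already covers the role."""
    t = {"Resources": dict(TEMPLATE["Resources"])}
    t["Resources"].pop("OrphanInline")
    return t


if __name__ == "__main__":
    print(check_iam_resources(TEMPLATE))
    print(managed_policy_consumers(TEMPLATE))
    print(check_iam_resources(fixed_template()))
```

The only finding on the constructed template is the orphan inline policy; SharedPolicy passes without any attachment of its own because its consumers reference it by ARN, which is the reuse pattern the question is after (one policy document, attached to the instance role and to a user group).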