I have the following IAM Role:
AmazonEC2FullAccess
Custom-Policy
In my custom policy I have:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "iam:ListRoles",
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "10.0.0.0/16"
}
}
}
]
}
Then I create a new EC2 instance and attach this role to it.
Inside the EC2 Instance I try to do:
aws iam list-roles
But I get this error:
An error occurred (AccessDenied) when calling the ListRoles operation:
User: arn:aws:sts::XXXXXXX:assumed-role/My-Role/i-XXXXXX is not
authorized to perform: iam:ListRoles on resource:
arn:aws:iam::XXXXXXX:role/
Do you have an idea why it's not working, please? thanks.
PS: The EC2 instance's IP is 10.0.0.XX
The IAM API lives on the Internet. Thus, when it receives your request, it will be coming from the IP address of the instance. IAM never sees the private IP address of the instance.
In theory, the IP address restriction should not be necessary because the role can only be used on instances where it has been assigned. You should put security on who can use the role (iam:PassRole), rather than from where the role can be used.
Related
I have deployed elastic beanstalk which has a role MyEBSRole in Account A. I would like to give this role access to Event Bridge in other account (Account B) (cross account). In Account B Event Bridge, I have added the following resource based policy:
{
"Sid": "mysid",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<Account-A-ID>:role/MyEBSRole"
},
"Action": ["events:PutRule", "events:ListRules", "events:DeleteRule", "events:DescribeRule", "events:DisableRule", "events:EnableRule", "events:PutTargets", "events:RemoveTargets"],
"Resource": "arn:aws:events:<Region>:<Account-B-ID>:rule/*",
"Condition": {
"StringEqualsIfExists": {
"events:creatorAccount": "${aws:PrincipalAccount}"
}
}
}
But I am getting the following exception:
An error occurred (AccessDeniedException) when calling the ListRules operation: User: arn:aws:sts::<Account-A-ID>:assumed-role/MyEBSRole/i-0b68xxxxxxx is not authorized to perform: events:ListRules on resource: arn:aws:events:<Region>:<Account-B-ID>:rule/*
If I replace the principal in resource based policy to this:
"Principal": {
"AWS": "arn:aws:iam::<Account-A-ID>:root"
}
Then I am able to get result via cloud shell, but with Elastic beanstalk it is still not working.
I also tried with arn:aws:sts::<Account-A-ID>:assumed-role/MyEBSRole/i-0b68xxxxxxx in principal but it also does not work.
Could anyone please, indicate what is wrong or missing there? Thank you.
I am trying to connect my EC2 instance to my ES domain and keep getting the following error:
AuthorizationException(403, 'security_exception', 'no permissions for [indices:data/read/search] and User [name=arn:aws:iam::ACCOUNT_ID:role/my-role, backend_roles=[arn:aws:iam::ACCOUNT_ID:role/my-role], requestedTenant=null]')
Elasticsearch configuration:
public domain
fine-grained access control via IAM
access policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT_ID:role/my-role"
},
"Action": "es:*",
"Resource": "arn:aws:es:REGION:ACCOUNT_ID:domain/test/*"
}
]
}
EC2 Configuration:
using IAM role my-role
with permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"es:*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
All HTTP requests sent from EC2 to ES are being signed. I have already verified signing works: if I use the security credentials of the IAM user that I also set as the IAM ARN master user when setting up my ES domain the requests between EC2 and ES work as expected.
The issue might be with fine-grained access control in ES. Same issue is mentioned here
If you want to connect to same ES cluster with FGAC from EC2 instance then you need to map EC2 IAM role with backend kibana roles. First you need to login to kibana with master user and then follow steps from doc to map EC2 IAM role to kibana 'all_access' role
I'm restricting bucket access to my VPC Endpoints, I have a bucket say test-bucket which is in Dev account, I have added the below policy to enable the access to be restricted to only the VPC Endpoints:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Access From Dev, QA Account",
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::x:root",
"arn:aws:iam::y:root",
]
},
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::test-bucket",
"arn:aws:s3:::test-bucket/*"
],
"Condition": {
"StringNotEquals": {
"aws:sourceVpce": [
"vpce-1234",
"vpce-1235"
]
}
}
}
All the instances from the Dev account are able to access the object via wget and AWS CLI, the problem arises when I access from the instances from the QA account I'm able to wget the object but not able to access via AWS CLI, getting the below error:
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
Though I have added the VPC Endpoint with respect to the QA account in the S3 bucket policy.
If I remove the action to deny and remove VPC Endpoint rules from the bucket policy, then I'm able to access from QA account instances as there are IAM roles defined for it. My question is when I restrict the access via VPC Endpoint why I'm not able to access from QA account instances?
The accounts are from the same region.
Ok finally found the answer, needed to allow the role defined in the QA account, for the awscli access to take place. Added the below lines to the bucket policy.
{
"Sid": "Allow QA role",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::y:role/s3-access"
},
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::test-bucket",
"arn:aws:s3:::test-bucket/*"
]
}
Requirement: To restrict IAM user from creating VPC with dedicated tenancy. IAM user should only be able to create VPC with default tenancy.
IAM Policy Attached to IAM User:
{
"Sid": "limitedTenancyVpc",
"Effect": "Deny",
"Action": "ec2:CreateVpc",
"Resource": "arn:aws:ec2:*:*:vpc/*",
"Condition": {
"ForAnyValue:StringNotLike": {
"ec2:Tenancy": [
"default"
]
}
}
}
I know that for VPC InstanceTenancy is keyword to be used. I tried with it in condition, however it's not working. IAM user with this policy attached is able to create VPC with dedicated tenancy.
Please suggest.
It is not possible to restrict this as there is no condition associated with ec2:CreateVPC action. See the list of available EC2 conditions keys.
However, ec2:tenancy condition is available for ec2:runInstances. So you can instead deny requests to launch instances with dedicated tenancy as a guardrail.
There are 3 different tenancy types: default, dedicated and host. Deny requests if tenancy is set to either host or dedicated.
{
"Sid": "limitedTenancyVpc",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "*",
"Condition": {
"ForAnyValue:StringEquals": {
"ec2:Tenancy": [
"host",
"dedicated"
]
}
}
}
I want to allow a script running on my EC2 instance to indicate when it is healthy to the autoscaling group. To do so, I can run the following from my script:
aws --region $AWSREGION \
autoscaling \
set-instance-health \
--instance-id $(curl http://169.254.169.254/latest/meta-data/instance-id) \
--health-status Unhealthy
Before granting any special permissions to the IAM role, I get the following error (as I'd expect):
An error occurred (AccessDenied) when calling the SetInstanceHealth operation: User: arn:aws:sts::ACCOUNTID:assumed-role/ROLENAME/i-INSTANCEID is not authorized to perform: autoscaling:SetInstanceHealth
I could add the following statement to my IAM role to get around this:
{
"Action": [
"autoscaling:SetInstanceHealth"
],
"Effect": "Allow",
"Resource": "*"
}
But wouldn't that allow instances in this role to set instance health on all instances (assuming they know the instance id)? I wouldn't want one compromised instance being able to take others out of their own ASGs.
The Supported Resource-Level Permissions documentation lists Auto Scaling group in the Resource ARN column, indicating you can restrict autoscaling:SetInstanceHealth by Resource.
The IAM Policy Simulator disagrees:
This action does not support resource-level permissions
... but I've verified the following IAM policy permits finding members of auto-scaling groups, checking their CloudWatch metrics, and then setting instance health of members of only one auto-scaling group:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"autoscaling:SetInstanceHealth"
],
"Resource": "arn:aws:autoscaling:REGION:ACCOUNT:autoScalingGroup:UUID:autoScalingGroupName/NAME"
},
{
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"cloudwatch:ListMetrics",
"cloudwatch:GetMetricStatistics"
],
"Resource": "*"
}
]
}