Attached graphic is a list of different access levels offered for a particular service. Is there any way I can use the AWS CLI to pull a list of all the different access levels for all different Amazon services?
This is an example picture from 'Alexa for Business' service.
The image you attached is AWS Console's visualization of some actions, these actions roughly maps to the API calls that you can make from the AWS CLI which you can list
AWS do maintain a document that list all Actions, Resources, and Condition Keys for all their services which I believe is what you want
Otherwise, can you clarify your question to show exactly what you want to get from the CLI?
What are the "Access Levels" you are referring to here?
Related
I'm trying to set up AWS IAM Identity Center (successor to AWS Single Sign-On) for my organisation, and my team has a strong preference for Infrastructure as Code (IaC) wherever practical.
While exploring solutions, I was able to set up an Instance with several Users, Groups and Permission Sets using the Management Console UI. However, now I have come to set up something more long-term, I can't find any way to create an Instance via either CloudFormation or the AWS CLI.
When looking for documentation, I found the CloudFormation reference for AWS SSO, as well as the AWS CLI reference for the sso-admin subcommand. Neither mention any operations that create instances. Neither does the AWS SSO API reference, which leads me to think programmatic access may not be possible.
Is it possible to create an Instance through code rather than the Management Console?
If it is possible, what have I missed?
I am looking for ways to automate the rotation of access keys (AWS credentials) for a set of users. There is a seperate process that creates the Access Keys. I need to be able to rotate the keys in an automated way. This link explains a way to do this for a specific user. How would I be able to achieve this for a list of users. Any thoughts or recommendations?
You can use AWS Config to mark the old access keys non-compliant (https://docs.aws.amazon.com/config/latest/developerguide/access-keys-rotated.html) and then use CloudWatch Events (my article how to do this) to run a Lambda function that deletes the old key, creates a new one, then send it to the user.
Access keys are generally used for programmatic access by applications. If these applications are running in, says EC2, you should use roles for EC2. This will install temporary credentials on the instance that are automatically rotated for you. The AWS CLI and SDKs know how to automatically retrieve these credentials so you don't need to add them in the application either.
Other compute solutions (Lambda, ECS/EKS) also have ways to provision roles for applications.
I'm trying to find a way to list all services used on AWS account, having 1000s of accounts, I can't use cloud trail. Config only provides data on infrastructure like EC2, lambdas, RDSs, which is a fraction of what I need.
Is there an API or a way to make call preferably using an aggregator of some sort?
I would be interested in simple output like account, what services, when first consumed. Any suggestions?
Why do I need it? We let our app teams to consume number of services and they are gradually whitelisted to consume, we would like to understand how quick these are being utilized since whitelsited.
Have you had a look at your AWS bill? That would be a nice source of all the information as to what services were active on an account.
AWS provides the AWS Cost Explorer API which would permit you to do this programatically.
How to configure the credential to use AWS service from inside the EKS. I can not use AWS SDK for this specific purpose. I have mentioned a role with required permission in the yaml file but it does not seem like it is picking up the role.
ThankYou
Any help is appreciated.
Typically you'd want to apply some level of logic to allow the pods themselves to obtain IAM credentials from STS. AWS does not currently (its re:Invent now so you never know) provide a native-way to do this. The two community solutions we've implemented are:
kube2IAM: https://github.com/jtblin/kube2iam
kIAM: https://github.com/uswitch/kiam
Both work well in production/large environments in my experience. I prefer kIAM's security model, but both get the job done.
Essentially the work the same basic way ... intercepting (for lack of a better word) communications b/t the SDK libraries in the container and STS, matching identity of the pod with an internal role dictionary, and then obtaining STS credentials for that role and handing those creds back to the container. The SDK isn't inherently aware its in a container, its just doing what it does anywhere ... walking its access tree until it sees the need to obtain creds from STS and receiving those.
Can AWS IAM be used to control access for custom applications? I heavily rely on IAM for controlling access to AWS resources. I have a custom Python app that I would like to extend to work with IAM, but I can't find any references to this being done by anyone.
I've considered the same thing, and I think it's theoretically possible. The main issue is that there's no call available in IAM that determines if a particular call is allowed (SimulateCustomPolicy may work, but that doesn't seem to be its purpose so I'm not sure it would have the throughput to handle high volumes).
As a result, you'd have to write your own IAM policy evaluator for those custom calls. I don't think that's inherently a bad thing, since it's also something you'd have to build for any other policy-based system. And the IAM policy format seems reasonable enough to be used.
I guess the short answer is, yes, it's possible, with some work. And if you do it, please open source the code so the rest of us can use it.
The only way you can manage users, create roles and groups is if you have admin access. Power users can do everything but that.
You can create a group with all the privileges you want to grant and create a user with policies attached from the group created. Create a user strictly with only programmatic access, so the app can connect with access key ID and secure key from AWS CLI.
Normally, IAM can be used to create and manage AWS users and groups, and permissions to allow and deny their access to AWS resources.
If your Python app is somehow consuming or interfacing to any AWS resource as S3, then probably you might want to look into this.
connect-on-premise-python-application-with-aws
The Python application can be upload to an S3 bucket. The application is running on a server inside the on-premise data center of a company. The focus of this tutorial is on the connection made to AWS.
Consider placing API Gateway in front of your Python app's routes.
Then you could control access using IAM.