While creating Users in Cloud. In IAM, Password policy. If you set password policy in inner sub user then it affects to parent user as well.
How is it possible ?
Example . I created user called xyz under root. I will login in xyz and change the password policy. But it affects Root user password policy as well.
The password policy that you set is for the account, not for a specific user and not for a group of users. It applies to the passwords of all IAM users. It does not apply to the AWS root account password.
Related
I lost access to my AWS account due to loss of my phone with Authenticator app, but I still have access to console. The problem is that somehow the phone number in my account was incorrect and I can't restore access automatically. Support said there is a typo in number and if I have another user with full access, I will be able to change it to correct number and proceed to restore my account via MFA troubleshooting form.
So, the question is how to create that user?
I already did this:
aws iam create-login-profile --user-name VeryAdmin --password verypassword
aws iam add-user-to-group --user-name VeryAdmin --group admin
And successfully logged in to console, but still has no access to changing the number. The article in documentation said that the user should have access to this:
The IAM user enabled on the AWS account has administrator access permission.
The IAM user has access to the AWS Billing console.
No idea how to correctly add them via CLI
Unfortunately to change any details belonging to your account you will need to be logged in as root user:
Change your account settings. This includes the account name, email address, root user password, and root user access keys. Other account settings, such as contact information, payment currency preference, and AWS Regions, don't require root user credentials
https://docs.aws.amazon.com/accounts/latest/reference/root-user-tasks.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_billing.html
According to the Documentation: Granting permissions to multiple accounts with added conditions it is possible to create with the entry:
Principal": {"AWS": ["arn:aws:iam::111122223333:root","arn:aws:iam::444455556666:root"]}
just access for all the users inside this account. But unfortunately it is not working. When putting single users there the access for that User from that different account is working. But with all and the root option is does not work.
But with all and the root option is does not work.
This is because the admins of these accounts also have to add permissions to IAM users/roles to access the bucket. In other words, adding arn:aws:iam::111122223333:root to a bucket policy is not enough. The individual IAM users or roles from 111122223333 also need IAM permissions to access the bucket.
As an Admin user, I have created an IAM user with some restricted accesses for testing purposes.
So, when I login with the IAM user, I don't have access to unauthorized services as expected but I've noticed that I can create and remove IAM users, even if I didn't created them by myself.
So, I have three questions:
Why an IAM have the ability to remove other users?
And how can I prevent this?
When an IAM user create "sub IAM users", do these "sub users" inherit from his unauthorizations?
1) Why an IAM have the ability to remove other users?
Am IAM user is just another user of your AWS account. It appears you gave the new IAM user the permissions to create, modify, or delete other IAM user accounts.
2) And how can I prevent this ?
You need to review the IAM policies and roles assigned to the new IAM user and remove the permissions you don't want them to have. Please post the exact IAM roles and policies you have assigned to the user if you need help with this.
3) When an IAM user create "sub IAM users", do these "sub users"
inherit from his unauthorizations ?
There is no such thing as "sub users". A user is not in any way tied to the user that created them.
A user is granted the ability to create a user by virtue of the permissions granted to the first user. If you attach a policy to the second her that also grants the ability to create users that second will have permission to do so. There is a feature that allows you to grant a user the permission to create other uses whilst limiting the permissions of the second user. The feature is called Permission boundaries. By using this you can allow a user to create other users but limit what permissions that other user can grant.
There is no concept of "sub-IAM users." An IAM user is an IAM user. The user has permissions to create other IAM users because you haven't denied the iam:* policies. You said you "created an IAM user with some restricted accesses for testing purposes." Without seeing the user it's not possible to know what permissions you have granted, but you must have allowed IAM permissions. To prevent the user from creating other users, do not attach policies that allow the iam:CreateUser permission.
Yes you're right an IAM user shouldn't have the ability to manage other users. AWS has policies for this like if you want other users to give access to all services you can create a group and attach PowerUserAccessPolicy to that group. Users with PowerUserAccess wouldn't be able to manage groups and other IAM users. Further, if you want to restrict admin users access to manage other IAM users you can create custom policy to deny this affect using an inline policy.
Reference:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html
Any IAM user can't be called as "sub-user", as all users can be said to have the same level.When any IAM user is associated the policies for IAM operations such as create, update, delete, that user can perform such IAM operations for new or existing users.
I'm trying to achieve the following:
I have a web application that needs different user permissions for some menus and calls to the API gateway.
I have done the following:
- Set up a user pool with 2 groups ( Group 1 and Group 2 )
- Assigned users to those groups
- Set up 2 policies ( Policy 1 and Policy 2, where policy 1 is the default policy in authenticated role in fed. identites)
- Set up the correct trust policies in the roles
- In federated identities, under authentication providers, I have set authenticated role selection to choose role from token
On the front, I have decoded the ID token and verified that the cognito:groups etc are correct when initialising a login.
So group 1 is the looser policy allowing everything, and policy 2 is the stricter policy that should not allow calls to a certain resource in API gateway.
But when I assign a user to a group 2 which has the stricter Policy 2, the user still seems to use the policy 1 which allows everything. What am I doing wrong here?
I have the same problem as this thread and done exactly what it says but still no progress
Check the role assigned to the user group has a trust relationship. It needs this so it can assume the role of the federated identity provider.
You can build an appropriate role for the User pool groups role by doing this:
Open AWS console
Get to IAM section
Pick roles
Pick web identity
Choose Amazon Cognito
Paste in your Identity pool id (the federated one)
Click next
Now add/create policies you need for the user group, like S3 access, or whatever.
Give the role a name and save it.
Go to your User Pool group, edit it and assign the role just created.
Open the Federated Identity
Set the Authenticated role selection dropbox to Choose role from token
Optionally set Role resolution to DENY
References:
Fine grained auth
Role based access control
This may be a silly question, but have you assigned an IAM Role to the Cognito User Pools Group?
Further, I would opt for a more restrictive policy precedence. You should apply "normal user" policies as the Authenticated Role and more "admin user" policies as roles to be assumed by users belonging to specific groups.
Similar to:
Group: Admins (Policy A attached) (Precedence 0)
Group: Users (Policy B attached) (Precedence 10)
Authenticated Role: Policy B
I have secret key and access key of one root account, can i find the username and password for the same
This is not possible:
You can retrieve the username for a regular IAM user based on its IAM user credentials by means of the AWS CLI's get-user command for example:
Retrieves information about the specified user, including the user's
creation date, path, unique ID, and ARN.
If you do not specify a user name, IAM determines the user name
implicitly based on the AWS access key ID used to sign the request.
However, when used with root account credentials, it returns the AWS account id or alias, rather than the email address that comprises the root user name.
Furthermore, retrieving the password is not possible in the first place for both types of principals, as it should be with any kind of security sensitive service - it will only be shown once on creation for regular IAM users and resetting requires assistance by another account user with IAM privileges; resetting the root account password requires following the resp. password recovery process for the root account accordingly, i.e. interaction with the AWS account management backend/staff.