Policy used :
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:*AccessKey*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::account#:user/user1"
]
}
]
}
What does the policy do :
Allows user to change to manage his own access keys .
What have I tried till now
Attached the above policy to the user
Tried logging with the user name and clicked on IAM and clicked on rotate your access keys and manage your access keys .
The error message comes up and doesnt allow the user to change the access keys
Error message is as follows:
You need permissions
You do not have the permission required to perform this operation. Ask your administrator to add permissions. Learn more
User: arn:aws:iam::account#:user/user1 is not authorized to perform: iam:ListUsers on resource: arn:aws:iam::account#:user/
You need to allow IAM iam:ListUsers actions on the * resource. The error message indicates missing permission for that action.
See: Allow a User to List the Account's Groups, Users, Policies, and More for Reporting Purposes
There it provides a sample policy to: "Allow Users to Manage Their Own Passwords, Access Keys, and SSH Keys".
The following policy allows users to perform these actions in the AWS Management Console:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:*LoginProfile",
"iam:*AccessKey*",
"iam:*SSHPublicKey*"
],
"Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
},
{
"Effect": "Allow",
"Action": [
"iam:ListAccount*",
"iam:GetAccountSummary",
"iam:GetAccountPasswordPolicy",
"iam:ListUsers"
],
"Resource": "*"
}
]
}
Related
I am trying to create an SCP policy to disallow creation of iam user in member accounts other than Admin (assumed role with SSO), however its not letting even the admin create the user, below is the policy I am using,
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Deny",
"Action": [
"iam:CreateUser",
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:DeleteUser"
],
"Resource": [
"*"
],
"Condition": {
"StringNotLike": {
"aws:PrincipalArn": [
"arn:aws:sts::*:assumed-role/AWSReservedSSO_AWSAdministratorAccess*/*"
]
}
}
}
]
}
Not sure what's wrong in it, please help
The PrincipalArn should be:
arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess*
To get an valid ARN for SSO assumed roles, you need to change arn:aws:sts::*:assumed-role by arn:aws:iam::*:role.
Additionally, this represents the SSO group, so you do not need to add /* after the group name. So the following ARN is incorrect and will not work:
arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess*
Reference:
Implement service control policy (SCP) for accounts in AWS Organizations
I have created an IAM user in my AWS account. IAM user requires permission to access Amazon data Lifecycle Manager. I had given the following permissions to the IAM user
AmazonEC2FullAccess,
AWSDataLifecycleManagerServiceRole
and AWSDataLifecycleManagerServiceRoleForAMIManagement.
But when I tried to access Amazon Data Lifecycle Manager with this IAM user account, I get this following statement on the lifecycle manager page
It is taking a bit longer than usual to fetch your data.
(The page keepy on loading for a longer period of time)
This message doesn't appear when I tried to access the same page with the same IAM user but this time with Administrator-Access.
Can somebody please let me know what's going wrong here, because I want to grant limited permission for my IAM user to manage my AWS resources.
The policies that you mencioned does not include permissions to access Data Lifecycle Manager.
This is another service that is not included on EC2 (this is why AmazonEC2FullAccess does not give you permissions). Additionally, AWSDataLifecycleManagerServiceRole and AWSDataLifecycleManagerServiceRoleForAMIManagement are managed policies to allow AWS Data Lifecycle Manager itself to take actions on AWS resources. So these policies should not be applied to IAM Users.
You need to create a custom IAM Policy with the proper permissions. In case of read only you can use this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DataLifecycleManagerRead",
"Effect": "Allow",
"Action": [
"dlm:Get*",
"dlm:List*"
],
"Resource": "*"
}
]
}
UPDATE
To create policies through web console, some additional permissions are required because the web shows more information to help during creation process. So in order to have enough permissions to create policies via web use this (some of these are referenced on documentation but seems to be incomplete):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dlm:*",
"iam:GetRole",
"ec2:DescribeTags",
"iam:ListRoles",
"iam:PassRole",
"iam:CreateRole",
"iam:AttachRolePolicy"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateSnapshot",
"ec2:CreateSnapshots",
"ec2:DeleteSnapshot",
"ec2:DescribeInstances",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:EnableFastSnapshotRestores",
"ec2:DescribeFastSnapshotRestores",
"ec2:DisableFastSnapshotRestores",
"ec2:CopySnapshot",
"ec2:ModifySnapshotAttribute",
"ec2:DescribeSnapshotAttribute"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": "arn:aws:ec2:*::snapshot/*"
},
{
"Effect": "Allow",
"Action": [
"events:PutRule",
"events:DeleteRule",
"events:DescribeRule",
"events:EnableRule",
"events:DisableRule",
"events:ListTargetsByRule",
"events:PutTargets",
"events:RemoveTargets"
],
"Resource": "arn:aws:events:*:*:rule/AwsDataLifecycleRule.managed-cwe.*"
}
]
}
I use root user to create bucket call xxx, I also create IAM user. When I login by IAM user, I access S3 and see error:
You don't have permissions to list buckets
After you or your AWS administrator have updated your permissions to allow the s3:ListAllMyBuckets action, refresh this page. Learn more about Identity and access management in Amazon S3
I try create policy like below on IAM and attach for my IAM user. But I still have error? Why IAM user can not access s3. I also add AmazonS3FullAccess permission for IAM user.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:ListStorageLensConfigurations",
"s3:ListAccessPointsForObjectLambda",
"s3:GetAccessPoint",
"s3:PutAccountPublicAccessBlock",
"s3:GetAccountPublicAccessBlock",
"s3:ListAllMyBuckets",
"s3:ListAccessPoints",
"s3:ListJobs",
"s3:PutStorageLensConfiguration",
"s3:CreateJob"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::*/*",
"arn:aws:s3:::xxx"
]
}
]
}
I has the same error because i forget to add the administrators a group user by signing in as a root user email, then sign as iam , it should be good to go.
Invalid Action: The action s3:ListObjects does not exist. Did you mean s3:ListBucket? The API called ListObjects authorizes against the IAM action s3:ListBucket.
Getting error for policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "S3fileAccess",
"Effect": "Deny",
"Action": [
"s3:PutObject",
"s3:ListObjects",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::files-*",
"arn:aws:s3:::log-files-*"
]
}
]
}
That's correct, ListBucket "Grants permission to list some or all of the objects in an Amazon S3 bucket (up to 1000)". There is a different permission to list the buckets (ListAllMyBuckets). These names are a little odd, and I suspect it's a legacy issue, given that S3 was the first generally available service.
You can find all the permissions here: Actions, resources, and condition keys for AWS services
I have some question about IAM permissions. I have IAM User. who has such minimal permissions
1) For IAM:
{
"Version": "2010-12-14",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ChangePassword"
],
"Resource": [
"arn:aws:iam::*:user/${aws:username}"
]
},
{
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy"
],
"Resource": "*"
}
]
}
2) For S3
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1234567890123",
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject"
],
"Resource": [
"*"
]
}
]
}
And I need to write some Api, using Java SDK, which be ablle to check if user has this minimal permissions, but on this level of access, I can not get my own permissions, policies, roles. It is possible to do so with this level of access?
Using AWS java sdk you can get IAM permissions of yours and other IAM users. But you need to have required AWS resource permission.
For ex http://docs.aws.amazon.com/cli/latest/reference/iam/list-user-policies.html
To list other user policies you should have IAM:list-user-policies.
Likewise whatever AWS resources you try to access require permissions to query the resource. Your permissions can be set directly to you in permissions or role with permissions have been assigned to you.
I had an issue with identifying IAM user permission and I had to write an API that had to be responsible for that. So used AWS java SDK, IAM module, where such ability had already presented. I used simulatePrincipalPolicy request