I would like to delete an AWS IoT Button added to the AWS IoT Resources page at https://console.aws.amazon.com/iot/home?region=us-east-1#/dashboard
But when I check the button name and select Action > Delete, I get the error message
"The action failed because the input is not valid. Cannot delete. Thing AWS-iot-button-01 is still attached to one or more principals".
I'm not able to delete any policy or certs. But I have been able to revoke them.
Related
I want to create an ECS service with an ELB ('create new' option) and EC2 as the backend. I am using the AWS console and the Frankfurt region.
When I click the 'Create' button on the console, nothing happens! I cannot see any errors.
I tried the above with admin rights and even with the root account (!).
When I remove ELB, clicking 'Create' operates properly and the service is created.
I'm trying to create an AWS Control Tower landing zone for my AWS organization, and am getting a message saying "You must unsubscribe your organization from AWS CloudTrail so that AWS Control Tower can proceed. During the setup process, AWS Control Tower creates a new trail in the audit account that's part of your landing zone." How do I do this? Does this mean stopping all CloudTrail trails from sending logs, or is there an organization-wide setting to disable?
AWS Control Tower needs trusted access to be disabled for both CloudTrail and Config. To disable this you need to log in to the Organization management account, and go to AWS Organizations > Services > Disable Config/CloudTrail.
Trusted access enabled at an Organization level enables these services to inject service roles in all member accounts where they need to change something. Disabling this for CloudTrail would result in the Organization trail not working anymore; however, the master trail would still be intact. All shadow trails in member accounts would be disabled. AWS still allows you to search/filter/download CloudTrail management events in each of the member accounts for the last 90 days, just that they wouldn't be transferred to a central S3 bucket for storage.
Depending on which page I create a subscription for an SNS topic to an SQS queue (both belonging to the same account) from within the AWS console, I notice a difference in how the SQS policy for the queue is updated.
When I initially created the subscription from the SNS topic page in the console, the queue's access policy did not get updated.
When I created the policy from the SQS queue's page, I see the queue policy is updated automatically, allowing "SQS:SendMessage" from the SNS topic ARN.
Is the difference in behavior between these two use cases intentional? Is there a reason behind why creating the subscription from SNS topic page does not update the permission automatically?
I don't think there is any special reason for that. It's just inconsistencies in how the AWS Console works. In fact, there are plenty of such inconsistencies in the AWS Console.
The most basic example of that is when you delete a resource. Some resources will just delete without asking anything, others will force you to write "delete", others "delete me", or "permanently delete", or write "resource-name" or confirm something else.
AWS redesigned the SQS console experience a few days or a week ago. I am not able to find the Permissions tab in the new version. Could anyone please share screenshots showing how to navigate?
To access the Access Policy:
Click on the queue
Go to the Access policy tab
Click Edit
You will need to edit the policy in JSON. I think there was previously a simpler way to add permissions, but that method simply modified the policy. Now you need to edit the policy manually.
You can use the AWS Policy Generator to help construct a policy.
Looks like when first creating the queue in the new console, it has a wizard that lets you add other AWS accounts, IAM roles/users - but after the initial queue creation, if you go to edit the queue, that wizard isn't there.
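Since the queue policy now has to be edited by hand, the thing worth checking afterwards is that every SendMessage grant is pinned to the intended topic via an aws:SourceArn condition, rather than open to any caller. The following audit helper is an added example, not code from this thread or from AWS; the queue ARN, topic ARN and sample policy are constructed for illustration.

```python
import json

# Constructed sample queue policy (not taken from the thread): the first
# statement is the scoped grant the console writes for an SNS subscription,
# the second is an over-broad grant that lets any principal enqueue messages.
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:my-queue"
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:my-topic"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowMyTopic", "Effect": "Allow",
         "Principal": {"Service": "sns.amazonaws.com"},
         "Action": "SQS:SendMessage", "Resource": QUEUE_ARN,
         "Condition": {"ArnEquals": {"aws:SourceArn": TOPIC_ARN}}},
        {"Sid": "TooBroad", "Effect": "Allow", "Principal": "*",
         "Action": ["sqs:SendMessage"], "Resource": QUEUE_ARN},
    ],
})

def _as_list(value):
    # IAM allows a single string or a list in Action, Statement and condition values.
    return value if isinstance(value, list) else [value]

def _grants_send_message(statement):
    if statement.get("Effect") != "Allow":
        return False
    actions = [a.lower() for a in _as_list(statement.get("Action", []))]
    return any(a in ("*", "sqs:*", "sqs:sendmessage") for a in actions)

def _source_arns(statement):
    # Collect aws:SourceArn values under any operator (ArnEquals, ArnLike, StringEquals, ...).
    arns = []
    for operator_values in statement.get("Condition", {}).values():
        for key, value in operator_values.items():
            if key.lower() == "aws:sourcearn":
                arns.extend(_as_list(value))
    return arns

def send_message_grants(policy_json):
    """Map each SendMessage-granting Sid to the aws:SourceArn values it is scoped to ([] = unscoped)."""
    policy = json.loads(policy_json)
    return {s.get("Sid", f"stmt{i}"): _source_arns(s)
            for i, s in enumerate(_as_list(policy.get("Statement", [])))
            if _grants_send_message(s)}

def unscoped_send_message_sids(policy_json):
    """Sids of statements that let a caller enqueue without restricting the source topic."""
    return [sid for sid, arns in send_message_grants(policy_json).items() if not arns]

if __name__ == "__main__":
    print(send_message_grants(SAMPLE_POLICY))
    print("unscoped:", unscoped_send_message_sids(SAMPLE_POLICY))
```

Paste the JSON from the queue's Access policy tab into `send_message_grants` and treat any Sid that comes back with an empty list as a statement to tighten.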
I am trying to add a notification action in CloudWatch through Service Catalog. I created a new SNS topic and referred to the topic in the CloudWatch actions section, but it failed. Also, whenever I create a CloudWatch action through Service Catalog, it asks me to enable IAM to make the action, even though I manually created an alarm to stop an EC2 instance.