Allow power users on AWS to manage their passwords and keys - amazon-web-services

I created users with poweruser policy on AWS. The policy is
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
}
]
}
Now, following documentation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_delegate-permissions_examples.html#creds-policies-credentials) I have create custom policy that should allow user to manage their own passwords and keys:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:*LoginProfile",
"iam:*AccessKey *",
"iam:ChangePassword",
"iam:*SSHPublicKey *"
],
"Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
},
{
"Effect": "Allow",
"Action": [
"iam:ListAccount*",
"iam:GetAccountSummary",
"iam:GetAccountPasswordPolicy",
"iam:ListUsers"
],
"Resource": "*"
}
]
}
I am still getting and error
User: arn:aws:iam::1234567890:user/student is not authorized to perform: iam:CreateLoginProfile on resource: user student. Simulation gives explicit deny error, which is not the case according to these policies.

See below in the code where it says account-id-without-hyphens replace that with your account number and it will work.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:*LoginProfile",
"iam:*AccessKey *",
"iam:ChangePassword",
"iam:*SSHPublicKey *"
],
"Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
},
{
"Effect": "Allow",
"Action": [
"iam:ListAccount*",
"iam:GetAccountSummary",
"iam:GetAccountPasswordPolicy",
"iam:ListUsers"
],
"Resource": "*"
}
]
}

Related

The IAM role arn:aws:iam::XXXXXXXXXXXX:role/XXXXXXXXXXXX isn't authorized to call s3:DeleteObject on the S3 bucket XXXXXXXXXXXX-XXXX-XXXX

Can someone please help with the following error on AWS RDS Export of database.
I am getting the following error:
Your request to export snapshot to S3 has failed.
The IAM role arn:aws:iam::XXXXXXXXXXXX:role/XXXXXXXXXXXX isn't authorized to call s3:DeleteObject on the S3 bucket XXXXXXXXXXXX-XXXX-XXXX.
My Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExportPolicy",
"Effect": "Allow",
"Action": [
"s3:PutObject*",
"s3:ListBucket",
"s3:GetObject",
"s3:GetObject*",
"s3:DeleteObject",
"s3:DeleteObject*",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::My-bucket",
"arn:aws:s3:::My-bucket/export/*"
]
}
]
}
My Role
Trust relationships
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"export.rds.amazonaws.com",
"ec2.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
Could you please try the following. It seems to be working.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExportPolicy",
"Effect": "Allow",
"Action": [
"s3:PutObject*",
"s3:ListBucket",
"s3:GetObject*",
"s3:DeleteObject*",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
}
]
}

AWS: IAM Policy to Add User To specific Group

I'm trying to set up a policy for a Group ("TheGroup") that when attached to a User would allow that user to Create new Users AND assign them to another specific group ("TheSubGroup").
I believe I have the CreateUser part mostly done but I'm not sure of syntax for how to also allow this user to AddUserToGroup("TheSubGroup") in the second part of the policy below.
Any thoughts?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ManageUsersPermissions",
"Effect": "Allow",
"Action": [
"iam:ChangePasword",
"iam:CreateAccessKey",
"iam:CreateLoginProfile",
"iam:CreateUser",
"iam:DeleteAccessKey",
"iam:DeleteLoginProfile",
"iam:DeleteUser",
"iam:UpdateAccessKey",
"iam:ListAttachedUserPolicies",
"iam:ListPolicies",
"iam:ListUserPolicies",
"iam:ListGroups",
"iam:ListGroupsForUser",
"iam:GetPolicy",
"iam:GetAccountSummary"
],
"Resource": "*"
},
{
"Sid": "LimitedGroupAssignment",
"Effect": "Allow",
"Action": [
"iam:AddUserToGroup",
"iam:RemoveUserFromGroup"
],
"Resource": "*",
"Condition": {
"ArnEquals": {
"iam:PolicyArn": [
"arn:aws:iam::1234567890:group/TheSubGroup"
]
}
}
}
]
}
The AddUserToGroup action applies to group resources. Try targeting the group resource:
{
"Sid": "LimitedGroupAssignment",
"Effect": "Allow",
"Action": [
"iam:AddUserToGroup",
"iam:RemoveUserFromGroup"
],
"Resource": "arn:aws:iam::1234567890:group/TheSubGroup"
}

codedeploy unable to access s3

I have a codepipeline on Account A and codedeployment group on Account B. I'm seeing the below error once the codedeployment group start the trigger
The IAM role arn:aws:iam::accountb:role/testcrss does not give you permission to perform operations in the following AWS service: Amazon S3. Contact your AWS administrator if you need help. If you are an AWS administrator, you can grant permissions to your users or groups by creating IAM policies.
I was referring to this document provided by aws for aws cross-account deployment using codepipeline, do I need to configure anything other than the info provided in the document?
policies attached to testcrss role
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:Get*",
"s3:List*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey*",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:us-east-2:AccountA:key/valuetest"
]
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::AccountA bucket/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::AccountA bucket"
]
}
]
}
Bucket policy on Account A
{
"Version": "2012-10-17",
"Id": "SSEAndSSLPolicy",
"Statement": [
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::AccountAbucket/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "aws:kms"
}
}
},
{
"Sid": "DenyInsecureConnections",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::AccountAbucket/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB:root"
},
"Action": [
"s3:Get*",
"s3:Put*"
],
"Resource": "arn:aws:s3:::AccountAbucket/*"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB:root"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::AccountAbucket"
},
{
"Sid": "Cross-account permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB:role/testcrss"
},
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": "arn:aws:s3:::AccountAbucket/*"
}
]
}
Trust Relationship for Role testcrss
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": [
"codedeploy.amazonaws.com",
"ec2.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
The issue was the KMS key which was added to Account B was incorrect, this key is required to access the s3 bucket on Account A.
KMS key should be the same as the KMS key attached to the codepipeline on Account A

Create AWS Access Policy to Only 1 S3 Bucket

I'm trying to create a policy that allows access to only 1 bucket for our clients' WordPress backups using BackWPUp
This is after noticing that the default S3 Full Access policy allows full access to ALL buckets!
I tried following this article here:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket-console.html
The policy looks like this (replaced the bucket name to an appropriate one) and it's not working:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ConsoleAccess",
"Effect": "Allow",
"Action": [
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Sid": "ListObjectsInBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": ["arn:aws:s3:::bucket-name"]
},
{
"Sid": "AllObjectActions",
"Effect": "Allow",
"Action": "s3:*Object",
"Resource": ["arn:aws:s3:::bucket-name/*"]
}
]
}
Receiving Error: S3 Service API: Access Denied
Then, I tried a simplified version:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PolicyID",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
]
}
]
}
Still no luck, with the same error. Any ideas? What am I missing?
Turns out I needed s3:ListBucketMultipartUploads and s3:GetBucketLocation to get it working properly.
Final version below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads"
],
"Resource": "arn:aws:s3:::bucket-name"
},
{
"Effect": "Allow",
"Action": "s3:*"
"Resource": "arn:aws:s3:::bucket-name/*"
}
]
}

I am trying to set-up MFA for an AWS user in the organization

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1506369084151",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::account_#:user/user_name"
}
]
}
I have this above policy which should enable users to set-up MFA by themselves.
However, when I test this policy (by logging in as one of the users, I am not able to perform the desired action)
What am I missing in the policy snippet?
PS: The policy is attached to the user I try to log-in as. So this silly mistake is ruled out.
This works for me:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowEnableResyncDeleteListMFA",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ResyncMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Resource": [
"arn:aws:iam::AWS_ACCOUNT_ID:mfa/${aws:username}",
"arn:aws:iam::AWS_ACCOUNT_ID:user/${aws:username}"
]
},
{
"Sid": "AllowDeactivateMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice"
],
"Resource": [
"arn:aws:iam::AWS_ACCOUNT_ID:mfa/${aws:username}",
"arn:aws:iam::AWS_ACCOUNT_ID:user/${aws:username}"
],
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": true
}
}
},
{
"Effect": "Allow",
"Action": [
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ListUsers"
],
"Resource": "*"
}
]
}