Should an IAM User say called User1 be given full access like so:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
Could it also be used to create Amazon API calls? Is this a security risk or should I create another user just to access the Amazpn API Gateway?
You should never give an IAM user full privileges. So many things could go wrong, and yes it may very well be a security risk.
If you need to manage (create, configure, or deploy) your API in API Gateway with this IAM user, you can give the user this policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"apigateway:*"
],
"Resource": "arn:aws:apigateway:*::/*"
}
]
}
Or, if you only need to invoke the API, you can use this policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"execute-api:Invoke"
],
"Resource": "arn:aws:execute-api:*:*:*"
}
]
}
Related
I have the following policy assigned to an IAM user which gives full permission to the billing.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"aws-portal:*Billing",
"awsbillingconsole:*Billing",
"aws-portal:*Usage",
"awsbillingconsole:*Usage",
"aws-portal:*PaymentMethods",
"awsbillingconsole:*PaymentMethods",
"budgets:ViewBudget",
"budgets:ModifyBudget",
"cur:*",
"purchase-orders:*PurchaseOrders"
],
"Resource": "*"
}
]
}
This policy does not allow the user to modify the alternate billing contact. The alternative billing contact settings is found under the https://console.aws.amazon.com/billing/home?#/account. Is there anyway to achieve this without giving administrator permissions.
Try granting all aws-portal actions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "aws-portal:*",
"Resource": "*"
}
]
}
I am trying to invoke a lambda function from an API Gateway. I have followed the next tutorial: https://docs.aws.amazon.com/apigateway/latest/developerguide/integrating-api-with-aws-services-lambda.html
However, I get the following error when I test it from the web of API Gateway:
Execution failed due to configuration error: API Gateway does not have permission to assume the provided role
I have search in google and I have not been able to solve it (this, for instance).
If I go to the IAM Management Console, I can see that the trust relationship allows API Gateway to assume the rol, and the JSON of the trust relationship is the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"apigateway.amazonaws.com",
"lambda.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
I have tried also with:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com",
"apigateway.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
The policy of the role is the next:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": [
"*"
]
}
]
}
What is wrong here? Thank you
To fix this go to the role in your IAM and select the “Trust Relationships” tab. From here edit the policy and for the Principal Service add in “apigateway.amazonaws.com” as seen below. This will grant the API Gateway the ability to assume roles to run your function in addition to the existing lambda permission.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"apigateway.amazonaws.com",
"lambda.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
I guess you have not attached the role to the invoking method i.e the api gateway
Attaching the created role to the api gateway is needed for api to execute the lamda.
Under Execution role, choose Choose an existing role.
Enter the role ARN for the lambda_invoke_function_assume_apigw_role
role you created earlier.
Choose Save.
AWS Link
I have setup separate IAM users from the root account with various privilege levels and I need provide all EC2 services access for 2 specific instances to a particular IAM user
I used AWS policy generator and got the below policy but it doesn't work
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "ec2:*",
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:us-east-1:ACCOUNT_ID:instance/INSTANCE_ID",
"arn:aws:ec2:us-east-1:ACCOUNT_ID:instance/INSTANCE_ID"
]
}
]
}
How can I grant permission to the specific instances so the IAM user can only manage those specific instances without accessing any other instances or services.
You can achieve this via Tags. As stated by the AWS Docs, you can try the below policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:RebootInstances"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Owner": "Bob"
}
},
"Resource": [
"arn:aws:ec2:us-east-1:111122223333:instance/*"
],
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
}
]
}
I need to create policy that would allow user to create spot requests, but with specific subnet and security group only. This is what I did:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RequestSpotInstances",
"Resource": [
"arn:aws:ec2:us-east-1:123456789012:image/ami-*",
"arn:aws:ec2:us-east-1:123456789012:subnet/subnet-af016c92",
"arn:aws:ec2:us-east-1:123456789012:subnet/subnet-12a34d3c",
"arn:aws:ec2:us-east-1:123456789012:subnet/subnet-f0e844cd",
"arn:aws:ec2:us-east-1:123456789012:subnet/subnet-026ae728",
"arn:aws:ec2:us-east-1:123456789012:key-pair/*",
"arn:aws:ec2:us-east-1:123456789012:security-group/sg-b5dd94cd",
"arn:aws:ec2:us-east-1:123456789012:security-group/sg-3bda8c42"
]
}
]
}
But my spot request creation still fails:
botocore.exceptions.ClientError: An error occurred (UnauthorizedOperation) when calling the RequestSpotInstances operation: You are not authorized to perform this operation.
What is the minimum subset of permissions for RequestSpotInstances action?
Is there some possibility to debug this?
I know this is an old issue, but I just ran across the same issue in my environment. The solution for me was adding an IAM permission for "PassRole"
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1479335761363",
"Action": [
"ec2:DescribeInstances",
"ec2:RequestSpotInstances",
"ec2:RunInstances",
"iam:PassRole"
],
"Effect": "Allow",
"Resource": "*"
}]
}
According to the EC2 docs (here), ec2:RequestSpotInstances is an action which falls into the category of "Unsupported Resource-Level Permissions." Unfortunately, you will have to set the resource tag to all resources, like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RequestSpotInstances",
"Resource": [ "*" ]
}
]
}
As far as debugging goes, don't forget about the IAM policy simulator, which can be accessed from the AWS Console => IAM => User page.
I know that you can set up an IAM policy to restrict access to services. However, is it possible to set up a policy to allow access to a part of a service.
E.g. I am two EC2 instances. I need to create two users such that they have an access to the AWS console, but only to one EC2 instance each.
Yes you can do this with Resource-Level Permissions for EC2
The structure of the resource is stated in the documentation as follows:
arn:aws:[service]:[region]:[account]:resourceType/resourcePath
Here is how you would structure the IAM policies for each user:
User 1
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/InstanceIdOne"
}
]
}
User 2
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/InstanceIdTwo"
}
]
}
Policy without access to EC2:DescribeInstance will not work. You need to allow DescribeInstances access on all resources and manage additional access like modify, delete to specific instances depending on what the need is.
In short, allow all basic operations like Describe Tags, Instances, NetworkACLs, Images etc to all users and allow specific destructive actions like Modify and Delete to select user.
List of EC2 actions for your reference here
http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Operations.html
So you have 2 options-
Create one policy like below and attach the same policy to both users
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "ec2:*Describe*",
"Resource":"*",
},
{
"Effect": "Allow",
"Action": [
"ec2:*Modify*",
"ec2:*Delete*"
],
"Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/**user-name-1**" },
"Resource": "arn:aws:ec2:us-east-1:AWS-account-ID:instance/**InstanceIdOne**"
},
{
"Effect": "Allow",
"Action": [
"ec2:*Modify*",
"ec2:*Delete*"
],
"Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/**user-name-2**" },
"Resource": "arn:aws:ec2:us-east-1:AWS-account-ID:instance/**InstanceIdTwo**"
}
]}
Create 2 different policies. Example for one below
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "ec2:*Describe*",
"Resource":"*",
},
{
"Effect": "Allow",
"Action": [
"ec2:*Modify*",
"ec2:*Delete*"
],
"Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/**user-name-1**" },
"Resource": "arn:aws:ec2:us-east-1:AWS-account-ID:instance/**InstanceIdOne**"
}
]}