I have been looking information about this question, but I can't find the answerd. Do you know a simple way using AWS command line tools to map an AWS_KEY id to a specific IAM user?. The idea is to know in some old legacy EC2 boxes who is using an identity in order to revoke unused ones. For example:
AWS_KEY=AKAFERE12aseDesa3er11A -> belong to "user1"
There's no direct one-to-one mapping to allow you to do this. You'll probably need to call list-users to get a list of all the users associated with the AWS account, and for each user that's returned you'll need to call list-access-keys to get their keys and look for the one you're interested in.
Related
I am looking for ways to automate the rotation of access keys (AWS credentials) for a set of users. There is a seperate process that creates the Access Keys. I need to be able to rotate the keys in an automated way. This link explains a way to do this for a specific user. How would I be able to achieve this for a list of users. Any thoughts or recommendations?
You can use AWS Config to mark the old access keys non-compliant (https://docs.aws.amazon.com/config/latest/developerguide/access-keys-rotated.html) and then use CloudWatch Events (my article how to do this) to run a Lambda function that deletes the old key, creates a new one, then send it to the user.
Access keys are generally used for programmatic access by applications. If these applications are running in, says EC2, you should use roles for EC2. This will install temporary credentials on the instance that are automatically rotated for you. The AWS CLI and SDKs know how to automatically retrieve these credentials so you don't need to add them in the application either.
Other compute solutions (Lambda, ECS/EKS) also have ways to provision roles for applications.
Is there way to check which permissions or roles are associated with a specific AWS access key?
The problem is that I got a pair of keys working but they are not present in the AWS console. These key are used regularly from some internal process but I cannot find which one.
If I search for them in the console they don't appear and neither on the root account.
You can search for the user by Access key ID in the AWS console.
See this blog post for details and screenshots:
https://aws.amazon.com/blogs/security/introducing-iam-console-search/
Don't forget, that according to the blog post
... you must type the full access key ID when searching.
In the end I wasn't able to get the roles or policies associate with a specific user, but I was able to track down the user.
So the user was using the root credentials and since I am using a normal full administrator account I wasn't able to see these creds even on the console
Pretty scary thing :|
Given the input of just an AWS Access Key and an AWS Secret Key, how can I use the AWS SDK to lookup what kind of permissions that the account can do?
I want do XYZ for a customer so the customer needs to give the access key and secret key to me to perform XYZ programmatically. However, before trying to do any of those actions, I'd like to verify that the credentials they gave me have access to certain privileges, such as being able to create S3 objects or being able to launch an EC2 instance.
That way, I can validate if the access key and secret key has permission to do something before I do it on their behalf.
You can use the SimulatePrincipalPolicy API to simulate how a set of IAM policies attached to an IAM entity works with a list of API actions and AWS resources to determine the policies' effective permissions.
The entity can be an IAM user, group, or role. If you specify a user, then the simulation also includes all of the policies that are attached to groups that the user belongs to.
You'll need to provide the "SimulatePrincipalPolicy" API with that user's ARN as the PolicySourceArn input parameter (no need to use the optional CallerArn input parameter). If you have the access key ID and secret access key, you can retrieve the user's ARN by calling the GetUser API using that user credentials, i.e., without specifying the UserName input parameter. If no user name is included, the GetUser API defaults to the user making the request.
I would suggest using the AWS CLI for the purpose and making use of the --dry-run flag for the CLI commands. I am unsure of how many AWS CLI operations support the --dry-run operation not to mention the Tag level / Resource level restrictions.
The --dry-run flag would try to check if you have permission to run the API or not without actually performing the request.
I also see the difficulty of testing (regression) as AWS has 60+ services and EC2 alone has 227 API commands [as of today]. Perhaps this might be the place where you would use your sed, awk, grep to build a shell script [and publish it in GITHUB]
SDKs do support this as well - it might be easier than the CLI approach
In the Amazon Key Management Service there is away to list grants on a Customer Master Key. This returns a list of GrantListEntry objects. Each one has a getGranteePrincipal() method which returns a string simmilar to AIDAJBVZPN4EIJ44R7AZM. This is supposed to map to the user/role for which this grant is relevant however, I cannot figure out how to map this string to a user. It is not their IAM key or ARN. Is there any way to correlate this string to the original user?
You are most likely looking at the Unique ID:
When IAM creates a user, group, role, policy, instance profile, or
server certificate, it assigns to each entity a unique ID that looks
like the following example:
AIDAJQABLZS4A3QDU576Q
For the most part, you use friendly names and ARNs when you work with
IAM entities, so you don't need to know the unique ID for a specific
entity. However, the unique ID can sometimes be useful when it isn't
practical to use friendly names.
As mentioned in the last paragraph (and further outlined in the referenced documentation), the unique ID is usually hidden away in favor of friendly names, but required to guarantee uniqueness when users leave the organization and another one with the same friendly name might join for example.
The other provided example seems to explain the scenario at hand (and also applies to your own use case apparently):
Another example where user IDs can be useful is if you maintain your own database (or other store) of IAM user information. The unique ID can provide a unique identifier for each IAM user you create, even if over time you have IAM users that reuse a name, as in the previous example.
Getting the Unique ID
As outlined in the resp. section, the unique ID for an IAM entity is not available in the IAM console. However, you can get it using AWS CLI commands or IAM API calls, e.g. for a user:
get-user (AWS CLI)
GetUser (IAM API)
Unfortunately it doesn't seem to be possible to search for it directly though, so you would need to iterate over all users and retrieve it individually in order to generate the desired mapping.
If you happen to generate your users/roles programmatically, the unique ID is returned by the resp. calls right away at least, see e.g. CreateUser.
I have an app where users are required to enter in a set of AWS credentials with a specific set of permissions. I'd like to verify the credentials when they are entered in to make sure they have the required set of user policies on them.
Is there a way I can retrieve the user policies for those credentials?
Yes, if they gave you creds that are allowed to do an IAM call. You can list all their IAM users, then find the one IAM user with your key, and then read the permissions for that user. But this requires parsing the IAM permissions language, which is a little complex.
The other way to do it is make a sample call for anything you want to verify (i.e. list S3 bucket, etc.) It's probably better to validate just one or two calls than try to validate every possible call. Yes, you're likely to run into errors down the road if you're missing some permissions, but it's much more likely that they made a typo or gave you the wrong creds than they gave you partial creds.
The other thing you could consider: If they give you full creds, you could create an IAM user with just the creds you need, an use those creds. Everything in IAM has an API, so it's possible.