I follow this link documentation
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#ex5
I want to provide a user specific Image Launch permission which specified tag, "department=dev".
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:region::image/ami-*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/department": "dev"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:region:account:instance/*",
"arn:aws:ec2:region:account:volume/*",
"arn:aws:ec2:region:account:key-pair/project_keypair",
"arn:aws:ec2:region:account:security-group/sg-1a2b3c4d"
]
}
]
}
I also added a separated Describe police because i am using interface not cli .
But when i launch instances its show initialization failed and stop . I decode the error message and it provide me
{
"DecodedMessage": "{\"allowed\":false,\"explicitDeny\":false,\"matchedStatements\":{\"items\":[]},\"failures\":{\"it
ems\":[]},\"context\":{\"principal\":{\"id\":\"AIDAJXOEQNA64A677DGQO\",\"name\":\"DevOps1\",\"arn\":\"arn:aws:iam::95524
6940111:user/DevOps1\"},\"action\":\"ec2:RunInstances\",\"resource\":\"arn:aws:ec2:us-east-1:955246940111:network-interf
ace/*\",\"conditions\":{\"items\":[{\"key\":\"ec2:Subnet\",\"values\":{\"items\":[{\"value\":\"arn:aws:ec2:us-east-1:955
246940111:subnet/subnet-9d25b5b6\"}]}},{\"key\":\"ec2:Region\",\"values\":{\"items\":[{\"value\":\"us-east-1\"}]}},{\"ke
y\":\"ec2:AvailabilityZone\",\"values\":{\"items\":[{\"value\":\"us-east-1c\"}]}},{\"key\":\"ec2:Vpc\",\"values\":{\"ite
ms\":[{\"value\":\"arn:aws:ec2:us-east-1:955246940111:vpc/vpc-ebeed48e\"}]}}]}}}"
Please help
Try adding
"arn:aws:ec2:us-east-1:955246940111:network-interface/*"
to the resource list in the policy.
That's what the decoded auth message is reporting as missing/wrong.
Also make sure you replace any instances of region and account with the actual values in your policy, assuming you haven't already.
Related
I am following this guide, but it is not working, my requirement is to assign a "Permission Set" for example "Support User" to one specific OU containing several accounts in AWS Organizations
but I don't see the example from AWS working, is there a way without using Tags ? And only allow specific stuff for my permission set to a specific OU?
for example?
My SSO instance:
arn:aws:sso:::instance/ssoins-722XXXXXXXX85
my specific ou in AWS Org:
arn:aws:organizations::662XXXXXX94:ou/o-akoxg86wr1/ou-xlq4-vhybzk32
source:
AWS-SSO-org
any pointers? Thanks a lot
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DelegatedOUAdmin",
"Effect": "Allow",
"Action": [
"sso:ProvisionPermissionSet",
"sso:CreateAccountAssignment",
"sso:DeleteInlinePolicyFromPermissionSet",
"sso:UpdateInstanceAccessControlAttributeConfiguration",
"sso:PutInlinePolicyToPermissionSet",
"sso:DeleteAccountAssignment",
"sso:DetachManagedPolicyFromPermissionSet",
"sso:DeletePermissionSet",
"sso:AttachManagedPolicyToPermissionSet",
"sso:CreatePermissionSet",
"sso:UpdatePermissionSet",
"sso:CreateInstanceAccessControlAttributeConfiguration",
"sso:DeleteInstanceAccessControlAttributeConfiguration",
"sso:ProvisionApplicationInstanceForAWSAccount"
],
"Resource": "arn:aws:sso:::permissionSet/*/*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Environment": "Development",
"aws:ResourceTag/OU": "Test"
}
}
},
{
"Sid": "Instance",
"Effect": "Allow",
"Action": [
"sso:ProvisionPermissionSet",
"sso:CreateAccountAssignment",
"sso:DeleteInlinePolicyFromPermissionSet",
"sso:UpdateInstanceAccessControlAttributeConfiguration",
"sso:PutInlinePolicyToPermissionSet",
"sso:DeleteAccountAssignment",
"sso:DetachManagedPolicyFromPermissionSet",
"sso:DeletePermissionSet",
"sso:AttachManagedPolicyToPermissionSet",
"sso:CreatePermissionSet",
"sso:UpdatePermissionSet",
"sso:CreateInstanceAccessControlAttributeConfiguration",
"sso:DeleteInstanceAccessControlAttributeConfiguration",
"sso:ProvisionApplicationInstanceForAWSAccount"
],
"Resource": [
"arn:aws:sso:::instance/ssoins-722XXXXXXXX85",
"arn:aws:organizations::662XXXXXX94:ou/o-akoxg86wr1/ou-xlq4-vhybzk32"
]
}
}
]
} enter code here
We are using AWS MediaConverter to convert videos to mp4 format. But MediaConvrter is giving this error in the job:
Unable to write to output file [s3://{path_to_file}]: [Failed to write data: Access Denied]
Obviously, MediaConverter doesn't have write access to bucker, but I don't know how to give them to it.
We have following policy for S3:
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::{CloudFront-origin}"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::{S3-bucket}/*"
},
{
"Sid": "2",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::{role-for-our-API}",
"arn:aws:iam::{MediaConverter-role}"
]
},
"Action": "*",
"Resource": "arn:aws:s3:::{S3-bucket}/*"
}
]
}
Our ACL gives Write, List permission only for Bucket Owner. Previously everyone could List and Write objects and MediaConverter worked, but we found this we could not accept List and Write permissions for everyone.
Block public access is off for every point.
IAM user that we using for API and Role that we are using for MediaConverter have all the permissions for S3 (AmazonS3FullAccess).
Appreciate any help, thank you.
I would like to make sure you have set the AccessControl to BUCKET_OWNER_FULL_CONTROL in Mediaconvert job settings. It sounds like this isn't being set in the job settings and since the bucket requires the objects to be set with the Bucket owner full control ACL.
Setting can be found under all the Output Group settings, under destination settings.
"DestinationSettings": {
"S3Settings": {
"AccessControl": {
"CannedAcl": "BUCKET_OWNER_FULL_CONTROL"
}
}
Regards
Michael
#uliaadamchuk Try to create a new role(ex: media-converter) and add the Role ARN to the Job Setting:
Step 1: Go to IAM Role > Create Role > look for MediaConverter and attach AmazonS3FullAccess and AmazonAPIGatewayInvokeFullAccess (optional) policies or use JSON version below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
Step 2: In the Media Converter Job Settings > Settings> Add IAM Role> add the Role ARN: ex- "arn:aws:iam::741xxxxxx:role/media-converter"
Step 3: Create the job and check whether now its working or not !!
I believe that the configuration should be as follow. Please note the changes in "Action" and "Resource" where you were missing top level bucket.
{
"Sid": "2",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::{role-for-our-API}",
"arn:aws:iam::{MediaConverter-role}"
]
},
"Action": "s3:*",
"Resource": ["arn:aws:s3:::{S3-bucket}","arn:aws:s3:::{S3-bucket}/*" ]
}
I had the same problem. I was using the default MediaConvert role which I had modified and it didn't have permission for what I was trying to do.
So, I made a new role for MediaConvert.
Name it MediaConvertRole.
Policies
Note: click "Attach policies" button, these are pre-made policies provided by Amazon. You don't have to create these from scratch yourself.
AmazonS3FullAccess
Whose policy looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*",
"s3-object-lambda:*"
],
"Resource": "*"
}
]
}
AmazonAPIGatewayInvokeFullAccess
Whose policy looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"execute-api:Invoke",
"execute-api:ManageConnections"
],
"Resource": "arn:aws:execute-api:*:*:*"
}
]
}
When you create your MediaConvert job, make sure to select the right role:
I initially tried with all the json policies in the below link.
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.html#customer-managed-policies-cwl
And i finally got a solution of giving "list, read, write" access to one specific loggroup for an IAM user by using below JSON policy. But it is able to see the list of other log groups as well. As per the below JSON policy i tired limiting the resource for listing as well. It didn't work.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"logs:GetLogRecord",
"logs:DescribeLogGroups"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"logs:Describe*",
"logs:FilterLogEvents",
"logs:GetLogEvents"
],
"Resource": "arn:aws:logs:us-east-1:XXXXXXXXXXXX:log-group:/aws/lambda/XXXX:log-stream:*"
}
]
}
But then i found the tagging as a solution and tried tagging the loggroup and user with same tag and tried below JSON policy. That didn't work either.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:*"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringLike": {
"logs:ResourceTag/Team": "Green"
}
}
}
]
}
Please can someone kindly suggest a way where i could give access to one specific IAM user for only one group to either, list&read or list,read&write. But that user should not be able to see the other log groups.
But it is able to see the list of other log groups as well
That's not something you can do typically within AWS. Generally IAM permissions can't affect on the result of an API action. It can't filter it to only show something in particular. This is one the reasons AWS recommends to isolate workloads by using different accounts, as API calls are only scoped to one account.
In this case, you can either not give access at all or give access to list everything.
I want my SES(AWS) can receive emails, so I follow the following tutorial,
http://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-getting-started-receipt-rule.html
When I am at last step - creating rule, it comes with following error,
Could not write to bucket: "email-receiving"
I google and found this information on (http://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-permissions.html) can fix the issue.
However, when adding my policy statement, it comes with an error - This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies.
My policy statement is,
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "GiveSESPermissionToWriteEmail",
"Effect": "Allow",
"Principal": {
"Service": [
"ses.amazonaws.com"
]
},
"Action": [
"s3:PutObject"
],
"Resource": "arn:aws:s3:::mybulketname/*",
"Condition": {
"StringEquals": {
"aws:Referer": "my12accountId"
}
}
}
]
}
If I take off
"Principal": {
"Service": [
"ses.amazonaws.com"
]
}
Validate policy will pass.
Thanks
Find bucket->permission->bucketPolicy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSESPuts",
"Effect": "Allow",
"Principal": {
"Service": "ses.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::BUCKEN_NAME/*",
"Condition": {
"StringEquals": {
"aws:Referer": "YOUR ID"
}
}
}
]
}
Read more here https://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-permissions.html
To find your AWS account ID number on the AWS Management Console, choose Support on the navigation bar on the upper-right, and then choose Support Center. Your currently signed-in account ID appears in the upper-right corner below the Support menu.
Read more here https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html
I follow this advice but I was still having the issue. After much debugging, I realized that SES was failing to write because I had default server-side encryption (on the bucket) set to "AWS-KMS"
I did a 5 minute google search and couldn't find this incompatibility documented anywhere.
You can work around this by updating your default encryption setting on the target bucket to either "AES-256" or "None".
This problem has been resolved.
Create the policy on the bucket you want to grant the SES permission, not in the IAM
Note, I continued to have this error even after correctly specifying permissions. If you are using cross-region (e.g. SES is in N Virginia and S3 Bucket is in Africa) then you either need to specify the bucket name with the region or else just make the bucket in the same region.
I have the same problem, if I only delete the "Condition"
the policy passes and the "RuleSet" is Ok:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "GiveSESPermissionToWriteEmail",
"Effect": "Allow",
"Principal": {
"Service": "ses.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::mybulketname/*"
}
]
}
I spent the last 2 hours trying to create a policy that would give all the permissions to an user for a specific load balancer.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "elasticloadbalancing:*",
"Resource": "arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/core"
}
]
}
I checked '123456789012' multiple times to be the correct. I took the 'Account Id' attribute from here.
I checked 'core' multiple times and even tried to replace it with '*' but it didn't work.
I also double checked the region to make sure it's the correct one.
On the other hand, if I replace the whole ARN with '*', it works but I don't want this, I want it to be specific to a load balancer.
Thanks,
Gabriel
the name was correct, the problem was about how AWS works. You have to let the user describe the resource before giving him permissions. Here is a policy that works:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:Describe*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:*"
],
"Resource": "arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/core"
}
]
}
Thanks