I have followed the docs at aws http://docs.aws.amazon.com/IAM/latest/UserGuide/PolicyVariables.html
and the question at Can an aws IAM policy dynamically refer to the logged in username?
to create a policy for a user to list his own credentials under web console/users so he can generate his own keys.
user/Alpha
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action":["iam:*"],
"Resource":["arn:aws:iam::{myacctnumber}:user/${aws:username}"]
}
]
}
when I attach the the policy to user/Alpha, then open a new browser and log in as user Alpha > console > users, I get the error message
We encountered the following errors while processing your request
X User: arn:aws:iam::{myacctnumber}:user/Alpha is not authorized to perform: iam ListUsers on resource: arn:aws:iam::{myacctnumber}:user/
note the user/ is not displaying the friendly name as would be expected from ${aws:username}.
I have also tried changing the policy to
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action":["iam:*"],
"Resource":["arn:aws:iam::{myacctnumber}:user/Alpha"]
}
]
}
but the same error displays.
If I make one further change to the resource and make it a wildcard,
"Resource":["arn:aws:iam::{myacctnumber}:user/*"]
the full user list is displayed to to the user Alpha
Do I need extra permissions to allow a user to see only themselves?
thx
Art
The console, when displaying a list of users, uses the iam:ListUsers API call. This call cannot be restricted by resource.
Therefore, the console will function correctly if you provide a policies that permits the ListUsers call, eg:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ListUsers"
],
"Resource": [
"*"
]
}
]
}
The only other way for the user to update their own settings would be via the AWS Command-Line Interface (CLI) or an API call, since they can avoid the need to call ListUsers.
Related
My IAM user has the below two policies attached to it.
I created the below IAM policy that prevents lambda from being created if it does not have the Project tag.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Deny",
"Action": "lambda:*",
"Resource": "*",
"Condition": {
"Null": {
"aws:RequestTag/Project": "true"
}
}
}
]
}
I also need to attach/create a new execution role when creating lambda so I added below
Iam policy to my IAM user.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": "iam:*",
"Resource": "*"
}
]
}
I logged into aws console using that IAM user's credentials and tried to create the lambda function without the tag, but it did'nt block the resource creation.I was able to create the lambda function without the required tag but with the following errors.
You are not authorized to perform: cloudformation:DescribeStackResources.
You are not authorized to perform: lambda:GetFunctionEventInvokeConfig.
User: arn:aws:iam::****:user/testuser is not authorized to perform: lambda:ListEventSourceMappings on resource: * with an explicit deny (Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: 199433ed*****)
How can I completely block the resource creation?
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html#example-require-tag-on-create
Eventually I want to try aws:RequestTag/{TageKey} for all supported aws resources.
Not all AWS services/resources support aws:RequestTag as a condition key.
For lambda it is not allowed. Currently the supported condition keys on lambda:CreateFuncion Action are:
lambda:Layer
lambda:VpcIds
lambda:SubnetIds
lambda:SecurityGroupIds
lambda:CodeSigningConfigArn
As specified on table "Actions defined by AWS Lambda" on column "Condition keys".
https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslambda.html#awslambda-actions-as-permissions
You can check that link and review any other service and validate if a specific Action support the Condition that you need.
For example, for EC2:RunInstances https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html supported conditions are:
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:AvailabilityZone
ec2:EbsOptimized
ec2:InstanceMarketType
ec2:InstanceProfile
ec2:InstanceType
ec2:IsLaunchTemplateResource
ec2:LaunchTemplate
ec2:MetadataHttpEndpoint
ec2:MetadataHttpPutResponseHopLimit
ec2:MetadataHttpTokens
ec2:PlacementGroup
ec2:Region
ec2:RootDeviceType
ec2:Tenancy
So in that case you can restrict creation on new EC2 instances based on the presence of Tags but for Lambda it is not supported (for now).
I want to give access to IAM users from other accounts to be able to invoke my API.
I have these configurations in my API Gateway resource methods:
Authorization type: AWS_IAM (I tried with Auth type None as well..)
And Resource Policy defined as:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<ACCOUNT_2>:user/ApiUser"
},
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-west-2:<ACCOUNT_1>:<API_ID>/*/*/*"
}
]
}
I have also given invoke permissions to the IAM user of the other account:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"execute-api:Invoke"
],
"Resource": "arn:aws:execute-api:us-west-2:<ACCOUNT_1>:<API_ID>:test/GET/*"
}
]
}
I have deployed the API to a stage named test.
Still, I see the below error when I invoke the API with the credentials from the other account's user:
{
"message": "User: arn:aws:iam::<ACCOUNT_2>:user/ApiUser is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-<ACCOUNT_1>:<API_ID>/test/GET/foo/bar"
}
What am I missing here?
I followed this guide:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html
This has bitten me before, and may be your issue too.
After you SAVE your resource policy, you must ALSO deploy your API.
In the menu on the left, click up one level
Then under ACTIONS, select DEPLOY API
I want to restrict access for a specific user to see just few EC2 instances. I created a new user in IAM Roles and I attached a new Policy to it. The content of that Policy is attached below. I tried to look over documentation and to do it myself like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": [
"arn:aws:ec2:eu-west-1:ACCOUNT_ID:instance/i-INSTANCE_ID1",
"arn:aws:ec2:eu-west-1:ACCOUNT_ID:instance/i-INSTANCE_ID2"
]
}
]
}
I placed my region,ACCOUNT_ID(the owner id, not of the new user created) and instance-id, but when I connect with that user and I go to list all Instances I got this An error occurred fetching instance data: You are not authorized to perform this operation..
After I placed the code in JSON editor, in Policy Review step I got this message:
This policy defines some actions, resources, or conditions that do not
provide permissions. To grant access, policies must have an action
that has an applicable resource or condition. For details, choose Show
remaining Learn more
The AWS documentation mention exactly the same configuration or these examples.
I assume you connect as that user in the console (but it would be the same with CLI) Here is what I think is happening:
To list all the instances, the console most probably calls the DescribeInstances API. As per the list of action/resources/tags that can be used in IAM policy, this API does not support the resource filter in IAM.
This means your user has no authorization to list instances and they will not be shown in the console. You can validate this theory by using the CLI to request the details of a specific instance id, if my hypothesis is correct, it will be authorized.
As DescribeInstances can not be restricted by resource or tags, I don't think it is possible to filter the instance list for a user.
To have the console working, you'll need to add the following statement in your IAM policy
"Statement": [
{ your existing statement },
{
"Effect": "Allow",
"Action": "ec2:DescribeInstances",
"Resource": "*"
}
]
Please report if I was right :-) The example you mentioned in your question shows exactly that : Resources = * on DescribeInstances and Resources specific InstanceId on other operations.
The previous answer is wrong, you can Conditionally allow access to ec2:DescribeInstances by tag names. It's an AWS best practice as well. Also explicitly deny access to the ec2:CreateTags and ec2:DeleteTags actions to prevent users from creating or deleting tags to take control of the instance.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:DescribeInstances",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/UserName": "${aws:username}"
}
}
},
{
"Effect": "Deny",
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Resource": "*"
}
]
}
DescribeInstances action does not support condition.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html
Is there a way to restrict the IAM policy for an EC2 instance s.t. it can only run a short list of Documents - I tried restricting access to ssm:GetDocument like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:GetDocument"
],
"Resource": [
"arn:aws:ssm:ap-southeast-2:*:document/MyCommand"
]
}
]}
But I can run any command on the instance still including the AWS-RunPowershellScript document.
This link shows how users can be restricted with respect to ssm:sendCommand:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/delegate-commands.html
I have not found a way to restrict SendCommand based on document. If a user does not have access, you get an error like this:
User: arn:aws:iam::123456789012:user/username is not authorized to perform: ssm:SendCommand on resource: arn:aws:ec2:us-east-1:123456789012:instance/i-01234567890abcdef
This indicates that the Resource in SendCommand can be limited based on instance ids. It would be nice if one of the Conditions was a Document ARN, but so far I haven't found any way to do it (it's not a condition in the policy generator wizard).
Update: I posted this question on the AWS forums, hopefully I'll get a response: https://forums.aws.amazon.com/thread.jspa?threadID=249039
Update 2: I got a response and the solution is that to accomplish this you must use Resource to specify both what instances you allow commands to be run on, and what document the user is allowed to run. For example, this is what I ended up with:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:SendCommand"
],
"Resource": [
"arn:aws:ec2:*:123456789012:instance/*",
"arn:aws:ssm:*:123456789012:document/RestartServices"
]
}
]
}
When I run the Kinesis sample, I get this error:
Caught Exception: User (arn:aws:iam::xxxxxxxxxxxx:user/user_name) does not have permission to perform (sdb:ListDomains) on resource (arn:aws:sdb:us-west-2:xxxxxxxxxxxx:domain/). Contact account owner.
What is the policy name that I need to attach for the user in-order to grant access to perform perform (sdb:ListDomains) ?
Only 6 AWS managed policies mention sdb explicitly:
- AmazonElasticMapReduceReadOnlyAccess
- AmazonElasticMapReduceRole
- AmazonElasticMapReduceforEC2Role
- ReadOnlyAccess
- AmazonElasticMapReduceFullAccess
- SecurityAudit
ReadOnlyAccess has sdb:List* attached so it seems like the most sensible if you are running a sample app.
Otherwise create your own policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sdb:ListDomains"
],
"Effect": "Allow",
"Resource": "*"
}
]
}