AWS EC2 IAM Conditions - amazon-web-services

I'm attempting to update an IAM policy to restrict it to a single region but I have a syntax error that I can't seem to work out.
Here's the JSON for the policy:
{
"Version":"2012-10-17",
"Statement":[
{
"Action":[
"ec2:*"
],
"Resource":[
"*"
],
"Effect":"Allow",
"Condition":{
"condition":{
"StringEquals":{
"ec2:Region":"us-east-1"
}
}
}
}
]
}
It's the condition that's causing the issue, but I can't quite seem to figure out where I've gone wrong. I've tried using the AWS IAM policy builder to generate it, but it still gives me a syntax error when I try creating it via that, so I'm guessing it's a syntax issue.
All I'm trying to do is restrict the policy to EC2 operations in us-east-1 only.
I'm using this command to upload it
aws iam put-group-policy --group-name eastern-contractors --policy-document file://ec2.json --policy-name ec2
And I get the following response
A client error (MalformedPolicyDocument) occurred when calling the
PutGroupPolicy operation: There are invalid conditions in this policy.
I've tried using similar answers on this site, such as AWS IAM Permissions for EC2 – Controlling Access on Specific Instances with particular region, but it doesn't seem to work.

Here is the working policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1410456206000",
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Condition": {
"StringEquals": {
"ec2:Region": "us-east-1"
}
},
"Resource": [
"*"
]
}
]
}
The nested "condition" was the issue.

Cannot attach role policy in AWS CLI [duplicate]

I have a user group Administrators with the following policy attached:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
My currently logged-in CLI user is part of this group; I've verified by running aws iam get-user and comparing the ARN with what I have in the web console.
Somehow there are a lot of CLI commands for which I get denied, e.g.
$ aws iam list-groups
An error occurred (AccessDenied) when calling the ListGroups operation: User: arn:aws:iam::675072143536:user/carl is not authorized to perform: iam:ListGroups on resource: arn:aws:iam::675072143536:group/ with an explicit deny
How can I perform this command?
You either have an attached policy, SCP or Permission Boundary in place that explicitly denies that operation. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html .
You may be able to inspect the policy, boundary or SCP in the IAM console, or you may need to ask someone with more permissions / control over your account for details about why they are there and how to get permission to work around them. Right now you are not allowed to perform that command.
I was being denied by our MFA policy:
{
"Sid": "DenyAllExceptListedIfNoMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"sts:GetSessionToken"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
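To see why long-term access keys hit this statement, the following Python script (an added example, not code from the thread) evaluates the DenyAllExceptListedIfNoMFA statement above against a few constructed request contexts. It relies on two documented IAM behaviours: aws:MultiFactorAuthPresent is simply absent from the request context when a call is signed with an IAM user's access keys, and BoolIfExists treats an absent key as a match whereas plain Bool does not. The second point is why the same Deny written with Bool instead of BoolIfExists would not have blocked this user at all.

```python
"""Evaluate the MFA Deny statement from the answer above (added example).

Only the elements that statement needs (Action/NotAction, Bool and
BoolIfExists) are implemented; any other operator raises.
"""
import fnmatch

MFA_DENY = {
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
        "iam:ListMFADevices", "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice", "sts:GetSessionToken",
    ],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}

# The same statement written with Bool: looks equivalent, but is not.
MFA_DENY_WITH_BOOL = dict(MFA_DENY, Condition={"Bool": {"aws:MultiFactorAuthPresent": "false"}})

# Constructed request contexts. With long-term access keys the
# aws:MultiFactorAuthPresent key is not present in the context at all.
ACCESS_KEYS = {}
SESSION_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
SESSION_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _action_listed(patterns, action):
    # Action names are case-insensitive and may contain "*" wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_matches(condition, context):
    """All operator/key pairs must match (AND). Supports Bool and BoolIfExists."""
    for op, pairs in condition.items():
        if op not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(op)
        for key, expected in pairs.items():
            if key not in context:
                if op == "BoolIfExists":
                    continue          # absent key counts as a match
                return False          # plain Bool: absent key never matches
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def statement_applies(stmt, action, context):
    """True when Action/NotAction and Condition both select this request."""
    if "NotAction" in stmt:
        if _action_listed(_as_list(stmt["NotAction"]), action):
            return False              # carved out, e.g. sts:GetSessionToken
    elif not _action_listed(_as_list(stmt.get("Action", [])), action):
        return False
    return _condition_matches(stmt.get("Condition", {}), context)


def explicitly_denied(stmt, action, context):
    """An applicable Deny statement is an explicit deny; it beats any Allow."""
    return stmt["Effect"] == "Deny" and statement_applies(stmt, action, context)


if __name__ == "__main__":
    for label, ctx in (("access keys", ACCESS_KEYS),
                       ("session, no MFA", SESSION_NO_MFA),
                       ("session, MFA", SESSION_WITH_MFA)):
        print(f"iam:ListGroups with {label}: "
              f"denied={explicitly_denied(MFA_DENY, 'iam:ListGroups', ctx)}")
    print("sts:GetSessionToken with access keys: denied=",
          explicitly_denied(MFA_DENY, "sts:GetSessionToken", ACCESS_KEYS))
    print("Bool variant, access keys: denied=",
          explicitly_denied(MFA_DENY_WITH_BOOL, "iam:ListGroups", ACCESS_KEYS))
```

The carve-out of sts:GetSessionToken in NotAction is what makes the policy usable: the user calls `aws sts get-session-token --serial-number <mfa-device-arn> --token-code <code>` with the access keys, exports the returned temporary credentials, and from then on the request context carries aws:MultiFactorAuthPresent = true, so the Deny no longer applies.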

An error occurred (InvalidParameter) when calling the ImportImage operation: The service role vmimport does not exist

I am trying to import a disk image into AWS, for EC2 instance launching. I follow the guide as stated and fulfill all the prerequisites as stated. However I am faced with an error that I've been trying (unsuccessfully) to debug. The error is as follows.
An error occurred (InvalidParameter) when calling the ImportImage operation: The service role vmimport provided does not exist or does not have sufficient permissions
However when I check the permissions of the vmimport role it has all necessary permissions for EC2 and S3! My aws cli user also has full privileges to EC2 and S3. I've tried many different solutions to this problem, including:
1. Making the S3 bucket public
2. Adding an access policy so that my AWS cli user had permissions to access the bucket.
Everything I have tried still returns this exact same error message... I'm thinking there might be a region problem? I'm using us-east-2 in my AWS cli user configuration, and in the S3 bucket's region. Is there something else I have not considered?
P.S. I'm trying to import an OVA 1 format vm image.
Here is my trust policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": "vmie.amazonaws.com" },
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals":{
"sts:Externaloid": "vmimport"
}
}
}
]
}
and my roles policy
{
"Version":"2012-10-17",
"Statement":[
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::MY-IMPORT-BUCKET",
"arn:aws:s3:::MY-IMPORT-BUCKET/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject",
"s3:GetBucketAcl"
],
"Resource": [
"arn:aws:s3:::MY-EXPORT-BUCKET",
"arn:aws:s3:::MY-EXPORT-BUCKET/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:ModifySnapshotAttribute",
"ec2:CopySnapshot",
"ec2:RegisterImage",
"ec2:Describe*"
],
"Resource": "*"
}
]
}
And finally the containers.json
[
{
"Description": "My Special OVA",
"Format": "ova",
"Url": "s3://MY-IMPORT-BUCKET/VM.ova"
}
]
UPDATE: After investigating the problem further, I found that the role vmimport's last access was "Not accessed", i.e. never, meaning that no attempt is even being made to use the role! So this error is clearly saying that it does not exist (it can't find the service role). In the final command there is nothing that suggests that vmimport is going to be used, nor in the containers.json. I thought this was the purpose of allowing vmie.amazonaws.com to take control. Clearly it isn't assuming the role, so I need to investigate this and sts.
The problem is in your (my) Trust Policy.json file. If you look at the condition for it to assume the role, it is that the Externaloid must be equal to vmimport. There is an added o in the attribute that it is checking; this will always be false and so vmie can never assume the role. Remove the o from the trust policy and try again, and your policy works.
I had exactly the same scenario; you need to create the vmimport role as described here (AWS docs):
https://docs.aws.amazon.com/vm-import/latest/userguide/required-permissions.html
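Both the nested "condition" block in the first question on this page and the sts:Externaloid typo in this one are mistakes a quick offline check catches before the document reaches IAM. They fail differently: IAM rejects the unknown operator as MalformedPolicyDocument, but, as this thread shows, it accepted the unknown condition key and then simply never matched it, so the role was silently unusable. The Python linter below is an added example, not code from either thread or from AWS. Its operator list follows the IAM JSON policy element reference; the condition-key allow-list is an assumption, deliberately limited to the keys used on this page (plus aws:RequestedRegion, the global key IAM evaluates for every action and the usual choice today for confining a policy to one region), and a real deployment would populate it from the Service Authorization Reference.

```python
"""Offline linter for IAM policy documents (added example).

Catches two mistakes seen on this page: an unknown condition operator (the
nested "condition" block, rejected by IAM as MalformedPolicyDocument) and an
unknown condition key (the "sts:Externaloid" typo, which IAM accepted but
which can never match, so vmie.amazonaws.com could never assume the role).
"""
import difflib
import json

# Condition operators listed in the IAM JSON policy element reference.
# "...IfExists" suffixes and "ForAnyValue:"/"ForAllValues:" prefixes are
# normalised away before the lookup.
CONDITION_OPERATORS = {
    "StringEquals", "StringNotEquals", "StringEqualsIgnoreCase",
    "StringNotEqualsIgnoreCase", "StringLike", "StringNotLike",
    "NumericEquals", "NumericNotEquals", "NumericLessThan",
    "NumericLessThanEquals", "NumericGreaterThan", "NumericGreaterThanEquals",
    "DateEquals", "DateNotEquals", "DateLessThan", "DateLessThanEquals",
    "DateGreaterThan", "DateGreaterThanEquals",
    "Bool", "BinaryEquals", "IpAddress", "NotIpAddress",
    "ArnEquals", "ArnLike", "ArnNotEquals", "ArnNotLike", "Null",
}

# Assumption: an illustrative allow-list of condition keys. Populate it from
# the Service Authorization Reference for the services you actually use.
KNOWN_CONDITION_KEYS = {
    "aws:MultiFactorAuthPresent", "aws:SourceIp", "aws:RequestedRegion",
    "aws:PrincipalOrgID", "ec2:Region", "sts:ExternalId",
}


def _normalise_operator(op):
    """'ForAnyValue:StringEqualsIfExists' -> 'StringEquals'."""
    for prefix in ("ForAnyValue:", "ForAllValues:"):
        if op.startswith(prefix):
            op = op[len(prefix):]
    if op != "Null" and op.endswith("IfExists"):
        op = op[:-len("IfExists")]
    return op


def lint_policy(policy):
    """Return a list of problems found; [] means every check here passed."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version should be '2012-10-17'; older versions do not "
                        "interpret policy variables")
    statements = policy.get("Statement")
    if isinstance(statements, dict):
        statements = [statements]
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty object or array"]

    for idx, stmt in enumerate(statements):
        where = f"Statement[{idx}]"
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be 'Allow' or 'Deny'")
        if ("Action" in stmt) == ("NotAction" in stmt):
            problems.append(f"{where}: exactly one of Action / NotAction is required")
        condition = stmt.get("Condition", {})
        if not isinstance(condition, dict):
            problems.append(f"{where}: Condition must be an object")
            continue
        for op, matches in condition.items():
            if _normalise_operator(op) not in CONDITION_OPERATORS:
                # This is exactly what the nested {"condition": {...}} block hits.
                problems.append(f"{where}: unknown condition operator '{op}'")
                continue
            if not isinstance(matches, dict):
                problems.append(f"{where}: operator '{op}' must map keys to values")
                continue
            for key in matches:
                if key not in KNOWN_CONDITION_KEYS:
                    hint = difflib.get_close_matches(key, KNOWN_CONDITION_KEYS, n=1, cutoff=0.8)
                    suggestion = f" (did you mean '{hint[0]}'?)" if hint else ""
                    problems.append(f"{where}: unknown condition key '{key}'{suggestion}")
    return problems


# Constructed samples, copied from this page: the failing EC2 policy, its
# working form, and the vmimport trust policy with the typo.
BROKEN_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [{"Action": ["ec2:*"],
  "Resource": ["*"], "Effect": "Allow",
  "Condition": {"condition": {"StringEquals": {"ec2:Region": "us-east-1"}}}}]}''')
FIXED_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["ec2:*"], "Resource": ["*"],
  "Condition": {"StringEquals": {"ec2:Region": "us-east-1"}}}]}''')
VMIMPORT_TRUST_TYPO = json.loads('''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "vmie.amazonaws.com"}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:Externaloid": "vmimport"}}}]}''')

if __name__ == "__main__":
    for name, doc in (("broken ec2 policy", BROKEN_POLICY), ("fixed ec2 policy", FIXED_POLICY),
                      ("vmimport trust policy (typo)", VMIMPORT_TRUST_TYPO)):
        print(name, "->", lint_policy(doc) or "OK")
```

Run it over a file with `lint_policy(json.load(open("ec2.json")))` before calling put-group-policy or create-role; the close-match hint is what turns "Externaloid" from a silent failure into a one-line fix.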

CloudFormation stack gives "API: s3:GetObject Access Denied"

I'm having issues deploying CF-stack when used in combination with a S3 bucket.
The S3 bucket contains a swagger definition that API Gateway needs to access.
My S3 bucket has a bucket policy that contains an IP-filter, along these lines:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "IpFilter",
"Effect": "Deny",
"NotPrincipal": {
"Service": [
"lambda.amazonaws.com",
"apigateway.amazonaws.com"
]
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::my-code-dev/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"1.2.3.4/32",
"5.6.7.8/32"
]
}
}
}
]
}
The intent is to deny access to this S3 bucket for anyone not coming from the specified IP addresses, except for the specified services.
When deploying my stack I'm hitting an error when deploying the AWS::ApiGateway::RestApi resource with Status Reason "API: s3:GetObject Access Denied".
This is obviously tied to the bucket policy, because if I remove the policy the issue disappears. Any ideas as to what is missing in the policy?

How to change s3 bucket policies with cloudformation?

I would like to be able to change the policies on s3 buckets using cloudformation. However when I attempt to do this I encounter the error:
2017-12-21 18:49:10 UTC TestBucketpolicyAwsS3Bucketpolicy CREATE_FAILED API: s3:PutBucketPolicy Access Denied
Here is an example of a cloudformation template that fails due to this issue:
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "",
"Resources": {
"TestBucketpolicyAwsS3Bucketpolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": "alex-test-bucket-123",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Resource": "arn:aws:s3:::alex-test-bucket-123/*",
"Action": [
"s3:GetObject*",
"s3:DeleteObject*",
"s3:PutObject*"
]
}
]
}
}
}
}
}
I have tried changing policies on both my IAM user and the actual bucket I want to manage with cloudformation, but neither solution has resolved the issue. How can I remove this "s3:PutBucketPolicy" restriction?
Edit: I think the issue may be that only IAM roles can access the "s3:PutBucketPolicy" operation. I may need to create a role with s3 access then establish a trust relationship with the user that runs this cloudformation template.
https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html
IAM users cannot directly run s3:PutBucketPolicy operations. You need to create a separate IAM role and attach it to your user with a trust relationship to assume that IAM role.
Your role will need s3 and cloudformation access. The policy document below will work.
{
"Version": "2012-10-17",
"Statement": {
"Action": [
"s3:*",
"cloudformation:*"
],
"Resource": "*",
"Effect": "Allow"
}
}
The ARN of your IAM role will then need to be set in your config or the AWS_STS_ROLE_ARN environment variable along with your AWS access keys.
Once you assume the role you will then be able to change s3 bucket policies.
Note that this will override any permissions your user has when you set AWS_STS_ROLE_ARN in your config or environment variables.