Check permissions on a set of AWS credentials - amazon-web-services

I have an app where users are required to enter in a set of AWS credentials with a specific set of permissions. I'd like to verify the credentials when they are entered in to make sure they have the required set of user policies on them.
Is there a way I can retrieve the user policies for those credentials?

Yes, if they gave you creds that are allowed to do an IAM call. You can list all their IAM users, then find the one IAM user with your key, and then read the permissions for that user. But this requires parsing the IAM permissions language, which is a little complex.
The other way to do it is make a sample call for anything you want to verify (i.e. list S3 bucket, etc.) It's probably better to validate just one or two calls than try to validate every possible call. Yes, you're likely to run into errors down the road if you're missing some permissions, but it's much more likely that they made a typo or gave you the wrong creds than they gave you partial creds.
The other thing you could consider: If they give you full creds, you could create an IAM user with just the creds you need, an use those creds. Everything in IAM has an API, so it's possible.

Related

AWS IAM Profiles - Why so hard to enforce MFA?

Hi got AWS and IAM profiles. Currently users have the option to setup their own MFA but it seems like there is no way I can see for the root user to enforce MFA on its users it gives access to. Surely given the current security issues this is something that should be promoted to enforce. Am I missing something here? Is there a way to enforce MFA on IAM users?
My understanding is that you can't really enforce it as "I want every IAM user in this AWS account to have MFA configured". This AWS blog post explains how to restrict actions of your IAM users based on the presence of MFA.
I would say that, in general, you should care about the security of your resources and make sure you don't expose anything to an entity that does not present MFA. This can be done by enforcing MFA (similar to the blog post linked above). The optics is slightly different: you don't care if some IAM user has MFA, you care that anyone accessing some resource presents MFA.
You can effectively set the following condition everywhere you need:
"Condition" : {
"BoolIfExists" : {
"aws:MultiFactorAuthPresent" : "true"
}
}
More information on the global condition aws:MultiFactorAuthPresent in the official docs.
P.S. I believe that, in the same way as you're able to force IAM users to change their console password on the first authentication, it could be a nice feature to be able to enforce the presence of MFA. You could try submitting a feature request on some AWS forum.

How to check which permissions I have as an IAM user

I'm totally new to AWS and learning about IAM. I was wondering if there is a way around for an IAM user to check what all permission he/she have? Like as a root user, I created a group of IAM users where they were only allowed to use S3 service but once I logged in as an IAM user, it was showing that I have access to other AWS services as well like running EC2 instances, etc which I reckon shouldn't be the case. Thanks!
No, it isn't possible to "show" which services you have access to use, because the policies can be quite complex (eg permission to access an S3 bucket, but only a particular sub-folder if coming from a given range of IP addresses).
You would need to look the the IAM Policies attached to the IAM User, plus the policies on any IAM Groups they are in. Then, some services like Amazon S3 have additional permissions such as Bucket Policies.
In addition, AWS Organizations can limit the permissions of all users within an AWS Account, so even if a user appears to be granted certain permissions, they might not actually be available for use.
In many situations, you'll only know if you can do something by actually trying it. For example, you might have Read Only permissions, which means you can see resources in the AWS Console, but you would receive an error when you try to change things.
All services are available in the AWS Console, but various parts of the console will only work if you have adequate permission.
Note that there's IAM Policy Simulator from AWS. You can select a service and check if a given user has access to any given action (or all actions relevant to a service)

Which IAM user am I in the console?

I am a bit confused about AWS IAM. which user am I when I'm in the console? I am currently trying to make a s3 policy for one of my buckets. and I'm getting an error saying Access denied which I believe is due to not having the correct permissions for one user. so I gave this user fullS3 access. but I'm still getting Access denied.
so which user does the console think I am? if that makes sense? or how can I give that user controlling the console the correct s3 access?
The user you are in the console is whichever user you logged in as. If you haven't created a user, and you're logging in to the console with your email address, then you're the root user, which has full permissions. There are still some reasons that you could be getting access denied though.
Is it possible you've already applied a bucket policy which denies access to all? If so, you could try deleting the current policy rather than changing it in the console, then applying the new one. Sometimes you will need to remove the policy with the CLI though.
If not, could it be this issue? Access denied when put bucket policy on aws s3 bucket with root user (= bucket owner)
If neither of these work, please confirm which user you are logged in as (it'll say in the top right hand corner), and the JSON for the policy you're trying to apply.

Forced MFA policy with programmatic access

I'm looking into the following. I have several AWS users in my account. Some users have console access and programmatic access. All users have a policy attached that enforces the use of MFA. For users that want to access AWS programmatically, this is a problem. For normal access, I know they can just add the token in the CLI. But the problem I have is when we run an automatic process from one of those accounts. You can't just add the MFA token in your code because the token changes, but the forced MFA policy prevents access to AWS which causes an error.
The only working solution I have now is using seperate users for concole access and programmatic access and only enforcing MFA on the console access user. But this is a silly solution and requires people to manage seperate user accounts.
Does anybody have a better solution? I tried to change the force MFA policy so it would only require MFA to work with console access or so it would require a connected MFA device, not an MFA login. But that didn't work.
Sorry if anything is unclear, English is obviously not my first language, please do ask if you need more details.
Thanks in advance!

AWS S3 bucket access token

I have an aws s3 bucket and want to share and sync data with my team and some other individuals (and later access this data in the cloud). This is easy with the aws cli (aws s3 sync ...), but since we are now in the situation where multiple other individuals from outside are involved, they don't have an aws-account.
What is the preferred strategy here? Is there a way to get something like a read/write access-token, which then could get passed to the aws-cli?
You probably want to setup IAM users and give the access either though a bucket policy or on the user level.
With bucket policies you can easily define what paths users are able to edit and access.
When you create an IAM user you also have the option of creating one for Programmatic(CLI) access only which will give you a set of credentials for that user only. Just use aws configure and set the access and token key.
You also probably want to make sure you are using an IAM user yourself as it's generally recommended for security.