How do I add a new superuser to my AWS account? I need this new user to have all the same privileges to manage AWS as the owner (me)?
As far as I know you can only maintain one set of root account credentials with one owner per account. Even if this is an account you maintain yourself, Amazon recommends creating an IAM user for yourself with administrative privileges to keep the root account credentials secure.
In order to add a user with the same privileges, from your root account you can create that user in the IAM console and grant the user Administrator access with the full-admins policy below.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
To allow the user to access the Account Activity and Billing section, you need to activate the pages in the "IAM user access to the AWS" section on the Manage Your Account Page from your root account.
That should give the user the same level of access as the account owner without passing out the root credentials.
Related
Scenario:
I have 3 AWS root accounts in the same organization.
admin#mydomain.com
user1#mydomain.com
user2#mydomain.com
user1 created an S3 bucket B1. I want user2 and admin to be able to see and browse B1 on their own S3 dashboard. Is this possible? What policy(policies) that I need to create? Where do I create these policies and how to create them?
**The original question has been edited. Some answers below might not be relevant any more
I believe all you need to do is add Principal: "*" to the policy. This opens access to anyone, but the condition will limit it to the org.
As far as I know, I cannot do the S3 bucket console sharing between root users. I've finally managed to share the bucket created by user1 with an IAM user.
Steps for Root User
Login into AWS console and go to IAM
Create group
Create IAM policy i.e. allowing S3 full access (see below)
Attach policy to group
Create IAM user
For Access type choose AWS Management Console access
Add user to the group you created in step 1
Follow through until you click on create user button
IAM Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "o-xxxvvvwww8"
}
}
}
]
}
EDIT:
After rigorous trial & error testing, it seems that we don't even need bucket policy for this to work. I've removed the bucket policy and it all still works!
Steps for IAM User
Log into AWS console as IAM user
Go to S3 console. You should be able to see and browse all buckets and objects created by all organization members
Note
Your IAM user would not be able to see the bucket listed on its S3 console dashboard. That shared bucket can only be accessed through direct link. So your root user must provide the URL i.e. https://s3.console.aws.amazon.com/s3/buckets/bucket1/ to your IAM user
I have just started with a new company and I need to modify contact info on AWS. Any attempt gives me the error
Access Denied, you need ModifyAccount to modify this page.
I have given my user that the following policy with no luck.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "aws-portal:*",
"Resource": "*"
}
]
}
I have also attempted a policy with just
aws-portal:modfiyAccount
and a policy allowing all actions on all resources. What is stopping me from modifying contact info on AWS account?
Tasks that require root user credentials
Tasks
Change your account settings. This includes the account name, email address, root user password, and root user access keys. Other account settings, such as contact information, payment currency preference, and Regions, do not require root user credentials.
Restore IAM user permissions. If the only IAM administrator accidentally revokes their own permissions, you can sign in as the root user to edit policies and restore those permissions.
Activate IAM access to the Billing and Cost Management console.
View certain tax invoices. An IAM user with the aws-portal:ViewBilling permission can view and download VAT invoices from AWS Europe, but not AWS Inc or Amazon Internet Services Pvt. Ltd (AISPL).
and so on .
Want to view, list, modify the S3 bucket (s) and objects (s) in the linked account for manipulation purpose, but not able to.
Description:
I have a master account and three member account. I have logged in with the user 'Jagdish' to my master account and assumed a Admin role to different linked accounts in AWS. Now the situation is i want to access the bucket and its resources present in master account from one of my member account '1'. which i am not able to view or list at this point of time
Things didnt work:
I have logged in to the AWS master account, and modified its ACL policies to allow the member account ID full access
I have used the bucket policy in the master account bucket to allow access for member account (please refer code in below section)
I have tried to create a cross account role in master account, and then sts policy accessing the role from master account, but here in this case the problem is I have to assign this role particular user in the member account rather than root user. I want the permissions to be for the member root user
Used Service Control Policies (SCP) in master account to give full S3 access policy and assigned it to member account. but it didnt work
{
"Version": "2012-10-17",
"Id": "Policy15556916455366",
"Statement": [
{
"Sid": "Stmt155562234628751",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<member account number>:root"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::cdbucket-jagdish"
}
]
}
I want my member account (when i switch from master to member account) in AWS Organization to be able to view or list the bucket (s) from the master account. So that the bucket can be used for operations like reading or writing the files to that bucket.
Let's say, I have an user, say User-A, that is assigned the following policy (who is essentially an admin user):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
Can I create another policy and associate it to User-A, so that User-A can't launch EC2 instance? (I don't want to disassociate the above policy from User-A; because of some legacy reason, I only want to add rules/policies to a user)
Moreover, can I limit launching EC2 instance operation from an AWS account root user? (See the following statement on AWS IAM page)
When you sign in as the root user, you have complete, unrestricted
access to all resources in your AWS account, including access to your
billing information and the ability to change your password.
If you can edit the existing policy, then you can change the permissions that are being granted (eg by using NotAction, as #bishop suggested).
If you cannot edit the existing policy, you can add another policy with "Effect": "Deny" and then list the actions that are not permitted.
As to the Root account... It can basically do anything. That is why the recommendation is to attach Multi-Factor Authentication to the account, then lock away the MFA device for emergency use only.
I am trying to give access permission for S3 bucket in account to another account.
For the created bucket in permission tab there is an option of Access for other AWS accounts. Under that I am seeing an Add Account button. I clicked it and gave my other account from which I want to access this bucket.
However, I am getting an Invalid ID error.
If you wish to grant access to specific User in a different account, it's quite simple. (I don't think this method will work for giving access to a different Account.)
Let's say you have:
Account A with Bucket A that you own
Account B with User B to which you wish to grant access
Ask User B for the ARN associated with their IAM User. This can be seen in the IAM Management Console and it will look like:
arn:aws:iam::123456789012:user/fred
Then, add a Bucket Policy to Bucket A:
{
"Version": "2012-10-17",
"Id": "S3AccessPolicy",
"Statement": [
{
"Sid": "GiveFredAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/fred"
},
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucket-a",
"arn:aws:s3:::bucket-a/*"
]
}
]
}
This will allow Fred to access the S3 bucket. This works for users in the same account AND for users in a different account.
For getting the canonical ID, one of the simplest ways is to use CLI and run
aws s3api list-buckets command.
You will get the ID in the output.
There are other ways also for getting the canonical ID and are clearly described in the aws docs: https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html
list-buckets aws docs: https://docs.aws.amazon.com/cli/latest/reference/s3api/list-buckets.html
You need the "canonical user id". You can find out about this here.
To view your canonical user ID as a root user (console)
Sign in as the root user using your AWS account email address and password.
... snip ...
In the top right of the console, choose your account name or number. Then choose My Security Credentials.
If necessary, in the dialog box, choose Continue to Security Credentials. You can choose the box next to Don’t show me this message again to stop the dialog box from appearing in the future.
Expand the Account Identifiers section to view your canonical user ID.
Note
If you do not see the Account Identifiers section, then you are not signed in as the root user. Return to Step 1 above. If you do not have access to the root user credentials, contact your AWS account administrator and ask them to retrieve the canonical user ID.