Questions tagged [amazon-iam]

IAM is Amazon Web Services' Identity and Access Management service

AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources. Using IAM, you can create and manage AWS users, groups and roles and use permissions to allow and deny their access to AWS resources.

262 questions
1 vote, 0 answers

Converting specific folder of S3 into browsable directory list without making it public

I have a bucket that I'd like to access using a browser similar to http://data.openspending.org/ and I'd like only a subfolder to be visible. So if Bucket1 has multiple folders, I only want to show and let users download contents of zipFiles…
Kohini
1 vote, 1 answer

AWS S3 Policy: One non-public bucket, separate sub-folders for each user, restricted access

At the moment I'm struggling with how to create a secure policy for my Amazon S3 bucket. My plan is to have one bucket with several sub-folders for separate (IAM) users. Access should only be programmatic, with access ID and secret key, not via…
1 vote, 0 answers

Autoscaling - lifecycle hook implementation

I'm trying to implement my first ASG with a lifecycle hook and I am having this issue: LifecycleHandlerFunction: Encountered unsupported property Role The following resource(s) failed to create: [LifecycleHandlerFunction]. Rollback requested by…
1 vote, 1 answer

How do I enforce a policy to block access to specific regions without updating all of my policies?

I want to block all user access to almost all AWS regions. You can't "disable" a region that is enabled by default. Also I am aware of permissions that are account-level and can't be restricted regionally. I don't want to have to add a policy like this…
red888
1 vote, 1 answer

EC2 permissions to manage only firewall access

I'd like to allow some developers to manage firewall rules, specifically rules in EC2 security groups (or ideally some of them), so that they can, e.g., update their changing IP addresses to access development machines. I've found there isn't a way…
csdev
1 vote, 1 answer

How to restrict AWS SSM access by EC2 tag

https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html#awssystemsmanager-policy-keys I can't find an answer that clears this up for me. I'm looking at this example:…
red888
1 vote, 1 answer

Can only log into AWS console with IAM user if password was auto-generated

Scenario: I create a new IAM user and choose "AWS Management Console access" for "Access type". For "Console password", I choose "Custom password" and set a password. I attach a policy to the user allowing full access to all AWS resources. I log…
user2121620
1 vote, 1 answer

Billing access denied, though I've granted all access to an IAM user

I currently can't view or edit Billing (through IAM User Access to Billing Information) because the AWS console says that I don't have permissions. I am the only user in the account, with full IAM access in the group and directly on the user as…
dash
1 vote, 2 answers

Restrict IAM user access to delete Route53 hosted zone NS and SOA record sets

I have written an IAM policy to restrict IAM users to just using a single hosted zone for testing, but how can I restrict IAM users from deleting this hosted zone's NS and SOA record sets? Please find below my IAM policy: { "Version": "2012-10-17", …
Usman
1 vote, 0 answers

Can an instance profile's condition reference EC2 instance's tags?

I'm trying to set up an instance profile for an EC2 instance that limits its access to a particular path within an S3 bucket, based on the Name tag of that EC2 instance. I've gotten a policy that's close, but still doesn't work. { "Version":…
leedm777
1 vote, 1 answer

AWS - adding organisation members to a specific OU

We have multiple OUs in our AWS organisation. We use the AWS CLI to create new AWS organisation members. For example: aws organizations create-account --email test@example.com --account-name "testaccount" Every time a new member account is created, it is…
Axel
1 vote, 1 answer

AWS - limiting resource access for members of organisational accounts

We have certain AWS labs which we offer to our customers. Every time a user opens the lab, a new member account is created and added to the organisational account. This only happens the first time when a user logs into the lab. This member account…
Axel
0 votes, 1 answer

Access Denied using S3 upload function

I have a lambda function with the following policy { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::my-bucket" …
Ajouve
0 votes, 1 answer

AWS Cross Account Role Allowing Assumed Role

I have other accounts running services (on EC2, etc.). I have one account running a metrics UI site as part of an ECS cluster that assumes a role while operating (arn:aws:sts::1111111111:assumed-role/initialassumedrole). The other accounts have a role…
0 votes, 1 answer

Grant access to role in another AWS account to all objects in my bucket

So I want to grant a role that exists in account A the get-object permission on items in a bucket owned by account B. I read the AWS docs' example policies and created a bucket policy like this: { "Version": "2012-10-17", "Id": "foo2", …
James Hardy