Questions tagged [amazon-iam]

IAM is Amazon Web Services' Identity and Access Management service

AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources. Using IAM, you can create and manage AWS users, groups and roles and use permissions to allow and deny their access to AWS resources.

262 questions
3 votes, 2 answers

Managing multiple AWS VPCs - becomes a fruit salad of subnets / ec2 instances

We are just starting our AWS presence. We require multiple VPCs, each hosting our own servers or customers' servers. Each VPC has 4 subnets - 2 public, 2 private, each in a different AZ. Each VPC has 7 or more EC2 instances. We manage this…
psiphi75 • 151 • 7
3 votes, 1 answer

Is it possible to grant a "read everything" role in AWS?

Is there a default policy that can provide read-only access to all services with AWS? Is there a naming convention for permissions that could be followed, such as "Allow" : "Get*" in an IAM policy, to achieve this type of result? I know that AWS…
Andrew Theken • 217 • 1 • 3 • 12
3 votes, 0 answers

EKS - Use IAM roles for service accounts on multiple clusters

I am trying to use IAM roles for service accounts in EKS: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html When it comes to creating the IAM role to be assigned to a service account, I have to create it with a trust…
3 votes, 1 answer

AWS IAM Roles: What is a trusted entity exactly?

I have a role attached to a LaunchConfiguration for an EC2 instance, that gives the EC2 instance privs to do certain things like do Cloudwatch logs (the context isn't important to the question). In Cloudformation the Role looks like: Type:…
spinkus • 188 • 2 • 16
2 votes, 0 answers

AWS EC2: IAM policy to allow inbound SecurityGroup with PORT Range

I want to allow access to a specific EC2 security group to one of the developers. For that I know that we can use something like this: { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1413232782000", …
RKT • 21 • 1
2 votes, 1 answer

AWS Systems Manager: Verify that the IAM instance profile attached to the instance includes the required permissions

I am trying to access an EC2 instance using AWS Systems Manager. For that I've created a role attached to the following policies: AmazonEC2RoleforSSM, AmazonSSMAutomationApproverAccess, AmazonSSMFullAccess, AmazonSSMAutomationRole. And the role is…
2 votes, 2 answers

How can I 'aws s3 sync' two buckets, which are located in different accounts

I'm trying to use 'aws s3 sync' on the awscli between two accounts. Account A, I own. Account B is owned by a third party. Account B has given a user:jon on account A permission to a bucket through a role:assumeDevOps assumption. Jon assumes…
phisshion • 21 • 1 • 1 • 2
2 votes, 1 answer

AWS IAM policy JSON with time limit and time zone

I want to add an IAM policy with a time limit. But the time limit doesn't have a way to specify the time zone. How can I define the time zone, or what is the time zone considered here? { "Effect":"Allow", "Action":[ …
sugunan • 141 • 1 • 5
2 votes, 3 answers

AWS - Bastion checking IAM permissions?

Is it possible to set up a bastion host in AWS that would check IAM to see if a given user can connect to a specific EC2 instance? It might be a bit blurry, but the idea is the following. Let's assume that a company has 2 customers and each of them…
2 votes, 1 answer

EC2 IAM - restrict CreateTags permission to instances which were started from an AMI with a particular tag

Does anyone know of a way to create the following permission on AWS IAM: Allows tagging of any EC2 instance, on the condition that: The AMI from which the instance was created has the tag "foo" with the value "bar". I can see how to create a…
samfrances • 131 • 2
2 votes, 1 answer

Can you use IAM roles to connect from a non-AWS application to AWS services?

We have a hybrid environment where some applications are running in our own datacenter and other services are running on the AWS cloud. Now we have an application which needs to write files to S3. In our current solution we have created an IAM user…
DenCowboy • 313 • 3 • 6 • 15
2 votes, 1 answer

SSM Managed instance using AWS CLI and assume-role

I have a requirement for a non-AWS host to perform a scheduled scripted task with an S3 bucket. I have this working as expected with access/secret access keys related to the S3 role. This non-AWS host is running CentOS 7 and I have it registered with…
Relish • 33 • 3
2 votes, 1 answer

Allow other AWS services to invoke Lambda using IAM

Is it possible to grant AWS services (e.g. API gateway, Secrets Manager) permission to invoke a Lambda function using only IAM roles? Normally this is done in the function's policy (resource-based policy), but I wonder if this is the only way. The…
2 votes, 1 answer

AWS IAM Policy for elasticloadbalancing:DescribeTargetHealth

I am trying to run this cli on a target group: aws elbv2 describe-target-health This IAM policy doesn't work: { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1497933736509", "Action": [ …
starchx • 533 • 10 • 24
2 votes, 0 answers

Template validation error: Role arn:aws:iam is invalid or cannot be assumed

I am using this CloudFormation template from the Docker website to create a docker-for-aws stack. I am getting this error, however: Template validation error: Role arn:aws:iam::1234567890: role/docker-for-aws-role is invalid or cannot be assumed I…
Anthony Kong • 3,288 • 11 • 57 • 96