Questions tagged [amazon-iam]

IAM is Amazon Web Services' Identity and Access Management service

AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources. Using IAM, you can create and manage AWS users, groups and roles and use permissions to allow and deny their access to AWS resources.

262 questions
2 votes, 2 answers

Permissions for choosing tags in Cloudwatch

When trying to create a Cloudwatch dashboard I get "You don't have permission to access tags and properties. Retry". What permissions does my IAM account have to have in order to be able to search and choose from tags and properties from…
2 votes, 1 answer

AWS: How do I restrict deployment to ECS clusters using IAM

I have multiple Fargate clusters in a single AWS account. I wish to ensure that a given service account (used by the build pipeline) can only update Services within a given Fargate cluster. The IAM policy editor prompt for the ecs:UpdateService…
2 votes, 2 answers

Create a role to read from AWS Secrets Manager

I use AWS Secrets Manager to store passwords which I need to read from services launched on my EC2 instances. In order to do that, one solution I thought about was creating a role which can access Secrets Manager and attaching it to instances…
2 votes, 2 answers

s3 bucket/IAM user policy "Deny takes priority above all other access"?

Two policies, one of them a "Deny"; I should not be able to do any operations on the bucket, but I can still list and view bucket objects. Why? Thanks. S3 bucket policy: { "Sid": "S3DenyAccess", "Effect": "Deny", "Principal": "*", "Action":…
Shawn

2 votes, 1 answer

AWS Cloud Provider Integration with Kubernetes - Nodes stuck with "uninitialized: true" taint after bootstrapping

Summary: I am attempting to bootstrap a Kubernetes cluster on AWS using kubeadm. Please, before you suggest them: I am not interested in using EKS or another bootstrapping solution like Kops, Kubespray, etc. It appears that there is a lot of…
TJ Zimmerman

2 votes, 2 answers

How can I switch to an EC2 instance role locally as a user?

I apply EC2 instance roles to my servers, but I want to switch to those roles myself locally first to test permissions. I'd tried switching to one, but I get an error: aws sts assume-role --role-arn arn:aws:iam::1234567890:role/myrole --role-session…
red888

2 votes, 1 answer

Non-null password_last_used for (supposedly passwordless) AWS root_account?

As I was auditing an org's AWS IAM, I did: aws iam generate-credential-report # a bit later, download the CSV with aws iam get-credential-report. While viewing the report, one thing struck me as highly unusual: the column password_last_used for…
ulidtko

1 vote, 1 answer

AWS - deny services deployment in public subnet

We are building some security boundaries for our internal teams and would like to limit their ability to deploy services in public subnets. I can build a boundary policy so that EC2 instances cannot be deployed in public subnets, but this only covers the EC2 service.…
Sergei

1 vote, 0 answers

AWS organization accounts, full AWS access, and S3 permissions

I have an Organization that has three accounts in it, and I have attached a FullAWSAccess control policy to one of those accounts, A. This policy grants the * action on * resources. A logged in to the AWS web console, got their canonical user ID from the…
sameers

1 vote, 1 answer

What permissions do I need to access a SQS queue?

I am trying to open an SQS queue, but I got this error: 2019-07-09 07:20:31,855 pid 3604 tid 800 ERROR connection
Anthony Kong

1 vote, 1 answer

Switch Role on Windows 10 Fails with AWS Source IP

When a user on Windows 10 tries to switch roles in AWS, it fails with "Failed authentication". We have a Condition in our sts:AssumeRole policy to only allow the role switch if the user is coming from a whitelisted IP address. Those addresses…
kenlukas

1 vote, 2 answers

Enforcing EBS Encryption within AWS Organization using SCP (Service Control Policy)

Is it possible to enforce that all accounts within an AWS organization can only create encrypted EBS volumes? I know you can enforce it using IAM roles, but I want to know if it can be done with SCP. Here's what I've come up with so far, but it…
Tim
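
Both policy-evaluation questions on this page, the S3 "Deny takes priority" one further up and this SCP one, turn on the same three rules: an explicit Deny in any applicable policy (identity policy, bucket policy or SCP) overrides every Allow; a statement only matches the resource ARNs it names, so a Deny on arn:aws:s3:::bucket/* says nothing about arn:aws:s3:::bucket itself (s3:ListBucket is evaluated against the bucket ARN, s3:GetObject against object ARNs); and an SCP grants nothing by itself, it only filters what identity policies inside the account may allow. The toy evaluator below is an added illustration of those rules, not code from either question and not the AWS evaluation engine. Everything in it is constructed: the sample policies, the bucket name example-bucket, the account ID 123456789012, the assumption that each policy's Principal already covers the caller (it does no Principal matching and handles same-account requests only), and the use of the ec2:Encrypted condition key with the Bool operator, the only condition operator it implements, for the EBS case.

```python
"""Toy IAM policy evaluator (constructed example; not AWS code and not code
from either question). Same-account requests only, no Principal matching:
every policy passed in is assumed to name the caller or use Principal "*".
The only condition operator implemented is Bool."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value, case_insensitive=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatchcase(value, pattern)


def _statement_applies(stmt, action, resource, context):
    # Action names are case-insensitive in IAM; resource ARNs are not.
    if not any(_match(p, action, True) for p in _as_list(stmt.get("Action", []))):
        return False
    if not any(_match(p, resource) for p in _as_list(stmt.get("Resource", "*"))):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator}")
        for key, wanted in pairs.items():
            have = context.get(key)
            # Bool on a key absent from the request context evaluates to false.
            if have is None or str(have).lower() != str(wanted).lower():
                return False
    return True


def _effects(policies, action, resource, context):
    found = set()
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _statement_applies(stmt, action, resource, context):
                found.add(stmt["Effect"])
    return found


def evaluate(action, resource, identity_policies, resource_policies=(), scps=(), context=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one same-account request."""
    context = context or {}
    identity = _effects(identity_policies, action, resource, context)
    resource_based = _effects(resource_policies, action, resource, context)
    scp = _effects(scps, action, resource, context)
    if "Deny" in identity | resource_based | scp:
        return "Deny"                 # an explicit Deny anywhere beats every Allow
    if scps and "Allow" not in scp:
        return "ImplicitDeny"         # SCPs are a filter: no SCP Allow, no access
    if "Allow" in identity | resource_based:
        return "Allow"                # same account: identity or bucket policy may grant
    return "ImplicitDeny"


# Constructed sample policies (names, bucket and account ID are made up).
ALLOW_ALL_S3 = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
# Names only the objects, so ListBucket (checked against the bucket ARN) is untouched.
DENY_OBJECTS_ONLY = {"Statement": [{"Sid": "S3DenyAccess", "Effect": "Deny", "Principal": "*",
                                    "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}]}
# Names bucket and objects: every S3 action on either is blocked, for every principal.
DENY_BUCKET_AND_OBJECTS = {"Statement": [{"Sid": "S3DenyAccess", "Effect": "Deny", "Principal": "*",
                                          "Action": "s3:*",
                                          "Resource": ["arn:aws:s3:::example-bucket",
                                                       "arn:aws:s3:::example-bucket/*"]}]}
ALLOW_ALL_EC2 = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
FULL_AWS_ACCESS_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Hypothetical SCP: refuse CreateVolume whenever the ec2:Encrypted condition key is false.
DENY_UNENCRYPTED_EBS_SCP = {"Statement": [{"Sid": "DenyUnencryptedVolumes", "Effect": "Deny",
                                           "Action": "ec2:CreateVolume", "Resource": "*",
                                           "Condition": {"Bool": {"ec2:Encrypted": "false"}}}]}


def s3_results(bucket_policy):
    """(ListBucket, GetObject) outcomes for a user holding s3:* under the given bucket policy."""
    return (evaluate("s3:ListBucket", "arn:aws:s3:::example-bucket", [ALLOW_ALL_S3], [bucket_policy]),
            evaluate("s3:GetObject", "arn:aws:s3:::example-bucket/secret.txt", [ALLOW_ALL_S3], [bucket_policy]))


def create_volume(encrypted, identity_policies=(ALLOW_ALL_EC2,)):
    """CreateVolume outcome under FullAWSAccess plus the EBS-encryption SCP."""
    return evaluate("ec2:CreateVolume", "arn:aws:ec2:us-east-1:123456789012:volume/*",
                    list(identity_policies), scps=[FULL_AWS_ACCESS_SCP, DENY_UNENCRYPTED_EBS_SCP],
                    context={"ec2:Encrypted": encrypted})


if __name__ == "__main__":
    print(s3_results(DENY_OBJECTS_ONLY))                 # ('Allow', 'Deny')
    print(s3_results(DENY_BUCKET_AND_OBJECTS))           # ('Deny', 'Deny')
    print(create_volume(False), create_volume(True))     # Deny Allow
    print(create_volume(True, identity_policies=()))     # ImplicitDeny: an SCP grants nothing
```

Running it gives ('Allow', 'Deny') for a bucket-policy Deny that names only the objects, which is how such a Deny can leave listing untouched, ('Deny', 'Deny') once the bucket ARN is added to the Resource list, and Deny / Allow / ImplicitDeny for the three CreateVolume cases (unencrypted, encrypted, and encrypted with no identity policy at all). One caveat the SCP case makes visible: a Bool condition on a key that is absent from the request context evaluates to false, so create_volume(None) comes back Allow. The Deny pattern only bites for actions whose request context actually carries ec2:Encrypted, which is why the SCP targets ec2:CreateVolume specifically rather than ec2:*.
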
1 vote, 0 answers

Which KMS permissions does ACM require?

I would like to have ACM manage a TLS certificate that I upload in the console. However, the AWS role I am assuming can access KMS actions, but only from a certain set of IPv4 addresses. I will probably need to add an exception for a set of KMS…
Toon Spin

1 vote, 2 answers

AWS describe-configuration-settings returns InsufficientPrivilegesException

I've created a "Programmatic access" user with full read and list permissions on Elastic Beanstalk, provided by a Policy I've created specifically. This means that when I go to the Policy Summary page I see: - Service: Elastic Beanstalk - Access…
RA.

1 vote, 0 answers

How to give AWS users access to more than 10+ accounts in an organization?

We have 10+ accounts clustered under a single root account, all in one organization. Our ops personnel get a user in the root account and can access any "sub" account in the organization if said user has the required permissions (assumeRole). I…
arnuschky