Questions tagged [aws-policies]

223 questions
3 votes, 2 answers
not_actions vs explicit deny & allow statements in an IAM policy

Policy 1: data "aws_iam_policy_document" "kms_policy" { statement { sid = "AllowEKSKMSAccess" actions = [ "kms:*" ] not_actions = [ "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:Revoke*", …
DmitrySemenov

3 votes, 1 answer
AWS policy generation facing syntax error?

If I add this policy { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::xxxxxxxxxxxx:user/stikbook-dev" }, "Action": "sts:AssumeRole" } …

3 votes, 3 answers
Unable to Create Policy for AWS ECR

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowPushPull", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam:::user/root" }, …

3 votes, 1 answer
Does creating a new policy to enforce tagging on AWS resources affect resources that have already been created?

I am planning to create a policy that enforces tagging when creating AWS resources. So does creating a new policy to enforce tagging on AWS resources affect resources that have already been created?
Pamoda

3 votes, 1 answer
AWS: How to attach a policy to an IAM user that grants him the privilege to create a verified identity and not access root identities?

In the root account, I have a verified domain identity that I used to create an email identity for transactional emails. Now, I created a new IAM account. I would like to attach a policy to this IAM account that allows it to create a verified email…
AG_HIHI

3 votes, 2 answers
AWS IAM and KMS policy 'muddlement'

I'm hoping some AWS policy expert may be able to help me decode what's going on here. I've been playing with IAM and resource policies in AWS. According to AWS's own documentation, unless there are any explicit denies in all of the policies, the…

3 votes, 1 answer
AWS Permissions to allow a specific user to Modify a specific Security Group

I've been trying to implement a new policy on AWS to allow a specific user to manage a specific Security Group. I used to have this working, but it stopped working a couple of weeks ago and now no matter what I try I cannot get it to work again. Does…

3 votes, 1 answer
AWS S3 Permissions - Create Folder while only being able to upload certain extensions

I'm trying to write an IAM policy to do the following: Allow the user to access a specific bucket. Only be able to upload a select few types of files, based on extension. Allow creating a folder in that bucket. I've managed to do the first two, but…
Nigel Fds

3 votes, 2 answers
List S3 buckets by bucket policies

I have 400+ buckets in my AWS account, some of which can be accessed by users using the user groups dev-user-group & prod-user-group. A few S3 buckets' policies are something like this "aws:arn": [ …
Arvin

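Matching bucket policies to a set of users is a scan over every bucket's policy document. The following is an added example written for this page, not code from the question or from AWS: it collects the principals each policy names, either in the Principal element or through an aws:PrincipalArn condition, and filters buckets by an ARN glob. The account ID, user names, bucket names and policy documents are constructed so the script runs offline; load_bucket_policies shows the boto3 calls (list_buckets, get_bucket_policy) you would use against a live account.

```python
"""Find which S3 bucket policies grant to a given principal: an added example
for this page, not code from the question. Runs offline on the constructed
policies below; load_bucket_policies() shows the boto3 calls for a real account.
"""
import json
from fnmatch import fnmatchcase

# Condition operators under which aws:PrincipalArn can appear.
PRINCIPAL_OPERATORS = ("ArnEquals", "ArnLike", "StringEquals", "StringLike")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def principals_in_policy(policy):
    """Every AWS principal a bucket policy refers to, as a set of strings.

    Principals appear in the Principal element (account IDs, user/role ARNs,
    "*" for anonymous access) and in conditions on aws:PrincipalArn. IAM
    groups can never be named in a resource policy, so a policy meant for
    dev-user-group will list that group's users or a matching ARN pattern.
    """
    found = set()
    statements = policy["Statement"]
    for stmt in [statements] if isinstance(statements, dict) else statements:
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.add("*")
        elif isinstance(principal, dict):
            found.update(_as_list(principal.get("AWS", [])))
        for operator, pairs in stmt.get("Condition", {}).items():
            if operator in PRINCIPAL_OPERATORS:
                found.update(_as_list(pairs.get("aws:PrincipalArn", [])))
    return found


def buckets_granting(policies_by_bucket, principal_glob):
    """Sorted bucket names whose policy mentions a principal matching the glob."""
    return sorted(bucket for bucket, policy in policies_by_bucket.items()
                  if any(fnmatchcase(p, principal_glob) for p in principals_in_policy(policy)))


def public_buckets(policies_by_bucket):
    """Buckets whose policy grants to the anonymous principal."""
    return sorted(b for b, p in policies_by_bucket.items() if "*" in principals_in_policy(p))


def load_bucket_policies(s3):
    """{bucket: policy} via boto3 (s3 = boto3.client("s3")); buckets without a policy are skipped.

    Needs s3:ListAllMyBuckets and s3:GetBucketPolicy on the caller.
    """
    from botocore.exceptions import ClientError
    policies = {}
    for bucket in s3.list_buckets()["Buckets"]:
        try:
            policies[bucket["Name"]] = json.loads(s3.get_bucket_policy(Bucket=bucket["Name"])["Policy"])
        except ClientError as err:
            if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
                raise
    return policies


# Constructed sample account (not from the question): four buckets, one public.
ACCOUNT = "111122223333"
DEV_USERS = [f"arn:aws:iam::{ACCOUNT}:user/dev-alice", f"arn:aws:iam::{ACCOUNT}:user/dev-bob"]
SAMPLE_POLICIES = {
    "app-dev-assets": {"Version": "2012-10-17", "Statement": [
        {"Sid": "DevUsers", "Effect": "Allow", "Principal": {"AWS": DEV_USERS},
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::app-dev-assets/*"}]},
    "app-prod-assets": {"Version": "2012-10-17", "Statement": [
        {"Sid": "ProdUsersByPattern", "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "s3:*", "Resource": ["arn:aws:s3:::app-prod-assets", "arn:aws:s3:::app-prod-assets/*"],
         "Condition": {"ArnLike": {"aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT}:user/prod-*"}}}]},
    "www-static": {"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::www-static/*"}]},
    "access-logs": {"Version": "2012-10-17", "Statement": [
        {"Sid": "LogDelivery", "Effect": "Allow", "Principal": {"Service": "logging.s3.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::access-logs/*"}]},
}

if __name__ == "__main__":
    print("dev users  ->", buckets_granting(SAMPLE_POLICIES, f"arn:aws:iam::{ACCOUNT}:user/dev-*"))
    print("prod users ->", buckets_granting(SAMPLE_POLICIES, f"arn:aws:iam::{ACCOUNT}:user/prod-*"))
    print("public     ->", public_buckets(SAMPLE_POLICIES))
```

Two things this scan cannot tell you: whether the users in a group can actually reach the bucket, which also depends on their identity policies, SCPs and permission boundaries, and whether a Principal of the account root plus an aws:PrincipalArn condition matches a given user, which needs the full ARN match rather than a group name. For an authoritative answer on a live account, IAM Access Analyzer's findings or the IAM policy simulator are the tools to reach for after this first pass.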
3 votes, 1 answer
AWS IAM, restricting an account to see and access only resources created by itself?

I'd like to have an IAM user which would be able to create whatever resources they like, BUUTTTT able to see and manage only those resources created by itself, like a "subcloud" which has no idea about others, or like having completely separate root…
so1999

3 votes, 1 answer
AWS IAM PowerUser Scoped to Specific Region

I'm trying to create an AWS IAM Policy that gives access to everything that a Power User has (arn:aws:iam::aws:policy/PowerUserAccess) but only in a specific region. I started with the existing Power User policy and found this article:…
Ryan Ferretti

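The not_actions question near the top of this list (Policy 1, with both actions and not_actions in one statement) and this region-scoped PowerUser question both come down to how IAM combines statements. The mini evaluator below is an added example written for this page; it is not AWS's evaluation engine and not code from either question. It models only Allow/Deny, Action versus NotAction with wildcards, Resource matching and a StringEquals/StringNotEquals condition, and the account ID, key ARN and policy documents in it are constructed. It demonstrates three points: a statement carrying both Action and NotAction is malformed and IAM rejects it; an Allow with NotAction covers every action in every service except the ones listed, so it is not a way to say "all of KMS except deletion" and, unlike an explicit Deny, it is silently overridden by any other Allow that reaches the principal; and a PowerUser-style statement can be pinned to one region with the aws:RequestedRegion condition key.

```python
"""Mini IAM policy evaluator: an added example for this page, not AWS's engine.

Models just enough of IAM to show how NotAction, explicit Deny and a condition
on aws:RequestedRegion interact. SCPs, permission boundaries, resource
policies, NotResource/NotPrincipal and other condition operators are not modelled.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _match_any(patterns, value, case_sensitive):
    # IAM matches Action case-insensitively and Resource ARNs case-sensitively.
    patterns = _as_list(patterns)
    if not case_sensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def statement_is_wellformed(stmt):
    """IAM rejects a statement with both Action and NotAction (or neither)."""
    has_one_action_key = ("Action" in stmt) != ("NotAction" in stmt)
    return has_one_action_key and stmt.get("Effect") in ("Allow", "Deny")


def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(wanted):
                    return False
            elif operator == "StringNotEquals":
                if actual in _as_list(wanted):  # an absent key satisfies a negated operator
                    return False
            else:
                raise ValueError(f"unsupported condition operator {operator}")
    return True


def _applies(stmt, action, resource, ctx):
    if not statement_is_wellformed(stmt):
        raise ValueError(f"malformed statement {stmt.get('Sid', '<no Sid>')}")
    if "Action" in stmt:
        if not _match_any(stmt["Action"], action, case_sensitive=False):
            return False
    elif _match_any(stmt["NotAction"], action, case_sensitive=False):
        return False  # NotAction: the statement covers every action NOT listed
    if not _match_any(stmt.get("Resource", "*"), resource, case_sensitive=True):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(policies, action, resource, ctx=None):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request.

    Same precedence as IAM: a matching Deny in any policy wins, then a
    matching Allow, otherwise the request is implicitly denied.
    """
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        statements = policy["Statement"]
        for stmt in [statements] if isinstance(statements, dict) else statements:
            if _applies(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed identifiers (not from either question).
ACCOUNT = "111122223333"
KEY_ARN = f"arn:aws:kms:eu-west-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
DESTRUCTIVE = ["kms:Delete*", "kms:ScheduleKeyDeletion", "kms:Revoke*"]

# Policy 1 cannot keep both actions and not_actions; with only not_actions it
# becomes an Allow with NotAction, which covers every action in every service
# except the three listed. That is the trap.
NOT_ACTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowEKSKMSAccess", "Effect": "Allow", "NotAction": DESTRUCTIVE, "Resource": "*"}]}

# The alternative: Allow kms:* and explicitly Deny the destructive actions.
ALLOW_PLUS_DENY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowKMS", "Effect": "Allow", "Action": "kms:*", "Resource": "*"},
    {"Sid": "DenyKeyDestruction", "Effect": "Deny", "Action": DESTRUCTIVE, "Resource": "*"}]}

# A second policy attached later (another team, a managed policy, a group).
EXTRA_GRANT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:ScheduleKeyDeletion", "Resource": KEY_ARN}]}

# PowerUser-style "everything except identity administration", pinned to one
# region. Simplified from the shape of the managed PowerUserAccess policy (assumption).
REGION_SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PowerUserInOneRegion", "Effect": "Allow",
     "NotAction": ["iam:*", "organizations:*", "account:*"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}}}]}

if __name__ == "__main__":
    print("NotAction-only policy, s3:GetObject ->",
          evaluate([NOT_ACTION_POLICY], "s3:GetObject", "arn:aws:s3:::any-bucket/key"))
    print("Allow+Deny with extra grant, kms:ScheduleKeyDeletion ->",
          evaluate([ALLOW_PLUS_DENY_POLICY, EXTRA_GRANT], "kms:ScheduleKeyDeletion", KEY_ARN))
    print("Region-scoped, ec2:RunInstances from us-east-1 ->",
          evaluate([REGION_SCOPED_POLICY], "ec2:RunInstances", "*", {"aws:RequestedRegion": "us-east-1"}))
```

Two caveats before copying the region condition into a real policy: the managed PowerUserAccess policy contains more statements than the single simplified one here, and global services such as IAM, STS and CloudFront do not take aws:RequestedRegion from the region you select in the console, so a single StringEquals can lock them out unintentionally; check the condition-key documentation for the value each global service reports.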
2 votes, 0 answers
Create Service role for AWS AppRunner

I am currently running a Next.js application on AWS AppRunner. Initially, when creating the service, I unintentionally left the Instance role in the Security section empty, resulting in AWS automatically creating a role for me. However, I now…
Susitha Ravinda Senarath

2 votes, 0 answers
Does AWSSecretsManagerRotationPolicy policy apply to all secrets?

I'm trying to use an AWS lambda function (deployed with SAM) to rotate a secret. Reading the AWSSecretsManagerRotationPolicy description, it says: Gives permission to rotate a secret in AWS Secrets Manager. Source Based on that, this is applied to a…

2 votes, 1 answer
AWS policy actions for querying a CloudWatch log group and extracting information from the results

I am trying to query the AWS CloudWatch logs that are created by a Lambda Function. I have written a script to do this, which does the following: aws logs start-query Submit a query, with the appropriate time window and query string. aws logs…

2 votes, 0 answers
AWS DeviceFarm ScheduleRun always returns AccessDeniedException in cli

When I try to start a DeviceFarm run via CLI or API with an IAM user, I'm always getting the following error: An error occurred (AccessDeniedException) when calling the ScheduleRun operation: User: is not authorized to perform:…
