amazon-iam

问题 I recently ran into a problem with IAM policies while using Code-Build. And I am trying to understand the difference between the following 2 policies and check if there are any security implications of using version 2 over version 1. Version 1 doesn't work, so I decided to go with version 2. But why does version 2 work and why doesn't version 1 doesn't work? Version 1 only gives access to the CodePipeline resource and allows to read and write to S3 bucket object. However Version 2 gives

问题 I want my backend to be able to directly send messages to authenticated users. Which means I need to limit the users to only subscribe on topics under their own identifiers. Ideally, to my currently limited understanding, I would have a policy that has the user sub as a variable: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect", "iot:Publish", "iot:Receive", "iot:GetThingShadow", "iot:UpdateThingShadow", "iot:DeleteThingShadow" ], "Resource": "*" }, {

问题 I can individually access two different Athena tables using two different IAM roles because each lie in different accounts. Is there a way to run a single query that pulls from both (ie. INNER JOIN)? 来源： https://stackoverflow.com/questions/48876047/athena-queries-between-tables-in-different-accounts

问题 I'm reviewing IAM policies and roles that haven't been used in the last N number of days. In the console I can easily view recent usage under Access Advisor. I'd like to get the same in an automated way, but I can't find any documentation on getting this using CLI or SDK. Is this possible? 回答1: It is now available, check the link below https://aws.amazon.com/about-aws/whats-new/2018/12/iam_access_advisor_apis/ 回答2: Netflix has a tool called Aardvark to scrape the Access Advisor data from the

问题 I'm reviewing IAM policies and roles that haven't been used in the last N number of days. In the console I can easily view recent usage under Access Advisor. I'd like to get the same in an automated way, but I can't find any documentation on getting this using CLI or SDK. Is this possible? 回答1: It is now available, check the link below https://aws.amazon.com/about-aws/whats-new/2018/12/iam_access_advisor_apis/ 回答2: Netflix has a tool called Aardvark to scrape the Access Advisor data from the

问题 I have a cloudformation stack template that includes regional resources (lambdas, api, topics, etc.) and global resources (user, policies, route53, cloudfront, dynamodb global tables, etc.) and want to deploy it to multiple region in the same AWS account. I can't directly deploy this stack template in multiple region because global resources will already exist after the first creation. I know I could split everything in two separate stack templates but I would prefer to avoid this and keep

问题 So I've been trying to define a policy to restrict a group of IAM users to a particular folder in an S3 bucket with no success. I've riffed off the policy outlined in this blog post. http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke Specifically I'm using the following: { "Version":"2012-10-17", "Statement": [ { "Sid": "AllowUserToSeeBucketListInTheConsole", "Action": ["s3:ListAllMyBuckets", "s3

问题 i just referred to this question AmazonServiceException: User is not authorized to perform: dynamodb:DescribeTable Status Code: 400; Error Code: AccessDeniedException which has similar error. but it doesn't help me. I'm getting this error when i try to raise a support ticket: Invalid Input User: arn:aws:iam::44324457964845364:user/testetest is not authorized to perform: support: (Service: AWSSupport; Status Code: 400; Error Code: AccessDeniedException; Request ID: 65dq34fedq234rde9

问题 Is there a way to define a S3 bucket policy to enforce standard storage class? I want to prevent users from creating objects with reduced redundancy storage class. 回答1: You can now use a condition in an S3 bucket policy to constrain the creation of S3 objects (using PutObject ) to specific storage classes. The current version of the AWS documentation has an example - Restrict object uploads to objects with a specific storage class. Suppose Account A owns a bucket and the account administrator

问题 I am now trying to set up fineuploader-s3 to show an image of the file successfully uploaded on the aws server, as was done on the example page here: http://fineuploader.com/#s3-demo I am (still) using the code at https://github.com/Widen/fine-uploader-server/blob/master/php/s3/s3demo.php, and I’ve added uploadSuccess: { endpoint: "s3demo.php?success" } to the fine-uploader instance in my javascript file, so that the temporary link should be generated by the function in the s3demo.php file. I