amazon-iam

问题 I have the following policy defined on a Cognito role { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:UpdateItem" ], "Resource": [ "arn:aws:dynamodb:ap-southeast-2: NUMBER:table/myapplication_product" ], "Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": [ "${cognito-identity.amazonaws.com:sub}" ] } } } ] } As you can see, it should allow access to GetItem, UpdateItem and Scan, but I'm finding that

问题 Today I have a new AWS Lambda question, and can't find anywhere in Google. I new a Lambda function, there is no question. But when I input any code in this function[eg. console.log();] and click "Save", error is occured: "The provided execution role does not have permissions to call DescribeNetworkInterfaces on EC2" exports.handler = (event, context, callback) => { callback(null, 'Hello from Lambda'); console.log(); // here is my code }; I bound the function with Role: lambda_excute_execution

问题 I’m trying to use the new DynamoDB BatchResolvers to write to two DynamoDB table in an AppSync resolver (currently using a Lambda function to do this). However, I’m getting the following permission error when looking at the CloudWatch logs: “User: arn:aws:sts::111111111111:assumed-role/appsync-datasource-ddb-xxxxxx-TABLE-ONE/APPSYNC_ASSUME_ROLE is not authorized to perform: dynamodb:BatchWriteItem on resource: arn:aws:dynamodb:us-east-1:111111111111:table/TABLE-TWO (Service: AmazonDynamoDBv2;

问题 I am creating S3 buckets in a program using ' standard-prefix-{variable} '. In trying to create an IAM policy so a user can update, create, delete buckets in an account, but only if the bucket name contains the 'standard-prefix'. IE, I don't want to allow modifying other buckets in the account. I'm finding many ways to limit access to resources within a bucket, given a specific bucket name, but no way of limiting access when the bucket names are changing. Something like (which doesn't seem to

问题 I'm using the AWS CLI to create a CloudFront distribution in a script: aws configure set preview.cloudfront true aws cloudfront create-invalidation --distribution-id ABCD1234 --paths '/*' I have a policy set up with this statement: { "Sid": "xxx", "Effect": "Allow", "Action": [ "cloudfront:CreateInvalidation" ], "Resource": [ "arn:aws:cloudfront::xxx:distribution/ABCD1234" ] } The policy is attached to the user that is running the command. However, I still get this error: A client error

问题 I'm working on a nodejs application on AWS for the first time and am still learning all the services. I'm working on my applications authentication and authorization and am at the point to create my user roles and groups. Is the AWS IAM service meant for both AWS management and for your application's user authorization or should I use one of nodejs's ACL modules and manage my roles and users outside of AWS IAM service? 回答1: Should you use AWS IAM roles and permission for application users? No

问题 In my development environment, I regularly switch between several AWS access keys. So in my ~/.aws/credentials file, I have several profiles. I can then use these profiles with aws-cli by specifying the --profile <name> flag. I develop several apps that use the Ruby AWS SDK. They are setup to read credentials from the ~/.aws/credentials file (the SDK does this by default, see this configuration article). The problem is that the SDK always reads from the default profile. I would like to be

问题 I have been trying for the better part of a day. I am, as an administrator, attempting to require users to check the "Automatically encrypt objects when they are stored in S3" button (AES256) when creating their S3 buckets. I've tried about everything can think of. So far, I have only gotten 2 separate results. As a test user, I am either allowed to create buckets (with or without checking encryption), or I am denied (with or without checking encryption). The last effort has resulted in the

问题 I have been trying for the better part of a day. I am, as an administrator, attempting to require users to check the "Automatically encrypt objects when they are stored in S3" button (AES256) when creating their S3 buckets. I've tried about everything can think of. So far, I have only gotten 2 separate results. As a test user, I am either allowed to create buckets (with or without checking encryption), or I am denied (with or without checking encryption). The last effort has resulted in the

问题 I am trying to create Firehose streams that can receive data from different regions in Account A, through AWS Lambda, and output into a redshift table in Account B. To do this I created an IAM role on Account A: { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "firehose.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } I gave it the following permissions: { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Action": [