amazon-iam

AWS deny access to VPC

♀尐吖头ヾ submitted on 2019-12-11 01:14:17
Question: We have a few users which basically have access to everything using the following policy: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] } Is there a way to restrict access to selected VPCs? I have tried creating the following policy and attaching it to the user (via a group): { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1504660000000", "Effect": "Deny", "Action": [ "ec2:*" ], "Resource": [ "arn:aws:ec2:<REGION>:<ACCOUNT-ID>:vpc/<VPC

Error while uploading file to Amazon S3 bucket

丶灬走出姿态 submitted on 2019-12-10 22:37:20
Question: When I run my app and log in with a Google account, it gives me the Cognito provider. Now I am trying to upload a file to an S3 bucket from the app. First I am trying to upload a file from my local laptop, then I will change it to upload from the app. Here is my code: provider = new CognitoCachingCredentialsProvider(mContext, AWS_ACCOUNT_ID, IDENTITY_POOL_ID, UNAUTH_ROLE_ARN, AUTH_ROLE_ARN,Regions.EU_WEST_1); client = new CognitoSyncManager(mContext, IDENTITY_POOL_ID, Regions.EU_WEST_1, provider);

IAM allowing a user to access everything for ec2 on a region

一世执手 submitted on 2019-12-10 17:37:07
Question: I'm trying to allow one user all actions on us-west-2; this is the policy I have. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["ec2:*"], "Resource": "arn:aws:ec2:us-west-2:837625274593:*" } ] } I got the account number from the "OWNER" parameter on an instance, not sure if it is. Answer 1: { "Statement": [ { "Sid": "Stmt1375943389569", "Action": "ec2:*", "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "ec2:Region": "us-west-2" } } } ] } That should

Is there any instance profile available in Azure like in AWS

会有一股神秘感。 submitted on 2019-12-10 17:10:29
Question: An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts. http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html Answer 1: Azure also supports IAM. Microsoft Azure identity and access management solutions help IT protect access to applications and resources across the corporate data center and into the cloud. This enables additional levels of validation, such as multifactor

Assume multiple AWS IAM roles at a single time

不问归期 submitted on 2019-12-10 14:24:43
Question: On occasion, I need to access multiple AWS resources that I have individual access for with separate IAM roles. If I need these resources to be used together, I currently have to figure out a non-native connector piece. If I could access the resources together at the same time, I could sometimes use an AWS connector to interface with both resources at once (for example). Is there a way to assume multiple IAM roles at the same time? Answer 1: Technically, yes, there is a way to assume multiple IAM

How can I access protected S3 files in a CFN script?

被刻印的时光 ゝ submitted on 2019-12-10 13:35:12
Question: I am trying to retrieve a file in my CloudFormation script. If I make the file publicly available, then it works fine. If the file is private, then the cfn script fails, but with a 404 error in /var/log/. Trying to retrieve the file via wget results in the appropriate 403 error. How can I retrieve private files from S3? My file clause looks like: "files" : { "/etc/httpd/conf/httpd.conf" : { "source" : "https://s3.amazonaws.com/myConfigBucket/httpd.conf" } }, I added an authentication clause

Is hard-coding the 'identity-pool id' for 'aws cognito' dangerous for security?

房东的猫 submitted on 2019-12-10 12:09:41
Question: I am using the AWS Cognito service for authentication with Unity3D. I wonder whether there is a security problem if the 'identity-pool id' is hardcoded into a script. For security, how do developers implement this? Is there anybody who can suggest something? Answer 1: If you plan on releasing the source code, exposing identities and authentication information is a bad idea. What you could do is make your code fetch the Identity Pool ID from a separate file and commit that file that has the connection string, or in this case,

AWS IAM: Allow EC2 instance to stop itself

对着背影说爱祢 submitted on 2019-12-10 10:34:17
Question: I'm trying to allow all EC2 instances in our AWS account to stop themselves (using an automated script that uses the AWS CLI). I try to do so by creating an AWS IAM role with the proper policy. However, I can't find how to define the policy to only allow instances to stop themselves (and not other instances). I tried with the following policy { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:StopInstances" ], "Resource": [ "${ec2:SourceInstanceARN}" ] } ] } But on

What are the possible capabilities of IAM in AWS?

大兔子大兔子 submitted on 2019-12-10 10:28:57
Question: One of my clients wants to understand the IAM feature before migrating a business application to the Amazon cloud. I have figured out two use cases which we can recommend to our client; these are:
Resource-Level Permissions for EC2
• Allow users to act on a limited set of resources within a larger, multi-user EC2 environment.
• Control which users can terminate which instances.
• Restricting a user's access to a single EC2 instance (currently not supported by Amazon APIs)
IAM Roles for Amazon EC2

Given the user's identity id, how to get the user's details from cognito user pool?

谁说我不能喝 submitted on 2019-12-10 09:35:54
Question: The user uploads an image to his/her subfolder on S3. The only way this can be enforced with policy is by using the identity id: arn:aws:s3:::thebucket/${cognito-identity.amazonaws.com:sub}/avatar.jpg A lambda that transforms that image is triggered, and saves the transformations to a different S3 bucket. But now, with the identity id at my disposal, that lambda needs to update the user's db record with the references to the avatar transformations. This is where the issue is evident, I only have the