amazon-iam

Correct S3 Policy For Pre-Signed URLs

我的梦境 提交于 2019-12-09 17:29:43
问题 I need to issue pre-signed URLs for allowing users to GET and PUT files into a specific S3 bucket. I created an IAM user and use its keys to create the pre-signed URLs, and added a custom policy embedded in that user (see below). When I use the generated URL, I get an AccessDenied error with my policy. If I add the FullS3Access policy to the IAM user, the file can be GET or PUT with the same URL, so obviously, my custom policy is lacking. What is wrong with it? Here's the custom policy I am

AWS Firehose cross region/account policy

有些话、适合烂在心里 提交于 2019-12-09 04:14:29
I am trying to create Firehose streams that can receive data from different regions in Account A, through AWS Lambda, and output into a redshift table in Account B. To do this I created an IAM role on Account A: { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "firehose.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } I gave it the following permissions: { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Action": [ "s3:AbortMultipartUpload", "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket", "s3

AWS cognito userpools JavaScript SDK get user's policy documents

丶灬走出姿态 提交于 2019-12-08 18:26:03
问题 For a registered user in AWS Cognito Userpools, is it possible to retrieve the policy documents attached to the user through IAM roles through JavaScript SDK? The user case is to write a custom authorizer which authorize cognito id token and return the policy document with the IAM permission, user is capable of assuming through Cognito User Groups. 回答1: After carrying out further research, following approach is used to retrieve 'inline policies' attached to the user through IAM roles. From

Rename an IAM Role

拜拜、爱过 提交于 2019-12-08 16:17:49
问题 I made a typo while creating an IAM role to allow a lambda function to access the cloudwatch logs and to create EC2 volumes snapshots. Is there any way to rename the role, whether by using the console or the AWS CLI ? 回答1: You cannot edit IAM roles after the role has been created. This is mentioned in several places, including when the role is created through the IAM console. And in several places in the docs. For Role name, type a role name to help identify the purpose of this role. Role

API gateway how to pass AWS IAM authorization from rest client

一曲冷凌霜 提交于 2019-12-08 15:44:59
问题 I am trying to test authenticated API gateway endpoint from rest client. How to I generate/set the "AWS_IAM" authorization headers when making the request ? 回答1: You can use Cognito with a "public" pool id, then attach role to the Cognito pool id, the role being accessing your API GATEWAY AWS.config.credentials = new AWS.CognitoIdentityCredentials({ IdentityPoolId: 'REGION:YOUR_POOL_ID', }); Use AWS STS to get temporary credentials with limited privileges. After that you can use API Gateway

The policy failed legacy parsing

你。 提交于 2019-12-08 14:30:11
问题 I am trying to create IAM Role in AWS, but while I am creating I am facing error "We encountered the following errors while processing your request: Problem in attaching permission to role. Role will be created without permission. The policy failed legacy parsing " {"Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:*" }, { "Action": [ "sqs:SendMessage", "sqs:GetQueueUrl"

Amazon S3 objects: is it possible to restrict public read policy to some IP adresses only ?

时间秒杀一切 提交于 2019-12-08 09:54:08
问题 A have a bucket with a public read policy. Now I want to restrict access to some of the objects in order to be accessible only from some IP adresses. Is this possible? I also plan to add CloudFront. What should I do to keep the same settings on each object? Thanks! 回答1: You can use S3 bucket policy. But instead of individual files it will be applied to individual folders in the bucket. You can use policy like the following: { "Version": "2008-10-17", "Id": "testPolicy", "Statement": [ { "Sid"

What policy templates should an AWS IAM user have in order to deploy an EB application?

僤鯓⒐⒋嵵緔 提交于 2019-12-08 09:39:04
问题 What policy templates should an AWS IAM user have in order to deploy and maintain an EB application (e.g. website code from a client machine)? IAMReadOnlyAccess plus PowerUserAccess seem sufficient, but I'm wondering whether the latter is overkill. Can I restrict policies to a single EB instance or application? 回答1: When you create an IAM role in the Web Console, there is a pre-defined role called ElasticBeanstalkFullAccess . This will give you full permission to all underlying resources that

How to generate the AWS root account ARN in CloudFormation?

*爱你&永不变心* 提交于 2019-12-08 07:28:52
问题 The situation I am generating a KMS Key in CloudFormation. According to the KMS policy documentation, it is crucial to create a policy where the Principal is the account itself, in order for IAM policies to be able to grant access to the key. The question How can I create the ARN for the account root in CloudFormation? 回答1: The answer { "Fn::Join":[ ":", [ "arn:aws:iam:", { "Ref":"AWS::AccountId" }, "root" ] ] } Why does this work? First, let's examine the line, "Ref":"AWS::AccountId" . This

IAM Group Policy for S3 bucket: deny folders but not files

不羁的心 提交于 2019-12-08 05:57:18
问题 this question references the same aws blog I've been trying to leverage in order to meet my needs, but without any success. I've been hacking on the solution in that answer AND the example policies it references all day without any success. I'm basically looking to allow different IAM groups full access to a common subfolder object within a bucket while selectively allowing/denying access to OTHER subfolders object based on group membership. Bucket structure: my-finance-bucket\ my-finance
订阅 amazon-iam