amazon-iam

I'm attempting to introduce a guest IAM policy to restrict the access to the EC2 instances. I'm trying to reach that, the guest policy shows only that instances, which is not tagged with 'Department' or tagged with 'Department = Guest'. Here is the policy, that I made for this: Policy: { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "ec2:Describe*" ], "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/Department": "Guest" }, "Null": { "ec2:ResourceTag/Department": "true" } } } ]} The "Department = Guest" comparison is working

I am trying to use newly added User Groups in User Pool and integrate the same with Federated Identities. I followed these steps: Create Groups in user pool with roles created in IAM having separate policies Create User and add them to user groups Create an Identity Pool and add that Cognito provider under Authentication providers using app id and client id. Here I don't get Authenticated role selection under which I have to select Choose role from token I Save Changes and generate the default policies for authenticated and unauthenticated users After the Identity Pool creation i edit it to

This is part of the code of my template.yml in Cloud9: Type: 'AWS::Serverless::Function' Properties: Handler: index.handler Runtime: nodejs6.10 CodeUri: . Description: Updates records in the AppConfig table. MemorySize: 128 Timeout: 3 Role: 'arn:aws:iam::579913947261:role/FnRole' Events: Api1: Type: Api Properties: When I commit the changes in Cloud9, deployment fails at CodePipeline Deploy stage while trying ExecuteChangeSet . I get this error: CloudFormation is not authorized to perform: iam:PassRole on resource Can anyone help? While I can't say specifically what happened in your situation,

I am trying to write an IAM policy which will control access to EC2 instances. All EC2 instances will have a custom tag called username and only if the tag value matches the logged in user's user name, will that user have access to that EC2 instance. This is what I came up with: { "Version": "2012-10-12", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/username": "arn:aws:iam::account-number-without-hyphens:user/username1" } } } ] } I am sure you see the problem here. I don't want to hard code the username value on the

I am trying to give a programmatic IAM user access to a single bucket. I setup the following policy and attached it to the user: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::mybucket" ] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::mybucket/*" ] } ] } Trying to programatically upload a file I got a 403. I got this policy from here: Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket I verified that everything else is working by then

I'm using AWS IAM STS (via boto) to create credentials for my accessing an S3 bucket. I'm at a loss as to what's wrong in the following policy. I've simplified my policy down as much as possible and am still getting unexpected results. When I get the token for the user I attach the following policy: user_policy_string = r'{"Statement":[{"Effect":"Allow","Action": "s3:*","Resource":"arn:aws:s3:::*"}]}' This works, but is obviously a little too permissive. In narrowing down the permissions associated with these credentials I attempt to use the same policy, but specify the bucket: user_policy