amazon-iam

问题 Thanks a lot for your help in advance I'm trying to setup my AWS Neptune environment by following the instruction at https://docs.aws.amazon.com/neptune/latest/userguide/get-started.html . The setup seems to be fine, and I could check the status by using the Neptune Notebook install. The status message as: { "status": "healthy", "startTime": "Tue May 12 04:24:52 UTC 2020", "dbEngineVersion": "1.0.2.2.R2", "role": "writer", "gremlin": { "version": "tinkerpop-3.4.3" }, "sparql": { "version":

问题 I want to allow some roles from a different account to assume a role in my account. I don't want to specify the roles one by one, because they're prone to change frequently. I came up with this policy for the Trust Relationship, which should allow any role which name ends with _my_suffix , but it doesn't work (access is denied): { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::ACCOUNT_NR_A:root" }, "Condition": { "ArnLike": { "aws:SourceArn":

问题 I want to allow some roles from a different account to assume a role in my account. I don't want to specify the roles one by one, because they're prone to change frequently. I came up with this policy for the Trust Relationship, which should allow any role which name ends with _my_suffix , but it doesn't work (access is denied): { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::ACCOUNT_NR_A:root" }, "Condition": { "ArnLike": { "aws:SourceArn":

问题 How can I allow all members of a Group to assume a Role in AWS IAM? I tried Using the following statement but as specified in AWS IAM Principal Element, a Group can not be a Principal. I want to achieve something like below: { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::***:group/developer" }, "Action": "sts:AssumeRole" } ] } The idea is that all members of the group group/developer should be able to assume the role. The

问题 I have a Bucket Policy (listed below) that is supposed to prevent access to an S3 bucket when accessed from anywhere other than a specific VPC. I launched an EC2 instance in the VPC, tested and confirmed that S3 access works fine. Now, when I access the same S3 bucket over web console, I get 'Error - Access Denied' message. Does this mean that aws:SourceVpc condition key is present in the request context when interacting with S3 over web console as well? My assumption is that it is present in

问题 I have a Bucket Policy (listed below) that is supposed to prevent access to an S3 bucket when accessed from anywhere other than a specific VPC. I launched an EC2 instance in the VPC, tested and confirmed that S3 access works fine. Now, when I access the same S3 bucket over web console, I get 'Error - Access Denied' message. Does this mean that aws:SourceVpc condition key is present in the request context when interacting with S3 over web console as well? My assumption is that it is present in

问题 I am using Terraform to construct our applications infrastructure, its been executed from a container. At the beginning I have attached a IAM (AWS) role which basically provide the container with Admin permissions (which is a mistake, i know). Now i need to create a role that is minimal for the existing state. I have a lot of services and resources in that terraform plan. Is there a tool that can read a state or a plan and generate a list of necessary IAM policies? Or what would be the best

问题 Using Dynamo DB for my application. I have some critical reference values and want to keep those in DynamoDB. I am not very sure about this but can we have a policy or way to restrict that DynamoDb table access from any VPC? Thanks Kiran 回答1: Limiting access from a VPC is not possible, since DynamoDB operates as a regional manage service outside your VPC. However there are several other ways to implement access control to Dynamodb. 1) Using IAM user access keys and policies 2) Using federated

问题 I am trying to query Athena View from my Lambda code. Created Athena table for S3 files which are in different account. Athena Query editor is giving me below error: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; I tried accessing Athena View from my Lambda code. Created Lambda Execution Role and allowed this role in Bucket Policy of another account S3 bucket as well like below: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS"

问题 I am trying to query Athena View from my Lambda code. Created Athena table for S3 files which are in different account. Athena Query editor is giving me below error: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; I tried accessing Athena View from my Lambda code. Created Lambda Execution Role and allowed this role in Bucket Policy of another account S3 bucket as well like below: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS"