Can we use AWS Lambdas to check if any mandatory policy is not missing for all newly created roles - amazon-s3

How can we make sure that a particular policy (say, an S3 bucket access restriction policy) is attached to all newly created roles?
Can we write a Lambda that gets triggered only when a new role is created, checks it, and attaches the required policies if they are missing?
The AttachRolePolicy API can be used to attach a policy to a role. Are there any examples available in AWS Lambda to get this done?
Does Terraform provide any such readily available modules that can be referred to in this context?

Yes, this is possible. You can configure a lambda function that's triggered by EventBridge via CloudTrail when a specific AWS API is called. Take a look at the doc here. Since this is pretty simple, I don't think there is a specific module created for this. You can write your own directly based on the resources in the AWS provider.
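As an added example (not code from either answer above), here is the EventBridge-triggered Lambda the question asks for: it picks the role name out of a CloudTrail CreateRole record, lists the role's attached managed policies, and attaches the required one only when it is missing. The policy ARN, the FakeIam stand-in and SAMPLE_EVENT are constructed placeholders; in a real deployment the execution role needs iam:ListAttachedRolePolicies and iam:AttachRolePolicy.

```python
import os

# Placeholder ARN for the policy every new role must carry (set via environment in a real deployment).
REQUIRED_POLICY_ARN = os.environ.get("REQUIRED_POLICY_ARN",
                                     "arn:aws:iam::123456789012:policy/S3BucketAccessRestriction")

def role_name_from_event(event):
    """Return the new role's name, or None if this is not an IAM CreateRole record.
    The EventBridge rule should filter on source aws.iam, detail-type
    "AWS API Call via CloudTrail" and eventName CreateRole; this re-checks it defensively."""
    detail = event.get("detail", {})
    if detail.get("eventSource") != "iam.amazonaws.com" or detail.get("eventName") != "CreateRole":
        return None
    return detail.get("requestParameters", {}).get("roleName")

def ensure_policy_attached(iam, role_name, policy_arn=REQUIRED_POLICY_ARN):
    """Attach policy_arn unless already present; walks paginated ListAttachedRolePolicies output."""
    kwargs = {"RoleName": role_name}
    while True:
        page = iam.list_attached_role_policies(**kwargs)
        if any(p["PolicyArn"] == policy_arn for p in page["AttachedPolicies"]):
            return "present"
        if not page.get("IsTruncated"):
            break
        kwargs["Marker"] = page["Marker"]
    iam.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
    return "attached"

def lambda_handler(event, context=None, iam=None):
    """Lambda entry point; an IAM client can be injected for offline testing."""
    if iam is None:
        import boto3  # real Lambda path; the offline demo injects FakeIam instead
        iam = boto3.client("iam")
    role_name = role_name_from_event(event)
    if role_name is None:
        return {"status": "ignored"}
    return {"status": ensure_policy_attached(iam, role_name), "role": role_name}

class FakeIam:
    """Constructed stand-in for the boto3 IAM client so the example runs offline."""
    def __init__(self, attached):
        self.attached = {role: list(arns) for role, arns in attached.items()}
    def list_attached_role_policies(self, RoleName, Marker=None):
        return {"AttachedPolicies": [{"PolicyArn": a} for a in self.attached[RoleName]], "IsTruncated": False}
    def attach_role_policy(self, RoleName, PolicyArn):
        self.attached[RoleName].append(PolicyArn)

# Constructed event in the shape EventBridge delivers for a CloudTrail-recorded CreateRole call.
SAMPLE_EVENT = {"source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
                "detail": {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
                           "requestParameters": {"roleName": "NewAppRole"}}}
```

Running `lambda_handler(SAMPLE_EVENT, iam=FakeIam({"NewAppRole": []}))` returns `{"status": "attached", "role": "NewAppRole"}`; a second call on the same client returns `"present"`.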

The Python SDK for AWS, Boto3, has multiple APIs that can be used for tasks like adding a role, a policy, etc. It is very simple and the documentation is awesome.
https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html
An example to attach a policy to an existing role:
import boto3

# attach_role_policy is a method of the low-level IAM client, not of boto3.resource('iam')
client = boto3.client('iam')
response = client.attach_role_policy(
    PolicyArn='arn:aws:iam::aws:policy/ReadOnlyAccess',
    RoleName='ReadOnlyRole',
)
Similarly, other clients can be grabbed for other AWS services.

Related

Cross account codepipeline using pull method

I'm trying to create a cross-account CodePipeline and there is no appropriate document for this scenario.
Account A has an S3 bucket with a YAML file.
Account B will have the CodePipeline.
The Account B CodePipeline should have S3 from Account A as the source in the source stage and a CloudFormation deploy method in the deploy stage. Can someone please help with what roles and other requirements have to be fulfilled to achieve this task?
There are two things that you need to make this work.
Your bucket needs to use a customer KMS key, not the default. This is because you can't grant permissions to another account to use the default key, meaning another account can't decrypt the data in the bucket. You need to grant permission in the key policy to allow the other account to decrypt using that key. Ideally not just to the entire account, but the role that is being used in your CodePipeline source step.
You have to grant access to the other account in your S3 bucket policy. Ideally not just to the entire account, but the role that is being used in your CodePipeline source step.
I have a project that does some of this using organizations. It isn't exactly what you want, in that the CodePipeline in my project lives in "AccountT" and the pipeline runs CloudFormation (or other things) run in "Account-B". So in my case only CloudFormation is reaching back to the bucket in "AccountT". I don't think it should be a big change to modify it to work the way you need it to work. My project is largely based off this AWS article.

Allow API users to run AWS Lambda using execution role from Cognito identity pool

I'm using AWS amplify to create an app, where users can upload images using either private or public file access levels, as described in the documentation. Besides this, I've implemented a lambda function which upon request through API gateway modifies an image and returns a link to the modified image.
What I want is that a given user should be able to call the API and modify only his own images, but not that of other users; i.e. allow the AWS lambda function to use the execution role from the cognito user. If I allow the lambda function to access all data in the S3 bucket then it works fine - but I don't want users to be able to access other users images.
I've been at it for a while now, trying different things to no avail.
Now I've integrated the API with the user pool as described here:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html
And then I've tried to follow this guide:
https://aws.amazon.com/premiumsupport/knowledge-center/cognito-user-pool-group/
which does not work, since "cognito:roles" is not present in the event variable of the lambda_handler (presumably because there are no user pool groups?).
What would the right way be to go about this in an AWS Amplify app?
Primarily, I've followed this guide:
https://aws.amazon.com/premiumsupport/knowledge-center/cognito-user-pool-group/
Use API Gateway request mapping and check permissions in Lambda itself:
Use API Gateway request mapping to pass context.identity.cognitoIdentityId to Lambda. It just needs to be a Lambda integration with a mapping (not a proxy integration). Another limitation is that the API request should be a POST; for GET it's also possible if you map cognitoIdentityId to the query string.
Lambda has access to all files in S3
Implement the access control check in Lambda itself. Lambda can read all permissions of the file in S3 and then see if the owner is the Cognito user.
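An added example (not the answerer's code) of the approach described in this answer: a non-proxy integration mapping template hands the caller's Cognito identity id to Lambda, and the handler refuses to touch any object the caller does not own before doing any image work. The ownership check here is a key-prefix check under an assumed `private/<identityId>/` layout rather than reading S3 object permissions, and `modify` is a hypothetical callable standing in for the real image processing.

```python
import os

# Mapping template for the API Gateway integration request (non-proxy Lambda
# integration, Content-Type application/json). $context.identity.cognitoIdentityId
# is filled in by API Gateway, so the caller cannot forge it in the request body.
MAPPING_TEMPLATE = """{
  "identityId": "$context.identity.cognitoIdentityId",
  "key": $input.json('$.key')
}"""

def owner_prefix(identity_id):
    """Assumed layout: a user's own objects live under private/<identityId>/."""
    return f"private/{identity_id}/"

def is_authorized(identity_id, key):
    """Allow only keys inside the caller's own prefix; unauthenticated calls get nothing."""
    if not identity_id or not key:
        return False
    return key.startswith(owner_prefix(identity_id))

def modified_key(key):
    """Where the modified image is written: same folder, '-modified' before the extension."""
    base, ext = os.path.splitext(key)
    return f"{base}-modified{ext}"

def lambda_handler(event, context=None, modify=None):
    """event is the object produced by MAPPING_TEMPLATE, not a proxy-integration event.
    modify(src_key, dst_key) is a hypothetical hook for the real image work and is
    only invoked after the ownership check passes."""
    identity_id = event.get("identityId")
    key = event.get("key")
    if not is_authorized(identity_id, key):
        # Fail closed: never read or write another user's object
        return {"statusCode": 403, "body": "forbidden"}
    dst = modified_key(key)
    if modify is not None:
        modify(key, dst)
    return {"statusCode": 200, "body": {"modifiedKey": dst}}
```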

Creating an AWS S3 Client to be used within Lambda

Normally, when I want to create an S3 client for an application that is running on my local machine, I do something like this:
val client = new AmazonS3EncryptionClient(new BasicAWSCredentials(ACCESS_KEY, SECRET_KEY), encryptionMaterials)
When I run within Lambda though, I expect I shouldn't need the credentials part because that's handled by the role Lambda assumes. How do I do that?
In your Lambda console, there is a panel where you can set the IAM role used by your Lambda function.
You can then configure that role and attach policies to it by going to your IAM Management Console.

How to create programmatically an AWS Console enabled user

I'm trying to programmatically add a "working" AWS account via the API.
Actually I'm performing these operations:
Authentication
CreateUser (login)
CreateLoginProfile (password)
When I go to the AWS console I get an error, and if I look at the accounts linked to the Organization I can't find my new account.
But if I go to https://console.aws.amazon.com/iam/home#/home the user is there.
Am I missing something? Is there any difference between USER and ACCOUNT?
Of course USER and ACCOUNT are different. An account contains users and other resources (S3 bucket, EC2 instance).
If you want to create a new AWS account, you need to use the Organizations API.
See:
create-account in the AWS CLI
CreateAccount documentation

AWS Lambda working with S3

I want to create a Python Lambda function to take uploaded s3 images and create a thumbnail version of them.
I have permission problems where I cannot get access to my bucket. I understand that I need to create a bucket policy. I don't understand how I can make a policy which works for a lambda request performing the thumbnail process?
It sounds like you want to do the following:
Fire the Lambda whenever something is uploaded to your bucket
Read a file from the bucket
Write a (thumbnail) file back to the bucket
You'll need 3 different permissions to do that:
The S3 service will need permission to invoke your lambda function (this is done for you when you add an S3 event source via the AWS Lambda console).
The lambda execution role (the one selected on the Configuration tab of the Lambda Console) will need read/write access to call S3. You can generate a policy for this on the policy generator by selecting IAM Policy from the drop down and then selecting the S3 permissions you need.
For added security, you can set a bucket policy on S3 to only allow the lambda function to access it. You can generate this from the policy generator as well by selecting S3 policy. You would then enter lambda.amazonaws.com as the Principal.