I have a personal Amazon account which I use to do a lot of shopping. I also recently linked this account to AWS. Now at work, some guys are doing experiments with Amazon using my account. How can I let them access the admin console, etc without giving them my Amazon credentials. I am not willing to share my Amazon shopping history or other things I use on Amazon, just the cloud services such as EC2 and S3.
What they need is access to the full admin console, and any monitoring tools on AWS.
Use AWS Identity and Access Management (IAM).
AWS Identity and Access Management (IAM) enables you to securely
control access to AWS services and resources for your users. Using IAM
you can create and manage AWS users and groups and use permissions to
allow and deny their permissions to AWS resources
Related
We've implemented AWS SSO authentication with ActiveDirectory, corporate wise, for all our users. We use multiple AWS sub-accounts, so that ActiveDirectory users can connect to different AWS sub-accounts with their AD credentials, according to the AD group association with AWS policies.
This all works pretty well, however, it is not clear to me, how to implement following authorization properly. Some of our accounts have S3 buckets which should be available for all the users authenticated by the SSO, without regards of the user access rights.
What is the right way to organize that?
I'm a newbie in AWS infrastructure, and I can't figure out how to build auth process which I want.
I want to have something similar to what other cloud storages, like Box, Dropbox, Onedrive have:
developer registeres OAuth app with a set of permissions
client with one click can give a consent for this app to have listed permissions on his own account and it's content, eternally, until consent is deliberately withdrawn
Now, as far as I understand, client should go to console and create a user, create a role for him, then send this user's id and key to my app, which is not that convinient. I'm looking for a most easy and simple way to do that.
I've tested "Login with Amazon" + "Amazon Cognito", but it turned out as a completely opposite mechanism: client should set up Login, link it to Cognito, to provide me one click access.
So, is it even possible? Which is the best way to implement such auth process?
There isn't a way to do what you're trying to do, and I would suggest that there's a conceptual problem with comparing Amazon S3 to Dropbox, Box, or Onedrive -- it's not the same kind of service.
S3 is a service that you could use to build a service like those others (among other purposes, of course).
Amazon Simple Storage Service (Amazon S3), provides developers and IT teams with secure, durable, highly-scalable cloud storage.
https://aws.amazon.com/s3/
Note the target audience -- "developers and IT teams" -- not end-users.
Contrast that with Amazon Cloud Drive, another service from Amazon -- but not part of AWS.
The Amazon Cloud Drive API and SDKs for Android and iOS enable your users to access the photos, videos, and documents that they have saved in the Amazon Cloud Drive, and provides you the ability to interact with millions of Amazon customers. Access to the free Amazon Cloud Drive API and SDKs for Android and iOS enable you to place your own creative spin on how users upload, view, edit, download, and organize their digital content using your app.
https://developer.amazon.com/public/apis/experience/cloud-drive/
The only way for your app to access your app's user's bucket would be for the user to configure and provide your app with a key and secret, or to configure their bucket policy to allow the operation by your app's credentials, or to create an IAM role and allow your app to assume it on their behalf, or something similar within the authentication and authorization mechanisms in AWS... none of which sound like a good idea.
There's no OAuth mechanism for allowing access to resources in an AWS account.
I am new to S3 and am wonding how I could protect access to S3 or cloud front via Basic Authentification while installing a private certificate into Chrome, that allows access. Is there anything like this?
It is not possible to use Basic Authentication with Amazon S3 nor Amazon CloudFront.
Amazon S3 access can be controlled via one or more of:
Access Control List on the object level
Amazon S3 Bucket Policy
AWS Identity and Access Management (IAM) Policy
Amazon CloudFront has its own method of controlling access via signed URLs and signed cookies.
Is there any specific way to create a Cognito Identity Pool in a Amazon DynamoDB local setup? I have already setup the javascript shell and created several tables and have queried it. I need to provide a authenticated mode user login (Facebook, Amazon, Google) for my node application. I found several tutorials about how to set it up using AWS DynamoDB, but I need to know how I can create it using a local DynamoDB without accessing AWS DynamoDB.
Amazon DynamoDB local doesn't validate credentials, so it doesn't matter how you set up the Amazon Cognito identity pool or the roles for the pool. You will be able to interact with the CognitoCredentials object the same way if you are using Amazon DynamoDB or DynamoDB local.
It is important to note that you will not hoever be able to validate fine-grained access control unless you use the full service, again because DynamoDB local doesn't validate credentials.
I am exploring IAM Roles. I am wondering how roles can be accessed on behalf of a user on EC2.
Any help is highly appreciated.
Thanks
You usually do not have to do anything special after launching an EC2 instance with an IAM Role for Amazon EC2 (I figure from your duplicate questions, that you've already done this), conceptually all you have to do are the following steps:
create an IAM role for EC2
configure IAM policies for that role to match your use case
launch an EC2 isntance with your IAM role
use IAM role aware tools, which will pick up the credentials from the role automatically
Let me stress the last aspect again: you do not need to do anything but configure the required IAM credentials on the role and IAM role aware tools will pick the resulting credentials up automatically from the EC2 instance metadata!
If you really must (but you shouldn't, see next paragraph), you could do the same yourself as explained in Retrieving Security Credentials from Instance Metadata.
In particular, you should use AWS only by one of the following means for everything but highly special use cases:
Command Line Usage
Unix/Linux/Windows - use the AWS Command Line Interface, which is a unified tool to manage your AWS services.
see Option #3 within AWS Credentials regarding the IAM role support
Windows only - use the AWS Tools for Windows PowerShell , which lets developers and administrators manage their AWS services from the Windows PowerShell scripting environment.
see section IAM Roles for EC2 Instances and the AWS Tools for Windows PowerShell within AWS Credentials regarding the IAM role support
Programmatic Usage
Use the appropriate AWS SDK for your language of choice, see Tools for Amazon Web Services for an extensive listing of what's available.
see each SDK's documentation for details regarding the IAM role support (again, it will just work once you have implemented steps 1-3 above correctly).