5,639 questions
1 vote, 0 answers, 19 views
How to capture IAM user identity in Aurora MySQL audit logs when connecting through AWS TEAM elevated access?
I’m using TEAM elevated access for AWS in my organization to temporarily access an Aurora MySQL cluster.
TEAM provides database access through a tunneled MySQL session using a generic database ...
0 votes, 1 answer, 48 views
AWS S3 SCP Policy to Prevent Disabling Public Access Block but Allow Re-enabling
I need to create an AWS IAM policy that prevents users from disabling the "Block all public access" configuration on S3 buckets, but still allows them to re-enable it if it was already ...
0 votes, 1 answer, 40 views
What is the correct IAM resource for allowing querying on CloudWatch metrics?
I have a nodejs service that queries CloudWatch metrics. Specifically, the AWS/ES namespace. For development I use a poweruser, so the access is straightforward and it works. But in deployed envs I ...
-1 votes, 1 answer, 59 views
AWS IAM permission policy for EC2 instances access doesn't work [closed]
I'm new to AWS and I want to restrict access for a group of users to have full access to EC2 services only. Below are the steps I did:
Created an IAM group named "EC2 Admins"
Created an ...
0 votes, 1 answer, 35 views
DP for AWS multi account role provision from central org
I have multiple AWS accounts linked to a single org account.
I would like to provision:
'IAM Admin' roles in each, with a policy which allows IAM:* such that it can create and provision policy for ...
1 vote, 0 answers, 30 views
Trust policy issues with 'dms-access-for-endpoint' IAM role
I'm building a DMS solution which pulls data from Azure SQL Server to Redshift. I'd like to limit the Trust Policy of the dms-access-for-endpoint role. All works fine with the basic setup, ie:
{
...
0 votes, 0 answers, 45 views
AWS S3: (403) when calling the HeadBucket operation: Forbidden
I have been trying for some time now to execute the following command in my AWS CodeBuild project:
aws s3api head-bucket --bucket my-bucket-name --region ca-central-1
Yet I get the following error ...
0 votes, 0 answers, 56 views
Using SSMSessionRunAs from a primary user when switching roles in the AWS console
We each have a primary AWS user account that we use to log in to the AWS console. We use Session Manager to access Linux instances, automatically logging in to them as a specific OS user based on the ...
1 vote, 1 answer, 149 views
Confluent Schema Registry upgrade causing IAM authorization error with AWS MSK Kafka
We are running Kafka in AWS using MSK. We're also using Confluent's Schema Registry to manage Avro schemas used with Kafka. We run the Schema Registry in a container. We are trying to upgrade our base ...
1 vote, 2 answers, 619 views
Connecting to Elasticache Valkey Using IAM Role
tl;dr Working in Go, and had to write my own token signing method to connect to a Valkey instance in Elasticache. Keep getting error: "WRONGPASS invalid username-password pair or user is disabled.&...
0 votes, 1 answer, 77 views
How to use CloudWatch Contributor Insights in DynamoDB if my organization only allows for it to be enabled using Machine Roles
Our team has been running into challenges with hot partitions and we have determined that Contributor Insights would be a great tool to use for future hot partitioning issues.
The problem is we do no ...
2 votes, 1 answer, 140 views
How to prevent transitive tags, which are set by EKS Pod Identity, from propagating?
When using EKS Pod Identity add-on, sessions are automatically tagged with transitive tags.
There are two issues with this:
All roles transitively must have sts:TagSession in their trust policy, ...
1 vote, 1 answer, 162 views
How to provide S3 bucket access to specific IAM Identity Center (AWS SSO) users while blocking access from other users?
My company has a root AWS account and child accounts. I don't have access to the root account, so I can't tell in detail what the exact hierarchy is. Users are managed through IAM Identity Center in ...
0 votes, 0 answers, 74 views
How to connect RDS MySQL db using IAM assumed role in Python
I have a service running in AWS account A1 and that has the AWS IAM role R1. My service is attached to a service account that has access to role R1.
Now I have an RDS MySQL cluster set up in a different ...
3 votes, 1 answer, 247 views
AWS Service IAM Roles - do they allow cross-account access by default (unless prohibited)?
AWS Service IAM Roles, including built-in ones, seem to often have trust policies like this, that specify no limits on the Source ARN or the Source Account of whatever service is trying to assume the ...
0 votes, 0 answers, 17 views
AWS Patching cross account connectivity
We are planning to implement the AWS Patch Manager solution to patch our Windows and Linux EC2 instances. We will be setting up a WSUS/Satellite server in a shared account and, in the client account (...
2 votes, 1 answer, 82 views
How to hide a specific DynamoDB attribute from the AWS Console?
I'm trying to hide a sensitive DynamoDB attribute from being visible in the AWS Console for certain IAM users viewing a specific DynamoDB table.
I tried this approach (and many variations of it):
{
&...
0 votes, 0 answers, 183 views
AppConfig:StartConfigurationSession managed IAM policy attached to the Amplify unauthorized user role is being ignored
I'm using Amplify Gen.2 with custom CDKs to deploy my AWS backend for my iOS app written in Swift.
One of the CDK constructs implements the AWS AppConfig service, that's also where I'm setting the ...
0 votes, 0 answers, 282 views
How do I create a correct signature for AWS Elasticache IAM authentication in C#?
I have been trying to authenticate with an Elasticache cluster using IAM authentication in .NET8 and failing with the following error:
Unhandled exception. StackExchange.Redis....
0 votes, 1 answer, 925 views
AWS Opensearch serverless 403 Forbidden when calling inside an ECS task with java OpensearchClient
I have set up a serverless collection. From my local environment I can put and search the index with java OpensearchClient
this.client = new OpenSearchClient(
new AwsSdk2Transport(
...
0 votes, 0 answers, 80 views
IAM aws-cli commands having issues in gov?
I have an account in us-gov-west-1 region.
Inside the AWS console cloudshell, I'm trying to run aws-cli commands. It looks like IAM calls fail, but others work.
Every time I'm trying to run an IAM ...
-1 votes, 1 answer, 115 views
Unable to get updated image from ECR using docker compose --pull
I have a private AWS ECR which holds my private docker image. I'm pulling and running this image from within an EC2 in the same account as the private repo. ECR Helper is installed, configured, and ...
1 vote, 1 answer, 400 views
Do I need AmazonECSTaskExecutionRolePolicy as a task role in aws ecs Fargate
I am running an AWS ECS Fargate task. I have noticed that in the task roles both the task role and the task execution role are set to ecstaskexecutionrole, which contains the AmazonECSTaskExecutionRolePolicy. I ...
-2 votes, 1 answer, 82 views
Accessing AWS resources from outside of AWS ecosystem
I have a SpringBoot application that is running on EC2 as a docker container and it is accessing S3, Postgres and Kafka (MSK). The app is doing video processing and using GPUs. I am planning to ...
0 votes, 1 answer, 46 views
Access Key not being accepted after creation
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials....