How to look for an access key in AWS. Find the account.
$ aws sts get-access-key-info --access-key-id AKIA8XXXXXXXXXXXXXXX { "Account": "XXXXXXXXXXXX" } |
access
Sudoers File Explained
You are probably wondering how the sudoers file works. Here’s a simple explanation.
Command
username host=(user:group) tag:commands |
Explanation
-
- username – the specified user allowed to run commands.
- host – the specified host the command is allowed to run.
- user – specifies which users can use the command.
- group – specifies which groups can run the command.
- tag – the option allowed. NOPASSWD
- command – the command allowed to run.
Examples
root ALL=(ALL) ALL username ALL=(ALL) ALL john test=(ALL) NOPASSWD: /bin/useradd jane ALL=(sales) NOPASSWD: /bin/sh %sudo ALL=(ALL) ALL %adgroup ALL=(ALL) ALL |
AWS IAM Self Manage Policy
Here’s the permission needed for an AWS user to manage their own IAM account. The policy allows them to view their own account information, change their own passwords, rotate access keys and certificates, and manage their own git credentials.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowViewAccountInfo", "Effect": "Allow", "Action": [ "iam:GetAccountPasswordPolicy", "iam:GetAccountSummary" ], "Resource": "*" }, { "Sid": "AllowManageOwnPasswords", "Effect": "Allow", "Action": [ "iam:ChangePassword", "iam:GetUser" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnAccessKeys", "Effect": "Allow", "Action": [ "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:GetAccessKeyLastUsed", "iam:ListAccessKeys", "iam:UpdateAccessKey" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnSigningCertificates", "Effect": "Allow", "Action": [ "iam:DeleteSigningCertificate", "iam:ListSigningCertificates", "iam:UpdateSigningCertificate", "iam:UploadSigningCertificate" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnSSHPublicKeys", "Effect": "Allow", "Action": [ "iam:DeleteSSHPublicKey", "iam:GetSSHPublicKey", "iam:ListSSHPublicKeys", "iam:UpdateSSHPublicKey", "iam:UploadSSHPublicKey" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnGitCredentials", "Effect": "Allow", "Action": [ "iam:CreateServiceSpecificCredential", "iam:DeleteServiceSpecificCredential", "iam:ListServiceSpecificCredentials", "iam:ResetServiceSpecificCredential", "iam:UpdateServiceSpecificCredential" ], "Resource": "arn:aws:iam::*:user/${aws:username}" } ] } |