How to look for an access key in AWS. Find the account.
$ aws sts get-access-key-info --access-key-id AKIA8XXXXXXXXXXXXXXX { "Account": "XXXXXXXXXXXX" } |
cloud engineer
by Ulysses
How to look for an access key in AWS. Find the account.
$ aws sts get-access-key-info --access-key-id AKIA8XXXXXXXXXXXXXXX { "Account": "XXXXXXXXXXXX" } |
$ aws sts get-access-key-info --access-key-id AKIA8XXXXXXXXXXXXXXX { "Account": "XXXXXXXXXXXX" }
by Ulysses
You are probably wondering how the sudoers file works. Here’s a simple explanation.
Command
username host=(user:group) tag:commands |
username host=(user:group) tag:commands
Explanation
Examples
root ALL=(ALL) ALL username ALL=(ALL) ALL john test=(ALL) NOPASSWD: /bin/useradd jane ALL=(sales) NOPASSWD: /bin/sh %sudo ALL=(ALL) ALL %adgroup ALL=(ALL) ALL |
root ALL=(ALL) ALL username ALL=(ALL) ALL john test=(ALL) NOPASSWD: /bin/useradd jane ALL=(sales) NOPASSWD: /bin/sh %sudo ALL=(ALL) ALL %adgroup ALL=(ALL) ALL
by Ulysses
Here’s the permission needed for an AWS user to manage their own IAM account. The policy allows them to view their own account information, change their own passwords, rotate access keys and certificates, and manage their own git credentials.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowViewAccountInfo", "Effect": "Allow", "Action": [ "iam:GetAccountPasswordPolicy", "iam:GetAccountSummary" ], "Resource": "*" }, { "Sid": "AllowManageOwnPasswords", "Effect": "Allow", "Action": [ "iam:ChangePassword", "iam:GetUser" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnAccessKeys", "Effect": "Allow", "Action": [ "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:GetAccessKeyLastUsed", "iam:ListAccessKeys", "iam:UpdateAccessKey" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnSigningCertificates", "Effect": "Allow", "Action": [ "iam:DeleteSigningCertificate", "iam:ListSigningCertificates", "iam:UpdateSigningCertificate", "iam:UploadSigningCertificate" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnSSHPublicKeys", "Effect": "Allow", "Action": [ "iam:DeleteSSHPublicKey", "iam:GetSSHPublicKey", "iam:ListSSHPublicKeys", "iam:UpdateSSHPublicKey", "iam:UploadSSHPublicKey" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnGitCredentials", "Effect": "Allow", "Action": [ "iam:CreateServiceSpecificCredential", "iam:DeleteServiceSpecificCredential", "iam:ListServiceSpecificCredentials", "iam:ResetServiceSpecificCredential", "iam:UpdateServiceSpecificCredential" ], "Resource": "arn:aws:iam::*:user/${aws:username}" } ] } |
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowViewAccountInfo", "Effect": "Allow", "Action": [ "iam:GetAccountPasswordPolicy", "iam:GetAccountSummary" ], "Resource": "*" }, { "Sid": "AllowManageOwnPasswords", "Effect": "Allow", "Action": [ "iam:ChangePassword", "iam:GetUser" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnAccessKeys", "Effect": "Allow", "Action": [ "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:GetAccessKeyLastUsed", "iam:ListAccessKeys", "iam:UpdateAccessKey" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnSigningCertificates", "Effect": "Allow", "Action": [ "iam:DeleteSigningCertificate", "iam:ListSigningCertificates", "iam:UpdateSigningCertificate", "iam:UploadSigningCertificate" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnSSHPublicKeys", "Effect": "Allow", "Action": [ "iam:DeleteSSHPublicKey", "iam:GetSSHPublicKey", "iam:ListSSHPublicKeys", "iam:UpdateSSHPublicKey", "iam:UploadSSHPublicKey" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnGitCredentials", "Effect": "Allow", "Action": [ "iam:CreateServiceSpecificCredential", "iam:DeleteServiceSpecificCredential", "iam:ListServiceSpecificCredentials", "iam:ResetServiceSpecificCredential", "iam:UpdateServiceSpecificCredential" ], "Resource": "arn:aws:iam::*:user/${aws:username}" } ] }
by Ulysses
Here’s a standard S3 policy to grant an IAM user access to a bucket within an AWS account. User is allowed to add, update, and delete objects. These 3 actions s3:ListAllMyBuckets, s3:GetBucketLocation, and s3:ListBucket are the additional permissions required to access the console. Also, the s3:PutObjectAcl and the s3:GetObjectAcl actions are required to be able to copy, cut, and paste objects within the console.
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:ListAllMyBuckets" ], "Resource":"arn:aws:s3:::*" }, { "Effect":"Allow", "Action":[ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource":"arn:aws:s3:::examplebucket" }, { "Effect":"Allow", "Action":[ "s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectAcl", "s3:DeleteObject" ], "Resource":"arn:aws:s3:::examplebucket/*" } ] } |
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:ListAllMyBuckets" ], "Resource":"arn:aws:s3:::*" }, { "Effect":"Allow", "Action":[ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource":"arn:aws:s3:::examplebucket" }, { "Effect":"Allow", "Action":[ "s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectAcl", "s3:DeleteObject" ], "Resource":"arn:aws:s3:::examplebucket/*" } ] }
by Ulysses
Here’s how to add an AWS user using the CLI.
aws iam create-user --user-name john.doe \ --tags Key='Name',Value='John Doe' Key='Role',Value='Admin' |
aws iam create-user --user-name john.doe \ --tags Key='Name',Value='John Doe' Key='Role',Value='Admin'
Create an access key for the user.
aws iam create-access-key --user-name john.doe |
aws iam create-access-key --user-name john.doe
by Ulysses
If unable to login via SSH, check the /etc/ssh/sshd_config for AllowGroups.
AllowGroups root groupname |
AllowGroups root groupname
It’s case sensitive.
by Ulysses
Give Instances access to other cloud services using scopes.
gcloud alpha compute instances set-scopes instance-name \ --project project-name --zone us-central1-a \ --scopes=cloud-platform,cloud-source-repos,compute-rw,storage-rw |
gcloud alpha compute instances set-scopes instance-name \ --project project-name --zone us-central1-a \ --scopes=cloud-platform,cloud-source-repos,compute-rw,storage-rw