Uly.me

cloud engineer

iam

AWS List Account Aliases

Here’s how to list account aliases. I have four profiles in my credentials. I’m looping through all four and printing the aliases.

#!/bin/bash
file='results-aws-account-aliases.txt'
> $file
declare -a account=("default" "one" "two" "three")
for i in "${account[@]}"
do
    echo '----------------------' >> $file
    echo 'Account: '$i >> $file
    aws iam list-account-aliases \
    --profile $i 
done

AWS CLI Search IAM UserID

Here’s how to search for an IAM user in AWS by filtering their access key.

aws iam list-users --query 'Users[?UserId==`AIDAxxxxxxxxxxxxxxxxx`]' \
--profile your-profile

The results only returns one user with that UserID.

[
    {
        "Path": "/",
        "UserName": "your-username",
        "UserId": "AIDAxxxxxxxxxxxxxxxxx",
        "Arn": "arn:aws:iam::xxxxxxxxxxxx:user/sa-lucidchart",
        "CreateDate": "2019-04-15T15:53:18+00:00"
    }
]

AWS IAM MFA

Here’s how to give AWS IAM users the ability to manage their own (MFA) Multi Factor Authentication. MFA makes your AWS console secure. AWS IAM users will be able to turn on MFA, using virtual devices such as Google Authenticator to secure their cloud accounts. Here’s the policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowViewAccountInfo",
      "Effect": "Allow",
      "Action": "iam:ListVirtualMFADevices",
      "Resource": "*"
    },
    {
      "Sid": "AllowManageOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": "arn:aws:iam::*:mfa/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnUserMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:EnableMFADevice",
        "iam:ListUsers",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    }
  ]
}