Any Deny statements override Allow statements, so the best approach is to go hunting for them. In this case your policies include AWSCompromisedKeyQuarantineV2 which contains:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "cloudtrail:LookupEvents",
            "ec2:RequestSpotInstances",
            "ec2:RunInstances",
            "ec2:StartInstances",
            "iam:AddUserToGroup",
            "iam:AttachGroupPolicy",
            "iam:AttachRolePolicy",
            "iam:AttachUserPolicy",
            "iam:ChangePassword",
            "iam:CreateAccessKey",
            "iam:CreateInstanceProfile",
            "iam:CreateLoginProfile",
            "iam:CreatePolicyVersion",
            "iam:CreateRole",
            "iam:CreateUser",
            "iam:DetachUserPolicy",
            "iam:PassRole",
            "iam:PutGroupPolicy",
            "iam:PutRolePolicy",
            "iam:PutUserPermissionsBoundary",
            "iam:PutUserPolicy",
            "iam:SetDefaultPolicyVersion",
            "iam:UpdateAccessKey",
            "iam:UpdateAccountPasswordPolicy",
            "iam:UpdateAssumeRolePolicy",
            "iam:UpdateLoginProfile",
            "iam:UpdateUser",
            "lambda:AddLayerVersionPermission",
            "lambda:AddPermission",
            "lambda:CreateFunction",
            "lambda:GetPolicy",
            "lambda:ListTags",
            "lambda:PutProvisionedConcurrencyConfig",
            "lambda:TagResource",
            "lambda:UntagResource",
            "lambda:UpdateFunctionCode",
            "lightsail:Create*",
            "lightsail:Delete*",
            "lightsail:DownloadDefaultKeyPair",
            "lightsail:GetInstanceAccessDetails",
            "lightsail:Start*",
            "lightsail:Update*",
            "organizations:CreateAccount",
            "organizations:CreateOrganization",
            "organizations:InviteAccountToOrganization",
            "s3:DeleteBucket",
            "s3:DeleteObject",
            "s3:DeleteObjectVersion",
            "s3:PutLifecycleConfiguration",
            "s3:PutBucketAcl",
            "s3:PutBucketOwnershipControls",
            "s3:DeleteBucketPolicy",
            "s3:ObjectOwnerOverrideToBucketOwner",
            "s3:PutAccountPublicAccessBlock",
            "s3:PutBucketPolicy",
            "s3:ListAllMyBuckets",
            "ec2:PurchaseReservedInstancesOffering",
            "ec2:AcceptReservedInstancesExchangeQuote",
            "ec2:CreateReservedInstancesListing",
            "savingsplans:CreateSavingsPlan"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
Hello, please check the S3 bucket policy too. If a user wants to use the AWS Management Console to view buckets and the contents of any of those buckets, the user must have the s3:ListAllMyBuckets and s3:GetBucketLocation permissions. For example:

    {
      "Id": "Policy1686696361193",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1686696358634",
          "Action": [
            "s3:GetBucketLocation",
            "s3:ListAllMyBuckets"
          ],
          "Effect": "Allow",
          "Resource": "*",
          "Principal": {
            "AWS": [
              "arn:aws:iam::1111222333444:group/mygroup"
            ]
          }
        }
      ]
    }
Useful Links: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-policy-language-overview.html
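To make the "Deny overrides Allow" point from the first answer concrete, and to show why adding the bucket-policy Allow from the second answer does not help a quarantined user, here is a small added example (not AWS code, and not the real IAM evaluation engine). It implements the simplified evaluation order: any matching explicit Deny wins, otherwise any matching Allow grants, otherwise the request is implicitly denied. The quarantine policy is a constructed excerpt of the actions quoted above; the UserRead identity policy and the 123456789012 account id are constructed placeholders. NotAction, Condition, Principal and permissions boundaries are deliberately not modelled.

```python
"""Simplified IAM policy evaluation: explicit Deny > Allow > implicit Deny."""
import fnmatch

# Constructed excerpt of AWSCompromisedKeyQuarantineV2 (subset of the actions quoted above).
QUARANTINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["iam:CreateAccessKey", "iam:DetachUserPolicy", "iam:UpdateAccessKey",
                   "lightsail:Create*", "s3:DeleteObject", "s3:ListAllMyBuckets"],
        "Resource": ["*"],
    }],
}

# Hypothetical identity policy attached to the same user (constructed for this example).
USER_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadBuckets",
        "Effect": "Allow",
        "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:ListBucket"],
        "Resource": "*",
    }],
}

# Bucket policy shaped like the one in the second answer; placeholder account id.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowConsoleListing",
        "Effect": "Allow",
        "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
        "Resource": "*",
        "Principal": {"AWS": ["arn:aws:iam::123456789012:group/mygroup"]},
    }],
}

# Everything that applies to the user, keyed by a human-readable policy name.
ATTACHED_POLICIES = {
    "AWSCompromisedKeyQuarantineV2": QUARANTINE_POLICY,
    "UserRead": USER_READ_POLICY,
    "BucketPolicy": BUCKET_POLICY,
}


def _as_list(value):
    """IAM allows a single string or a list in Action / Resource / Statement."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Case-insensitive match with IAM-style '*' and '?' wildcards (e.g. lightsail:Create*)."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def evaluate(policies, action, resource="*"):
    """Return (decision, reasons).

    reasons lists (policy_name, statement_id) for the statements that produced the
    decision: the matching Denies if the result is an explicit Deny, the matching
    Allows if it is Allow, and an empty list for an implicit Deny.
    """
    denies, allows = [], []
    for name, policy in policies.items():
        for idx, stmt in enumerate(_as_list(policy["Statement"])):
            if "Action" not in stmt:  # NotAction statements are not modelled here
                continue
            if _matches(stmt["Action"], action) and _matches(stmt.get("Resource", []), resource):
                ref = (name, stmt.get("Sid", f"Statement[{idx}]"))
                (denies if stmt["Effect"] == "Deny" else allows).append(ref)
    if denies:
        return "Deny", denies          # explicit Deny always wins
    if allows:
        return "Allow", allows
    return "Deny", []                  # implicit deny: nothing matched


def explain(policies, action, resource="*"):
    """One-line, human-readable verdict; useful when 'hunting' for the blocking Deny."""
    decision, reasons = evaluate(policies, action, resource)
    where = ", ".join(f"{p}/{sid}" for p, sid in reasons) or "no matching statement"
    return f"{action} -> {decision} ({where})"


if __name__ == "__main__":
    for act in ("s3:ListAllMyBuckets", "s3:GetBucketLocation", "lightsail:CreateInstances",
                "iam:DetachUserPolicy", "ec2:DescribeInstances"):
        print(explain(ATTACHED_POLICIES, act))
```

Running it shows that s3:ListAllMyBuckets and iam:DetachUserPolicy are denied by the quarantine statement even though two separate Allow statements cover the first, which is exactly the situation in the question: the console cannot list buckets, and the same user cannot detach the policy. s3:GetBucketLocation is allowed because no Deny mentions it, and ec2:DescribeInstances falls through to an implicit deny.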
Thanks for the reply. Yes, you are right. This policy "AWSCompromisedKeyQuarantineV2" has limited my access, due to which I cannot view buckets in the S3 service, but the problem is that this policy has also limited my access to IAM, due to which I cannot remove this policy from my user. Can you guide me in this regard? Thanks
Please have a look at https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCompromisedKeyQuarantineV2.html - your access has been limited for a reason. As it says there, "Do NOT remove this policy. Instead, please follow the instructions specified in the support case created for you regarding this event."
Hi, I have tried to follow the instructions. The instructions say that I have to create a new access key and delete the old one before removing this policy, but the problem is that I now do not have permissions to do these steps because this policy has been attached to my user.
The AWSCompromisedKeyQuarantineV2 policy prevents someone with access to the compromised access key from being able to do any damage, including being able to remove the policy to re-enable full access. So your IAM User with this policy can't be used to fix it up; it has to be done from another IAM Principal with appropriate permissions.