Changing permissions for an IAM user (part 1)

By Ashwin Venugopal -

 





To read part 2, please click here






View User Access

If you want to change the permissions for a user, you must review its recent service-level activity before doing anything as it will prevent you to delete access from a principal (person or application) who is still using it.

Generate a Policy based on a User's Access Activity

An IAM policy can be easily generated according to access activity of an entity to refine your granted permissions. A policy template is generated containing all the permissions used by the entity in your specified data range (based on the IAM Access Analyzer reviews on your AWS CloudTrail logs), that can be used to create a managed policy with fine-grained permissions and attach it to an IAM entity. This allows you to only permit the AWS resources that the user or role needs to interact with for a particular use case.

Adding Permissions to a User (console)

The following ways can help in adding permission policies to a user, but, if the user already has a permission boundary, then, more permissions cannot be added beyond the specified limit.

Adding permissions by adding user to a group

  1. First of all, sign-in to the AWS Management Console and open the IAM console at https:// console.aws.amazon.com/iam/.
  2. Now select Users in the navigation pane.
  3. Review the current group memberships of the users in the Group column of the console and add the column to the users table if necessary.
  4. Select the user name whose permissions you want to modify.
  5. Now you can click the Permissions tab, Add permissions, and then Add user to the group.
  6. Select all the groups that you want the user to join through a list containing each group's name and policies that will be offered to the user if they join.
  7. You can also select Create group if you want to define a new group. (optional)
  8. Now you can select Next: Review to view the list of group memberships to be added to the user and then Add permissions.
  Adding permissions by copying from another user
  1. As stated above, you have to sign-in to the AWS Management Console firstly, and then open the IAM console at https:// console.aws.amazon.com/iam/.
  2. Now select Users, user name whose permissions are to be modified, and Permissions tab in the navigation pane.
  3. Now you can Add permissions, and then Copy permissions from existing user.
  4. Select the button next to the user whose permissions you want to copy.
  5. Now you can select Next: Review to view the list of changes done to the user and then Add permissions.
Adding permissions by attaching policies directly to the user
  1. Firstly, you have to sign-in to the AWS Management Console, and then open the IAM console at https:// console.aws.amazon.com/iam/.
  2. Now select Users, user name whose permissions are to be modified, and Permissions tab in the navigation pane.
  3. Now you can Add permissions, and then Attach existing policies directly to the user.
  4. Select one or more managed policies that you want to attach to the user. A new managed policy can also be created via Create policy.
  5. Now you can select Next: Review to view the list of policies attaching to the user and then Add permissions.

Setting Permissions boundary for a user

  1. Sign-in to the AWS Management Console, and then open the IAM console at https:// console.aws.amazon.com/iam/.
  2. Now select Users in the navigation pane.
  3. Choose the user name whose permissions boundary is to be changed.
  4. Now you can select the Permissions tab and open permissions boundary section to Set boundary (if required).
  5. Select the policy that will be used for the permissions boundary.
  6. Now you can select Set boundary.






To read part 2, please click here




































Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more