
Resource based policy

Imagine you have two AWS accounts, account A and account B. Account B holds resources, say an S3 bucket, that you want to share with users in account A.

This can be achieved as follows:

1. Create an IAM role in account B that can access the S3 bucket, and let users from account A assume that role in account B to reach the bucket. The role acts as a proxy here. One disadvantage of this approach is that the caller's context switches from account A's user to account B's role: while operating as account B's role, the user can no longer access resources in account A. This is a user based (identity-based) policy.

2. Some AWS resources, S3 buckets among them, accept a resource based policy attached directly to the resource. In that policy you list the AWS accounts allowed to access the resource. A user from account A can then access the S3 bucket in account B while keeping their own identity, so at the same time they can still access resources in account A.
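To make the two options concrete, here is an added example (not from the original post) that builds the trust policy for option 1 and the bucket policy for option 2, plus a small review helper that lists which accounts a policy grants access to and flags a wildcard principal. The account ids and bucket name are constructed placeholders.

```python
import json

# Constructed example values (assumptions, not from the original post).
ACCOUNT_A = "111111111111"   # account whose users need access
ACCOUNT_B = "222222222222"   # account that owns the bucket
BUCKET = "example-shared-bucket"


def role_trust_policy(trusted_account: str) -> dict:
    """Option 1: trust policy for a role in account B that users from
    account A may assume. Callers give up their account A identity
    while they operate under this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def bucket_policy(bucket: str, allowed: list[str]) -> dict:
    """Option 2: resource based policy attached to the bucket in account B.
    Each listed account gets read access while its users keep their own
    identity, and so keep whatever they may do in account A."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CrossAccountRead",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in allowed]},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def allowed_accounts(policy: dict) -> set[str]:
    """Review helper: account ids granted by the Allow statements.
    Simplified on purpose: reads only 'AWS' principals; a '*' principal
    (anyone, i.e. a public bucket) is reported as '*' so it stands out."""
    accounts: set[str] = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            accounts.add("*")
            continue
        arns = principal.get("AWS", [])
        for arn in ([arns] if isinstance(arns, str) else arns):
            accounts.add("*" if arn == "*" else arn.split(":")[4])
    return accounts


if __name__ == "__main__":
    print(json.dumps(bucket_policy(BUCKET, [ACCOUNT_A]), indent=2))
    print("granted to:", allowed_accounts(bucket_policy(BUCKET, [ACCOUNT_A])))
```

Note that for cross-account access the bucket policy in account B is only half of it: the user's own identity-based policy in account A must also allow the S3 actions, otherwise the request is denied.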
