====== IAM ======

===== How to evaluate Deny and Allow statements in one policy? =====

Here is how IAM evaluates policies that contain both "Deny" and "Allow" statements. The order of the statements inside the policy does not matter, only their effects:

**Default (implicit) Deny**: By default, access to AWS resources is denied. If there are no policies attached to a user, group, or role, or if no policy explicitly grants the action, AWS denies it.

**"Allow" statements**: IAM checks all the "Allow" statements in the policies attached to the user, group, or role. If any "Allow" statement matches the requested action and resource, the action is permitted, unless a "Deny" statement also matches.

**"Deny" statements**: IAM also checks all the "Deny" statements in the policies. If any "Deny" statement explicitly matches the action, the action is denied, regardless of how many "Allow" statements match. An explicit Deny always wins over an Allow, whether it is written before or after it.

Caveat: this describes the identity-based policy itself. Inside an organization, service control policies (SCPs) and permission boundaries can still deny an action that the policy allows.

===== How to manage single sign-on (SSO) across accounts? =====

To SSO into accounts with limited permissions, use the "IAM Identity Center": https://console.aws.amazon.com/singlesignon/home

As described here: https://aws.amazon.com/iam/identity-center/

This is what the management of the organization looks like:

{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/rzobZTpDPq.png?550x250}}

I have struck through the entry URL that is used to SSO into the organization. The URL looks like https://myssoportal.awsapps.com/start, where you can pick the "myssoportal" part freely.

=== SSO from a CMD / shell ===

When the setup is done, \\
trigger the login from a console. \\
This allows you to get credentials **for the console** via SSO \\
or for programmatic access.

SSO from the command line looks like this:

  $ aws sso login --profile default
  Attempting to automatically open the SSO authorization page in your default browser.
  If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
  
  https://device.sso.eu-central-1.amazonaws.com/
  
  Then enter the code:
  
  ABCD-CPZB

After logging in with your global user (which you manage in the IAM Identity Center, https://aws.amazon.com/iam/identity-center/) \\
you will be redirected to the SSO page

{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/DMWBdCy4ii.png?600x250}}

from where you can approve the request:

{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/gdnlKAhViU.png?550x250}}

Don't forget to log out when you are done, so the cached SSO token is invalidated:

  $ aws sso logout

=== SSO to the AWS management console ===

To SSO into the AWS console you can also navigate directly to the access portal start URL (the https://myssoportal.awsapps.com/start URL from above) \\
and pick one of the available roles to SSO into the AWS management console.

{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/DMWBdCy4ii.png?600x250}}

==== Setting up SSO via "identity portal" ====

As in https://medium.com/@pushkarjoshi0410/how-to-set-up-aws-cli-with-aws-single-sign-on-sso-acf4dd88e056

To make Terraform work, you need a profile without "sso_session = mysso" (the legacy profile format), as stated in https://www.reddit.com/r/aws/comments/zk456d/new_aws_cli_and_sso_sessions_profiles_and_legacy/ . The Terraform AWS provider at the time did not understand the newer sso-session profile format.

**Leave "SSO session name" empty!!**

  $ aws configure sso --profile default
  SSO session name (Recommended):
  WARNING: Configuring using legacy format (e.g. without an SSO session).
  Consider re-running "configure sso" command and providing a session name.
  SSO start URL [None]: https://myssoportal.awsapps.com/start
  SSO region [None]: eu-central-1
  Attempting to automatically open the SSO authorization page in your default browser.
  If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
  
  https://device.sso.us-east-1.amazonaws.com/
  
  Then enter the code:
  
  XXXX-XXXX
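The Allow/Deny evaluation described in the first section, as an added Python example that is not part of the original page and not AWS code: a small evaluator that applies the same three rules (implicit deny, explicit deny wins, otherwise allow) to a constructed sample policy. The policy, the request ARNs and the account id are made up for the example; Conditions, NotAction and NotResource are deliberately left out.

```python
import fnmatch
from typing import Dict, List

# Constructed sample policy (not taken from the page). The Allow on s3:* and
# the Deny on two s3 actions overlap on purpose, so the effect of an explicit
# Deny on top of a matching Allow can be observed.
SAMPLE_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Effect": "Deny", "Action": ["s3:DeleteObject", "s3:PutObjectAcl"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}


def _as_list(value) -> List[str]:
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def statement_applies(stmt: Dict, action: str, resource: str) -> bool:
    """True if the statement's Action and Resource patterns both match the request.

    IAM patterns use '*' (any run of characters, slashes included) and '?'.
    Action names are compared case-insensitively, resource ARNs exactly.
    Conditions, NotAction and NotResource are not modelled here (assumption).
    """
    action_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                    for p in _as_list(stmt.get("Action", [])))
    resource_ok = any(fnmatch.fnmatchcase(resource, p)
                      for p in _as_list(stmt.get("Resource", [])))
    return action_ok and resource_ok


def evaluate(policies: List[Dict], action: str, resource: str) -> str:
    """Decide a request across one or more identity-based policies.

    Returns "ExplicitDeny" if any matching statement has Effect Deny,
    "Allow" if at least one matching statement has Effect Allow and none
    denies, and "ImplicitDeny" if nothing matches (the default).
    Statement order is irrelevant: a Deny wins even if it appears after
    the Allow, because every statement is consulted before deciding.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def reversed_statements(policy: Dict) -> Dict:
    """Same policy with the statements reversed, to show that order does not matter."""
    return {**policy, "Statement": list(reversed(policy["Statement"]))}


if __name__ == "__main__":
    bucket_obj = "arn:aws:s3:::app-bucket/report.csv"
    instance = "arn:aws:ec2:eu-central-1:123456789012:instance/i-0abc"
    for act, res in [("s3:GetObject", bucket_obj),
                     ("s3:DeleteObject", bucket_obj),
                     ("s3:GetObject", "arn:aws:s3:::other-bucket/report.csv"),
                     ("ec2:DescribeInstances", instance),
                     ("ec2:TerminateInstances", instance)]:
        print(f"{act:22} {res:58} -> {evaluate([SAMPLE_POLICY], act, res)}")
```

`s3:DeleteObject` on an object in `app-bucket` is matched by the `s3:*` Allow and by the Deny, and the result is `ExplicitDeny` whether the Deny statement comes first or last; `s3:GetObject` on a bucket no statement covers falls through to `ImplicitDeny`.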
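The difference between the legacy profile that "aws configure sso" writes when the session name is left empty and the newer sso-session layout, as an added Python example that is not part of the original page and not AWS or Terraform code: it reads an AWS config in the sso-session format and rewrites the profiles into the legacy form (sso_start_url and sso_region inlined, no sso_session key) that tooling without sso-session support can read. The sample config, the profile names "dev" and "legacy", the account id and the role name are constructed for the example.

```python
import configparser
from typing import Dict

# Constructed sample ~/.aws/config (not from the page). "dev" uses the newer
# sso-session format that "aws configure sso" writes when you DO give a session
# name; "legacy" is the layout written when the session name is left empty.
SAMPLE_CONFIG = """\
[sso-session mysso]
sso_start_url = https://myssoportal.awsapps.com/start
sso_region = eu-central-1
sso_registration_scopes = sso:account:access

[profile dev]
sso_session = mysso
sso_account_id = 123456789012
sso_role_name = DeveloperAccess
region = eu-central-1
output = json

[profile legacy]
sso_start_url = https://myssoportal.awsapps.com/start
sso_region = eu-central-1
sso_account_id = 123456789012
sso_role_name = DeveloperAccess
region = eu-central-1
"""


def _profile_name(section: str) -> str:
    # AWS config names profiles "[profile x]", except the default one, "[default]".
    return section[len("profile "):] if section.startswith("profile ") else section


def legacy_profiles(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return every profile with its sso_session reference inlined into legacy keys.

    For a profile that points at an [sso-session] block, sso_start_url and
    sso_region are copied from that block and the sso_session key is dropped.
    Profiles that are already legacy or do not use SSO are returned unchanged.
    A dangling sso_session reference is an error rather than silently ignored.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    sessions = {s[len("sso-session "):]: dict(cp[s])
                for s in cp.sections() if s.startswith("sso-session ")}
    profiles: Dict[str, Dict[str, str]] = {}
    for section in cp.sections():
        if section.startswith("sso-session "):
            continue
        prof = dict(cp[section])
        session = prof.pop("sso_session", None)
        if session is not None:
            if session not in sessions:
                raise ValueError(f"profile {section!r} references unknown sso-session {session!r}")
            prof["sso_start_url"] = sessions[session]["sso_start_url"]
            prof["sso_region"] = sessions[session]["sso_region"]
        profiles[_profile_name(section)] = prof
    return profiles


def render(profiles: Dict[str, Dict[str, str]]) -> str:
    """Serialise the profiles back into AWS config syntax, without sso-session blocks."""
    chunks = []
    for name, keys in profiles.items():
        header = "[default]" if name == "default" else f"[profile {name}]"
        chunks.append("\n".join([header] + [f"{k} = {v}" for k, v in keys.items()]))
    return "\n\n".join(chunks) + "\n"


if __name__ == "__main__":
    print(render(legacy_profiles(SAMPLE_CONFIG)))
```

Write the rendered output to a separate file and point Terraform at it with the AWS_CONFIG_FILE environment variable, rather than editing the config the AWS CLI itself uses. "aws sso login --profile <name>" works with a legacy profile too, as the transcript above shows with "--profile default".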