In AWS, how to find the SAML assumed IAM roles current sessions for all users?
In our AWS accounts we use an Identity Provider to log in (console, cli) with IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html). We have federated IAM Roles like Developer, ReadOnly, FullAdmin. I mention that it is only human operators (not other AWS services) that use these roles.
From the IAM Role Trusted Entities:
How to deny all actions except one in an IAM resource policy
There is an IAM policy for a role granting access to a bucket. I would like the DENY part of the bucket policy to override that access. I am trying to craft an S3 bucket policy to deny all actions except one (S3:GetBucketLocation) in the IAM resource policy, with a condition on the principal ARN. I can’t seem to get it to work (either GetBucketLocation is denied or other actions are allowed). Is there a standard pattern for this?
IAM user policy not filtering lambdas correctly
I added the following inline policy to an IAM user. The role should only see lambdas tagged with environment:development, but this gives an error.
Unable to require and set up IAM users to use MFA
I am somewhat of an AWS/IAM noob, and I need to require all my users to use MFA in AWS IAM, but I am unable to find the setting to require that. If I follow a lot of the instructions I’m finding, it only walks me through setting it up on my own phone, not allowing my users to set it up. I did find these instructions, but when I go to my IAM Identity Center Console, there is no left nav with a Settings option, and I can’t find this Configure multi-factor authentication page.
AWS policy statement to allow user to create role that trust cloudtrail.amazonaws.com to assume
I want to create a policy for SRE so that SRE can create/delete the roles whose names are trail*, and also the role is only trusted by cloudtrail.
Does AWS IAM Passrole always require Trust Relationship to work?
Is Trust Relationship required for both Passrole and AssumeRole to work?
Bad Request trying to configure my Identity Center Group
I’m trying to configure permissions to a specific group inside my IAM Identity Center through here…
How to change the IAM username in my AWS account?
I have been using an AWS account for more than 6 months now and it was created by my Manager for project purposes. At first, it was made for testing purposes but it is now handled by 3-5 people in my team. The account’s username is my name, which I need to change to my team name or the project name. But I can’t find an option for that in the Users dashboard.
Dynamically Assign RDS IAM Authentication Policies Based on IAM Identity Center User Names
I’m implementing IAM authentication for Amazon RDS instances (not Aurora) and managing IAM users through the IAM Identity Center. I have individual database user accounts corresponding to each IAM user, and I want to attach IAM policies dynamically based on the IAM user’s username (email address).