Deleted main identity-based policy. How it can be recovered?

Time: 12-28

By mistake the main IAM policy of an account was deleted, and now every single service/configuration in the AWS console shows "You don't have permission to XXX...." Is there any way to rebuild/recover this policy? Searched all through the docs without clear insights. For example, on the IAM dashboard:

User: arn:aws:iam::XXXXXXXX:user/XXXXXXX
Service: iam
Action: GetAccountSummary
On resource(s): *
Context: no identity-based policy allows the iam:GetAccountSummary action

Ty everyone

CodePudding user response:

Was the policy deleted for an IAM user or the root user? Getting confused with:

By mistake the main IAM policy of an account was deleted

Deleted in the sense of removed the policy from the user? Or just deleted the policy?

If the policy for an IAM user was removed, you can ask another IAM user with admin access, or the root user, to assign the earlier policy back.

If the policy itself was deleted, you may need to create it once again and assign it to the user.

CodePudding user response:

If you have any other IAM users (or roles) that have permission to create IAM policies and attach them, then log in using one of those. If not, you will need to log in using root credentials (you generally should not log in as root, but this is one of those rare cases where you will need to).

Then, for user/XXXXXXX, you will associate a policy with that user that allows it access to everything you need in the console.

  1. From the example you gave, you need a console user that has access to IAM (and specifically iam:GetAccountSummary). Therefore you should look in the IAM policies and see if you have one called AdministratorAccess.
  2. If you have it (if that link worked), skip to step 3. If not, you will need to create this policy. Create a new policy named AdministratorAccess and then use this JSON as the Permissions for the policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
  3. Now associate the policy with your IAM user. Go to IAM Users and click on user/XXXXXXX.
    1. Then click Add permissions
    2. Attach existing policies directly
    3. Check the box next to AdministratorAccess
    4. Next: Review
    5. Add permissions
  4. Log out. Then log back in as user/XXXXXXX.

NOTE: In general, you do not want to use a user with AdministratorAccess for most tasks. Consider creating another user with more limited access for everyday use.
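As an added example (not part of either answer above and not AWS's own tooling), the Python below models the part of IAM identity-based policy evaluation that produced the question's error: with no attached policy the default is an implicit deny, a matching Allow statement grants the action, and an explicit Deny overrides any Allow. It reuses the AdministratorAccess document from the answer, and adds two constructed documents of my own (a read-only IAM policy and a Deny guard-rail on iam:Delete*/iam:Detach*) to show why the limited-access advice in the NOTE works. NotAction, NotResource and Condition are deliberately not modelled.

```python
import json
import re
from typing import Any, Dict, List, Union

# Policy document from the answer above (equivalent to AWS's AdministratorAccess).
ADMIN_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed (assumption): a narrower everyday policy that still covers the
# read-only IAM calls the console dashboard makes, such as iam:GetAccountSummary.
READ_ONLY_IAM_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}
    ],
}

# Constructed (assumption): an explicit Deny on destructive IAM calls; attached
# alongside an Allow, it wins over that Allow during evaluation.
DENY_IAM_DELETE: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": ["iam:Delete*", "iam:Detach*"], "Resource": "*"}
    ],
}


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    """Action and Resource may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Statement may likewise be a single object or a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _wildcard_match(pattern: str, value: str, case_insensitive: bool) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' exactly one.
    Action names compare case-insensitively; resource ARNs do not."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    flags = re.IGNORECASE if case_insensitive else 0
    return re.match(regex, value, flags) is not None


def evaluate(policies: List[Dict[str, Any]], action: str, resource: str = "*") -> str:
    """Simplified identity-based evaluation for one action on one resource.

    Returns 'EXPLICIT_DENY' if any matching statement denies, 'ALLOW' if a
    matching statement allows and none denies, otherwise 'IMPLICIT_DENY'.
    """
    allowed = False
    for policy in policies:
        for stmt in _statements(policy):
            action_hit = any(_wildcard_match(p, action, True) for p in _as_list(stmt.get("Action")))
            resource_hit = any(_wildcard_match(p, resource, False) for p in _as_list(stmt.get("Resource")))
            if not (action_hit and resource_hit):
                continue
            if stmt.get("Effect") == "Deny":
                return "EXPLICIT_DENY"  # explicit deny always wins
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "ALLOW" if allowed else "IMPLICIT_DENY"


def console_message(policies: List[Dict[str, Any]], action: str, resource: str = "*") -> str:
    """Map the decision to text; the implicit-deny wording is the one in the question."""
    decision = evaluate(policies, action, resource)
    if decision == "ALLOW":
        return "allowed"
    if decision == "EXPLICIT_DENY":
        return f"an identity-based policy explicitly denies the {action} action"
    return f"no identity-based policy allows the {action} action"


def to_policy_document(policy: Dict[str, Any]) -> str:
    """Serialise a document for `aws iam create-policy --policy-document file://...`."""
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    user = "arn:aws:iam::123456789012:user/example"  # constructed sample ARN
    for name, attached in [("nothing", []), ("AdministratorAccess", [ADMIN_POLICY]),
                           ("read-only IAM", [READ_ONLY_IAM_POLICY]),
                           ("admin + deny guard-rail", [ADMIN_POLICY, DENY_IAM_DELETE])]:
        print(f"{user} with {name}: iam:GetAccountSummary ->",
              console_message(attached, "iam:GetAccountSummary"),
              "| iam:DeletePolicy ->", console_message(attached, "iam:DeletePolicy"))
```

For the real account, the same two steps the answer walks through in the console are `aws iam create-policy --policy-name AdministratorAccess --policy-document file://admin.json` followed by `aws iam attach-user-policy --user-name <user> --policy-arn <arn returned by create-policy>`, run with the root or remaining-admin credentials; `aws iam simulate-principal-policy` gives the authoritative evaluation that the toy `evaluate` above only approximates.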
