Amazon Managed Service for Grafana (AMG)

Asis Sethi — Fri, 29 Jan 2021 03:09:35 +0000

Amazon Managed Service Grafana is available for Preview as of Jan 2021 in Europe (Ireland)eu-west-1 and US East (N. Virginia)us-east-1
Give a unique name to your workspace.
And yes AWS Sign-On (SSO) is MANDATORY! Come SIGN up for it OR GET LOST!
Integration with Amazon Managed Service for Prometheus, Amazon TimeStream is 1 click away not just for CURRENT ACCOUNT but for Your Entire Organization. https://grafana.com/grafana/plugins/grafana-timestream-datasource
Create your Grafana workspace hassle-free.
Grafana 7.3.5 Workspace URL is all READY.
Assign Users + Assign User Groups BONUS BONUS BONUS …..
LOGIN via AWS SSO

Error: AmazonS3Exception “Access Denied with Status Code: 403” in Amazon Athena when I query a bucket in another account

Asis Sethi — Sat, 16 Jan 2021 01:15:59 +0000

Assumptions:

Account A (S3 Bucket )
Account B (Athena query)

Let's start with Account A:

Locate the S3 Bucket Object Permissions Tab
Either edit ACL of the S3 Bucket Object or add a Bucket policy
Under ACL add External AWS Account Canonical ID
Edit Bucket policy by Using Policy Generator [https://awspolicygen.s3.amazonaws.com/policygen.html]

{
 “Version”: “2012–10–17”,
 “Id”: “Policy1604525342797”,
 “Statement”: [
 {
 “Sid”: “Cross-Account-Permissions”,
 “Effect”: “Allow”,
 “Principal”: {
 “AWS”: [
 “arn:aws:iam::xaccountbxx:root”,
 “arn:aws:iam::xaccountbxx:user/cross-account-access-user”
 ]
 },
 “Action”: “s3:*”,
 “Resource”: “arn:aws:s3:::analytics-cross-account-s3access”
 },
 {
 “Sid”: “Cross-Account-Permissions”,
 “Effect”: “Allow”,
 “Principal”: {
 “AWS”: [
 “arn:aws:iam::xaccountbxx:root”,
 “arn:aws:iam::xaccountbxx:user/cross-account-access-user”
 ]
 },
 “Action”: “s3:GetObject”,
 “Resource”: “arn:aws:s3:::analytics-cross-account-s3access/*”
 }
 ]
}

If KMS is Enabled on S3 Bucket, Add Key policy to Customer managed key

{
 “Version”: “2012–10–17”,
 “Id”: “key-default-1”,
 “Statement”: [
 {
 “Sid”: “Enable IAM User Permissions”,
 “Effect”: “Allow”,
 “Principal”: {
 “AWS”: “arn:aws:iam::xaccountaxx:root”
 },
 “Action”: “kms:*”,
 “Resource”: “*”
 },
 {
 “Sid”: “Allow use of the key”,
 “Effect”: “Allow”,
 “Principal”: {
 “AWS”: “arn:aws:iam::xaccountbxx:user/cross-account-access-user”
 },
 “Action”: [
 “kms:Encrypt”,
 “kms:Decrypt”,
 “kms:ReEncrypt*”,
 “kms:GenerateDataKey*”,
 “kms:DescribeKey”
 ],
 “Resource”: “*”
 }
 ]
}

Let’s start with Account B:

Attach below Policy to IAM User in Account B

{
 “Version”: “2012–10–17”,
 “Statement”: [
 {
 “Sid”: “VisualEditor0”,
 “Effect”: “Allow”,
 “Action”: [
 “s3:GetAccessPoint”,
 “s3:PutAccountPublicAccessBlock”,
 “s3:GetAccountPublicAccessBlock”,
 “s3:ListAllMyBuckets”,
 “s3:ListAccessPoints”,
 “s3:ListJobs”,
 “s3:CreateJob”
 ],
 “Resource”: “*”
 },
 {
 “Sid”: “VisualEditor1”,
 “Effect”: “Allow”,
 “Action”: “s3:*”,
 “Resource”: [
 “arn:aws:s3:::analytics-cross-account-s3access”,
 “arn:aws:s3:::analytics-cross-account-s3access/*”
 ]
 }
 ]
}

2.If KMS is enabled attach another inline policy

{
 “Version”: “2012–10–17”,
 “Statement”: [
 {
 “Sid”: “VisualEditor0”,
 “Effect”: “Allow”,
 “Action”: [
 “kms:DescribeCustomKeyStores”,
 “kms:ListKeys”,
 “kms:DeleteCustomKeyStore”,
 “kms:GenerateRandom”,
 “kms:UpdateCustomKeyStore”,
 “kms:ListAliases”,
 “kms:DisconnectCustomKeyStore”,
 “kms:CreateKey”,
 “kms:ConnectCustomKeyStore”,
 “kms:CreateCustomKeyStore”
 ],
 “Resource”: “*”
 },
 {
 “Sid”: “VisualEditor1”,
 “Effect”: “Allow”,
 “Action”: “kms:*”,
 “Resource”: “arn:aws:kms:ca-central-1:xaccountbxx:key/4bb–452e-8885”
 }
 ]
}

DEV Community: Asis Sethi

Amazon Managed Service for Grafana (AMG)

Error: AmazonS3Exception “Access Denied with Status Code: 403” in Amazon Athena when I query a bucket in another account

Online tools for drawing AWS Architecture Diagrams