AWS - IAM

Amazon Web Services Identity and Access Management (IAM)

For detailed instructions about setting up authentication, see: AWS Integrations - Authentication.

Configure AWS - IAM on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for AWS - IAM.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | roleArn | Role Arn | False |
    | roleSessionName | Role Session Name | False |
    | defaultRegion | AWS Default Region | False |
    | sessionDuration | Role Session Duration | False |
    | access_key | Access Key | False |
    | secret_key | Secret Key | False |
    | timeout | The time in seconds until a timeout exception is reached. You can specify just the read timeout (for example 60) or also the connect timeout after a comma (for example 60,10). If a connect timeout is not specified, a default of 10 seconds will be used. | False |
    | retries | The maximum number of retry attempts when connection or throttling errors are encountered. Set to 0 to disable retries. The default value is 5 and the limit is 10. Note: Increasing the number of retries will increase the execution time. | False |
    | insecure | Trust any certificate (not secure) | False |
    | proxy | Use system proxy settings | False |
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

aws-iam-create-user#


Creates a new IAM user for your AWS account.

Base Command#

aws-iam-create-user

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| userName | The name of the user to create. | Required |
| path | The path for the user name. This parameter is optional. If it is not included, it defaults to a slash (/). | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.IAM.Users.UserName | string | The friendly name identifying the user. |
| AWS.IAM.Users.UserId | string | The stable and unique string identifying the user. |
| AWS.IAM.Users.Arn | string | The Amazon Resource Name (ARN) that identifies the user. |
| AWS.IAM.Users.CreateDate | date | The date and time when the user was created. |
| AWS.IAM.Users.Path | string | The path to the user. |

Command Example#

!aws-iam-create-user userName=Test path=/testusers/

aws-iam-get-user#


Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN.

Base Command#

aws-iam-get-user

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| userName | The name of the user to get information about. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.IAM.Users.UserName | string | The friendly name identifying the user. |
| AWS.IAM.Users.UserId | string | The stable and unique string identifying the user. |
| AWS.IAM.Users.Arn | string | The Amazon Resource Name (ARN) that identifies the user. |
| AWS.IAM.Users.CreateDate | date | The date and time when the user was created. |
| AWS.IAM.Users.Path | string | The path to the user. |
| AWS.IAM.Users.PasswordLastUsed | date | The date and time when the user's password was last used to sign in to an AWS website. |

Command Example#

!aws-iam-get-user userName=test

aws-iam-list-users#


Lists the IAM users. Returns all users in the AWS account.

Base Command#

aws-iam-list-users

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.IAM.Users.UserName | string | The friendly name identifying the user. |
| AWS.IAM.Users.UserId | string | The stable and unique string identifying the user. |
| AWS.IAM.Users.Arn | string | The Amazon Resource Name (ARN) that identifies the user. |
| AWS.IAM.Users.CreateDate | date | The date and time when the user was created. |
| AWS.IAM.Users.Path | string | The path to the user. |

Command Example#

!aws-iam-list-users

aws-iam-update-user#


Updates the name and/or the path of the specified IAM user.

Base Command#

aws-iam-update-user

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| oldUserName | Name of the user to update. | Required |
| newUserName | New name for the user. Include this parameter only if you're changing the user's name. | Optional |
| newPath | New path for the IAM user. Include this parameter only if you're changing the user's path. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-iam-update-user oldUserName=test newUserName=NewUserName34 newPath=/iamtest/

aws-iam-delete-user#


Deletes the specified IAM user. The user must not belong to any groups or have any access keys, signing certificates, or attached policies.

Base Command#

aws-iam-delete-user

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| userName | The name of the user to delete. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-iam-delete-user userName=userName34

aws-iam-update-login-profile#


Changes the password for the specified IAM user.

Base Command#

aws-iam-update-login-profile

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| userName | The name of the user whose password you want to update. | Required |
| newPassword | The new password for the specified IAM user. | Required |
| passwordResetRequired | Allows this new password to be used only once by requiring the specified IAM user to set a new password on next sign-in. Possible values are: True, False. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-iam-update-login-profile userName=userName34 newPassword=ArdVaEC@1#$F%g% passwordResetRequired=True raw-response=true

aws-iam-create-group#


Creates a new IAM group.

Base Command#

aws-iam-create-group

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| groupName | The name of the group to create. Do not include the path in this value. | Optional |
| path | The path to the group. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.IAM.Groups.GroupName | string | The friendly name that identifies the group. |
| AWS.IAM.Groups.GroupId | string | The stable and unique string identifying the group. |
| AWS.IAM.Groups.Arn | string | The Amazon Resource Name (ARN) specifying the group. |
| AWS.IAM.Groups.CreateDate | date | The date and time when the group was created. |
| AWS.IAM.Groups.Path | string | The path to the group. |

Command Example#

!aws-iam-create-group groupName=test path=/testgroups/

aws-iam-list-groups#


Lists all the IAM groups in the AWS account.

Base Command#

aws-iam-list-groups

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.IAM.Groups.GroupName | string | The friendly name that identifies the group. |
| AWS.IAM.Groups.GroupId | string | The stable and unique string identifying the group. |
| AWS.IAM.Groups.Arn | string | The Amazon Resource Name (ARN) specifying the group. |
| AWS.IAM.Groups.CreateDate | date | The date and time when the group was created. |
| AWS.IAM.Groups.Path | string | The path to the group. |

Command Example#

!aws-iam-list-groups

aws-iam-list-groups-for-user#


Lists the IAM groups that the specified IAM user belongs to.

Base Command#

aws-iam-list-groups-for-user

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| userName | The name of the user to list groups for. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.IAM.Users.Groups.GroupName | string | The friendly name that identifies the group. |
| AWS.IAM.Users.Groups.GroupId | string | The stable and unique string identifying the group. |
| AWS.IAM.Users.Groups.Arn | string | The Amazon Resource Name (ARN) specifying the group. |
| AWS.IAM.Users.Groups.CreateDate | date | The date and time when the group was created. |
| AWS.IAM.Users.Groups.Path | string | The path to the group. |

Command Example#

!aws-iam-list-groups-for-user userName=test

aws-iam-add-user-to-group#


Adds the specified user to the specified group.

Base Command#

aws-iam-add-user-to-group

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| userName | The name of the user to add. | Required |
| groupName | The name of the group to update. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-iam-add-user-to-group userName=userName34 groupName=test

aws-iam-create-access-key#


Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active.

Base Command#

aws-iam-create-access-key

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| userName | The name of the IAM user that the new key will belong to. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.IAM.Users.AccessKeys.AccessKeyId | string | The ID for this access key. |
| AWS.IAM.Users.AccessKeys.SecretAccessKey | string | The secret key used to sign requests. |
| AWS.IAM.Users.AccessKeys.Status | string | The status of the access key. Active means that the key is valid for API calls, while Inactive means it is not. |
| AWS.IAM.Users.AccessKeys.CreateDate | date | The date when the access key was created. |

Command Example#

!aws-iam-create-access-key userName=userName34

aws-iam-update-access-key#


Changes the status of the specified access key from Active to Inactive, or vice versa. This operation can be used to disable a user's key as part of a key rotation workflow.

Base Command#

aws-iam-update-access-key

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| userName | The name of the user whose key you want to update. | Required |
| accessKeyId | The access key ID of the secret access key you want to update. | Required |
| status | The status you want to assign to the secret access key. Active means that the key can be used for API calls to AWS, while Inactive means that the key cannot be used. Possible values are: Active, Inactive. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-iam-update-access-key userName=test accessKeyId=AKIAJSFAUQ7EDFPN7Y2D2A status=Inactive

aws-iam-list-access-keys-for-user#


Returns information about the access key IDs associated with the specified IAM user.

Base Command#

aws-iam-list-access-keys-for-user

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| userName | The name of the user. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.IAM.Users.AccessKeys.AccessKeyId | string | The ID for this access key. |
| AWS.IAM.Users.AccessKeys.Status | string | The status of the access key. Active means the key is valid for API calls; Inactive means it is not. |
| AWS.IAM.Users.AccessKeys.CreateDate | date | The date when the access key was created. |
| AWS.IAM.Users.AccessKeys.UserName | string | The name of the IAM user that the key is associated with. |

Command Example#

!aws-iam-list-access-keys-for-user userName=userName34
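
The key rotation workflow mentioned under aws-iam-update-access-key, as an added example that is not the integration's own code: it takes entries shaped like the AWS.IAM.Users.AccessKeys context output of aws-iam-list-access-keys-for-user and returns, per user, the next safe commands to run. The function names, the 90-day threshold, the sample entries, and the ISO 8601 form of CreateDate are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MAX_KEYS_PER_USER = 2  # IAM permits at most two access keys per user


def parse_create_date(value):
    """Parse a CreateDate string (assumed ISO 8601) into an aware UTC datetime."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def plan_rotation(access_keys, now, max_age_days=90):
    """Return (plan, blocked) for one rotation pass.

    plan maps a user name to the commands that are safe to run now;
    blocked lists users that need a manual decision first.
    Each pass emits only the next step, so the function can be rerun
    after the new key has been deployed to the workloads that use it.
    """
    by_user = defaultdict(list)
    for key in access_keys:
        by_user[key["UserName"]].append(key)

    cutoff = now - timedelta(days=max_age_days)
    plan, blocked = {}, []
    for user, keys in sorted(by_user.items()):
        active = [k for k in keys if k["Status"] == "Active"]
        inactive = [k for k in keys if k["Status"] == "Inactive"]
        stale = [k for k in active if parse_create_date(k["CreateDate"]) < cutoff]
        if not stale:
            continue

        if len(stale) < len(active):
            # A newer Active key already exists: the old one can be disabled.
            # Note the argument casing: update uses accessKeyId.
            plan[user] = [
                f"!aws-iam-update-access-key userName={user} "
                f"accessKeyId={k['AccessKeyId']} status=Inactive"
                for k in stale
            ]
            continue

        # Every Active key is stale, so a replacement must be created first.
        steps = []
        if len(keys) >= MAX_KEYS_PER_USER:
            if not inactive:
                # Two stale Active keys: disabling either could break a
                # workload, so leave the choice to an analyst.
                blocked.append(user)
                continue
            oldest = min(inactive, key=lambda k: parse_create_date(k["CreateDate"]))
            # Free a slot; delete uses AccessKeyId with a capital A.
            steps.append(
                f"!aws-iam-delete-access-key userName={user} "
                f"AccessKeyId={oldest['AccessKeyId']}"
            )
        steps.append(f"!aws-iam-create-access-key userName={user}")
        plan[user] = steps
    return plan, blocked


# Constructed sample entries (not real users or key IDs).
SAMPLE_KEYS = [
    {"UserName": "svc-build", "AccessKeyId": "AKIAEXAMPLEOLD000001",
     "Status": "Active", "CreateDate": "2023-01-10T08:00:00Z"},
    {"UserName": "svc-build", "AccessKeyId": "AKIAEXAMPLENEW000002",
     "Status": "Active", "CreateDate": "2024-05-20T08:00:00Z"},
    {"UserName": "svc-report", "AccessKeyId": "AKIAEXAMPLEOLD000003",
     "Status": "Active", "CreateDate": "2023-03-01T00:00:00Z"},
    {"UserName": "svc-report", "AccessKeyId": "AKIAEXAMPLEOFF000004",
     "Status": "Inactive", "CreateDate": "2022-01-01T00:00:00Z"},
    {"UserName": "svc-legacy", "AccessKeyId": "AKIAEXAMPLEOLD000005",
     "Status": "Active", "CreateDate": "2022-06-01T00:00:00Z"},
    {"UserName": "svc-legacy", "AccessKeyId": "AKIAEXAMPLEOLD000006",
     "Status": "Active", "CreateDate": "2022-07-01T00:00:00Z"},
    {"UserName": "svc-ok", "AccessKeyId": "AKIAEXAMPLENEW000007",
     "Status": "Active", "CreateDate": "2024-04-15T00:00:00Z"},
]

if __name__ == "__main__":
    sample_now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    sample_plan, sample_blocked = plan_rotation(SAMPLE_KEYS, sample_now)
    for name, commands in sample_plan.items():
        for command in commands:
            print(name, "->", command)
    print("manual review:", sample_blocked)
```
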

aws-iam-list-policies#


Lists all the managed policies that are available in your AWS account, including your own customer-defined managed policies and all AWS managed policies.

Base Command#

aws-iam-list-policies

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| scope | The scope to use for filtering the results. To list only AWS managed policies, set Scope to AWS. To list only the customer managed policies in your AWS account, set Scope to Local. Possible values are: All, AWS, Local. Default is All. | Optional |
| onlyAttached | A flag to filter the results to only the attached policies. When OnlyAttached is true, the returned list contains only the policies that are attached to an IAM user, group, or role. When OnlyAttached is false, or when the parameter is not included, all policies are returned. Possible values are: True, False. Default is False. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.IAM.Policies.PolicyName | string | The friendly name (not ARN) identifying the policy. |
| AWS.IAM.Policies.PolicyId | string | The stable and unique string identifying the policy. |
| AWS.IAM.Policies.Arn | string | The Amazon Resource Name (ARN). |
| AWS.IAM.Policies.Path | string | The path to the policy. |
| AWS.IAM.Policies.DefaultVersionId | string | The identifier for the version of the policy that is set as the default version. |
| AWS.IAM.Policies.IsAttachable | string | Specifies whether the policy can be attached to an IAM user, group, or role. |
| AWS.IAM.Policies.CreateDate | date | The date when the policy was created. |
| AWS.IAM.Policies.UpdateDate | date | The date when the policy was last updated. |
| AWS.IAM.Policies.AttachmentCount | number | The number of entities (users, groups, and roles) that the policy is attached to. |

Command Example#

!aws-iam-list-policies scope=AWS onlyAttached=True

aws-iam-list-roles#


Lists all IAM roles.

Base Command#

aws-iam-list-roles

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.IAM.Roles.RoleName | string | The friendly name that identifies the role. |
| AWS.IAM.Roles.RoleId | string | The stable and unique string identifying the role. |
| AWS.IAM.Roles.Arn | string | The Amazon Resource Name (ARN) specifying the role. |
| AWS.IAM.Roles.CreateDate | date | The date and time when the role was created. |
| AWS.IAM.Roles.Path | string | The path to the role. |
| AWS.IAM.Roles.AssumeRolePolicyDocument | string | The policy that grants an entity permission to assume the role. |
| AWS.IAM.Roles.Description | string | A description of the role that you provide. |
| AWS.IAM.Roles.MaxSessionDuration | number | The maximum session duration (in seconds) for the specified role. Anyone who uses the AWS CLI or API to assume the role can specify the duration using the optional DurationSeconds API parameter or duration-seconds CLI parameter. |

Command Example#

!aws-iam-list-roles

aws-iam-attach-policy#


Attaches the specified managed policy to the specified IAM Entity.

Base Command#

aws-iam-attach-policy

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| type | The Type of IAM Entity. Possible values are: User, Group, Role. | Required |
| entityName | The name (friendly name, not ARN) of the IAM Entity to attach the policy to. | Optional |
| policyArn | The Amazon Resource Name (ARN) of the IAM policy you want to attach. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-iam-attach-policy type=User entityName=userName34 policyArn=arn:aws:iam::aws:policy/AmazonSQSFullAccess

aws-iam-detach-policy#


Removes the specified managed policy from the specified IAM Entity.

Base Command#

aws-iam-detach-policy

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| type | IAM Entity Type. Possible values are: User, Group, Role. | Required |
| entityName | The name (friendly name, not ARN) of the IAM Entity to detach the policy from. | Optional |
| policyArn | The Amazon Resource Name (ARN) of the IAM policy you want to detach. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-iam-detach-policy type=User entityName=userName34 policyArn=arn:aws:iam::aws:policy/AmazonSQSFullAccess

aws-iam-delete-login-profile#


Deletes the password for the specified IAM user, which terminates the user's ability to access AWS services through the AWS Management Console.

Base Command#

aws-iam-delete-login-profile

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| userName | The name of the user whose password you want to delete. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-iam-delete-login-profile userName=userName34

aws-iam-delete-group#


Deletes the specified IAM group. The group must not contain any users or have any attached policies.

Base Command#

aws-iam-delete-group

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| groupName | The name of the IAM group to delete. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-iam-delete-group groupName=Group123

aws-iam-remove-user-from-group#


Removes the specified user from the specified group.

Base Command#

aws-iam-remove-user-from-group

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| userName | The name of the user to remove. | Required |
| groupName | The name of the group to update. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-iam-remove-user-from-group userName=userName34 groupName=Group123

aws-iam-create-login-profile#


Creates a password for the specified user, giving the user the ability to access AWS services through the AWS Management Console.

Base Command#

aws-iam-create-login-profile

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| userName | The name of the IAM user to create a password for. The user must already exist. | Required |
| password | The new password for the user. | Required |
| passwordResetRequired | Specifies whether the user is required to set a new password on next sign-in. Possible values are: True, False. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-iam-create-login-profile userName=userName34 password=Avd#sdf$12VB6*cvg passwordResetRequired=True

aws-iam-delete-access-key#


Deletes the access key pair associated with the specified IAM user.

Base Command#

aws-iam-delete-access-key

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| userName | The name of the user whose access key pair you want to delete. | Required |
| AccessKeyId | The access key ID for the access key ID and secret access key you want to delete. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-iam-delete-access-key userName=userName34 AccessKeyId=ABCDEFGGHDJQ7E7X5PADN7Y2D2A

aws-iam-create-instance-profile#


Creates a new instance profile.

Base Command#

aws-iam-create-instance-profile

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| instanceProfileName | The name of the instance profile to create. | Required |
| path | The path to the instance profile. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.IAM.InstanceProfiles.Path | string | The path to the instance profile. |
| AWS.IAM.InstanceProfiles.InstanceProfileName | string | The name identifying the instance profile. |
| AWS.IAM.InstanceProfiles.InstanceProfileId | string | The stable and unique string identifying the instance profile. |
| AWS.IAM.InstanceProfiles.Arn | string | The Amazon Resource Name (ARN) specifying the instance profile. |
| AWS.IAM.InstanceProfiles.CreateDate | date | The date when the instance profile was created. |

Command Example#

!aws-iam-create-instance-profile instanceProfileName=testprofile path=/test/

aws-iam-delete-instance-profile#


Deletes the specified instance profile. The instance profile must not have an associated role.

Base Command#

aws-iam-delete-instance-profile

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| instanceProfileName | The name of the instance profile to delete. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-iam-delete-instance-profile instanceProfileName=testprofile

aws-iam-list-instance-profiles#


Lists all the instance profiles in your AWS account.

Base Command#

aws-iam-list-instance-profiles

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.IAM.InstanceProfiles.Path | string | The path to the instance profile. |
| AWS.IAM.InstanceProfiles.InstanceProfileName | string | The name identifying the instance profile. |
| AWS.IAM.InstanceProfiles.InstanceProfileId | string | The stable and unique string identifying the instance profile. |
| AWS.IAM.InstanceProfiles.Arn | string | The Amazon Resource Name (ARN) specifying the instance profile. |
| AWS.IAM.InstanceProfiles.CreateDate | date | The date when the instance profile was created. |
| AWS.IAM.InstanceProfiles.Roles.Path | string | The path to the role. |
| AWS.IAM.InstanceProfiles.Roles.RoleName | string | The friendly name that identifies the role. |
| AWS.IAM.InstanceProfiles.Roles.RoleId | string | The stable and unique string identifying the role. |
| AWS.IAM.InstanceProfiles.Roles.Arn | string | The Amazon Resource Name (ARN) specifying the role. |
| AWS.IAM.InstanceProfiles.Roles.CreateDate | date | The date and time when the role was created. |
| AWS.IAM.InstanceProfiles.Roles.AssumeRolePolicyDocument | string | The policy that grants an entity permission to assume the role. |
| AWS.IAM.InstanceProfiles.Roles.Description | string | A description of the role that you provide. |
| AWS.IAM.InstanceProfiles.Roles.MaxSessionDuration | number | The maximum session duration (in seconds) for the specified role. |

Command Example#

!aws-iam-list-instance-profiles

aws-iam-add-role-to-instance-profile#


Adds the specified IAM role to the specified instance profile. An instance profile can contain only one role, and this limit cannot be increased. You can remove the existing role and then add a different role to an instance profile.

Base Command#

aws-iam-add-role-to-instance-profile

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| instanceProfileName | The name of the instance profile to update. | Required |
| roleName | The name of the role to add. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.IAM.InstanceProfiles.Path | string | The path to the instance profile. |
| AWS.IAM.InstanceProfiles.InstanceProfileName | string | The name identifying the instance profile. |
| AWS.IAM.InstanceProfiles.InstanceProfileId | string | The stable and unique string identifying the instance profile. |
| AWS.IAM.InstanceProfiles.Arn | string | The Amazon Resource Name (ARN) specifying the instance profile. |
| AWS.IAM.InstanceProfiles.CreateDate | date | The date when the instance profile was created. |
| AWS.IAM.InstanceProfiles.Roles.Path | string | The path to the role. |
| AWS.IAM.InstanceProfiles.Roles.RoleName | string | The friendly name that identifies the role. |
| AWS.IAM.InstanceProfiles.Roles.RoleId | string | The stable and unique string identifying the role. |
| AWS.IAM.InstanceProfiles.Roles.Arn | string | The Amazon Resource Name (ARN) specifying the role. |
| AWS.IAM.InstanceProfiles.Roles.CreateDate | date | The date and time when the role was created. |
| AWS.IAM.InstanceProfiles.Roles.AssumeRolePolicyDocument | string | The policy that grants an entity permission to assume the role. |
| AWS.IAM.InstanceProfiles.Roles.Description | string | A description of the role that you provide. |
| AWS.IAM.InstanceProfiles.Roles.MaxSessionDuration | number | The maximum session duration (in seconds) for the specified role. |

Command Example#

!aws-iam-add-role-to-instance-profile instanceProfileName=testprofile roleName=EC2ReadOnly

aws-iam-remove-role-from-instance-profile#


Removes the specified IAM role from the specified EC2 instance profile.

Base Command#

aws-iam-remove-role-from-instance-profile

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| instanceProfileName | The name of the instance profile to update. | Required |
| roleName | The name of the role to remove. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.IAM.InstanceProfiles.Path | string | The path to the instance profile. |
| AWS.IAM.InstanceProfiles.InstanceProfileName | string | The name identifying the instance profile. |
| AWS.IAM.InstanceProfiles.InstanceProfileId | string | The stable and unique string identifying the instance profile. |
| AWS.IAM.InstanceProfiles.Arn | string | The Amazon Resource Name (ARN) specifying the instance profile. |
| AWS.IAM.InstanceProfiles.CreateDate | date | The date when the instance profile was created. |
| AWS.IAM.InstanceProfiles.Roles.Path | string | The path to the role. |
| AWS.IAM.InstanceProfiles.Roles.RoleName | string | The friendly name that identifies the role. |
| AWS.IAM.InstanceProfiles.Roles.RoleId | string | The stable and unique string identifying the role. |
| AWS.IAM.InstanceProfiles.Roles.Arn | string | The Amazon Resource Name (ARN) specifying the role. |
| AWS.IAM.InstanceProfiles.Roles.CreateDate | date | The date and time when the role was created. |
| AWS.IAM.InstanceProfiles.Roles.AssumeRolePolicyDocument | string | The policy that grants an entity permission to assume the role. |
| AWS.IAM.InstanceProfiles.Roles.Description | string | A description of the role that you provide. |
| AWS.IAM.InstanceProfiles.Roles.MaxSessionDuration | number | The maximum session duration (in seconds) for the specified role. |

Command Example#

!aws-iam-remove-role-from-instance-profile instanceProfileName=testprofile roleName=EC2ReadOnly

aws-iam-list-instance-profiles-for-role#


Lists the instance profiles that have the specified associated IAM role.

Base Command#

aws-iam-list-instance-profiles-for-role

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| roleName | The name of the role to list instance profiles for. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.IAM.InstanceProfiles.Path | string | The path to the instance profile. |
| AWS.IAM.InstanceProfiles.InstanceProfileName | string | The name identifying the instance profile. |
| AWS.IAM.InstanceProfiles.InstanceProfileId | string | The stable and unique string identifying the instance profile. |
| AWS.IAM.InstanceProfiles.Arn | string | The Amazon Resource Name (ARN) specifying the instance profile. |
| AWS.IAM.InstanceProfiles.CreateDate | date | The date when the instance profile was created. |
| AWS.IAM.InstanceProfiles.Roles.Path | string | The path to the role. |
| AWS.IAM.InstanceProfiles.Roles.RoleName | string | The friendly name that identifies the role. |
| AWS.IAM.InstanceProfiles.Roles.RoleId | string | The stable and unique string identifying the role. |
| AWS.IAM.InstanceProfiles.Roles.Arn | string | The Amazon Resource Name (ARN) specifying the role. |
| AWS.IAM.InstanceProfiles.Roles.CreateDate | date | The date and time when the role was created. |
| AWS.IAM.InstanceProfiles.Roles.AssumeRolePolicyDocument | string | The policy that grants an entity permission to assume the role. |
| AWS.IAM.InstanceProfiles.Roles.Description | string | A description of the role that you provide. |
| AWS.IAM.InstanceProfiles.Roles.MaxSessionDuration | number | The maximum session duration (in seconds) for the specified role. |

Command Example#

!aws-iam-list-instance-profiles-for-role roleName=EC2ReadOnly

aws-iam-get-instance-profile#


Retrieves information about the specified instance profile.

Base Command#

aws-iam-get-instance-profile

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| instanceProfileName | The name of the instance profile to get information about. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.IAM.InstanceProfiles.Path | string | The path to the instance profile. |
| AWS.IAM.InstanceProfiles.InstanceProfileName | string | The name identifying the instance profile. |
| AWS.IAM.InstanceProfiles.InstanceProfileId | string | The stable and unique string identifying the instance profile. |
| AWS.IAM.InstanceProfiles.Arn | string | The Amazon Resource Name (ARN) specifying the instance profile. |
| AWS.IAM.InstanceProfiles.CreateDate | date | The date when the instance profile was created. |
| AWS.IAM.InstanceProfiles.Roles.Path | string | The path to the role. |
| AWS.IAM.InstanceProfiles.Roles.RoleName | string | The friendly name that identifies the role. |
| AWS.IAM.InstanceProfiles.Roles.RoleId | string | The stable and unique string identifying the role. |
| AWS.IAM.InstanceProfiles.Roles.Arn | string | The Amazon Resource Name (ARN) specifying the role. |
| AWS.IAM.InstanceProfiles.Roles.CreateDate | date | The date and time when the role was created. |
| AWS.IAM.InstanceProfiles.Roles.AssumeRolePolicyDocument | string | The policy that grants an entity permission to assume the role. |
| AWS.IAM.InstanceProfiles.Roles.Description | string | A description of the role that you provide. |
| AWS.IAM.InstanceProfiles.Roles.MaxSessionDuration | number | The maximum session duration (in seconds) for the specified role. |

Command Example#

!aws-iam-get-instance-profile instanceProfileName=testprofile

aws-iam-get-role#


Retrieves information about the specified role.

Base Command#

aws-iam-get-role

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| roleName | The name of the IAM role to get information about. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.IAM.Roles.Path | string | The path to the role. |
| AWS.IAM.Roles.RoleName | string | The friendly name that identifies the role. |
| AWS.IAM.Roles.RoleId | string | The stable and unique string identifying the role. |
| AWS.IAM.Roles.Arn | string | The Amazon Resource Name (ARN) specifying the role. |
| AWS.IAM.Roles.CreateDate | date | The date and time when the role was created. |
| AWS.IAM.Roles.AssumeRolePolicyDocument | string | The policy that grants an entity permission to assume the role. |
| AWS.IAM.Roles.Description | string | A description of the role that you provide. |
| AWS.IAM.Roles.MaxSessionDuration | number | The maximum session duration (in seconds) for the specified role. |

Command Example#

!aws-iam-get-role roleName=ec2readonly

aws-iam-delete-role#


Deletes the specified role. The role must not have any policies attached.

Base Command#

aws-iam-delete-role

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| roleName | The name of the role to delete. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-iam-delete-role roleName=test-role

aws-iam-create-role#


Creates a new role for your AWS account.

Base Command#

aws-iam-create-role

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| roleName | The name of the role to create. | Required |
| assumeRolePolicyDocument | The trust relationship policy document that grants an entity permission to assume the role. | Required |
| path | The path to the role. | Optional |
| description | A description of the role. | Optional |
| maxSessionDuration | The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.IAM.Roles.RoleName | string | The friendly name that identifies the role. |
| AWS.IAM.Roles.RoleId | string | The stable and unique string identifying the role. |
| AWS.IAM.Roles.Arn | string | The Amazon Resource Name (ARN) specifying the role. |
| AWS.IAM.Roles.CreateDate | date | The date and time when the role was created. |
| AWS.IAM.Roles.Path | string | The path to the role. |
| AWS.IAM.Roles.AssumeRolePolicyDocument | string | The policy that grants an entity permission to assume the role. |
| AWS.IAM.Roles.Description | string | A description of the role that you provide. |
| AWS.IAM.Roles.MaxSessionDuration | number | The maximum session duration (in seconds) for the specified role. |

Command Example#

!aws-iam-create-role roleName=testrole assumeRolePolicyDocument="{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}" description="a test role"

aws-iam-create-policy#


Creates a new managed policy for your AWS account. This operation creates a policy version with a version identifier of v1 and sets v1 as the policy's default version.

Base Command#

aws-iam-create-policy

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| policyName | The friendly name of the policy. | Required |
| policyDocument | The JSON policy document that you want to use as the content for the new policy. | Required |
| path | The path for the policy. | Optional |
| description | A friendly description of the policy. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.IAM.Policies.PolicyName | string | The friendly name (not ARN) identifying the policy. |
| AWS.IAM.Policies.PolicyId | string | The stable and unique string identifying the policy. |
| AWS.IAM.Policies.Arn | string | The Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources. |
| AWS.IAM.Policies.Path | string | The path to the policy. |
| AWS.IAM.Policies.DefaultVersionId | string | The identifier for the version of the policy that is set as the default version. |
| AWS.IAM.Policies.AttachmentCount | number | The number of entities (users, groups, and roles) that the policy is attached to. |
| AWS.IAM.Policies.PermissionsBoundaryUsageCount | number | The number of entities (users and roles) for which the policy is used to set the permissions boundary. |
| AWS.IAM.Policies.IsAttachable | boolean | Specifies whether the policy can be attached to an IAM user, group, or role. |
| AWS.IAM.Policies.Description | string | A friendly description of the policy. |
| AWS.IAM.Policies.CreateDate | date | The date and time, in ISO 8601 date-time format, when the policy was created. |
| AWS.IAM.Policies.UpdateDate | date | The date and time, in ISO 8601 date-time format, when the policy was last updated. |

Command Example#

!aws-iam-create-policy policyName=test-policy policyDocument="{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "guardduty:CreateIPSet",
      "Resource": "arn:aws:guardduty:*:*:detector/*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "guardduty:CreateDetector",
      "Resource": "*"
    }
  ]
}"

aws-iam-delete-policy#


Deletes the specified managed policy. Before you can delete a managed policy, you must first detach the policy from all users, groups, and roles that it is attached to. In addition, you must delete all the policy's versions.

Base Command#

aws-iam-delete-policy

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| policyArn | The Amazon Resource Name (ARN) of the IAM policy you want to delete. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-iam-delete-policy policyArn=arn:aws:iam::123456789:policy/test-policy

aws-iam-create-policy-version#


Creates a new version of the specified managed policy. To update a managed policy, you create a new policy version. A managed policy can have up to five versions. If the policy has five versions, you must delete an existing version using DeletePolicyVersion before you create a new version. Optionally, you can set the new version as the policy's default version. The default version is the version that is in effect for the IAM users, groups, and roles to which the policy is attached.

Base Command#

aws-iam-create-policy-version

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| policyArn | The Amazon Resource Name (ARN) of the IAM policy to which you want to add a new version. | Required |
| policyDocument | The JSON policy document that you want to use as the content for this new version of the policy. | Required |
| setAsDefault | Specifies whether to set this version as the policy's default version. Possible values are: True, False. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.IAM.Policies.Versions.Document | string | The policy document. |
| AWS.IAM.Policies.Versions.VersionId | string | The identifier for the policy version. |
| AWS.IAM.Policies.Versions.IsDefaultVersion | string | Specifies whether the policy version is set as the policy's default version. |
| AWS.IAM.Policies.Versions.CreateDate | string | The date and time, in ISO 8601 date-time format, when the policy version was created. |

Command Example#

!aws-iam-create-policy-version policyArn=arn:aws:iam::123456789:policy/test-policy policyDocument="{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "guardduty:CreateIPSet",
      "Resource": "arn:aws:guardduty:*:*:detector/*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "guardduty:CreateDetector",
      "Resource": "*"
    }
  ]
}" setAsDefault=True

aws-iam-delete-policy-version#


Deletes the specified version from the specified managed policy. You cannot delete the default version from a policy using this API. To delete the default version from a policy, use DeletePolicy. To find out which version of a policy is marked as the default version, use ListPolicyVersions.

Base Command#

aws-iam-delete-policy-version

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| policyArn | The Amazon Resource Name (ARN) of the IAM policy from which you want to delete a version. | Required |
| versionId | The policy version to delete. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-iam-delete-policy-version policyArn=arn:aws:iam::123456789:policy/test-policy versionId=v1

aws-iam-list-policy-versions#


Lists information about the versions of the specified managed policy, including the version that is currently set as the policy's default version.

Base Command#

aws-iam-list-policy-versions

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| policyArn | The Amazon Resource Name (ARN) of the IAM policy for which you want the versions. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.IAM.Policies.Versions.Document | string | The policy document. |
| AWS.IAM.Policies.Versions.VersionId | string | The identifier for the policy version. |
| AWS.IAM.Policies.Versions.IsDefaultVersion | boolean | Specifies whether the policy version is set as the policy's default version. |
| AWS.IAM.Policies.Versions.CreateDate | date | The date and time, in ISO 8601 date-time format, when the policy version was created. |

Command Example#

!aws-iam-list-policy-versions policyArn=arn:aws:iam::123456789:policy/test-policy

aws-iam-get-policy-version#


Retrieves information about the specified version of the specified managed policy, including the policy document.

Base Command#

aws-iam-get-policy-version

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| policyArn | The Amazon Resource Name (ARN) of the managed policy that you want information about. | Required |
| versionId | Identifies the policy version to retrieve. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.IAM.Policies.Versions.Document | unknown | The policy document. |
| AWS.IAM.Policies.Versions.VersionId | unknown | The identifier for the policy version. |
| AWS.IAM.Policies.Versions.IsDefaultVersion | unknown | Specifies whether the policy version is set as the policy's default version. |
| AWS.IAM.Policies.Versions.CreateDate | unknown | The date and time, in ISO 8601 date-time format, when the policy version was created. |

Command Example#

!aws-iam-get-policy-version policyArn=arn:aws:iam::123456789:policy/test-policy versionId=v3

aws-iam-set-default-policy-version#


Sets the specified version of the specified policy as the policy's default (operative) version. This operation affects all users, groups, and roles that the policy is attached to.

Base Command#

aws-iam-set-default-policy-version

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| policyArn | The Amazon Resource Name (ARN) of the IAM policy whose default version you want to set. | Required |
| versionId | The version of the policy to set as the default (operative) version. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-iam-set-default-policy-version policyArn=arn:aws:iam::123456789:policy/test-policy versionId=v2
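The policy-version commands above interact: a managed policy holds at most five versions, the default version cannot be removed with aws-iam-delete-policy-version, and changing the default takes effect for every attached user, group, and role. The following Python is an added example, not code from the integration: it takes entries shaped like AWS.IAM.Policies.Versions and returns the commands to run plus the command that restores the previous default. The function names and sample data are constructed for illustration.

```python
import json
from datetime import datetime

MAX_VERSIONS = 5  # managed-policy version limit stated in the command description


def _is_default(version):
    # The tables on this page type IsDefaultVersion as string, boolean or
    # unknown, so accept both True and "True"/"true".
    return str(version.get("IsDefaultVersion")).lower() == "true"


def _created(version):
    # ISO 8601 timestamp; normalise a trailing "Z" for datetime.fromisoformat.
    return datetime.fromisoformat(str(version["CreateDate"]).replace("Z", "+00:00"))


def plan_policy_update(policy_arn, versions, new_document, set_as_default=True):
    """Return (steps, rollback), each a list of (command, args) tuples."""
    # json.loads raises ValueError on a malformed document before anything is planned.
    document = json.dumps(json.loads(new_document), separators=(",", ":"))
    defaults = [v for v in versions if _is_default(v)]
    if len(defaults) != 1:
        raise ValueError("expected exactly one default version")
    current_default = defaults[0]["VersionId"]

    steps = []
    if len(versions) >= MAX_VERSIONS:
        # Free a slot by removing the oldest version that is not the default.
        victim = min((v for v in versions if not _is_default(v)), key=_created)
        steps.append(("aws-iam-delete-policy-version",
                      {"policyArn": policy_arn, "versionId": victim["VersionId"]}))
    steps.append(("aws-iam-create-policy-version",
                  {"policyArn": policy_arn, "policyDocument": document,
                   "setAsDefault": "True" if set_as_default else "False"}))

    # The previous default is never deleted above, so it stays available to restore.
    rollback = []
    if set_as_default:
        rollback.append(("aws-iam-set-default-policy-version",
                         {"policyArn": policy_arn, "versionId": current_default}))
    return steps, rollback


# Constructed sample data: five versions, the oldest (v1) is still the default.
SAMPLE_ARN = "arn:aws:iam::123456789:policy/test-policy"
SAMPLE_VERSIONS = [
    {"VersionId": "v5", "IsDefaultVersion": False, "CreateDate": "2024-05-01T10:00:00Z"},
    {"VersionId": "v4", "IsDefaultVersion": False, "CreateDate": "2024-04-01T10:00:00Z"},
    {"VersionId": "v3", "IsDefaultVersion": False, "CreateDate": "2024-03-01T10:00:00Z"},
    {"VersionId": "v2", "IsDefaultVersion": False, "CreateDate": "2024-02-01T10:00:00Z"},
    {"VersionId": "v1", "IsDefaultVersion": "True", "CreateDate": "2024-01-01T10:00:00Z"},
]
SAMPLE_DOCUMENT = ('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
                   '"Action": "guardduty:CreateDetector", "Resource": "*"}]}')

if __name__ == "__main__":
    for command, args in plan_policy_update(SAMPLE_ARN, SAMPLE_VERSIONS, SAMPLE_DOCUMENT)[0]:
        print(command, args)
```

Record the rollback command in the incident or change ticket before running the steps, so the previous default can be restored without first listing versions again.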

aws-iam-create-account-alias#


Creates an alias for your AWS account.

Base Command#

aws-iam-create-account-alias

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| accountAlias | The account alias to create. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-iam-create-account-alias accountAlias=test-alias

aws-iam-delete-account-alias#


Deletes the specified AWS account alias.

Base Command#

aws-iam-delete-account-alias

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| accountAlias | The name of the account alias to delete. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-iam-delete-account-alias accountAlias=demisto-test-alias

aws-iam-get-account-password-policy#


Gets the AWS account's password policy.

Base Command#

aws-iam-get-account-password-policy

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.IAM.PasswordPolicy | Unknown | Account's password policy. |

aws-iam-update-account-password-policy#


Creates or updates the account's password policy.

Base Command#

aws-iam-update-account-password-policy

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| minimumPasswordLength | The minimum number of characters allowed in an IAM user password. | Optional |
| requireSymbols | Specifies whether IAM user passwords must contain at least one of the non-alphanumeric characters. Possible values are: True, False. | Optional |
| requireNumbers | Specifies whether IAM user passwords must contain at least one numeric character (0 to 9). Possible values are: True, False. | Optional |
| requireUppercaseCharacters | Specifies whether IAM user passwords must contain at least one uppercase character from the ISO basic Latin alphabet (A to Z). Possible values are: True, False. | Optional |
| requireLowercaseCharacters | Specifies whether IAM user passwords must contain at least one lowercase character from the ISO basic Latin alphabet (a to z). Possible values are: True, False. | Optional |
| allowUsersToChangePassword | Allows all IAM users in your account to use the AWS Management Console to change their own passwords. Possible values are: True, False. | Optional |
| maxPasswordAge | The number of days that an IAM user password is valid. | Optional |
| passwordReusePrevention | Specifies the number of previous passwords that IAM users are prevented from reusing. | Optional |
| hardExpiry | Prevents IAM users from setting a new password after their password has expired. Possible values are: True, False. | Optional |

Context Output#

There is no context output for this command.
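The two password-policy commands pair naturally: read the current policy, compare it with a baseline, and issue one update that sets every argument explicitly. The following Python is an added example, not code from the integration. It assumes the AWS.IAM.PasswordPolicy context carries the AWS API field names (MinimumPasswordLength, MaxPasswordAge, and so on); the baseline values and sample policy are constructed for illustration.

```python
# Constructed baseline for illustration; replace with your organisation's standard.
# Keys are AWS password-policy field names, in the order of the Input table above.
BASELINE = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}


def _target(key, have, wanted):
    """Pick the stricter of the current and baseline numeric value."""
    if have is None:
        return wanted
    if key == "MaxPasswordAge":
        # In the AWS API a value of 0 means passwords never expire.
        return wanted if have == 0 else min(have, wanted)
    return max(have, wanted)  # longer minimum / more remembered passwords


def audit_password_policy(current):
    """Return (findings, command); command is None when nothing needs changing."""
    current = current or {}  # no policy set at all: every field is a finding
    findings, target = [], {}
    for key, wanted in BASELINE.items():
        raw = current.get(key)
        if isinstance(wanted, bool):
            # Context values may arrive as booleans or as "True"/"False" strings.
            have = None if raw is None else str(raw).lower() == "true"
            target[key] = wanted
        else:
            have = None if raw is None else int(raw)
            target[key] = _target(key, have, wanted)
        if have != target[key]:
            findings.append(key)
    if not findings:
        return [], None
    # Emit all nine arguments so the resulting policy is fully specified and
    # an already stricter setting is carried over rather than weakened.
    args = " ".join(f"{k[0].lower() + k[1:]}={v}" for k, v in target.items())
    return findings, f"!aws-iam-update-account-password-policy {args}"


# Constructed sample of a weak policy as it might appear in AWS.IAM.PasswordPolicy.
SAMPLE_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
    "PasswordReusePrevention": 30,
    "HardExpiry": False,
}

if __name__ == "__main__":
    findings, command = audit_password_policy(SAMPLE_POLICY)
    print(findings)
    print(command)
```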