AWS - IAM

Use this integration to manage identity and access on the AWS platform.

We recommend that you use roles that have the following built-in AWS policies:

  • IAMFullAccess
  • IAMReadOnlyAccess

Prerequisites

It is important that you familiarize yourself with and complete all steps detailed in the AWS Integrations - Authentication.

Configure the AWS IAM Integration on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for AWS - IAM.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Role Arn
    • Role Session Name
    • Role Session Duration
  4. Click Test to validate the URLs and token.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Create a user: aws-iam-create-user
  2. Get user information: aws-iam-get-user
  3. Get a list of users: aws-iam-list-users
  4. Update user information: aws-iam-update-user
  5. Delete a user: aws-iam-delete-user
  6. Update a user's password: aws-iam-update-login-profile
  7. Create a group: aws-iam-create-group
  8. Get a list of groups: aws-iam-list-groups
  9. List all groups a user is part of: aws-iam-list-groups-for-user
  10. Add a user to a group: aws-iam-add-user-to-group
  11. Create an access key: aws-iam-create-access-key
  12. Update an access key: aws-iam-update-access-key
  13. List all access keys for a user: aws-iam-list-access-keys-for-user
  14. List all policies: aws-iam-list-policies
  15. List all roles: aws-iam-list-roles
  16. Attach a policy to an entity: aws-iam-attach-policy
  17. Detach a policy from an entity: aws-iam-detach-policy
  18. Delete a user's password: aws-iam-delete-login-profile
  19. Delete a group: aws-iam-delete-group
  20. Remove a user from a group: aws-iam-remove-user-from-group
  21. Create a password for a user: aws-iam-create-login-profile
  22. Delete an access key: aws-iam-delete-access-key
  23. Create an instance profile: aws-iam-create-instance-profile
  24. Delete an instance profile: aws-iam-delete-instance-profile
  25. List all instance profiles: aws-iam-list-instance-profiles
  26. Add a role to an instance profile: aws-iam-add-role-to-instance-profile
  27. Remove a role from an instance profile: aws-iam-remove-role-from-instance-profile
  28. List all instance profiles for a role: aws-iam-list-instance-profiles-for-role
  29. Get instance profile information: aws-iam-get-instance-profile
  30. Get role information: aws-iam-get-role
  31. Delete a role: aws-iam-delete-role
  32. Create a role: aws-iam-create-role
  33. Create a policy: aws-iam-create-policy
  34. Delete a policy: aws-iam-delete-policy
  35. Create a new version of a policy: aws-iam-create-policy-version
  36. Delete a version of a policy: aws-iam-delete-policy-version
  37. Get information for all versions of a policy: aws-iam-list-policy-versions
  38. Get information for a policy version: aws-iam-get-policy-version
  39. Set a default (operative) policy version: aws-iam-set-default-policy-version
  40. Create an account alias: aws-iam-create-account-alias
  41. Delete an account alias: aws-iam-delete-account-alias
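
Each command section below names the IAM action it requires, so a role narrower than IAMFullAccess can be derived from the commands a playbook actually runs. The following is an added example, not code from the integration: it reads command lines in the CLI form used on this page and emits the minimal policy document, with the mapping copied from sections 1 to 28. The function names, the sample lines, the resource ARN, and the narrowing of attach/detach by the type= argument are assumptions.

```python
import json
import re

# Command -> IAM action(s), copied from the "AWS IAM Policy Permission"
# entries of command sections 1-28 on this page.
COMMAND_ACTIONS = {
    "aws-iam-create-user": ["iam:CreateUser"],
    "aws-iam-get-user": ["iam:GetUser"],
    "aws-iam-list-users": ["iam:ListUsers"],
    "aws-iam-update-user": ["iam:UpdateUser"],
    "aws-iam-delete-user": ["iam:DeleteUser"],
    "aws-iam-update-login-profile": ["iam:UpdateLoginProfile"],
    "aws-iam-create-group": ["iam:CreateGroup"],
    "aws-iam-list-groups": ["iam:ListGroups"],
    "aws-iam-list-groups-for-user": ["iam:ListGroupsForUser"],
    "aws-iam-add-user-to-group": ["iam:AddUserToGroup"],
    "aws-iam-create-access-key": ["iam:CreateAccessKey"],
    "aws-iam-update-access-key": ["iam:UpdateAccessKey"],
    "aws-iam-list-access-keys-for-user": ["iam:ListAccessKeys"],
    "aws-iam-list-policies": ["iam:ListPolicies"],
    "aws-iam-list-roles": ["iam:ListRoles"],
    "aws-iam-attach-policy": ["iam:AttachGroupPolicy", "iam:AttachRolePolicy",
                              "iam:AttachUserPolicy"],
    "aws-iam-detach-policy": ["iam:DetachGroupPolicy", "iam:DetachRolePolicy",
                              "iam:DetachUserPolicy"],
    "aws-iam-delete-login-profile": ["iam:DeleteLoginProfile"],
    "aws-iam-delete-group": ["iam:DeleteGroup"],
    "aws-iam-remove-user-from-group": ["iam:RemoveUserFromGroup"],
    "aws-iam-create-login-profile": ["iam:CreateLoginProfile"],
    "aws-iam-delete-access-key": ["iam:DeleteAccessKey"],
    "aws-iam-create-instance-profile": ["iam:CreateInstanceProfile"],
    "aws-iam-delete-instance-profile": ["iam:DeleteInstanceProfile"],
    "aws-iam-list-instance-profiles": ["iam:ListInstanceProfiles"],
    "aws-iam-add-role-to-instance-profile": ["iam:AddRoleToInstanceProfile"],
    "aws-iam-remove-role-from-instance-profile": ["iam:RemoveRoleFromInstanceProfile"],
    "aws-iam-list-instance-profiles-for-role": ["iam:ListInstanceProfilesForRole"],
}

_CMD_RE = re.compile(r"^\s*!?(aws-iam-[a-z-]+)\b(.*)$")
_TYPE_RE = re.compile(r"\btype=(User|Group|Role)\b")


def actions_for_line(line):
    """Return the IAM actions that one CLI/playbook command line needs."""
    match = _CMD_RE.match(line)
    if not match:
        return []  # blank line, comment, or a non-IAM command
    command, args = match.groups()
    if command not in COMMAND_ACTIONS:
        # Fail closed: an unmapped command is reviewed, not silently skipped.
        raise KeyError(f"no IAM action mapped for {command}")
    actions = COMMAND_ACTIONS[command]
    # Assumption: attach/detach call only the API matching the type= argument.
    entity = _TYPE_RE.search(args)
    if entity and len(actions) > 1:
        actions = [a for a in actions if entity.group(1) in a]
    return actions


def build_policy(lines, resource="*"):
    """Build a policy document that allows only what the given lines need."""
    actions = set()
    for line in lines:
        actions.update(actions_for_line(line))
    read = sorted(a for a in actions
                  if a.split(":")[1].startswith(("Get", "List")))
    write = sorted(actions - set(read))
    statements = []
    if read:
        statements.append({"Sid": "ReadOnly", "Effect": "Allow",
                           "Action": read, "Resource": "*"})
    if write:
        # Mutating actions are kept separate so they can be scoped by path.
        statements.append({"Sid": "Mutating", "Effect": "Allow",
                           "Action": write, "Resource": resource})
    return {"Version": "2012-10-17", "Statement": statements}


# Constructed sample: command lines of a key-containment playbook.
SAMPLE_PLAYBOOK = """
# contain a user whose access key leaked
!aws-iam-get-user userName=test
!aws-iam-list-access-keys-for-user userName=test
!aws-iam-update-access-key userName=test accessKeyId=AKIAEXAMPLE status=Inactive
!aws-iam-detach-policy type=User entityName=test policyArn=arn:aws:iam::aws:policy/AmazonSQSFullAccess
"""

if __name__ == "__main__":
    policy = build_policy(SAMPLE_PLAYBOOK.splitlines(),
                          resource="arn:aws:iam::123456789:user/testusers/*")
    print(json.dumps(policy, indent=2))
```

Attach the generated document to the role named in Role Arn in place of IAMFullAccess, and regenerate it whenever the playbook gains a command.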

1. Create a user


Creates a user in the Amazon IAM system.

Command Example

!aws-iam-create-user userName=Test path=/testusers/

AWS IAM Policy Permission

Effect: Allow
Action: iam:CreateUser

Input
Parameter Description
userName Name of the user to create
path Path for the username. This parameter is optional. If it is not included in the command, it defaults to a forward slash (/).
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.Route53.RecordSetsChange.Id Request ID
AWS.Route53.RecordSetsChange.Status Current state of the request. PENDING indicates that the request has not yet been applied to all Amazon Route 53 DNS servers.
AWS.Route53.RecordSetsChange.Comment A complex type that describes change information about changes made to your hosted zone.

Raw Output
{  
   "Arn":"arn:aws:iam::123456789:user/testusers/Test2",
   "CreateDate":"2018-06-04T12:12:20",
   "Path":"/testusers/",
   "UserId":"AIDSECGFSTGLFJWJXSXMC",
   "UserName":"Test2"
}

2. Get user information


Returns information about a user in the Amazon IAM system.

Command Example

!aws-iam-get-user userName=test

AWS IAM Policy Permission

Effect: Allow
Action: iam:GetUser

Input
Parameter Description
userName Name of the user to get information for
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.IAM.Users.UserName Friendly name to identify the user
AWS.IAM.Users.UserId Stable and unique string identifying the user
AWS.IAM.Users.Arn Amazon Resource Name (ARN) that identifies the user
AWS.IAM.Users.CreateDate Date and time when the user was created
AWS.IAM.Users.Path Path to the user
AWS.IAM.Users.PasswordLastUsed Date and time when the user's password was last used to sign in to an AWS website

Raw Output
{  
   "Arn":"arn:aws:iam::123456789:user/testusers/Test",
   "CreateDate":"2018-06-04T12:11:20",
   "Path":"/testusers/",
   "UserId":"AIDASDADJDHKMTAUTCUZRQH26",
   "UserName":"Test"
}

3. Get a list of users


Returns a list of all users in the Amazon IAM system.

Command Example

!aws-iam-list-users

AWS IAM Policy Permission

Effect: Allow
Action: iam:ListUsers

Input
Parameter Description
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.IAM.Users.UserName Friendly name to identify the user
AWS.IAM.Users.UserId Stable and unique string identifying the user
AWS.IAM.Users.Arn Amazon Resource Name (ARN) that identifies the user
AWS.IAM.Users.CreateDate Date and time when the user was created
AWS.IAM.Users.Path Path to the user

Raw Output
[  
   {  
      "Arn":"arn:aws:iam::123456789:user/testusers/Test",
      "CreateDate":"2018-06-04 12:11:20",
      "Path":"/testusers/",
      "UserId":"AIDASFDASFSAJDHKMTAUTCUZRQH26",
      "UserName":"Test"
   },
   {  
      "Arn":"arn:aws:iam::123456789:user/testusers/Test2",
      "CreateDate":"2018-06-04 12:12:20",
      "Path":"/testusers/",
      "UserId":"AIDAI3Z2WTADFADGAGLFJWJXSXMC",
      "UserName":"Test2"
   }
]

4. Update user information


Updates the name, the path, or both, of a user in the Amazon IAM system.

Command Example

!aws-iam-update-user oldUserName=test newUserName=NewUserName34 newPath=/iamtest/

AWS IAM Policy Permission

Effect: Allow
Action: iam:UpdateUser

Input
Parameter Description
oldUserName Name of the user to update
newUserName New name for the user. Include this parameter only if you are changing the user's name.
newPath New path for the user. Include this parameter only if you are changing the user's path.
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output

There is no context output for this command.

Raw Output
Changed UserName test To: NewUserName34

5. Delete a user


Deletes a user from the Amazon IAM system.

Command Example

!aws-iam-delete-user userName=userName34

AWS IAM Policy Permission

Effect: Allow
Action: iam:DeleteUser

Input
Parameter Description
userName Name of the user to delete
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output

There is no context output for this command.

Raw Output
The user userName34 has been deleted

6. Update a user's password


Updates the password for a user in the Amazon IAM system.

Command Example

!aws-iam-update-login-profile userName=userName34 newPassword=ArdVaEC@1#$F%g% passwordResetRequired=True raw-response=true

AWS IAM Policy Permission

Effect: Allow
Action: iam:UpdateLoginProfile

Input
Parameter Description
userName Name of the user you want to update the password for
newPassword New password for the specified IAM user
passwordResetRequired Specifies whether the user is required to set a new password on next sign in.
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output

There is no context output for this command.

Raw Output
The password for user userName34 was changed.

7. Create a group


Creates a group in the Amazon IAM system.

Command Example

!aws-iam-create-group groupName=test path=/testgroups/

AWS IAM Policy Permission

Effect: Allow
Action: iam:CreateGroup

Input
Parameter Description
groupName Name of the group to create. Do not include the path in this value.
path Path to the group
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.IAM.Groups.GroupName Friendly name to identify the group
AWS.IAM.Groups.GroupId Stable and unique string identifying the group
AWS.IAM.Groups.Arn Amazon Resource Name (ARN) that specifies the group
AWS.IAM.Groups.CreateDate Date and time when the group was created
AWS.IAM.Groups.Path Path to the group

Raw Output
{  
   "Arn":"arn:aws:iam::123456789:group/testgroups/test",
   "CreateDate":"2018-06-04T13:32:34",
   "GroupId":"AGPAJH6IZW4TASFDUWDJVPQG",
   "GroupName":"test",
   "Path":"/testgroups/"
}

8. Get a list of groups


Returns a list of all groups in the Amazon IAM system.

Command Example

!aws-iam-list-groups

AWS IAM Policy Permission

Effect: Allow
Action: iam:ListGroups

Input
Parameter Description
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.IAM.Groups.GroupName Friendly name to identify the group
AWS.IAM.Groups.GroupId Stable and unique string identifying the group
AWS.IAM.Groups.Arn Amazon Resource Name (ARN) that specifies the group
AWS.IAM.Groups.CreateDate Date and time when the group was created
AWS.IAM.Groups.Path Path to the group

Raw Output
[  
   {  
      "Arn":"arn:aws:iam::123456789:group/Admins",
      "CreateDate":"2017-11-01T08:32:39",
      "GroupId":"AGPAJVFASADEZ5LCW",
      "GroupName":"Admins",
      "Path":"/"
   },
   {  
      "Arn":"arn:aws:iam::123456789:group/Developers",
      "CreateDate":"2017-11-01T08:33:22",
      "GroupId":"AGPAI2DADAD3V4XGPRNRCVZYCG",
      "GroupName":"Developers",
      "Path":"/"
   },
   {  
      "Arn":"arn:aws:iam::123456789:group/testgroups/test",
      "CreateDate":"2018-06-04T13:32:34",
      "GroupId":"AGPAJH6IZWADFASD4TDUWDJVPQG",
      "GroupName":"test",
      "Path":"/testgroups/"
   }
]

9. List all groups a user is part of


Returns a list of all groups that a specified user is part of in the Amazon IAM system.

Command Example

!aws-iam-list-groups-for-user userName=test

AWS IAM Policy Permission

Effect: Allow
Action: iam:ListGroupsForUser

Input
Parameter Description
userName Name of the user to list groups for
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.IAM.Groups.GroupName Friendly name to identify the group
AWS.IAM.Groups.GroupId Stable and unique string identifying the group
AWS.IAM.Groups.Arn Amazon Resource Name (ARN) that specifies the group
AWS.IAM.Groups.CreateDate Date and time when the group was created
AWS.IAM.Groups.Path Path to the group

Raw Output
[  
   {  
      "Arn":"arn:aws:iam::123456789:group/testgroups/test",
      "CreateDate":"2018-06-04T13:32:34",
      "GroupId":"AGPAJH6IZSAFW4TDUWDJVPQG",
      "GroupName":"test",
      "Path":"/testgroups/",
      "UserName":"test"
   }
]

10. Add a user to a group


Adds an IAM user to a group in the Amazon IAM system.

Command Example

!aws-iam-add-user-to-group userName=userName34 groupName=test

AWS IAM Policy Permission

Effect: Allow
Action: iam:AddUserToGroup

Input
Parameter Description
userName Name of the user to add to a group
groupName Name of the group to add the user to
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output

There is no context output for this command.

Raw Output
The user userName34 was added to the IAM group: test.

11. Create an access key


Creates an access key for an IAM user in the Amazon IAM system.

Command Example

!aws-iam-create-access-key userName=userName34

AWS IAM Policy Permission

Effect: Allow
Action: iam:CreateAccessKey

Input
Parameter Description
userName Name of the user the key is created for
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.IAM.Users.AccessKeys.AccessKeyId ID for this access key
AWS.IAM.Users.AccessKeys.SecretAccessKey Secret key used to sign requests
AWS.IAM.Users.AccessKeys.Status Status of the access key. Active means that the key is valid for API calls, Inactive means it is not valid for API calls.
AWS.IAM.Users.AccessKeys.CreateDate Access key creation date

Raw Output
{  
   "AccessKeyId":"AKIASADI6QUYJTFBVHEC5WA",
   "CreateDate":"2018-06-05T06:19:00",
   "SecretAccessKey":"Yj2WWHtipDADADDgZoU7Bvl",
   "Status":"Active",
   "UserName":"userName34"
}

12. Update an access key


Changes the status of an access key for an IAM user in the Amazon IAM system.

Command Example

!aws-iam-update-access-key userName=test accessKeyId=AKIAJSFAUQ7EDFPN7Y2D2A status=Inactive

AWS IAM Policy Permission

Effect: Allow
Action: iam:UpdateAccessKey

Input
Parameter Description
userName Name of the user you want to update the access key for
accessKeyId ID of the access key you want to update
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output

There is no context output for this command.

Raw Output
Access Key with ID AKIAJUQASDAF7E7X5PY2D2A was set to status: Inactive.

13. List all access keys for a user


Lists all access keys for an IAM user in the Amazon IAM system.

Command Example

!aws-iam-list-access-keys-for-user userName=userName34

AWS IAM Policy Permission

Effect: Allow
Action: iam:ListAccessKeys

Input
Parameter Description
userName Name of the user you want to list all keys for
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.IAM.Users.AccessKeys.AccessKeyId ID for this access key
AWS.IAM.Users.AccessKeys.Status Status of the access key. Active means that the key is valid for API calls, Inactive means it is not valid for API calls.
AWS.IAM.Users.AccessKeys.CreateDate Access key creation date
AWS.IAM.Users.AccessKeys.UserName Name of the IAM user that the key is associated with

Raw Output
[  
   {  
      "AccessKeyId":"AKISFX5PN7Y2D2A",
      "CreateDate":"2018-06-05T06:19:44",
      "Status":"Inactive",
      "UserName":"userName34"
   },
   {  
      "AccessKeyId":"AKIAI6SFAQUYJTFBVHEC5WA",
      "CreateDate":"2018-06-05T06:19:00",
      "Status":"Active",
      "UserName":"userName34"
   }
]

14. List all policies


Lists all policies, either AWS managed policies or locally managed policies.

Command Example

!aws-iam-list-policies scope=AWS onlyAttached=True

AWS IAM Policy Permission

Effect: Allow
Action: iam:ListPolicies

Input
Parameter Description
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.IAM.Policies.PolicyName Friendly name identifying the policy (not the ARN)
AWS.IAM.Policies.PolicyId Stable and unique string identifying the policy
AWS.IAM.Policies.Arn Amazon Resource Name (ARN)
AWS.IAM.Policies.Path Path to the policy.
AWS.IAM.Policies.DefaultVersionId Identifier for the version of the policy that is set as the default version
AWS.IAM.Policies.IsAttachable Specifies whether the policy can be attached to an IAM user, group, or role
AWS.IAM.Policies.CreateDate Policy creation date
AWS.IAM.Policies.UpdateDate Date policy was last updated
AWS.IAM.Policies.AttachmentCount Number of entities (users, groups, and roles) that the policy is attached to

Raw Output
[  
   {  
      "Arn":"arn:aws:iam::aws:policy/AmazonEC2FullAccess",
      "AttachmentCount":1,
      "CreateDate":"2015-02-06T18:40:15",
      "DefaultVersionId":"v4",
      "IsAttachable":true,
      "Path":"/",
      "PolicyId":"ANPAI3VAJF5ZCRZ7MCQE6",
      "PolicyName":"AmazonEC2FullAccess",
      "UpdateDate":"2018-02-08T18:11:24"
   },
   {  
      "Arn":"arn:aws:iam::aws:policy/AmazonSQSFullAccess",
      "AttachmentCount":1,
      "CreateDate":"2015-02-06T18:41:07",
      "DefaultVersionId":"v1",
      "IsAttachable":true,
      "Path":"/",
      "PolicyId":"ANPAI65L554VRJ33ECQS6",
      "PolicyName":"AmazonSQSFullAccess",
      "UpdateDate":"2015-02-06T18:41:07"
   }
]

15. List all roles


Lists all roles in the Amazon IAM system.

Command Example

!aws-iam-list-roles

AWS IAM Policy Permission

Effect: Allow
Action: iam:ListRoles

Input
Parameter Description
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.IAM.Roles.RoleName Friendly name that identifies the role
AWS.IAM.Roles.RoleId Stable and unique string identifying the role
AWS.IAM.Roles.Arn Amazon Resource Name (ARN) specifying the role
AWS.IAM.Roles.CreateDate Date and time the role was created
AWS.IAM.Roles.Path Path to the role
AWS.IAM.Roles.AssumeRolePolicyDocument Policy that grants an entity permission to assume the role
AWS.IAM.Roles.Description Description of the role that you provide
AWS.IAM.Roles.MaxSessionDuration The maximum session duration (in seconds) for the specified role. Anyone who uses the AWS CLI or API to assume the role can specify the duration using the optional DurationSeconds API parameter or duration-seconds CLI parameter.

Raw Output
[  
   {  
      "Arn":"arn:aws:iam::123456789:role/AdminAccess",
      "CreateDate":"2018-05-11T11:27:02",
      "Path":"/",
      "RoleId":"AROAIASM66GZ3IZaDY645EFQ",
      "RoleName":"AdminAccess"
   },
   {  
      "Arn":"arn:aws:iam::123456789:role/service-role/AMI_Info",
      "CreateDate":"2018-04-22T19:14:14",
      "Path":"/service-role/",
      "RoleId":"AROAADIECFBPADNVAAS2ADKTHG4",
      "RoleName":"AMI_Info"
   }
]

16. Attach a policy to an entity


Attach a policy to an entity in the Amazon IAM system.

Command Example

!aws-iam-attach-policy type=User entityName=userName34 policyArn=arn:aws:iam::aws:policy/AmazonSQSFullAccess

AWS IAM Policy Permission

Effect: Allow
Actions: iam:AttachGroupPolicy, iam:AttachRolePolicy, iam:AttachUserPolicy

Input
Parameter Description
type IAM entity type
entityName Friendly name of the IAM entity to attach the policy to (not the ARN)
policyArn Amazon Resource Name (ARN) of the IAM policy you want to attach

Context Output

There is no context output for this command.

Raw Output
Policy was attached to User: userName34

17. Detach a policy from an entity


Detaches a policy from an IAM entity in the Amazon IAM system.

Command Example

!aws-iam-detach-policy type=User entityName=userName34 policyArn=arn:aws:iam::aws:policy/AmazonSQSFullAccess

AWS IAM Policy Permission

Effect: Allow
Actions: iam:DetachGroupPolicy, iam:DetachRolePolicy, iam:DetachUserPolicy

Input
Parameter Description
type IAM entity type
entityName Friendly name of the IAM entity to detach the policy from (not ARN)
policyArn Amazon Resource Name (ARN) of the policy to detach
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output

There is no context output for this command.

Raw Output
Policy was detached from User: userName34

18. Delete a user's password


Delete the password of an IAM entity in the Amazon IAM system.

Command Example

!aws-iam-delete-login-profile userName=userName34

AWS IAM Policy Permission

Effect: Allow
Action: iam:DeleteLoginProfile

Input
Parameter Description
userName Name of the user you want to delete the password for
policyArn Amazon Resource Name (ARN) of the policy to detach
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output

There is no context output for this command.

Raw Output
The user userName34 login profile has been deleted.

19. Delete a group


Delete a group from the Amazon IAM system.

Command Example

!aws-iam-delete-group groupName=Group123

AWS IAM Policy Permission

Effect: Allow
Action: iam:DeleteGroup

Input
Parameter Description
groupName Name of the IAM group to delete
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output

There is no context output for this command.

Raw Output
The group Group123 has been deleted.

20. Remove a user from a group


Remove a user from a group in the Amazon IAM system.

Command Example

!aws-iam-remove-user-from-group userName=userName34 groupName=Group123

AWS IAM Policy Permission

Effect: Allow
Action: iam:RemoveUserFromGroup

Input
Parameter Description
userName Name of the user to remove from a group
groupName Name of the IAM group to update (remove the user from)
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output

There is no context output for this command.

Raw Output
The user userName34 has been removed from group Group123.

21. Create a password for a user


Create a password for an IAM user in the Amazon IAM system.

Command Example

!aws-iam-create-login-profile userName=userName34 password=Avd#sdf$12VB6*cvg passwordResetRequired=True

AWS IAM Policy Permission

Effect: Allow
Action: iam:CreateLoginProfile

Input
Parameter Description
userName Name of the user to create a password for
password New password for the IAM user
passwordResetRequired Specifies whether the user is required to set a new password on next sign in.
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output

There is no context output for this command.

Raw Output
Login profile was created for user userName34.

22. Delete an access key


Deletes an access key of an IAM user in the Amazon IAM system.

Command Example

!aws-iam-delete-access-key userName=userName34 AccessKeyId=AKIAJUAKDJQ7E7X5PADN7Y2D2A

AWS IAM Policy Permission

Effect: Allow
Action: iam:DeleteAccessKey

Input
Parameter Description
userName Name of the user whose access key you want to delete
AccessKeyId Access key ID for the access key to delete
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output

There is no context output for this command.

Raw Output
The Access Key was deleted.

23. Create an instance profile


Creates an instance profile in the Amazon IAM system.

Command Example

!aws-iam-create-instance-profile instanceProfileName=testprofile path=/test/

AWS IAM Policy Permission

Effect: Allow
Action: iam:CreateInstanceProfile

Input
Parameter Description
instanceProfileName Name of the instance profile to create
path Path to the instance profile
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.IAM.InstanceProfiles.Path Path to the instance profile
AWS.IAM.InstanceProfiles.InstanceProfileName Name identifying the instance profile
AWS.IAM.InstanceProfiles.InstanceProfileId Stable and unique string identifying the instance profile
AWS.IAM.InstanceProfiles.Arn Amazon Resource Name (ARN) specifying the instance profile
AWS.IAM.InstanceProfiles.CreateDate Instance profile creation date

Raw Output
{  
   "Arn":"arn:aws:iam::123456789:instance-profile/test/testprofile",
   "CreateDate":"2018-06-05T07:30:15",
   "InstanceProfileId":"/test/",
   "InstanceProfileName":"testprofile",
   "Path":"/test/"
}

24. Delete an instance profile


Deletes an instance profile from the Amazon IAM system.

Command Example

!aws-iam-delete-instance-profile instanceProfileName=testprofile

AWS IAM Policy Permission

Effect: Allow
Action: iam:DeleteInstanceProfile

Input
Parameter Description
instanceProfileName Name of the instance profile to delete
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output

There is no context output for this command.

Raw Output
The InstanceProfile: testprofile was deleted.

25. List all instance profiles


Lists all instance profiles in the Amazon IAM system.

Command Example

!aws-iam-list-instance-profiles

AWS IAM Policy Permission

Effect: Allow
Action: iam:ListInstanceProfiles

Input
Parameter Description
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.IAM.InstanceProfiles.Path Path to the instance profile
AWS.IAM.InstanceProfiles.InstanceProfileName Name identifying the instance profile
AWS.IAM.InstanceProfiles.InstanceProfileId Stable and unique string identifying the instance profile
AWS.IAM.InstanceProfiles.Arn Amazon Resource Name (ARN) specifying the instance profile
AWS.IAM.InstanceProfiles.CreateDate Instance profile creation date
AWS.IAM.InstanceProfiles.Roles.Path Path to the role
AWS.IAM.InstanceProfiles.Roles.RoleName Friendly name that identifies the role
AWS.IAM.InstanceProfiles.Roles.RoleId Stable and unique string identifying the role
AWS.IAM.InstanceProfiles.Roles.Arn Amazon Resource Name (ARN) specifying the role
AWS.IAM.InstanceProfiles.Roles.CreateDate Role creation date and time
AWS.IAM.InstanceProfiles.Roles.AssumeRolePolicyDocument Policy that grants an entity permission to assume the role
AWS.IAM.InstanceProfiles.Roles.Description Description of the role
AWS.IAM.InstanceProfiles.Roles.MaxSessionDuration Maximum session duration (in seconds) for the specified role

Raw Output
[  
   {  
      "Arn":"arn:aws:iam::123456789:instance-profile/EC2ReadOnly",
      "CreateDate":"2018-05-11T11:27:55",
      "InstanceProfileId":"AIPAAFDFAJ5JLPIFSAFJC6VF6RX5Y",
      "InstanceProfileName":"EC2ReadOnly",
      "Path":"/",
      "RoleArn":"arn:aws:iam::123456789:role/EC2ReadOnly",
      "RoleId":"AR234OAIMZD2SAFWAKKUZK2QMR6",
      "RoleName":"EC2ReadOnly"
   },
   {  
      "Arn":"arn:aws:iam::123456789:instance-profile/SystemsManagerEC2Role",
      "CreateDate":"2018-05-01T14:35:28",
      "InstanceProfileId":"AIPSAFAJN4P5VISFaPFZETEOXOE",
      "InstanceProfileName":"SystemsManagerEC2Role",
      "Path":"/",
      "RoleArn":"arn:aws:iam::123456789:role/SystemsManagerEC2Role",
      "RoleId":"AROAJDLFEISFAZK5MP4DSDFYVE4",
      "RoleName":"SystemsManagerEC2Role"
   }
]

26. Add a role to an instance profile


Adds a role to an instance profile in the Amazon IAM system.

Command Example

!aws-iam-add-role-to-instance-profile instanceProfileName=testprofile roleName=EC2ReadOnly

AWS IAM Policy Permission

Effect: Allow
Action: iam:AddRoleToInstanceProfile

Input
Parameter Description
instanceProfileName Name of the instance profile to update
roleName Name of the role to add
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.IAM.InstanceProfiles.Path Path to the instance profile
AWS.IAM.InstanceProfiles.InstanceProfileName Name identifying the instance profile
AWS.IAM.InstanceProfiles.InstanceProfileId Stable and unique string identifying the instance profile
AWS.IAM.InstanceProfiles.Arn Amazon Resource Name (ARN) specifying the instance profile
AWS.IAM.InstanceProfiles.CreateDate Instance profile creation date
AWS.IAM.InstanceProfiles.Roles.Path Path to the role
AWS.IAM.InstanceProfiles.Roles.RoleName Friendly name that identifies the role
AWS.IAM.InstanceProfiles.Roles.RoleId Stable and unique string identifying the role
AWS.IAM.InstanceProfiles.Roles.Arn Amazon Resource Name (ARN) specifying the role
AWS.IAM.InstanceProfiles.Roles.CreateDate Role creation date and time
AWS.IAM.InstanceProfiles.Roles.AssumeRolePolicyDocument Policy that grants an entity permission to assume the role
AWS.IAM.InstanceProfiles.Roles.Description Description of the role
AWS.IAM.InstanceProfiles.Roles.MaxSessionDuration Maximum session duration (in seconds) for the specified role

Raw Output
The Role: EC2ReadOnly was added to the Instance Profile: testprofile

27. Remove a role from an instance profile


Removes a role from an instance profile in the Amazon IAM system.

Command Example

!aws-iam-remove-role-from-instance-profile instanceProfileName=testprofile roleName=EC2ReadOnly

AWS IAM Policy Permission

Effect: Allow
Action: iam:RemoveRoleFromInstanceProfile

Input
Parameter Description
instanceProfileName Name of the instance profile to update
roleName Name of the role to remove
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output

There is no context output for this command.

Raw Output
The Role: EC2ReadOnly was added to the Instance Profile: testprofile

28. List all instance profiles for a role


Lists all instance profiles for the specified role in the Amazon IAM system.

Command Example

!aws-iam-list-instance-profiles-for-role roleName=EC2ReadOnly

AWS IAM Policy Permission

Effect: Allow
Action: iam:ListInstanceProfilesForRole

Input
Parameter Description
roleName Name of the role to list instance profiles for
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.IAM.InstanceProfiles.Path Path to the instance profile
AWS.IAM.InstanceProfiles.InstanceProfileName Name identifying the instance profile
AWS.IAM.InstanceProfiles.InstanceProfileId Stable and unique string identifying the instance profile
AWS.IAM.InstanceProfiles.Arn Amazon Resource Name (ARN) specifying the instance profile
AWS.IAM.InstanceProfiles.CreateDate Instance profile creation date
AWS.IAM.InstanceProfiles.Roles.Path Path to the role
AWS.IAM.InstanceProfiles.Roles.RoleName Friendly name that identifies the role
AWS.IAM.InstanceProfiles.Roles.RoleId Stable and unique string identifying the role
AWS.IAM.InstanceProfiles.Roles.Arn Amazon Resource Name (ARN) specifying the role
AWS.IAM.InstanceProfiles.Roles.CreateDate Role creation date and time
AWS.IAM.InstanceProfiles.Roles.AssumeRolePolicyDocument Policy that grants an entity permission to assume the role
AWS.IAM.InstanceProfiles.Roles.Description Description of the role
AWS.IAM.InstanceProfiles.Roles.MaxSessionDuration Maximum session duration (in seconds) for the specified role

Raw Output
[  
   {  
      "Arn":"arn:aws:iam::123456789:instance-profile/EC2ReadOnly",
      "CreateDate":"2018-05-11T11:27:55",
      "InstanceProfileId":"AIPAJAF5JLPIFDSAFJC6VF6RX5Y",
      "InstanceProfileName":"EC2ReadOnly",
      "Path":"/"
   },
   {  
      "Arn":"arn:aws:iam::123456789:instance-profile/test/testprofile",
      "CreateDate":"2018-06-05T07:35:28",
      "InstanceProfileId":"AIPAJRSDFQMQHSDF5CVUZSGMV76",
      "InstanceProfileName":"testprofile",
      "Path":"/test/"
   }
]

29. Get instance profile information


Returns information for an instance profile in the Amazon IAM system.

Command Example

!aws-iam-get-instance-profile instanceProfileName=testprofile

AWS IAM Policy Permission

Effect: Allow
Action: iam:GetInstanceProfile

Input
Parameter Description
instanceProfileName Name of the instance profile to return information for
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.IAM.InstanceProfiles.Path Path to the instance profile
AWS.IAM.InstanceProfiles.InstanceProfileName Name identifying the instance profile
AWS.IAM.InstanceProfiles.InstanceProfileId Stable and unique string identifying the instance profile
AWS.IAM.InstanceProfiles.Arn Amazon Resource Name (ARN) specifying the instance profile
AWS.IAM.InstanceProfiles.CreateDate Instance profile creation date
AWS.IAM.InstanceProfiles.Roles.Path Path to the role
AWS.IAM.InstanceProfiles.Roles.RoleName Friendly name that identifies the role
AWS.IAM.InstanceProfiles.Roles.RoleId Stable and unique string identifying the role
AWS.IAM.InstanceProfiles.Roles.Arn Amazon Resource Name (ARN) specifying the role
AWS.IAM.InstanceProfiles.Roles.CreateDate Role creation date and time
AWS.IAM.InstanceProfiles.Roles.AssumeRolePolicyDocument Policy that grants an entity permission to assume the role
AWS.IAM.InstanceProfiles.Roles.Description Description of the role
AWS.IAM.InstanceProfiles.Roles.MaxSessionDuration Maximum session duration (in seconds) for the specified role

Raw Output
{  
   "Arn":"arn:aws:iam::123456789:instance-profile/test/testprofile",
   "CreateDate":"2018-06-05T07:35:28",
   "InstanceProfileId":"AIPAJRASDFQMQH5ASFCVUZSGMV76",
   "InstanceProfileName":"testprofile",
   "Path":"/test/",
   "RoleArn":"arn:aws:iam::123456789:role/EC2ReadOnly",
   "RoleId":"AROAASFIMZD2WAKSAFKUZK2QMR6",
   "RoleName":"EC2ReadOnly"
}

30. Get role information


Returns information for a role in the Amazon IAM system.

Command Example

!aws-iam-get-role roleName=ec2readonly

AWS IAM Policy Permission

Effect: Allow
Action: iam:GetRole

Input
Parameter Description
roleName Name of the role to return information for
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.IAM.InstanceProfiles.Roles.Path Path to the role
AWS.IAM.InstanceProfiles.Roles.RoleName Friendly name that identifies the role
AWS.IAM.InstanceProfiles.Roles.RoleId Stable and unique string identifying the role
AWS.IAM.InstanceProfiles.Roles.Arn Amazon Resource Name (ARN) specifying the role
AWS.IAM.InstanceProfiles.Roles.CreateDate Role creation date and time
AWS.IAM.InstanceProfiles.Roles.AssumeRolePolicyDocument Policy that grants an entity permission to assume the role
AWS.IAM.InstanceProfiles.Roles.Description Description of the role
AWS.IAM.InstanceProfiles.Roles.MaxSessionDuration Maximum session duration (in seconds) for the specified role

Raw Output
{  
   "Arn":"arn:aws:iam::123456789:role/EC2ReadOnly",
   "CreateDate":"2018-05-11T11:27:55",
   "Path":"/",
   "RoleId":"AROAISAFMZD2WAKKUSFZK2QMR6",
   "RoleName":"EC2ReadOnly"
}

31. Delete a role


Deletes a role in the Amazon IAM system.

Command Example

!aws-iam-delete-role roleName=test-role

AWS IAM Policy Permission

Effect: Allow
Action: iam:DeleteRole

Input
Parameter Description
roleName Name of the role to delete
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output

There is no context output for this command.

Raw Output
The Role: test-role was deleted.

32. Create a role


Creates a role in the Amazon IAM system.

Command Example

!aws-iam-create-role roleName=testrole assumeRolePolicyDocument="{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Principal": {
            "Service": "ec2.amazonaws.com"
         },
         "Action": "sts:AssumeRole"
      }
   ]
}" description="a test role"

AWS IAM Policy Permission

Effect: Allow
Action: iam:CreateRole

Input
Parameter Description
roleName Name of the role to create
assumeRolePolicyDocument Trust relationship policy document that grants an entity permission to assume the role
path Path to the role
description Description of the role
maxSessionDuration The maximum session duration (in hours) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum is one hour. Valid parameter values: 1 hour to 12 hours.
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.IAM.InstanceProfiles.Roles.Path Path to the role
AWS.IAM.InstanceProfiles.Roles.RoleName Friendly name that identifies the role
AWS.IAM.InstanceProfiles.Roles.RoleId Stable and unique string identifying the role
AWS.IAM.InstanceProfiles.Roles.Arn Amazon Resource Name (ARN) specifying the role
AWS.IAM.InstanceProfiles.Roles.CreateDate Role creation date and time
AWS.IAM.InstanceProfiles.Roles.AssumeRolePolicyDocument Policy that grants an entity permission to assume the role
AWS.IAM.InstanceProfiles.Roles.Description Description of the role
AWS.IAM.InstanceProfiles.Roles.MaxSessionDuration Maximum session duration (in seconds) for the specified role

Raw Output
{  
   "Arn":"arn:aws:iam::123456789:role/test-role",
   "Path":"/",
   "RoleId":"ARsdOAJGHGQNWTADXZ2TT3DKY",
   "RoleName":"test-role"
}
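
A playbook can check the trust policy before passing it to aws-iam-create-role. The following is an added example, not part of the integration: review_trust_policy and its allow-list arguments are hypothetical names, and the second sample policy and its account IDs are constructed.

```python
import json
import re

# Matches a bare 12-digit account ID or an IAM ARN that carries one.
ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::.*)?$")

# Trust policy from the command example on this page.
PAGE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
})

# Constructed sample: one wildcard principal and one unexpected account.
CONSTRUCTED_OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": ["arn:aws:iam::111122223333:root",
                               "arn:aws:iam::444455556666:root"]}},
    ],
})


def as_list(value):
    # IAM accepts either a single value or a list in most policy fields.
    return value if isinstance(value, list) else [value]


def review_trust_policy(document, allowed_services, allowed_accounts):
    """Return findings for a trust policy JSON string; an empty list means it passed."""
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"document is not valid JSON: {exc.msg}"]
    if not isinstance(policy, dict):
        return ["document is not a JSON object"]
    findings = []
    statements = as_list(policy.get("Statement", []))
    if not statements:
        findings.append("no Statement present")
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot widen who may assume the role
        if "NotPrincipal" in stmt:
            findings.append(f"statement {idx}: Allow with NotPrincipal trusts everyone else")
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            principal = {"AWS": "*"}
        if not isinstance(principal, dict):
            findings.append(f"statement {idx}: missing or malformed Principal")
            continue
        # Other principal kinds (for example Federated) are only checked for wildcards.
        for kind, values in principal.items():
            for value in as_list(values):
                if value == "*":
                    findings.append(f"statement {idx}: wildcard {kind} principal")
                elif kind == "Service" and value not in allowed_services:
                    findings.append(f"statement {idx}: service {value} not in allow-list")
                elif kind == "AWS":
                    match = ACCOUNT_RE.match(value)
                    if not match or match.group(1) not in allowed_accounts:
                        findings.append(f"statement {idx}: AWS principal {value} not in allow-list")
    return findings


if __name__ == "__main__":
    print(review_trust_policy(PAGE_TRUST_POLICY, {"ec2.amazonaws.com"}, set()))
    print(review_trust_policy(CONSTRUCTED_OPEN_POLICY, {"ec2.amazonaws.com"}, {"111122223333"}))
```

An empty result means every Allow statement names only principals from the supplied allow-lists.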

33. Create a policy


Creates a new managed policy for your AWS account. This operation creates a policy version with a version identifier of v1 and sets v1 as the policy's default version.

Base Command

aws-iam-create-policy

Input
Argument Name Description Required
policyName The friendly name of the policy. Required
policyDocument The JSON policy document that you want to use as the content for the new policy. Required
path The path for the policy. Optional
description A friendly description of the policy. Optional
roleArn The Amazon Resource Name (ARN) of the role to assume. Optional
roleSessionName An identifier for the assumed role session. Optional
roleSessionDuration The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. Optional

Context Output
Path Type Description
AWS.IAM.Policies.PolicyName string The friendly name (not ARN) identifying the policy.
AWS.IAM.Policies.PolicyId string The stable and unique string identifying the policy.
AWS.IAM.Policies.Arn string The Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources.
AWS.IAM.Policies.Path string The path to the policy.
AWS.IAM.Policies.DefaultVersionId string The identifier for the version of the policy that is set as the default version.
AWS.IAM.Policies.AttachmentCount number The number of entities (users, groups, and roles) that the policy is attached to.
AWS.IAM.Policies.PermissionsBoundaryUsageCount number The number of entities (users and roles) for which the policy is used to set the permissions boundary.
AWS.IAM.Policies.IsAttachable boolean Specifies whether the policy can be attached to an IAM user, group, or role.
AWS.IAM.Policies.Description string A friendly description of the policy.
AWS.IAM.Policies.CreateDate date Date and time the policy was created, in ISO 8601 date-time format
AWS.IAM.Policies.UpdateDate date Date and time the policy was updated, in ISO 8601 date-time format

Command Example

!aws-iam-create-policy policyName=test-policy policyDocument="{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "VisualEditor0",
         "Effect": "Allow",
         "Action": "guardduty:CreateIPSet",
         "Resource": "arn:aws:guardduty:::detector/"
      },
      {
         "Sid": "VisualEditor1",
         "Effect": "Allow",
         "Action": "guardduty:CreateDetector",
         "Resource": "*"
      }
   ]
}"

34. Delete a policy


Deletes the specified managed policy. Before you can delete a managed policy, you must first detach the policy from all users, groups, and roles that it is attached to. In addition, you must delete all of the policy's versions.

Base Command

aws-iam-delete-policy

Input
Argument Name Description Required
policyArn The Amazon Resource Name (ARN) of the IAM policy you want to delete. Required
roleArn The Amazon Resource Name (ARN) of the role to assume. Optional
roleSessionName An identifier for the assumed role session. Optional
roleSessionDuration The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. Optional

Context Output

There is no context output for this command.

Command Example
!aws-iam-delete-policy policyArn=arn:aws:iam::123456789:policy/test-policy

35. Create a new version of a policy


Creates a new version of the specified managed policy. To update a managed policy, you create a new policy version. A managed policy can have up to five versions. If the policy has five versions, you must delete an existing version using DeletePolicyVersion before you create a new version. Optionally, you can set the new version as the policy's default version. The default version is the version that is in effect for the IAM users, groups, and roles to which the policy is attached.

Base Command

aws-iam-create-policy-version

Input
Argument Name Description Required
policyArn The Amazon Resource Name (ARN) of the IAM policy to which you want to add a new version. Required
policyDocument The JSON policy document that you want to use as the content for this new version of the policy. Required
setAsDefault Specifies whether to set this version as the policy's default version. Optional
roleArn The Amazon Resource Name (ARN) of the role to assume. Optional
roleSessionName An identifier for the assumed role session. Optional
roleSessionDuration The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. Optional

Context Output
Path Type Description
AWS.IAM.Policies.Versions.Document string The policy document.
AWS.IAM.Policies.Versions.VersionId string The identifier for the policy version.
AWS.IAM.Policies.Versions.IsDefaultVersion string Specifies whether the policy version is set as the policy's default version.
AWS.IAM.Policies.Versions.CreateDate string Date and time the policy version was created, in ISO 8601 date-time format

Command Example

!aws-iam-create-policy-version policyArn=arn:aws:iam::123456789:policy/test-policy policyDocument="{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "VisualEditor0",
         "Effect": "Allow",
         "Action": "guardduty:CreateIPSet",
         "Resource": "arn:aws:guardduty:::detector/"
      },
      {
         "Sid": "VisualEditor1",
         "Effect": "Allow",
         "Action": "guardduty:CreateDetector",
         "Resource": "*"
      }
   ]
}" setAsDefault=True

36. Delete a policy version


Deletes the specified version from the specified managed policy. You cannot delete the default version from a policy using this API. To delete the default version from a policy, use DeletePolicy. To find out which version of a policy is marked as the default version, use ListPolicyVersions.

Base Command

aws-iam-delete-policy-version

Input
Argument Name Description Required
policyArn The Amazon Resource Name (ARN) of the IAM policy from which you want to delete a version. Required
versionId The policy version to delete. Required
roleArn The Amazon Resource Name (ARN) of the role to assume. Optional
roleSessionName An identifier for the assumed role session. Optional
roleSessionDuration The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. Optional

Context Output

There is no context output for this command.

Command Example
!aws-iam-delete-policy-version policyArn=arn:aws:iam::123456789:policy/test-policy versionId=v1

37. Get information for all versions of a policy


Lists information about the versions of the specified managed policy, including the version that is currently set as the policy's default version.

Base Command

aws-iam-list-policy-versions

Input
Argument Name Description Required
policyArn The Amazon Resource Name (ARN) of the IAM policy for which you want the versions. Required

Context Output
Path Type Description
AWS.IAM.Policies.Versions.Document string The policy document
AWS.IAM.Policies.Versions.VersionId string The identifier for the policy version
AWS.IAM.Policies.Versions.IsDefaultVersion boolean Specifies whether the policy version is set as the policy's default version
AWS.IAM.Policies.Versions.CreateDate date Date and time the policy version was created, in ISO 8601 date-time format

Command Example
!aws-iam-list-policy-versions policyArn=arn:aws:iam::123456789:policy/test-policy

38. Get information for a policy version


Retrieves information about the specified version of the specified managed policy, including the policy document.

Base Command

aws-iam-get-policy-version

Input
Argument Name Description Required
policyArn The Amazon Resource Name (ARN) of the managed policy that you want information about Required
versionId Identifies the policy version to retrieve Required
roleArn The Amazon Resource Name (ARN) of the role to assume. Optional
roleSessionName An identifier for the assumed role session Optional
roleSessionDuration The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. Optional

Context Output
Path Description
AWS.IAM.Policies.Versions.Document The policy document
AWS.IAM.Policies.Versions.VersionId The identifier for the policy version
AWS.IAM.Policies.Versions.IsDefaultVersion Specifies whether the policy version is set as the policy's default version
AWS.IAM.Policies.Versions.CreateDate Date and time the policy version was created, in ISO 8601 date-time format

Command Example
!aws-iam-get-policy-version policyArn=arn:aws:iam::123456789:policy/test-policy versionId=v3

39. Set a default (operative) policy version


Sets the specified version of the specified policy as the policy's default (operative) version. This operation affects all users, groups, and roles that the policy is attached to.

Base Command

aws-iam-set-default-policy-version

Input
Argument Name Description Required
policyArn The Amazon Resource Name (ARN) of the IAM policy whose default version you want to set Required
versionId The version of the policy to set as the default (operative) version Required
roleArn The Amazon Resource Name (ARN) of the role to assume Optional
roleSessionName An identifier for the assumed role session Optional
roleSessionDuration The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role Optional

Context Output

There is no context output for this command.

Command Example
!aws-iam-set-default-policy-version policyArn=arn:aws:iam::123456789:policy/test-policy versionId=v2

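The five-version limit, the rule that the default version cannot be deleted with aws-iam-delete-policy-version, and the rollback path through aws-iam-set-default-policy-version can be planned in one step. This is an added example, not code from the integration: plan_new_version is a hypothetical helper, <NEW_DOCUMENT> is a placeholder, and the version list is constructed in the shape of the AWS.IAM.Policies.Versions context output.

```python
from datetime import datetime

MAX_VERSIONS = 5  # limit stated in "Create a new version of a policy"
POLICY_ARN = "arn:aws:iam::123456789:policy/test-policy"  # ARN used on this page

# Constructed sample. v1 is both the oldest version and the default, the case
# that a plain "delete the oldest" rule gets wrong.
CONSTRUCTED_VERSIONS = [
    {"VersionId": "v3", "IsDefaultVersion": False, "CreateDate": "2018-06-03T09:00:00"},
    {"VersionId": "v1", "IsDefaultVersion": True, "CreateDate": "2018-06-01T09:00:00"},
    {"VersionId": "v5", "IsDefaultVersion": "False", "CreateDate": "2018-06-05T09:00:00"},
    {"VersionId": "v2", "IsDefaultVersion": False, "CreateDate": "2018-06-02T09:00:00"},
    {"VersionId": "v4", "IsDefaultVersion": False, "CreateDate": "2018-06-04T09:00:00"},
]


def is_default(version):
    # The context tables list IsDefaultVersion as boolean in one place and
    # string in another, so both forms are accepted.
    return str(version["IsDefaultVersion"]).lower() == "true"


def created(version):
    # fromisoformat() on older Python versions rejects a trailing "Z".
    return datetime.fromisoformat(version["CreateDate"].replace("Z", "+00:00"))


def plan_new_version(policy_arn, versions, set_as_default=True):
    """Return the ordered War Room commands for publishing a new policy version."""
    defaults = [v for v in versions if is_default(v)]
    if len(defaults) != 1:
        raise ValueError("expected exactly one default version")
    current = defaults[0]["VersionId"]
    plan = {"delete": None, "commands": [], "rollback": None}
    if len(versions) >= MAX_VERSIONS:
        # Free a slot by removing the oldest version that is not the default.
        candidates = sorted((v for v in versions if not is_default(v)), key=created)
        plan["delete"] = candidates[0]["VersionId"]
        plan["commands"].append(
            f"!aws-iam-delete-policy-version policyArn={policy_arn} "
            f"versionId={plan['delete']}")
    plan["commands"].append(
        f"!aws-iam-create-policy-version policyArn={policy_arn} "
        f"policyDocument=<NEW_DOCUMENT> setAsDefault={set_as_default}")
    if set_as_default:
        # The previous default is kept, so it stays available for a revert.
        plan["rollback"] = (
            f"!aws-iam-set-default-policy-version policyArn={policy_arn} "
            f"versionId={current}")
    return plan


if __name__ == "__main__":
    result = plan_new_version(POLICY_ARN, CONSTRUCTED_VERSIONS)
    for command in result["commands"]:
        print(command)
    print("rollback:", result["rollback"])
```
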
40. Create an account alias


Creates an alias for your AWS account.

Base Command

aws-iam-create-account-alias

Input
Argument Name Description Required
accountAlias The account alias to create Required
roleArn The Amazon Resource Name (ARN) of the role to assume Optional
roleSessionName An identifier for the assumed role session Optional
roleSessionDuration The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role Optional

Context Output

There is no context output for this command.

Command Example
!aws-iam-create-account-alias accountAlias=test-alias

41. Delete an account alias


Deletes the specified AWS account alias.

Base Command

aws-iam-delete-account-alias

Input
Argument Name Description Required
accountAlias The name of the account alias to delete Required
roleArn The Amazon Resource Name (ARN) of the role to assume Optional
roleSessionName An identifier for the assumed role session Optional
roleSessionDuration The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role Optional

Context Output

There is no context output for this command.

Command Example
!aws-iam-delete-account-alias accountAlias=demisto-test-alias