AWS - IAM
Use this integration to manage identity and access on the AWS platform.
We recommend that you use roles that have the following bulit-in AWS policies:
- IAMFullAccess
- IAMReadOnlyAccess
Prerequisites
It is important that you familiarize yourself with and complete all steps detailed in the Amazon AWS Integrations Configuration Guide .
Configure the AWS IAM Integration on Demisto
- Navigate to Settings > Integrations > Servers & Services .
- Search for AWS - IAM.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Role Arn
- Role Session Name
- Role Session Duration
- Click Test to validate the URLs and token.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Create a user: aws-iam-create-user
- Get user information: aws-iam-get-user
- Get a list of users: aws-iam-list-users
- Update user information: aws-iam-update-user
- Delete a user: aws-iam-delete-user
- Update a user's password: aws-iam-login-profile
- Create a group: aws-iam-create-group
- Get a list of groups: aws-iam-list-groups
- List all groups a user is part of: aws-iam-list-groups-for-user
- Add a user to a group: aws-iam-add-user-to-group
- Create an access key: aws-iam-create-access-key
- Update an access key: aws-iam-update-access-key
- List all access keys for a user: aws-iam-list-access-keys-for-user
- List all policies: aws-iam-list-policies
- List all roles: aws-iam-list-roles
- Attach a policy to an entity: aws-iam-attach-policy
- Detach a policy from an entity: aws-iam-detach-policy
- Delete a user's password: aws-iam-delete-login-profile
- Delete a group: aws-iam-delete-group
- Remove a user from a group: aws-iam-remove-user-from-group
- Create a password for a user: aws-iam-create-login-profile
- Delete an access key: aws-iam-delete-access-key
- Create an instance profile: aws-iam-create-instance-profile
- Delete an instance profile: aws-iam-delete-instance-profile
- List all instance profiles: aws-iam-list-instance-profiles
- Add a role to an instance profile: aws-iam-add-role-to-instance-profile
- Remove a role from an instance profile: aws-iam-remove-role-from-instance-profile
- List all instance profiles for a role: aws-iam-list-instance-profiles-for-role
- Get instance profile information: aws-iam-get-instance-profile
- Get role information: aws-iam-get-role
- Delete a role: aws-iam-delete-role
- Create a role: aws-iam-create-role
- Create a policy: aws-iam-create-policy
- Delete a policy: aws-iam-delete-policy
- Create a new version of a policy: aws-iam-create-policy-version
- Delete a version of a policy: aws-iam-delete-policy-version
- Get information for all versions of a policy: aws-iam-list-policy-versions
- Get information for a policy version: aws-iam-get-policy-version
- Set a default (operative) policy version: aws-iam-set-default-policy-version
- Create an account alias: aws-iam-create-account-alias
- Delete an account alias: aws-iam-delete-account-alias
1. Create a user
Creates a user in the Amazon IAM system.
Command Example
!aws-iam-create-user userName=Test path=/testusers/
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:CreateUser
Input
| Parameter | Description |
| userName | Name of the user to create |
| path | Path for the username. This parameter is optional. If it is not included in the command, it defaults to a forward slash (/). |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
| Path | Description |
| AWS.Route53.RecordSetsChange.Id | Request ID |
| AWS.Route53.RecordSetsChange.Status | Current state of the request. PENDING indicates that the request has not yet been applied to all Amazon Route 53 DNS servers. |
| AWS.Route53.RecordSetsChange.Comment | A complex type that describes change information about changes made to your hosted zone. |
Raw Output
{
"Arn":"arn:aws:iam::123456789:user/testusers/Test2",
"CreateDate":"2018-06-04T12:12:20",
"Path":"/testusers/",
"UserId":"AIDSECGFSTGLFJWJXSXMC",
"UserName":"Test2"
}
2. Get user information
Returns information about a user in the Amazon IAM system.
Command Example
!aws-iam-get-user userName=test
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:GetUser
Input
| Parameter | Description |
| userName | Name of the user to create |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
| Path | Description |
| AWS.IAM.Users.UserName | Friendly name to identify the user |
| AWS.IAM.Users.UserId | stable and unique string identifying the user |
| AWS.IAM.Users.Arn | Amazon Resource Name (ARN) that identifies the user |
| AWS.IAM.Users.CreateDate | Date and time when the user was created |
| AWS.IAM.Users.Path | Path to the user |
| AWS.IAM.Users.PasswordLastUsed | Date and time when the user's password was last used to sign in to an AWS website |
Raw Output
{
"Arn":"arn:aws:iam::123456789:user/testusers/Test",
"CreateDate":"2018-06-04T12:11:20",
"Path":"/testusers/",
"UserId":"AIDASDADJDHKMTAUTCUZRQH26",
"UserName":"Test"
}
3. Get a list of users
Returns a list of all users in the Amazon IAM system.
Command Example
!aws-iam-list-users
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:ListUsers
Input
| Parameter | Description |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
| Path | Description |
| AWS.IAM.Users.UserName | Friendly name to identify the user |
| AWS.IAM.Users.UserId | Stable and unique string identifying the user |
| AWS.IAM.Users.Arn | Amazon Resource Name (ARN) that identifies the user |
| AWS.IAM.Users.CreateDate | Date and time when the user was created |
| AWS.IAM.Users.Path | Path to the user |
Raw Output
[
{
"Arn":"arn:aws:iam::123456789:user/testusers/Test",
"CreateDate":"2018-06-04 12:11:20",
"Path":"/testusers/",
"UserId":"AIDASFDASFSAJDHKMTAUTCUZRQH26",
"UserName":"Test"
},
{
"Arn":"arn:aws:iam::123456789:user/testusers/Test2",
"CreateDate":"2018-06-04 12:12:20",
"Path":"/testusers/",
"UserId":"AIDAI3Z2WTADFADGAGLFJWJXSXMC",
"UserName":"Test2"
}
]
4. Update user information
Returns a list of all users in the Amazon IAM system.
Command Example
!aws-iam-update-user oldUserName=test newUserName=NewUserName34 newPath=/iamtest/
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:UpdateUser
Input
| Parameter | Description |
| oldUserName | Name of the user to update |
| newUserName | New name for the user. Include this parameter only if you are changing the user's name. |
| newPath | New path for the user. Include this parameter only if you are changing the user's path. |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
There is no context output for this command.
Raw Output
Changed UserName test To: NewUserName34
5. Delete a user
Deletes a user from the the Amazon IAM system.
Command Example
!aws-iam-delete-user userName=userName34
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:DeleteUser
Input
| Parameter | Description |
| userName | Name of the user to delete |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
There is no context output for this command.
Raw Output
The user userName34 has been deleted
6. Update a user's password
Update the password for a user in the the Amazon IAM system.
Command Example
!aws-iam-update-login-profile userName=userName34 newPassword=ArdVaEC@1#$F%g% passwordResetRequired=True raw-response=true
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:UpdateLoginProfile
Input
| Parameter | Description |
| userName | Name of the user you want to update the password for |
| newPassword | New password for the specified IAM user |
| passwordResetRequired | Specifies whether the user is required to set a new password on next sign in. |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
There is no context output for this command.
Raw Output
The password for user userName34 was changed.
7. Create a group
Creates a group in the Amazon IAM system.
Command Example
!aws-iam-create-group groupName=test path=/testgroups/
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:CreateGroup
Input
| Parameter | Description |
| groupName | Name of the group to create. Do not include the path in this value. |
| path | Path to the group |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
| Path | Description |
| AWS.IAM.Groups.GroupName | Friendly name to identify the group |
| AWS.IAM.Groups.GroupId | Stable and unique string identifying the group |
| AWS.IAM.Groups.Arn | Amazon Resource Name (ARN) that specifies the group |
| AWS.IAM.Groups.CreateDate | Date and time when the group was created |
| AWS.IAM.Groups.Path | Path to the group |
Raw Output
{
"Arn":"arn:aws:iam::123456789:group/testgroups/test",
"CreateDate":"2018-06-04T13:32:34",
"GroupId":"AGPAJH6IZW4TASFDUWDJVPQG",
"GroupName":"test",
"Path":"/testgroups/"
}
8. Get a list of groups
Returns a list of all groups in the Amazon IAM system.
Command Example
!aws-iam-list-groups
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:ListGroups
Input
| Parameter | Description |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
| Path | Description |
| AWS.IAM.Groups.GroupName | Friendly name to identify the group |
| AWS.IAM.Groups.GroupId | Stable and unique string identifying the group |
| AWS.IAM.Groups.Arn | Amazon Resource Name (ARN) that specifies the group |
| AWS.IAM.Groups.CreateDate | Date and time when the group was created |
| AWS.IAM.Groups.Path | Path to the group |
Raw Output
[
{
"Arn":"arn:aws:iam::123456789:group/Admins",
"CreateDate":"2017-11-01T08:32:39",
"GroupId":"AGPAJVFASADEZ5LCW",
"GroupName":"Admins",
"Path":"/"
},
{
"Arn":"arn:aws:iam::123456789:group/Developers",
"CreateDate":"2017-11-01T08:33:22",
"GroupId":"AGPAI2DADAD3V4XGPRNRCVZYCG",
"GroupName":"Developers",
"Path":"/"
},
{
"Arn":"arn:aws:iam::123456789:group/testgroups/test",
"CreateDate":"2018-06-04T13:32:34",
"GroupId":"AGPAJH6IZWADFASD4TDUWDJVPQG",
"GroupName":"test",
"Path":"/testgroups/"
}
]
9. List all groups a user is part of
Returns a list of all groups that a specified user is part of in the Amazon IAM system.
Command Example
!aws-iam-list-groups-for-user userName=test
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:ListGroupsForUser
Input
| Parameter | Description |
| userName | Name of the user to list groups for |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
| Path | Description |
| AWS.IAM.Groups.GroupName | Friendly name to identify the group |
| AWS.IAM.Groups.GroupId | Stable and unique string identifying the group |
| AWS.IAM.Groups.Arn | Amazon Resource Name (ARN) that specifies the group |
| AWS.IAM.Groups.CreateDate | Date and time when the group was created |
| AWS.IAM.Groups.Path | Path to the group |
Raw Output
[
{
"Arn":"arn:aws:iam::123456789:group/testgroups/test",
"CreateDate":"2018-06-04T13:32:34",
"GroupId":"AGPAJH6IZSAFW4TDUWDJVPQG",
"GroupName":"test",
"Path":"/testgroups/",
"UserName":"test"
}
]
10. Add a user to a group
Adds an IAM user to a group in the Amazon IAM system.
Command Example
!aws-iam-add-user-to-group userName=userName34 groupName=test
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:AddUserToGroup
Input
| Parameter | Description |
| userName | Name of the user to add to a group |
| groupName | Name of the group to add the user to |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
There is no context output for this command.
Raw Output
The user userName34 was added to the IAM group: test.
11. Create an access key
Creates an access key for an IAM user in the Amazon IAM system.
Command Example
!aws-iam-create-access-key userName=userName34
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:CreateAccessKey
Input
| Parameter | Description |
| userName | Name of the user the key is created for |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
| Path | Description |
| AWS.IAM.Users.AccessKeys.AccessKeyId | ID for this access key |
| AWS.IAM.Users.AccessKeys.SecretAccessKey | Secret key used to sign requests |
| AWS.IAM.Users.AccessKeys.Status | Status of the access key. Active means that the key is valid for API calls, Inactive means it is not valid for API calls. |
| AWS.IAM.Users.AccessKeys.CreateDate | Access key creation date |
Raw Output
{
"AccessKeyId":"AKIASADI6QUYJTFBVHEC5WA",
"CreateDate":"2018-06-05T06:19:00",
"SecretAccessKey":"Yj2WWHtipDADADDgZoU7Bvl",
"Status":"Active",
"UserName":"userName34"
}
12. Update an access key
Changes the status of an access key for an IAM user in the Amazon IAM system.
Command Example
!aws-iam-update-access-key userName=test accessKeyId=AKIAJSFAUQ7EDFPN7Y2D2A status=Inactive
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:UpdateAccessKey
Input
| Parameter | Description |
| userName | Name of the user you want to update the access key for |
| accessKeyId | ID of the access key you want to update |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
There is no context output for this command.
Raw Output
Access Key with ID AKIAJUQASDAF7E7X5PY2D2A was set to status: Inactive.
13. List all access keys for a user
Lists all access keys for an IAM user in the Amazon IAM system.
Command Example
!aws-iam-list-access-keys-for-user userName=userName34
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:ListAccessKeys
Input
| Parameter | Description |
| userName | Name of the user you want to list all keys for |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
| Path | Description |
| AWS.IAM.Users.AccessKeys.AccessKeyId | ID for this access key |
| AWS.IAM.Users.AccessKeys.Status | Status of the access key. Active means that the key is valid for API calls, Inactive means it is not valid for API calls. |
| AWS.IAM.Users.AccessKeys.CreateDate | Access key creation date |
| AWS.IAM.Users.AccessKeys.UserName | Name of the IAM user that the key is associated with |
Raw Output
[
{
"AccessKeyId":"AKISFX5PN7Y2D2A",
"CreateDate":"2018-06-05T06:19:44",
"Status":"Inactive",
"UserName":"userName34"
},
{
"AccessKeyId":"AKIAI6SFAQUYJTFBVHEC5WA",
"CreateDate":"2018-06-05T06:19:00",
"Status":"Active",
"UserName":"userName34"
}
]
14. List all policies
Lists all policies, either AWS managed policies or locally managed policies.
Command Example
!aws-iam-list-policies scope=AWS onlyAttached=True
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:ListPolicies
Input
| Parameter | Description |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
| Path | Description |
| AWS.IAM.Policies.PolicyName | Friendly name identifying the policy (not the ARN) |
| AWS.IAM.Policies.PolicyId | Stable and unique string identifying the policy |
| AWS.IAM.Policies.Arn | Amazon Resource Name (ARN) |
| AWS.IAM.Policies.Path | Path to the policy. |
| AWS.IAM.Policies.DefaultVersionId | Identifier for the version of the policy that is set as the default version |
| AWS.IAM.Policies.IsAttachable | Specifies whether the policy can be attached to an IAM user, group, or role |
| AWS.IAM.Policies.CreateDate | Policy creation date |
| AWS.IAM.Policies.UpdateDate | Date policy was last updated |
| AWS.IAM.Policies.AttachmentCount | Number of entities (users, groups, and roles) that the policy is attached to |
Raw Output
[
{
"Arn":"arn:aws:iam::aws:policy/AmazonEC2FullAccess",
"AttachmentCount":1,
"CreateDate":"2015-02-06T18:40:15",
"DefaultVersionId":"v4",
"IsAttachable":true,
"Path":"/",
"PolicyId":"ANPAI3VAJF5ZCRZ7MCQE6",
"PolicyName":"AmazonEC2FullAccess",
"UpdateDate":"2018-02-08T18:11:24"
},
{
"Arn":"arn:aws:iam::aws:policy/AmazonSQSFullAccess",
"AttachmentCount":1,
"CreateDate":"2015-02-06T18:41:07",
"DefaultVersionId":"v1",
"IsAttachable":true,
"Path":"/",
"PolicyId":"ANPAI65L554VRJ33ECQS6",
"PolicyName":"AmazonSQSFullAccess",
"UpdateDate":"2015-02-06T18:41:07"
}
]
15. List all roles
Lists all roles in the Amazon IAM system.
Command Example
!aws-iam-list-roles
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:ListRoles
Input
| Parameter | Description |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
| Path | Description |
| AWS.IAM.Roles.RoleName | Friendly name that identifies the role |
| AWS.IAM.Roles.RoleId | Stable and unique string identifying the role |
| AWS.IAM.Roles.Arn | Amazon Resource Name (ARN) specifying the role |
| AWS.IAM.Roles.CreateDate | Date and time the role was created |
| AWS.IAM.Roles.Path | Path to the role |
| AWS.IAM.Roles.AssumeRolePolicyDocument | Policy that grants an entity permission to assume the role |
| AWS.IAM.Roles.Description | Description of the role that you provide |
| AWS.IAM.Roles.MaxSessionDuration | The maximum session duration (in seconds) for the specified role. Anyone who uses the AWS CLI or API to assume the role can specify the duration using the optional DurationSeconds API parameter or duration-seconds CLI parameter. |
Raw Output
[
{
"Arn":"arn:aws:iam::123456789:role/AdminAccess",
"CreateDate":"2018-05-11T11:27:02",
"Path":"/",
"RoleId":"AROAIASM66GZ3IZaDY645EFQ",
"RoleName":"AdminAccess"
},
{
"Arn":"arn:aws:iam::123456789:role/service-role/AMI_Info",
"CreateDate":"2018-04-22T19:14:14",
"Path":"/service-role/",
"RoleId":"AROAADIECFBPADNVAAS2ADKTHG4",
"RoleName":"AMI_Info"
}
]
16. Attach a policy to an entity
Attach a policy to an entity in the Amazon IAM system.
Command Example
!aws-iam-attach-policy type=User entityName=userName34 policyArn=arn:aws:iam::aws:policy/AmazonSQSFullAccess
AWS IAM Policy Permission
Effect:
Allow
Actions:
iam:AttachGroupPolicy
,
iam:AttachRolePolicy
,
iam:AttachUserPolicy
Input
| Parameter | Description |
| type | IAM entity type |
| entityName | Friendly name of the IAM entity to attach the policy to (not the ARN) |
| policyArn | Amazon Resource Name (ARN) of the IAM policy you want to attach |
Context Output
There is no context output for this command.
Raw Output
Policy was attached to User: userName34
17. Detach a policy from an entity
Detaches a policy from an IAM entity in the Amazon IAM system.
Command Example
!aws-iam-detach-policy type=User entityName=userName34 policyArn=arn:aws:iam::aws:policy/AmazonSQSFullAccess
AWS IAM Policy Permission
Effect:
Allow
Actions:
iam:DetachGroupPolicy
,
iam:DetachRolePolicy
,
iam:DetachUserPolicy
Input
| Parameter | Description |
| type | IAM entity type |
| entityName | Friendly name of the IAM entity to detach the policy from (not ARN) |
| policyArn | Amazon Resource Name (ARN) of the policy to detach |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
There is no context output for this command.
Raw Output
Policy was detached from User: userName34
18. Delete a user's password
Delete the password of an IAM entity in the Amazon IAM system.
Command Example
!aws-iam-delete-login-profile userName=userName34
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:DeleteLoginProfile
Input
| Parameter | Description |
| userName | Name of the user you want to delete the password for |
| policyArn | Amazon Resource Name (ARN) of the policy to detach |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
There is no context output for this command.
Raw Output
The user userName34 login profile has been deleted.
19. Delete a group
Delete a group from the Amazon IAM system.
Command Example
!aws-iam-delete-group groupName=Group123
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:DeleteGroup
Input
| Parameter | Description |
| groupName | Name of the IAM group to delete |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
There is no context output for this command.
Raw Output
The group Group123 has been deleted.
20. Remove a user from a group
Remove a user from a group in the Amazon IAM system.
Command Example
!aws-iam-remove-user-from-group userName=userName34 groupName=Group123
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:RemoveUserFromGroup
Input
| Parameter | Description |
| userName | Name of the user to remove from a group |
| groupName | Name of the IAM group to update (remove the user from) |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
There is no context output for this command.
Raw Output
The user userName34 has been removed from group Group123.
21. Create a password for a user
Create a password for an IAM user in the Amazon IAM system.
Command Example
!aws-iam-create-login-profile userName=userName34 password=Avd#sdf$12VB6*cvg passwordResetRequired=True
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:CreateLoginProfile
Input
| Parameter | Description |
| userName | Name of the user to remove from a group |
| password | New password for the IAM user |
| passwordResetRequired | Specifies whether the user is required to set a new password on next sign in. |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
There is no context output for this command.
Raw Output
Login profile was created for user userName34.
22. Delete an access key
Create a password for an IAM user in the Amazon IAM system.
Command Example
!aws-iam-delete-access-key userName=userName34 AccessKeyId=AKIAJUAKDJQ7E7X5PADN7Y2D2A
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:DeleteAccessKey
Input
| Parameter | Description |
| userName | Name of the user to remove from a group |
| AccessKeyId | Access key ID for the access key to delete |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
There is no context output for this command.
Raw Output
The Access Key was deleted.
23. Create an instance profile
Creates an instance profile in the Amazon IAM system.
Command Example
!aws-iam-create-instance-profile instanceProfileName=testprofile path=/test/
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:CreateInstanceProfile
Input
| Parameter | Description |
| instanceProfileName | Name of the instance profile to create |
| path | Path to the instance profile |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
| Path | Description |
| AWS.IAM.InstanceProfiles.Path | Path to the instance profile |
| AWS.IAM.InstanceProfiles.InstanceProfileName | Name identifying the instance profile |
| AWS.IAM.InstanceProfiles.InstanceProfileId | Stable and unique string identifying the instance profile |
| AWS.IAM.InstanceProfiles.Arn | Amazon Resource Name (ARN) specifying the instance profile |
| AWS.IAM.InstanceProfiles.CreateDate | Instance profile creation date |
Raw Output
{
"Arn":"arn:aws:iam::123456789:instance-profile/test/testprofile",
"CreateDate":"2018-06-05T07:30:15",
"InstanceProfileId":"/test/",
"InstanceProfileName":"testprofile",
"Path":"/test/"
}
24. Delete an instance profile
Deletes an instance profile from the Amazon IAM system.
Command Example
!aws-iam-delete-instance-profile instanceProfileName=testprofile
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:DeleteInstanceProfile
Input
| Parameter | Description |
| instanceProfileName | Name of the instance profile to delete |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
There is no context output for this command.
Raw Output
The InstanceProfile: testprofile was deleted.
25. List all instance profiles
Lists all instance profile in the Amazon IAM system.
Command Example
!aws-iam-list-instance-profiles
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:ListInstanceProfiles
Input
| Parameter | Description |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
| Path | Description |
| AWS.IAM.InstanceProfiles.Path | Path to the instance profile |
| AWS.IAM.InstanceProfiles.InstanceProfileName | Name identifying the instance profile |
| AWS.IAM.InstanceProfiles.InstanceProfileId | Stable and unique string identifying the instance profile |
| AWS.IAM.InstanceProfiles.Arn | Amazon Resource Name (ARN) specifying the instance profile |
| AWS.IAM.InstanceProfiles.CreateDate | Instance profile creation date |
| AWS.IAM.InstanceProfiles.Roles.Path | Path to the role |
| AWS.IAM.InstanceProfiles.Roles.RoleName | Friendly name that identifies the role |
| AWS.IAM.InstanceProfiles.Roles.RoleId | Stable and unique string identifying the role |
| AWS.IAM.InstanceProfiles.Roles.Arn | Amazon Resource Name (ARN) specifying the role |
| AWS.IAM.InstanceProfiles.Roles.CreateDate | Role creation date and time |
| AWS.IAM.InstanceProfiles.Roles.AssumeRolePolicyDocument | Policy that grants an entity permission to assume the role |
| AWS.IAM.InstanceProfiles.Roles.Description | Description of the role |
| AWS.IAM.InstanceProfiles.Roles.MaxSessionDuration | Maximum session duration (in seconds) for the specified role |
Raw Output
[
{
"Arn":"arn:aws:iam::123456789:instance-profile/EC2ReadOnly",
"CreateDate":"2018-05-11T11:27:55",
"InstanceProfileId":"AIPAAFDFAJ5JLPIFSAFJC6VF6RX5Y",
"InstanceProfileName":"EC2ReadOnly",
"Path":"/",
"RoleArn":"arn:aws:iam::123456789:role/EC2ReadOnly",
"RoleId":"AR234OAIMZD2SAFWAKKUZK2QMR6",
"RoleName":"EC2ReadOnly"
},
{
"Arn":"arn:aws:iam::123456789:instance-profile/SystemsManagerEC2Role",
"CreateDate":"2018-05-01T14:35:28",
"InstanceProfileId":"AIPSAFAJN4P5VISFaPFZETEOXOE",
"InstanceProfileName":"SystemsManagerEC2Role",
"Path":"/",
"RoleArn":"arn:aws:iam::123456789:role/SystemsManagerEC2Role",
"RoleId":"AROAJDLFEISFAZK5MP4DSDFYVE4",
"RoleName":"SystemsManagerEC2Role"
}
]
26. Add a role to an instance profile
Adds a role to an instance profile in the Amazon IAM system.
Command Example
!aws-iam-add-role-to-instance-profile instanceProfileName=testprofile roleName=EC2ReadOnly
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:AddRoleToInstanceProfile
Input
| Parameter | Description |
| instanceProfileName | Name of the instance profile to update |
| roleName | Name of the role to add |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
| Path | Description |
| AWS.IAM.InstanceProfiles.Path | Path to the instance profile |
| AWS.IAM.InstanceProfiles.InstanceProfileName | Name identifying the instance profile |
| AWS.IAM.InstanceProfiles.InstanceProfileId | Stable and unique string identifying the instance profile |
| AWS.IAM.InstanceProfiles.Arn | Amazon Resource Name (ARN) specifying the instance profile |
| AWS.IAM.InstanceProfiles.CreateDate | Instance profile creation date |
| AWS.IAM.InstanceProfiles.Roles.Path | Path to the role |
| AWS.IAM.InstanceProfiles.Roles.RoleName | Friendly name that identifies the role |
| AWS.IAM.InstanceProfiles.Roles.RoleId | Stable and unique string identifying the role |
| AWS.IAM.InstanceProfiles.Roles.Arn | Amazon Resource Name (ARN) specifying the role |
| AWS.IAM.InstanceProfiles.Roles.CreateDate | Role creation date and time |
| AWS.IAM.InstanceProfiles.Roles.AssumeRolePolicyDocument | Policy that grants an entity permission to assume the role |
| AWS.IAM.InstanceProfiles.Roles.Description | Description of the role |
| AWS.IAM.InstanceProfiles.Roles.MaxSessionDuration | Maximum session duration (in seconds) for the specified role |
Raw Output
The Role: EC2ReadOnly was added to the Instance Profile: testprofile
27. Remove a role from an instance profile
Adds a role to an instance profile in the Amazon IAM system.
Command Example
!aws-iam-remove-role-from-instance-profile instanceProfileName=testprofile roleName=EC2ReadOnly
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:RemoveRoleFromInstanceProfile
Input
| Parameter | Description |
| instanceProfileName | Name of the instance profile to update |
| roleName | Name of the role to remove |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
There is no context output for this command.
Raw Output
The Role: EC2ReadOnly was added to the Instance Profile: testprofile
28. List all instance profiles for a role
Lists all instance profile in the Amazon IAM system.
Command Example
!aws-iam-list-instance-profiles-for-role roleName=EC2ReadOnly
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:ListInstanceProfilesForRole
Input
| Parameter | Description |
| roleName | Name of the role to list instance profiles for |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
| Path | Description |
| AWS.IAM.InstanceProfiles.Path | Path to the instance profile |
| AWS.IAM.InstanceProfiles.InstanceProfileName | Name identifying the instance profile |
| AWS.IAM.InstanceProfiles.InstanceProfileId | Stable and unique string identifying the instance profile |
| AWS.IAM.InstanceProfiles.Arn | Amazon Resource Name (ARN) specifying the instance profile |
| AWS.IAM.InstanceProfiles.CreateDate | Instance profile creation date |
| AWS.IAM.InstanceProfiles.Roles.Path | Path to the role |
| AWS.IAM.InstanceProfiles.Roles.RoleName | Friendly name that identifies the role |
| AWS.IAM.InstanceProfiles.Roles.RoleId | Stable and unique string identifying the role |
| AWS.IAM.InstanceProfiles.Roles.Arn | Amazon Resource Name (ARN) specifying the role |
| AWS.IAM.InstanceProfiles.Roles.CreateDate | Role creation date and time |
| AWS.IAM.InstanceProfiles.Roles.AssumeRolePolicyDocument | Policy that grants an entity permission to assume the role |
| AWS.IAM.InstanceProfiles.Roles.Description | Description of the role |
| AWS.IAM.InstanceProfiles.Roles.MaxSessionDuration | Maximum session duration (in seconds) for the specified role |
Raw Output
[
{
"Arn":"arn:aws:iam::123456789:instance-profile/EC2ReadOnly",
"CreateDate":"2018-05-11T11:27:55",
"InstanceProfileId":"AIPAJAF5JLPIFDSAFJC6VF6RX5Y",
"InstanceProfileName":"EC2ReadOnly",
"Path":"/"
},
{
"Arn":"arn:aws:iam::123456789:instance-profile/test/testprofile",
"CreateDate":"2018-06-05T07:35:28",
"InstanceProfileId":"AIPAJRSDFQMQHSDF5CVUZSGMV76",
"InstanceProfileName":"testprofile",
"Path":"/test/"
}
]
29. Get instance profile information
Returns profile information for an instance in the Amazon IAM system.
Command Example
!aws-iam-get-instance-profile instanceProfileName=testprofile
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:GetInstanceProfile
Input
| Parameter | Description |
| instanceProfileName | Name of the role to list instance profiles for |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
| Path | Description |
| AWS.IAM.InstanceProfiles.Path | Path to the instance profile |
| AWS.IAM.InstanceProfiles.InstanceProfileName | Name identifying the instance profile |
| AWS.IAM.InstanceProfiles.InstanceProfileId | Stable and unique string identifying the instance profile |
| AWS.IAM.InstanceProfiles.Arn | Amazon Resource Name (ARN) specifying the instance profile |
| AWS.IAM.InstanceProfiles.CreateDate | Instance profile creation date |
| AWS.IAM.InstanceProfiles.Roles.Path | Path to the role |
| AWS.IAM.InstanceProfiles.Roles.RoleName | Friendly name that identifies the role |
| AWS.IAM.InstanceProfiles.Roles.RoleId | Stable and unique string identifying the role |
| AWS.IAM.InstanceProfiles.Roles.Arn | Amazon Resource Name (ARN) specifying the role |
| AWS.IAM.InstanceProfiles.Roles.CreateDate | Role creation date and time |
| AWS.IAM.InstanceProfiles.Roles.AssumeRolePolicyDocument | Policy that grants an entity permission to assume the role |
| AWS.IAM.InstanceProfiles.Roles.Description | Description of the role |
| AWS.IAM.InstanceProfiles.Roles.MaxSessionDuration | Maximum session duration (in seconds) for the specified role |
Raw Output
{
"Arn":"arn:aws:iam::123456789:instance-profile/test/testprofile",
"CreateDate":"2018-06-05T07:35:28",
"InstanceProfileId":"AIPAJRASDFQMQH5ASFCVUZSGMV76",
"InstanceProfileName":"testprofile",
"Path":"/test/",
"RoleArn":"arn:aws:iam::123456789:role/EC2ReadOnly",
"RoleId":"AROAASFIMZD2WAKSAFKUZK2QMR6",
"RoleName":"EC2ReadOnly"
}
30. Get role information
Returns information for a role in the Amazon IAM system.
Command Example
!aws-iam-get-role roleName=ec2readonly
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:GetRole
Input
| Parameter | Description |
| roleName | Name of the role to return information for |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
| Path | Description |
| AWS.IAM.InstanceProfiles.Roles.Path | Path to the role |
| AWS.IAM.InstanceProfiles.Roles.RoleName | Friendly name that identifies the role |
| AWS.IAM.InstanceProfiles.Roles.RoleId | Stable and unique string identifying the role |
| AWS.IAM.InstanceProfiles.Roles.Arn | Amazon Resource Name (ARN) specifying the role |
| AWS.IAM.InstanceProfiles.Roles.CreateDate | Role creation date and time |
| AWS.IAM.InstanceProfiles.Roles.AssumeRolePolicyDocument | Policy that grants an entity permission to assume the role |
| AWS.IAM.InstanceProfiles.Roles.Description | Description of the role |
| AWS.IAM.InstanceProfiles.Roles.MaxSessionDuration | Maximum session duration (in seconds) for the specified role |
Raw Output
{
"Arn":"arn:aws:iam::123456789:role/EC2ReadOnly",
"CreateDate":"2018-05-11T11:27:55",
"Path":"/",
"RoleId":"AROAISAFMZD2WAKKUSFZK2QMR6",
"RoleName":"EC2ReadOnly"
}
31. Delete a role
Returns information for a role in the Amazon IAM system.
Command Example
!aws-iam-delete-role roleName=test-role
AWS IAM Policy Permission
Effect:
Allow
Action:
iam:DeleteRole
Input
| Parameter | Description |
| roleName | Name of the role to delete |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
There is no context output for this command.
Raw Output
The Role: test-role was deleted.
32. Create a role
Create a role in the Amazon IAM system.
Command Example
!aws-iam-create-role roleName=testrole assumeRolePolicyDocument="{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}" description="a test role"AWS IAM Policy Permission
Effect:
Allow
Action:
iam:CreateRole
Input
| Parameter | Description |
| roleName | Name of the role to create |
| assumeRolePolicyDocumentName | Trust relationship policy document that grants an entity permission to assume the role |
| path | Path to the role |
| description | Description of the role |
| maxSessionDuration | The maximum session duration (in hours) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum is one hour. Valid parameter values: 1 hour to 12 hours. |
| roleArn | Amazon Resource Name (ARN) of the role to assume |
| roleSessionName | Identifier for the assumed role session |
| roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
| Path | Description |
| AWS.IAM.InstanceProfiles.Roles.Path | Path to the role |
| AWS.IAM.InstanceProfiles.Roles.RoleName | Friendly name that identifies the role |
| AWS.IAM.InstanceProfiles.Roles.RoleId | Stable and unique string identifying the role |
| AWS.IAM.InstanceProfiles.Roles.Arn | Amazon Resource Name (ARN) specifying the role |
| AWS.IAM.InstanceProfiles.Roles.CreateDate | Role creation date and time |
| AWS.IAM.InstanceProfiles.Roles.AssumeRolePolicyDocument | Policy that grants an entity permission to assume the role |
| AWS.IAM.InstanceProfiles.Roles.Description | Description of the role |
| AWS.IAM.InstanceProfiles.Roles.MaxSessionDuration | Maximum session duration (in seconds) for the specified role |
Raw Output
{
"Arn":"arn:aws:iam::123456789:role/test-role",
"Path":"/",
"RoleId":"ARsdOAJGHGQNWTADXZ2TT3DKY",
"RoleName":"test-role"
}
33. Create a policy
Creates a new managed policy for your AWS account. This operation creates a policy version with a version identifier of v1 and sets v1 as the policy's default version.
Base Command
aws-iam-create-policy
Input
| Argument Name | Description | Required |
|---|---|---|
| policyName | The friendly name of the policy. | Required |
| policyDocument | The JSON policy document that you want to use as the content for the new policy. | Required |
| path | The path for the policy. | Optional |
| description | A friendly description of the policy. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| AWS.IAM.Policies.PolicyName | string | The friendly name (not ARN) identifying the policy. |
| AWS.IAM.Policies.PolicyId | string | The stable and unique string identifying the policy. |
| AWS.IAM.Policies.Arn | string | The Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources. |
| AWS.IAM.Policies.Path | string | The path to the policy. |
| AWS.IAM.Policies.DefaultVersionId | string | The identifier for the version of the policy that is set as the default version. |
| AWS.IAM.Policies.AttachmentCount | number | The number of entities (users, groups, and roles) that the policy is attached to. |
| AWS.IAM.Policies.PermissionsBoundaryUsageCount | number | The number of entities (users and roles) for which the policy is used to set the permissions boundary. |
| AWS.IAM.Policies.IsAttachable | boolean | Specifies whether the policy can be attached to an IAM user, group, or role. |
| AWS.IAM.Policies.Description | string | A friendly description of the policy. |
| AWS.IAM.Policies.CreateDate | date | Date and time the policy was created, in ISO 8601 date-time format |
| AWS.IAM.Policies.UpdateDate | date | Date and time the policy was updated, in ISO 8601 date-time format |
Command Example
!aws-iam-create-policy policyName=test-policy policyDocument="{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "guardduty:CreateIPSet",
"Resource": "arn:aws:guardduty:::detector/"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "guardduty:CreateDetector",
"Resource": ""
}
]
}"
Context Example
Human Readable Output
34. Delete a policy
Deletes the specified managed policy. Before you can delete a managed policy, you must first detach the policy from all users, groups, and roles that it is attached to. In addition you must delete all the policy's versions.
Base Command
aws-iam-delete-policy
Input
| Argument Name | Description | Required |
|---|---|---|
| policyArn | The Amazon Resource Name (ARN) of the IAM policy you want to delete. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
Context Output
There is no context output for this command.
Command Example
!aws-iam-delete-policy policyArn=arn:aws:iam::123456789:policy/test-policy
Human Readable Output
35. Create a new version of a policy
Creates a new version of the specified managed policy. To update a managed policy, you create a new policy version. A managed policy can have up to five versions. If the policy has five versions, you must delete an existing version using DeletePolicyVersion before you create a new version. Optionally, you can set the new version as the policy's default version. The default version is the version that is in effect for the IAM users, groups, and roles to which the policy is attached.
Base Command
aws-iam-create-policy-version
Input
| Argument Name | Description | Required |
|---|---|---|
| policyArn | The Amazon Resource Name (ARN) of the IAM policy to which you want to add a new version. | Required |
| policyDocument | The JSON policy document that you want to use as the content for this new version of the policy. | Required |
| setAsDefault | Specifies whether to set this version as the policy's default version. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| AWS.IAM.Policies.Versions.Document | string | The policy document. |
| AWS.IAM.Policies.Versions.VersionId | string | The identifier for the policy version. |
| AWS.IAM.Policies.Versions.IsDefaultVersion | string | The identifier for the policy version. |
| AWS.IAM.Policies.Versions.CreateDate | string | Date and time the policy version was created, in ISO 8601 date-time format |
Command Example
!aws-iam-create-policy-version policyArn=arn:aws:iam::123456789:policy/test-policy policyDocument="{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "guardduty:CreateIPSet",
"Resource": "arn:aws:guardduty:::detector/"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "guardduty:CreateDetector",
"Resource": ""
}
]
}" setAsDefault=True
Context Example
Human Readable Output
36. Delete a policy version
Deletes the specified version from the specified managed policy. You cannot delete the default version from a policy using this API. To delete the default version from a policy, use DeletePolicy . To find out which version of a policy is marked as the default version, use ListPolicyVersions .
Base Command
aws-iam-delete-policy-version
Input
| Argument Name | Description | Required |
|---|---|---|
| policyArn | The Amazon Resource Name (ARN) of the IAM policy from which you want to delete a version. | Required |
| versionId | The policy version to delete. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
Context Output
There is no context output for this command.
Command Example
!aws-iam-delete-policy-version policyArn=arn:aws:iam::123456789:policy/test-policy versionId=v1
Human Readable Output
37. Get information for all versions of a policy
Lists information about the versions of the specified managed policy, including the version that is currently set as the policy's default version.
Base Command
aws-iam-list-policy-versions
Input
| Argument Name | Description | Required |
|---|---|---|
| policyArn | The Amazon Resource Name (ARN) of the IAM policy for which you want the versions. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| AWS.IAM.Policies.Versions.Document | string | The policy document |
| AWS.IAM.Policies.Versions.VersionId | string | The identifier for the policy version |
| AWS.IAM.Policies.Versions.IsDefaultVersion | boolean | Specifies whether the policy version is set as the policy's default version |
| AWS.IAM.Policies.Versions.CreateDate | date | Date and time the policy version was created, in ISO 8601 date-time format |
Command Example
!aws-iam-list-policy-versions policyArn=arn:aws:iam::123456789:policy/test-policy
Context Example
Human Readable Output
38. Get information for a policy version
Retrieves information about the specified version of the specified managed policy, including the policy document.
Base Command
aws-iam-get-policy-version
Input
| Argument Name | Description | Required |
|---|---|---|
| policyArn | The Amazon Resource Name (ARN) of the managed policy that you want information about | Required |
| versionId | Identifies the policy version to retrieve | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
Context Output
| Path | Description |
|---|---|
| AWS.IAM.Policies.Versions.Document | The policy document |
| AWS.IAM.Policies.Versions.VersionId | The identifier for the policy version |
| AWS.IAM.Policies.Versions.IsDefaultVersion | Specifies whether the policy version is set as the policy's default version |
| AWS.IAM.Policies.Versions.CreateDate | Date and time the policy version was created, in ISO 8601 date-time format |
Command Example
!aws-iam-get-policy-version policyArn=arn:aws:iam::123456789:policy/test-policy versionId=v3
Context Example
Human Readable Output
39. Set a default (operative) policy version
Sets the specified version of the specified policy as the policy's default (operative) version. This operation affects all users, groups, and roles that the policy is attached to.
Base Command
aws-iam-set-default-policy-version
Input
| Argument Name | Description | Required |
|---|---|---|
| policyArn | The Amazon Resource Name (ARN) of the IAM policy whose default version you want to set | Required |
| versionId | The version of the policy to set as the default (operative) version | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume | Optional |
| roleSessionName | An identifier for the assumed role session | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role | Optional |
Context Output
There is no context output for this command.
Command Example
!aws-iam-set-default-policy-version policyArn=arn:aws:iam::123456789:policy/test-policy versionId=v2
Human Readable Output
40. Create an account alias
Creates an alias for your AWS account.
Base Command
aws-iam-create-account-alias
Input
| Argument Name | Description | Required |
|---|---|---|
| accountAlias | The account alias to create | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume | Optional |
| roleSessionName | An identifier for the assumed role session | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role | Optional |
Context Output
There is no context output for this command.
Command Example
!aws-iam-create-account-alias accountAlias=test-alias
Human Readable Output
41. Delete an account alias
Deletes the specified AWS account alias.
Base Command
aws-iam-delete-account-alias
Input
| Argument Name | Description | Required |
|---|---|---|
| accountAlias | The name of the account alias to delete | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume | Optional |
| roleSessionName | An identifier for the assumed role session | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role | Optional |
Context Output
There is no context output for this command.
Command Example
!aws-iam-delete-account-alias accountAlias=demisto-test-alias
Human Readable Output
