Bug - AmazonInspector2 requires elasticloadbalancing:DescribeTargetGroupAttributes action permission

0

We are using AmazonInspector2 and noticed the following API call in CloudTrail which resulted in a deny:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROA453PSMAZJ5WSYB4SU:MandoService-3390948485918408503",
        "arn": "arn:aws:sts::<censored>:assumed-role/AWSServiceRoleForAmazonInspector2/MandoService-3390948485918408503",
        "accountId": "<censored>",
        "accessKeyId": "<censored>",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROA453PSMAZJ5WSYB4SU",
                "arn": "arn:aws:iam::<censored>:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2",
                "accountId": "<censored>",
                "userName": "AWSServiceRoleForAmazonInspector2"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-07-20T23:52:49Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "inspector2.amazonaws.com"
    },
    "eventTime": "2023-07-20T23:52:50Z",
    "eventSource": "elasticloadbalancing.amazonaws.com",
    "eventName": "DescribeTargetGroupAttributes",
    "awsRegion": "eu-central-1",
    "sourceIPAddress": "inspector2.amazonaws.com",
    "userAgent": "inspector2.amazonaws.com",
    "errorCode": "AccessDenied",
    "errorMessage": "User: arn:aws:sts::<censored>:assumed-role/AWSServiceRoleForAmazonInspector2/MandoService-3390948485918408503 is not authorized to perform: elasticloadbalancing:DescribeTargetGroupAttributes because no identity-based policy allows the elasticloadbalancing:DescribeTargetGroupAttributes action",
    "requestParameters": null,
    "responseElements": null,
    "requestID": "64245e9f-ecf3-4921-92d2-e163fd6672ad",
    "eventID": "420a1a1f-0328-4a72-aa75-4c4d066db2ee",
    "readOnly": true,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "<censored>",
    "eventCategory": "Management"
}

I noticed that the action elasticloadbalancing:DescribeTargetGroupAttributes is not part of any IAM policy statement in the service-linked role AWSServiceRoleForAmazonInspector2. Since we cannot change the role that Amazon Inspector uses, we cannot add the missing action to the policy. That's why I am posting this here as a bug report.
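The CloudTrail record above is worth turning into a detection: an AccessDenied event whose caller is a service-linked role cannot be fixed by editing local IAM policy, so it belongs in a separate queue from ordinary permission denials. The following is an added Python example, not code from the post or from AWS; the sample records are constructed, 111122223333 is a placeholder account id, and the function names are the example's own.

```python
import re

# Fragment CloudTrail puts in errorMessage on AccessDenied: "... not authorized to perform: svc:Action ..."
_DENIED_ACTION = re.compile(r"not authorized to perform: ([a-z0-9-]+:[A-Za-z0-9]+)")

def is_service_linked_role(event):
    """True when the session issuer is a service-linked role (IAM path /aws-service-role/)."""
    issuer = event.get("userIdentity", {}).get("sessionContext", {}).get("sessionIssuer", {})
    return "/aws-service-role/" in issuer.get("arn", "")

def denied_action(event):
    """Return the 'service:Action' named in an AccessDenied errorMessage, else None."""
    if event.get("errorCode") != "AccessDenied":
        return None
    m = _DENIED_ACTION.search(event.get("errorMessage", ""))
    return m.group(1) if m else None

def find_slr_denials(records):
    """(invoking service, role name, denied action) for each AccessDenied event raised by a
    service-linked role; customers cannot edit those policies, so these are not fixable locally."""
    findings = []
    for ev in records:
        action = denied_action(ev)
        if action is None or not is_service_linked_role(ev):
            continue
        issuer = ev["userIdentity"]["sessionContext"]["sessionIssuer"]
        findings.append((ev["userIdentity"].get("invokedBy"), issuer.get("userName"), action))
    return findings

def _record(issuer_arn, user_name, invoked_by=None, error_code=None, error_msg=""):
    """Build a minimal CloudTrail-shaped record for the constructed sample set."""
    identity = {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {
        "type": "Role", "arn": issuer_arn, "userName": user_name}}}
    if invoked_by:
        identity["invokedBy"] = invoked_by
    rec = {"userIdentity": identity, "eventSource": "elasticloadbalancing.amazonaws.com",
           "eventName": "DescribeTargetGroupAttributes"}
    if error_code:
        rec.update(errorCode=error_code, errorMessage=error_msg)
    return rec

# Constructed sample records; 111122223333 is a placeholder account id.
SLR_ARN = "arn:aws:iam::111122223333:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2"
DENY_MSG = ("User: <role session> is not authorized to perform: elasticloadbalancing:DescribeTargetGroupAttributes "
            "because no identity-based policy allows the elasticloadbalancing:DescribeTargetGroupAttributes action")
SAMPLE_RECORDS = [
    _record(SLR_ARN, "AWSServiceRoleForAmazonInspector2", "inspector2.amazonaws.com", "AccessDenied", DENY_MSG),
    _record("arn:aws:iam::111122223333:role/DeployRole", "DeployRole", None, "AccessDenied", DENY_MSG),
    _record(SLR_ARN, "AWSServiceRoleForAmazonInspector2", "inspector2.amazonaws.com"),
]
```

Running `find_slr_denials(SAMPLE_RECORDS)` returns only the Inspector denial; the DeployRole denial is skipped because that policy is the account owner's to fix.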

3 Answers
1

Hi Didier, thanks for the answer.

We do not have the required support plan on our account that would allow the creation of a technical case to report the bug. That's why I am using other channels to create the report. I also posted it via the AWS console feedback tool, which I believe is not the 100% correct way either.

I posted here based on the answer in repost.aws/questions/QUtZd267f4SSuyBkfNxQY1Cw/bug-report#ANuUOvPOMIQJ2-EIs4BblSdg

answered 10 months ago
0

Hi,

Thanks for reporting this, but AWS service teams, like the one for Amazon Inspector, usually do not monitor re:Post for bug reports. They have to be opened in the AWS console of your account.

So, please, go to https://support.console.aws.amazon.com/support/home?region=us-west-2#/case/create to create a corresponding support case (adapt us-west-2 to your own region).

Best,

Didier

AWS EXPERT
answered 10 months ago
0

This is a pretty clear-cut case: Inspector does not let you create a custom role, and the role it creates is lacking permissions. Nothing a user can do can resolve this.

@Didier: this is still a bug on AWS's side as of today. I do not believe forcing paying users to pay for a support plan in order to report AWS bugs is good business practice.

Daniel
answered 9 months ago
