Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

DescribeFrameworkByUUID permission missing on service-linked role AWSServiceRoleForBackupReports

0

This is causing CloudTrail to log many access denied attempts, triggering an alarm:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "xxxxxxxxxxxxxxxxxxx:StorageDescribeFrameworkUUID",
        "arn": "arn:aws:sts::xxxxxxxxxxxxxxxxxxx:assumed-role/AWSServiceRoleForBackupReports/StorageDescribeFrameworkUUID",
        "accountId": "xxxxxxxxxxxxxxxxxxx",
        "accessKeyId": "xxxxxxxxxxxxxxxxxxx",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "xxxxxxxxxxxxxxxxxxx",
                "arn": "arn:aws:iam::xxxxxxxxxxxxxxxxxxx:role/aws-service-role/reports.backup.amazonaws.com/AWSServiceRoleForBackupReports",
                "accountId": "xxxxxxxxxxxxxxxxxxx",
                "userName": "AWSServiceRoleForBackupReports"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2022-09-28T08:56:37Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "reports.backup.amazonaws.com"
    },
    "eventTime": "2022-09-28T08:56:37Z",
    "eventSource": "backup.amazonaws.com",
    "eventName": "DescribeFrameworkByUUID",
    "awsRegion": "ca-central-1",
    "sourceIPAddress": "reports.backup.amazonaws.com",
    "userAgent": "reports.backup.amazonaws.com",
    "errorCode": "AccessDenied",
    "requestParameters": null,
    "responseElements": null,
    "requestID": "xxxxxxxxxxxxxxxxxxx",
    "eventID": xxxxxxxxxxxxxxxxxxx",
    "readOnly": true,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "xxxxxxxxxxxxxxxxxxx",
    "eventCategory": "Management"
}

It is impossible to delete the role:

Errors during deleting roles.
Role AWSServiceRoleForBackupReports not deleted.
There are resources that rely on this role.

And it is not possible to add custom permissions to the service-linked role. It does not seem to be possible to configure a custom role for the backup reports either.

What can I do ?

Temas
Seguridad, identidad y cumplimientoAlmacenamiento
Etiquetas
AWS Identity and Access ManagementAWS Backup
Idioma
English
Daniel
preguntada hace 2 años205 visualizaciones
1 Respuesta
2
Respuesta aceptada
The AWS Backup team investigated this issue where you were seeing Access Denied errors in your CloudTrail logs. This happened because they added an internal API, DescribeFrameworkByUUID, that is used by the Backup Audit Manager, to CloudTrail by mistake. 

No action is needed to be done from customer end. A fix was rolled out, after which point you would not have seen this API and corresponding error in your CloudTrail logs.
AWS
INGENIERO DE SOPORTE
Shaguna_A
respondido hace un año

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante