DescribeFrameworkByUUID permission missing on service-linked role AWSServiceRoleForBackupReports

0

This is causing CloudTrail to log many access denied attempts, triggering an alarm:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "xxxxxxxxxxxxxxxxxxx:StorageDescribeFrameworkUUID",
        "arn": "arn:aws:sts::xxxxxxxxxxxxxxxxxxx:assumed-role/AWSServiceRoleForBackupReports/StorageDescribeFrameworkUUID",
        "accountId": "xxxxxxxxxxxxxxxxxxx",
        "accessKeyId": "xxxxxxxxxxxxxxxxxxx",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "xxxxxxxxxxxxxxxxxxx",
                "arn": "arn:aws:iam::xxxxxxxxxxxxxxxxxxx:role/aws-service-role/reports.backup.amazonaws.com/AWSServiceRoleForBackupReports",
                "accountId": "xxxxxxxxxxxxxxxxxxx",
                "userName": "AWSServiceRoleForBackupReports"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2022-09-28T08:56:37Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "reports.backup.amazonaws.com"
    },
    "eventTime": "2022-09-28T08:56:37Z",
    "eventSource": "backup.amazonaws.com",
    "eventName": "DescribeFrameworkByUUID",
    "awsRegion": "ca-central-1",
    "sourceIPAddress": "reports.backup.amazonaws.com",
    "userAgent": "reports.backup.amazonaws.com",
    "errorCode": "AccessDenied",
    "requestParameters": null,
    "responseElements": null,
    "requestID": "xxxxxxxxxxxxxxxxxxx",
    "eventID": "xxxxxxxxxxxxxxxxxxx",
    "readOnly": true,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "xxxxxxxxxxxxxxxxxxx",
    "eventCategory": "Management"
}

It is impossible to delete the role:

Errors during deleting roles.
Role AWSServiceRoleForBackupReports not deleted.
There are resources that rely on this role.

And it is not possible to add custom permissions to the service-linked role. It does not seem to be possible to configure a custom role for the backup reports either.

What can I do?

1 answer
2
Accepted answer
The AWS Backup team investigated this issue where you were seeing Access Denied errors in your CloudTrail logs. This happened because they added an internal API, DescribeFrameworkByUUID, that is used by the Backup Audit Manager, to CloudTrail by mistake. 

No action is needed on the customer's end. A fix was rolled out, after which point you would not have seen this API and the corresponding error in your CloudTrail logs.

AWS
TECHNICAL SUPPORT ENGINEER
answered a year ago
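The event above has the two signatures of an AWS service calling on its own behalf through a service-linked role: the session issuer ARN sits under the `/aws-service-role/` path, and `userIdentity.invokedBy` names the calling service. An alarm on raw `AccessDenied` counts cannot tell that apart from a human or application principal being denied, which is what an access-denied alarm is usually meant to catch. The following triage script is an added example, not code from the question or from the AWS reply; it uses constructed sample events modelled on the one in the question (account IDs, request IDs and the non-service events are placeholders) and classifies each denial so that service-linked-role noise can be reported separately instead of paging anyone.

```python
"""Triage CloudTrail AccessDenied events: separate denials of an AWS service
acting through a service-linked role (SLR) from denials of real principals.

Added example for this thread. Sample events are constructed; account IDs,
request IDs and the non-service events are placeholders.
"""
import json
from collections import Counter

DENIAL_CODES = {"AccessDenied", "UnauthorizedOperation"}

# Constructed: the event from the question, reduced to the fields used here.
SLR_DENIAL = {
    "userIdentity": {
        "type": "AssumedRole",
        "arn": "arn:aws:sts::111111111111:assumed-role/AWSServiceRoleForBackupReports/StorageDescribeFrameworkUUID",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "arn": "arn:aws:iam::111111111111:role/aws-service-role/reports.backup.amazonaws.com/AWSServiceRoleForBackupReports",
                "userName": "AWSServiceRoleForBackupReports",
            }
        },
        "invokedBy": "reports.backup.amazonaws.com",
    },
    "eventSource": "backup.amazonaws.com",
    "eventName": "DescribeFrameworkByUUID",
    "sourceIPAddress": "reports.backup.amazonaws.com",
    "errorCode": "AccessDenied",
}

# Constructed: an IAM user denied from a real IP address. This is the kind of
# event the alarm exists for.
USER_DENIAL = {
    "userIdentity": {
        "type": "IAMUser",
        "arn": "arn:aws:iam::111111111111:user/alice",
        "userName": "alice",
    },
    "eventSource": "iam.amazonaws.com",
    "eventName": "CreateUser",
    "sourceIPAddress": "203.0.113.10",
    "errorCode": "AccessDenied",
}

# Constructed: a successful call, included to show non-denials are ignored.
OK_EVENT = {
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
    "eventSource": "s3.amazonaws.com",
    "eventName": "ListBuckets",
    "sourceIPAddress": "203.0.113.10",
}

# Constructed: a CloudTrail log file body in its delivered shape ({"Records": [...]}).
SAMPLE_LOG = json.dumps({"Records": [SLR_DENIAL, SLR_DENIAL, USER_DENIAL, OK_EVENT]})


def is_service_linked_role_session(user_identity):
    """True when the session was issued by a role under the /aws-service-role/ path.

    Customers cannot create roles in that path, so it identifies an SLR."""
    issuer = user_identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("type") == "Role" and "/aws-service-role/" in issuer.get("arn", "")


def is_invoked_by_aws_service(user_identity):
    """True when CloudTrail recorded an AWS service as the caller (invokedBy)."""
    return user_identity.get("invokedBy", "").endswith(".amazonaws.com")


def classify(event):
    """Return 'not-a-denial', 'service-linked-role-denial' or 'principal-denial'.

    Both SLR signals are required: the role path alone would also match a
    session someone obtained through a service that hands out SLR credentials,
    and invokedBy alone would match a service acting on a customer role."""
    if event.get("errorCode") not in DENIAL_CODES:
        return "not-a-denial"
    ui = event.get("userIdentity", {})
    if is_service_linked_role_session(ui) and is_invoked_by_aws_service(ui):
        return "service-linked-role-denial"
    return "principal-denial"


def should_alarm(event):
    """Only denials of real principals should page; SLR noise is reported, not alarmed."""
    return classify(event) == "principal-denial"


def triage(events):
    """Count events by (category, eventSource, eventName) for a summary report."""
    summary = Counter()
    for event in events:
        if classify(event) == "not-a-denial":
            continue
        summary[(classify(event), event.get("eventSource"), event.get("eventName"))] += 1
    return summary


def triage_log(log_text):
    """Parse a CloudTrail log file body ({"Records": [...]}) and triage it."""
    return triage(json.loads(log_text).get("Records", []))


if __name__ == "__main__":
    for key, count in sorted(triage_log(SAMPLE_LOG).items()):
        print(f"{count:4d}  {key[0]:28s} {key[1]} {key[2]}")
```

Running it on the constructed log prints two `service-linked-role-denial` rows for `backup.amazonaws.com DescribeFrameworkByUUID` and one `principal-denial` row for the IAM user; only the latter returns True from `should_alarm`. The same two predicates translate directly into a CloudWatch Logs metric filter or a SIEM rule exclusion, so the alarm keeps firing on real denials while SLR denials such as the one in this thread are counted rather than paged.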
