We have an 'unauthorised API call' alarm that is being tripped by Amazon Inspector.
It's attempting to download windows.zip from an AWS Public Bucket. Here is a snippet of the CloudWatch log:
"eventSource": "s3.amazonaws.com",
"eventName": "GetObject",
"awsRegion": "ap-southeast-2",
"sourceIPAddress": "Redacted IP Address",
"userAgent": "[aws-sdk-go/1.44.78 (go1.18.3; windows; amd64) amazon-ssm-agent/]",
"errorCode": "AccessDenied",
"errorMessage": "Access Denied",
"requestParameters": {
"bucketName": "aws-ssm-document-attachments-ap-southeast-2",
"Host": "aws-ssm-document-attachments-ap-southeast-2.s3.ap-southeast-2.amazonaws.com",
"key": "e89/810622359321/AmazonInspector2-InspectorSsmPlugin!d6f98620-d464-4b63-ab7c-e10b41c673c6/20/windows.zip"
},
We've set up an Instance role and attached the permissions policy as specified here:
https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-minimum-s3-permissions.html
In fact, I added GetBucket* and ListBuckets at the Bucket level as well just in case that was the issue.
When I looked in Systems Manager Fleet Manager, it showed failures invoking AmazonInspector2-ConfigureInspectorSsmPlugin and AmazonInspector2-InvokeInspectorSsmPlugin for the instance in question.
We are getting quite a few of these 'Access Denied' errors, but I have allocated the listed permissions. I also checked that my VPC Endpoint Policy does not restrict access.
The only issue might be there is a Service Control Policy that is denying access. Has anybody got any other insights as to what might be causing this?
Thanks for your answer. Unfortunately I tried that and the policy is allowed on both the Bucket and the Resource.
What was interesting, though, was that running the policy simulator triggered the Access Denied alarm for 'GetBucketPolicy' using my own user, but when I checked the results, I have 'Allow' permissions.
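The question above is really about how IAM arrives at AccessDenied when the instance role allows the call: an explicit Deny in any layer (SCP, VPC endpoint policy, identity policy) wins, and an SCP must also Allow before the identity policy is even consulted. The following is an added example, not code from the post or from AWS: it turns a CloudTrail record shaped like the one quoted into the (action, resource ARN) pair IAM evaluates, then runs a simplified evaluation across an instance-role policy and one or more SCPs. The instance-role policy, the two SCPs and the `example-corp-*` bucket names are constructed for illustration; Conditions and bucket policies are deliberately not modelled.

```python
import re

# Constructed CloudTrail-style record modelled on the log snippet in the post
# (bucket, key and user agent copied from the post; other fields omitted).
SAMPLE_EVENT = {
    "eventSource": "s3.amazonaws.com",
    "eventName": "GetObject",
    "awsRegion": "ap-southeast-2",
    "userAgent": "[aws-sdk-go/1.44.78 (go1.18.3; windows; amd64) amazon-ssm-agent/]",
    "errorCode": "AccessDenied",
    "requestParameters": {
        "bucketName": "aws-ssm-document-attachments-ap-southeast-2",
        "key": "e89/810622359321/AmazonInspector2-InspectorSsmPlugin!"
               "d6f98620-d464-4b63-ab7c-e10b41c673c6/20/windows.zip",
    },
}

# Constructed instance-role policy: a single Allow for GetObject on the
# regional SSM document-attachments bucket, the shape the linked AWS doc uses.
INSTANCE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::aws-ssm-document-attachments-ap-southeast-2/*"],
    }],
}

# Constructed SCPs. PERMISSIVE_SCP is the default 'allow everything'.
# RESTRICTIVE_SCP is a hypothetical 'only read from our own buckets' guardrail:
# its NotResource list omits the AWS-owned SSM bucket, so it explicitly denies
# this request even though the instance role allows it.
PERMISSIVE_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
RESTRICTIVE_SCP = {
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:GetObject",
         "NotResource": ["arn:aws:s3:::example-corp-*", "arn:aws:s3:::example-corp-*/*"]},
    ]
}


def event_to_request(event):
    """Map an S3 CloudTrail record to the (action, resource ARN) IAM evaluates."""
    service = event["eventSource"].split(".")[0]      # "s3.amazonaws.com" -> "s3"
    action = f"{service}:{event['eventName']}"        # -> "s3:GetObject"
    params = event["requestParameters"]
    arn = f"arn:aws:s3:::{params['bucketName']}"
    if "key" in params:                               # object-level call
        arn += "/" + params["key"]
    return action, arn


def _glob(pattern, value):
    """IAM wildcard match: '*' is any run, '?' one character, rest literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def statement_matches(stmt, action, resource):
    """True when the statement's Action/Resource (or NotAction/NotResource) cover the request."""
    if "Action" in stmt:   # action names are case-insensitive in IAM
        act_ok = any(_glob(p.lower(), action.lower()) for p in _as_list(stmt["Action"]))
    else:
        act_ok = not any(_glob(p.lower(), action.lower()) for p in _as_list(stmt["NotAction"]))
    if "Resource" in stmt:  # ARNs are case-sensitive
        res_ok = any(_glob(p, resource) for p in _as_list(stmt["Resource"]))
    else:
        res_ok = not any(_glob(p, resource) for p in _as_list(stmt["NotResource"]))
    return act_ok and res_ok


def _effects(policies, action, resource):
    """Set of Effects from every statement that matches the request."""
    return {s["Effect"] for p in policies for s in _as_list(p["Statement"])
            if statement_matches(s, action, resource)}


def evaluate(identity_policies, filter_policies, action, resource):
    """Simplified IAM decision. identity_policies are attached to the principal;
    filter_policies is {'SCP': [...], 'VPC endpoint': [...]}: each layer must
    Allow and must not Deny. Conditions and resource policies are not modelled."""
    identity = _effects(identity_policies, action, resource)
    if "Deny" in identity:
        return "DENY (explicit deny in identity policy)"
    for name, policies in filter_policies.items():
        effects = _effects(policies, action, resource)
        if "Deny" in effects:
            return f"DENY (explicit deny in {name})"
        if "Allow" not in effects:
            return f"DENY ({name} does not allow the action)"
    if "Allow" not in identity:
        return "DENY (implicit: no identity policy allows the action)"
    return "ALLOW"


if __name__ == "__main__":
    action, arn = event_to_request(SAMPLE_EVENT)
    print(action, arn)
    print("role only:        ", evaluate([INSTANCE_ROLE_POLICY], {}, action, arn))
    print("role + default SCP", evaluate([INSTANCE_ROLE_POLICY], {"SCP": [PERMISSIVE_SCP]}, action, arn))
    print("role + strict SCP ", evaluate([INSTANCE_ROLE_POLICY], {"SCP": [RESTRICTIVE_SCP]}, action, arn))
```

Running it shows the same role policy producing ALLOW under the default SCP and an explicit DENY under the restrictive one, which is why the policy simulator can report Allow for the role while CloudTrail still logs AccessDenied: the simulator only evaluates the policies you give it. To check the real account, paste the actual SCP and VPC endpoint policy JSON into the same evaluator, or include them when calling the IAM policy simulator.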