Amazon Inspector Public Bucket Access Denied


We have an 'unauthorised API call' alarm that is being tripped by Amazon Inspector. It's attempting to download from an AWS Public Bucket. Here is a snippet of the Cloudwatch log:-

    "eventSource": "",
    "eventName": "GetObject",
    "awsRegion": "ap-southeast-2",
    "sourceIPAddress": "Redacted IP Address",
    "userAgent": "[aws-sdk-go/1.44.78 (go1.18.3; windows; amd64) amazon-ssm-agent/]",
    "errorCode": "AccessDenied",
    "errorMessage": "Access Denied",
    "requestParameters": {
        "bucketName": "aws-ssm-document-attachments-ap-southeast-2",
        "Host": "",
        "key": "e89/810622359321/AmazonInspector2-InspectorSsmPlugin!d6f98620-d464-4b63-ab7c-e10b41c673c6/20/"

We've setup an Instance role and attached permissions policy as specified here:-

In fact, I added GetBucket* and ListBuckets at the Bucket level as well just in case that was the issue.

When I look in Systems Manager, Fleet Manager it showed failures invoking AmazonInspector2-ConfigureInspectorSsmPlugin and AmazonInspector2-InvokeInspectorSsmPlugin for the instance in question.

AmazonInspector2-ConfigureInspectorSsmPlugin and AmazonInspector2-InvokeInspectorSsmPlugin Failure

We are getting quite a few of these 'Access Denied' errors, but I have allocated the listed permissions. I also checked that my VPC Endpoint Policy does not restrict access.

The only issue might be there is a Service Control Policy that is denying access. Has anybody got any other insights as to what might be causing this?

2 Answers

Try the Policy Simulator on the role. In the console, find the role, click on the Simulate button and then set up the simulator for the GetObject and set the Object key. This may tell you what is blocking access or at least eliminate some policies.

profile pictureAWS
answered 2 years ago
  • Thanks for your answer. Unfortunately I tried that and the policy is allowed on both the Bucket and the Resource.

    What was interesting though was my executing the policy simulator triggered the Access Denied alarm for 'GetBucketPolicy ' using my own user but when I checked the results, I have 'Allow' permissions.


Hello, I just came accross this issue too, I did some digging on the AWS Systems Manager > Run Command to see more details about it and it is saying wrong Platform.

Upon researching for the Document I noticed that there are multiple Documents for different Platform, so it could be that.

"AmazonInspector2-InvokeInspectorSsmPlugin" -> Windows Platform "AmazonInspector2-InvokeInspectorSsmPluginLinux" -> Linux Platform

answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions