Hi Asisipho,
Thank you for your response. I have read and followed the links you provided. However, I find they are general guides on how to use the CLI command for the firewall, which is the same as my posted command. Those links only tell us this is an error for "Unable to change the resource because your account doesn't own it", but do not cover a solution for this error.
So, I am still stuck on this error.
P.S. My account is the "management account" and all firewall settings were performed by this same account.
Hi,
I understand that you want to UpdateFirewallDeleteProtection and you are encountering the error “ResourceOwnerCheckException”.
This is due to making a request on resources that your account does not own. Please find the attached document [1] for more information on this error.
To complete this operation on an account that owns the resources, please refer to the attached documents [1][2].
I have attached third-party documentation [3] that you can look into to list the firewalls in your resources on which you can perform the UpdateFirewallDeleteProtection operation.
I hope this helps.
Resources:-
Hi,
Finally got the solution from AWS:
- Go to AWS Firewall Manager at: https://us-east-1.console.aws.amazon.com/wafv2/homev2
- Select any active resources, and choose Actions > Delete. I need to delete "Firewall Manager" before deleting the firewall. Their error message does not clearly show this when deleting the firewall.
In the end, the AWS guys made me wait a few days before getting back to me with this solution, and pointed me in some wrong directions to test during those few days. It seems they are also not so familiar with their system.
Warm greetings everyone! I am having a similar situation with my account. I am unable to delete my Network Firewall, Network Interface, VPC and Endpoints. When trying to delete the Network Firewall, this is the error received:
1. For Firewall: "Cannot DeleteFirewall because at least one of the firewall endpoints are missing the AWSNetworkFirewallManaged:true tag: [vpce-00957b459fe0dec1b]"
2. For endpoints: "vpce-00957b459fe0dec1b - Operation is not allowed for requester-managed VPC endpoints for the service com.amazonaws.vpce.us-east-2.vpce-svc-0f427de517c75a430."
3. Network Interface: "Network interface is currently in use by ela-attach-xxxxxxxxxxxx"
Kindly note that I have released all Elastic IPs, NAT and Internet Gateway. I need your assistance, please, because the bill for the Network Interface keeps increasing for a service I don't use.
I have acknowledged that you were doing this operation using a management account, which led me to assume that you were talking about the Firewall Manager account. If this is the Firewall Manager account, the customer cannot perform activity on a network firewall that was created in a child account by using the Firewall Manager master account, but only by using the account that actually owns the resource.
As a workaround:
You can update the network firewall policy that was created via Firewall Manager with PutPolicy (https://docs.aws.amazon.com/cli/latest/reference/fms/put-policy.html); the firewall can be created with any properties of your choice. Or you need to assume the child account that has the firewall, and make the changes from that side.
Hi Asisipho,
I am confused about the account role(s) in your answer. We set up one account in AWS, which is the management account, and we did all the settings with this one account only.
So, I am still in the situation where the system says I have no power over the resource to change the firewall protection flag.
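
An added example, not part of the thread and not AWS's own code: a small Python triage of the two causes discussed above (the firewall being owned by a different account than the caller, and a Firewall Manager policy still managing it). It runs over constructed JSON shaped like the output of `aws network-firewall describe-firewall`, `aws sts get-caller-identity` and `aws fms list-policies`; the account IDs, resource names and the `triage` and `arn_account` helpers are assumptions for illustration.

```python
import json

# Constructed sample inputs (not from the thread), shaped like the output of:
#   aws network-firewall describe-firewall --firewall-name <name>
#   aws sts get-caller-identity
#   aws fms list-policies
FIREWALL = json.loads("""{"Firewall": {"FirewallName": "example-fw",
  "FirewallArn": "arn:aws:network-firewall:us-east-1:111111111111:firewall/example-fw",
  "DeleteProtection": true}}""")
CALLER = json.loads("""{"Account": "222222222222",
  "Arn": "arn:aws:iam::222222222222:user/admin"}""")
FMS = json.loads("""{"PolicyList": [
  {"PolicyName": "org-nfw", "SecurityServiceType": "NETWORK_FIREWALL"},
  {"PolicyName": "org-waf", "SecurityServiceType": "WAFV2"}]}""")


def arn_account(arn):
    """Return the account-id field (5th component) of an ARN."""
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError("not an ARN: %r" % arn)
    return parts[4]


def triage(firewall, caller, fms):
    """List reasons why changing delete protection may be refused."""
    fw = firewall["Firewall"]
    findings = []
    # Cause 1: the caller's account is not the account in the firewall ARN.
    owner = arn_account(fw["FirewallArn"])
    if owner != caller["Account"]:
        findings.append("owner-mismatch: firewall is in %s, caller is %s"
                        % (owner, caller["Account"]))
    # Cause 2: a Firewall Manager policy for Network Firewall still exists.
    managed = [p["PolicyName"] for p in fms.get("PolicyList", [])
               if p.get("SecurityServiceType") == "NETWORK_FIREWALL"]
    if managed:
        findings.append("fms-policy: " + ", ".join(managed))
    if fw.get("DeleteProtection"):
        findings.append("delete-protection: enabled")
    return findings


if __name__ == "__main__":
    for line in triage(FIREWALL, CALLER, FMS):
        print(line)
```

An `fms-policy` finding matches the resolution reported in the thread, where the Firewall Manager resources had to be deleted before the firewall itself.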