By using AWS re:Post, you agree to the Terms of Use

ResourceOwnerCheckException Error in firewall updating Delete protection, so cannot remove firewall

0

I use AWS CLI -- "aws network-firewall update-firewall-delete-protection --firewall-name FMManagedNetworkFirewallfirewallXXXXXXXXXXXXXXXX --no-delete-protection", i get this error "An error occurred (ResourceOwnerCheckException) when calling the UpdateFirewallDeleteProtection operation: Requested resource owner is invalid."

3 Answers
0

hi Asisipho,

Thank you your response. I have read and follow your provided links. However, i find they are general guides how to use the CLI command for firewall which same to my posted command, those links only tell us this is a error for "Unable to change the resource because your account doesn't own it", but do not cover a solution for this error.

So, i am still getting stuck in this error.

P.S. my account is "management account" and all firewall settings were performed by this same account.

answered a month ago
  • I have acknowledged that you were doing this operation using a management account, which lead to me assuming that you were talking about firewall manager account. Because if this is the firewall manager account, customer cannot perform activity on the network-firewall that was created on child account by using firewall manager master account, but the account that actually owns the resource.

    As a workaround:

    You can update the network-firewall policy that was created via firewall manager with PutPolicy https://docs.aws.amazon.com/cli/latest/reference/fms/put-policy.html, firewall can be created with any proprieties of your choice, or you need to assume the child account that has the firewall, and make the changes from that side.

  • hi Asisipho,

    I am mess for account role(s) from your answer, we setup one account in AWS which is management account, we did all the setting by this one account only.

    1. However, for my understanding of your answer, it seems many account roles: firewall manager account, child account, etc.
    2. "customer cannot perform activity on the network-firewall", I cannot understand the meaning of "customer", we only have one account to setup all setting. For our point of view of what is customer, they use our System running in ubuntu Linux OS - VM Instance setup - all data go through this firewall. So they do not need to modify the setting of firewall.

    I guess your meaning of "customer" who have lower permission power under firewall-manager (your meaning of child account). I would like to declare clearly, we only apply one account as "management account", i guess including the power as firewall-manager.

    So, i still in the situation as the system said i have no power for the resource in changing the firewall protection flag.

0

Hi,

I understand that you want to UpdateFirewallDeleteProtection and you are encountering an error “ResourceOwnerCheckException”.

This is due to making a request on resources that your account does not own. Please find the attached document [1] for more information on this error.

To complete this operation on an account that owns the resources please do refer to attached document[1][2].

I have attached a third party documentation[3] that you can look into to list the firewalls on your resources and be able to perform the UpdateFirewallDeleteProtection operation on.

I hope this helps

Resources:-

[1] https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_UpdateFirewallDeleteProtection.html

[2] https://awscli.amazonaws.com/v2/documentation/api/latest/reference/network-firewall/update-firewall-delete-protection.html

[3] https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/NetworkFirewall/enable-deletion-protection.html

answered a month ago
0

hi,

Finally got the solution from AWS,

  1. go to AWS Firewall Manager at: https://us-east-1.console.aws.amazon.com/wafv2/homev2
  2. Select any active resources, and choose Actions > Delete.

I delete to delete "Firewall Manager" before delete Firewall. Their error message does not clearly show me this error during delete Firewall.

Finally, AWS guys let me to wait a few days to return back this solution to me, and pointed me some wrong direction to test during these few days. It seems they also do not so familiar to their system.

answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions