2 Answers
1
Based on the information provided, it seems that the AWSServiceRoleForConfig role already has the necessary permissions to perform these actions, as is evident from the AWSConfigServiceRolePolicy attached to the role.
Here are a few things you can try to troubleshoot and resolve this issue:
Check the Trust Policy of the AWSServiceRoleForConfig Role:
Verify that the trust policy of the AWSServiceRoleForConfig role allows the "config.amazonaws.com" service to assume the role.
You can do this by navigating to the IAM console, finding the AWSServiceRoleForConfig role, and reviewing the "Trust relationships" tab.
Ensure that the trust policy includes a statement similar to the following:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "config.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
Verify the Permissions Boundary (if applicable):
Check if the AWSServiceRoleForConfig role has a permissions boundary attached to it.
Permissions boundaries can restrict the permissions of a role, even if the attached policies provide the necessary permissions.
Ensure that the permissions boundary, if present, does not inadvertently deny the access to the Inspector and Macie APIs.
Check for Conditional Policies or Resource-based Policies:
Inspect any conditional policies or resource-based policies that might be applied to the AWSServiceRoleForConfig role or the resources being accessed (Inspector and Macie).
These policies could potentially restrict the role's access, even if the AWSConfigServiceRolePolicy appears to be correct.
Verify the AWS Config Configuration:
Ensure that the AWS Config service is properly configured and has the necessary permissions to access the Inspector and Macie services.
Review the AWS Config settings, including the AWS Config delivery channel, logging, and any custom configurations.
Perform a Policy Simulation:
Use the IAM Policy Simulator tool to simulate the permissions of the AWSServiceRoleForConfig role and verify that it can successfully perform the "GetDelegatedAdminAccount" and "GetMacieSession" actions.
This can help identify any potential gaps or conflicts in the permissions.
Check for Service-Specific Permissions:
Ensure that the AWSServiceRoleForConfig role has the necessary permissions specific to the Inspector and Macie services.
Review the documentation for these services and ensure that the role has the required permissions.
answered 2 months ago
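The checklist above (trust policy, permissions boundary, policy simulation) can be scripted so the same checks are repeatable. The following is an added example and not code from the answer or from AWS: the role documents and the simulator results are constructed samples in the shape of the IAM GetRole and SimulatePrincipalPolicy responses (placeholder account id), the IAM action names `inspector2:GetDelegatedAdminAccount` and `macie2:GetMacieSession` are assumed to be the ones behind the errors in the question, and `simulate_live` is the only part that needs boto3 and credentials.

```python
import json
from urllib.parse import unquote

# Constructed sample in the shape of an IAM GetRole response (placeholder account id,
# not captured from a real account). No PermissionsBoundary key means none is attached.
SAMPLE_ROLE = {
    "Role": {
        "RoleName": "AWSServiceRoleForConfig",
        "Arn": "arn:aws:iam::111122223333:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow", "Principal": {"Service": "config.amazonaws.com"}, "Action": "sts:AssumeRole"}
            ],
        },
    }
}

# Second constructed sample: trusts the wrong service and carries a permissions boundary,
# so the checks below have something to flag.
SAMPLE_ROLE_MISCONFIGURED = {
    "Role": {
        "RoleName": "AWSServiceRoleForConfig",
        "Arn": "arn:aws:iam::111122223333:role/AWSServiceRoleForConfig",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}
            ],
        },
        "PermissionsBoundary": {
            "PermissionsBoundaryType": "Policy",
            "PermissionsBoundaryArn": "arn:aws:iam::111122223333:policy/ExampleBoundary",
        },
    }
}

# Assumed IAM action names for the two calls named in the question.
ACTIONS = ["inspector2:GetDelegatedAdminAccount", "macie2:GetMacieSession"]


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _trust_document(role):
    doc = role["Role"]["AssumeRolePolicyDocument"]
    if isinstance(doc, str):  # the raw IAM API returns it URL-encoded; boto3 decodes it
        doc = json.loads(unquote(doc))
    return doc


def trusts_service(role, service="config.amazonaws.com"):
    """True if some Allow statement lets `service` call sts:AssumeRole."""
    for stmt in _as_list(_trust_document(role).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action"))
        if service in services and any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            return True
    return False


def permissions_boundary_arn(role):
    """ARN of the attached permissions boundary, or None when there is none."""
    return role["Role"].get("PermissionsBoundary", {}).get("PermissionsBoundaryArn")


def summarize_simulation(evaluation_results):
    """Map each simulated action to its decision (allowed / explicitDeny / implicitDeny)."""
    return {r["EvalActionName"]: r["EvalDecision"] for r in evaluation_results}


def audit_role(role, evaluation_results=None):
    """Return findings for the checklist; an empty list means nothing looked wrong."""
    findings = []
    if not trusts_service(role):
        findings.append("trust policy does not allow config.amazonaws.com to assume the role")
    boundary = permissions_boundary_arn(role)
    if boundary:
        findings.append(f"permissions boundary attached: {boundary} (check it allows the actions)")
    if evaluation_results is not None:
        for action, decision in summarize_simulation(evaluation_results).items():
            if decision != "allowed":
                findings.append(f"{action}: {decision}")
    return findings


def simulate_live(role_arn, actions=ACTIONS):
    """Same simulator check against a real account (needs boto3 and credentials)."""
    import boto3  # imported lazily so the offline checks run without it
    resp = boto3.client("iam").simulate_principal_policy(PolicySourceArn=role_arn, ActionNames=list(actions))
    return summarize_simulation(resp["EvaluationResults"])


# Constructed simulator output in the shape of SimulatePrincipalPolicy results.
SAMPLE_EVALUATION = [
    {"EvalActionName": "inspector2:GetDelegatedAdminAccount", "EvalDecision": "allowed"},
    {"EvalActionName": "macie2:GetMacieSession", "EvalDecision": "implicitDeny"},
]

if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE, SAMPLE_EVALUATION))
    print(audit_role(SAMPLE_ROLE_MISCONFIGURED))
```

An `implicitDeny` in the simulator output means no policy in scope grants the action, while `explicitDeny` points at a Deny statement (or a boundary) that needs to be found; both are worth checking before assuming the service-linked policy is at fault.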
0
Thank you, Roy and Gary Mclean.
I tried the policy simulator using https://policysim.aws.amazon.com/home/index.jsp?#roles/AWSServiceRoleForConfig and found that permissions to, say, Inspector2's GetDelegatedAdminAccount were allowed for AWSServiceRoleForConfig.
I couldn't find any permission boundaries. I'm still looking.
answered 2 months ago
Look for any policies which deny this access. I checked our config and it's able to perform GetDelegatedAdminAccount in any account.