AWSServiceRoleForConfig assumed role cannot access services like Macie and Inspector

We are seeing several CloudWatch alarms like this, where AWSServiceRoleForConfig is getting an error code of Access Denied when trying to call GetDelegatedAdminAccount of Inspector or GetMacieSession of Macie.

{
    "eventVersion": "1.09",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAZsomething2:configLambdaExecution",
        "arn": "arn:aws:sts::12345:assumed-role/AWSServiceRoleForConfig/configLambdaExecution",
        "accountId": "12345",
        "accessKeyId": "ASIAsomething",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAsomething2",
                "arn": "arn:aws:iam::12345:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
                "accountId": "12345",
                "userName": "AWSServiceRoleForConfig"
            },
            "attributes": {
                "creationDate": "2024-10-02T00:29:51Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "config.amazonaws.com"
    },
    "eventTime": "2024-10-02T00:29:51Z",
    "eventSource": "inspector2.amazonaws.com",
    "eventName": "GetDelegatedAdminAccount",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "config.amazonaws.com",
    "userAgent": "config.amazonaws.com",
    "errorCode": "AccessDenied",
    "requestParameters": null,
    "responseElements": null,
    "requestID": "aded13c1-9fa3-474c-84e1-a93a047c61b1",
    "eventID": "c22516b5-23b3-46de-95f5-1b100e6508ee",
    "readOnly": true,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "12345",
    "eventCategory": "Management"
}

I looked up a similar post https://repost.aws/questions/QU8ZC1xd9BQV2vnGkod7gQww/macie-not-enabled-means-false-positive-accessdeniedexceptions-in-cloudtrail but I cannot figure out what permission to set, and where, to give AWS Config or AWSServiceRoleForConfig the relevant access to Inspector and Macie.

AWS Config uses the AWSServiceRoleForConfig role, and this role has an associated policy called AWSConfigServiceRolePolicy. That policy already seems to give rights to call GetDelegatedAdminAccount of Inspector or GetMacieSession of Macie. I don't know what else I must do to resolve the Access Denied issue.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSConfigServiceRolePolicyStatementID",
            "Effect": "Allow",
            "Action": [
                "access-analyzer:GetAnalyzer",
                ...
                "inspector2:GetDelegatedAdminAccount",
                ...
                "macie2:GetMacieSession"
                ...
            ],
            "Resource": "*"
        },
        {
            "Sid": "AWSConfigSLRLogStatementID",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:CreateLogGroup"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/config/*"
        }
        ...
    ]
}

Does anyone have suggestions on what to try?

asked 2 months ago

2 Answers

Based on the information provided, it seems that the AWSServiceRoleForConfig role already has the necessary permissions to perform these actions, as is evident from the AWSConfigServiceRolePolicy attached to the role.

Here are a few things you can try to troubleshoot and resolve this issue:

Check the Trust Policy of the AWSServiceRoleForConfig Role:
    Verify that the trust policy of the AWSServiceRoleForConfig role allows the "config.amazonaws.com" service to assume the role.
    You can do this by navigating to the IAM console, finding the AWSServiceRoleForConfig role, and reviewing the "Trust relationships" tab.
    Ensure that the trust policy includes a statement similar to the following:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "config.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

Verify the Permissions Boundary (if applicable):
    Check if the AWSServiceRoleForConfig role has a permissions boundary attached to it.
    Permissions boundaries can restrict the permissions of a role, even if the attached policies provide the necessary permissions.
    Ensure that the permissions boundary, if present, does not inadvertently deny access to the Inspector and Macie APIs.

Check for Conditional Policies or Resource-based Policies:
    Inspect any conditional policies or resource-based policies that might be applied to the AWSServiceRoleForConfig role or the resources being accessed (Inspector and Macie).
    These policies could potentially restrict the role's access, even if the AWSConfigServiceRolePolicy appears to be correct.

Verify the AWS Config Configuration:
    Ensure that the AWS Config service is properly configured and has the necessary permissions to access the Inspector and Macie services.
    Review the AWS Config settings, including the AWS Config delivery channel, logging, and any custom configurations.

Perform a Policy Simulation:
    Use the IAM Policy Simulator tool to simulate the permissions of the AWSServiceRoleForConfig role and verify that it can successfully perform the "GetDelegatedAdminAccount" and "GetMacieSession" actions.
    This can help identify any potential gaps or conflicts in the permissions.

Check for Service-Specific Permissions:
    Ensure that the AWSServiceRoleForConfig role has the necessary permissions specific to the Inspector and Macie services.
    Review the documentation for these services and ensure that the role has the required permissions.
answered 2 months ago
  • Look for any policies which deny this access. I checked our Config and it's able to perform GetDelegatedAdminAccount in any account.
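As an added example (not code from the question or the answers above), the two checks suggested in this answer worked through offline in Python: a CloudTrail triage that counts AccessDenied calls made under AWSServiceRoleForConfig sessions, and a minimal policy evaluator showing how an explicit Deny in another document overrides the Allow in AWSConfigServiceRolePolicy. ROLE_POLICY is the excerpt quoted in the question; the sample events and DENY_POLICY are constructed for illustration, and the real IAM Policy Simulator remains the authority.

```python
from fnmatch import fnmatchcase

ROLE = "AWSServiceRoleForConfig"

def _ev(source, name, error=None):
    """Constructed CloudTrail event shaped like the one in the question."""
    return {"eventSource": source, "eventName": name, "errorCode": error,
            "userIdentity": {"sessionContext": {"sessionIssuer": {"userName": ROLE}}}}

# Constructed sample: the Inspector call from the question, a Macie call of the
# same shape, and one successful call that must not be counted.
SAMPLE_EVENTS = [
    _ev("inspector2.amazonaws.com", "GetDelegatedAdminAccount", "AccessDenied"),
    _ev("macie2.amazonaws.com", "GetMacieSession", "AccessDenied"),
    _ev("config.amazonaws.com", "DescribeConfigRules"),
]

# Excerpt of AWSConfigServiceRolePolicy as quoted in the question (Resource "*").
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["inspector2:GetDelegatedAdminAccount", "macie2:GetMacieSession"]}]}

# Hypothetical explicit deny (the kind a permissions boundary or SCP could carry)
# that reproduces the Inspector symptom while leaving the Macie call allowed.
DENY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "inspector2:*", "Resource": "*"}]}

def denied_calls(events, role_name=ROLE):
    """Count AccessDenied events per (eventSource, eventName) for sessions issued
    by role_name: the triage view behind the CloudWatch alarm in the question."""
    counts = {}
    for ev in events:
        issuer = ev.get("userIdentity", {}).get("sessionContext", {}).get("sessionIssuer", {})
        if issuer.get("userName") == role_name and ev.get("errorCode") == "AccessDenied":
            key = (ev["eventSource"], ev["eventName"])
            counts[key] = counts.get(key, 0) + 1
    return counts

def evaluate(action, *policies):
    """Minimal IAM-style decision for one action: a matching explicit Deny wins, else a
    matching Allow gives 'allowed', else 'implicitDeny'. Matching is case-insensitive
    with '*'/'?' wildcards as in IAM; Resource and Condition are ignored here."""
    decision = "implicitDeny"
    for pol in policies:
        for stmt in pol.get("Statement", []):
            pats = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            if not any(fnmatchcase(action.lower(), p.lower()) for p in pats):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allowed"
    return decision
```

The evaluator treats every document as an identity policy; it does not model the intersection semantics of permissions boundaries or SCPs, only the rule that an explicit Deny anywhere in the chain is final.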


Thank you, Roy and Gary Mclean.

I tried the policy simulator using https://policysim.aws.amazon.com/home/index.jsp?#roles/AWSServiceRoleForConfig and found that the permission for, say, Inspector2's GetDelegatedAdminAccount was allowed for AWSServiceRoleForConfig.

(screenshot: Simulation)

I couldn't find any permission boundaries. I'm still looking.

answered 2 months ago
