DescribeFrameworkByUUID permission missing on service-linked role AWSServiceRoleForBackupReports


This is causing CloudTrail to log many access denied attempts, triggering an alarm:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "xxxxxxxxxxxxxxxxxxx:StorageDescribeFrameworkUUID",
        "arn": "arn:aws:sts::xxxxxxxxxxxxxxxxxxx:assumed-role/AWSServiceRoleForBackupReports/StorageDescribeFrameworkUUID",
        "accountId": "xxxxxxxxxxxxxxxxxxx",
        "accessKeyId": "xxxxxxxxxxxxxxxxxxx",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "xxxxxxxxxxxxxxxxxxx",
                "arn": "arn:aws:iam::xxxxxxxxxxxxxxxxxxx:role/aws-service-role/reports.backup.amazonaws.com/AWSServiceRoleForBackupReports",
                "accountId": "xxxxxxxxxxxxxxxxxxx",
                "userName": "AWSServiceRoleForBackupReports"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2022-09-28T08:56:37Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "reports.backup.amazonaws.com"
    },
    "eventTime": "2022-09-28T08:56:37Z",
    "eventSource": "backup.amazonaws.com",
    "eventName": "DescribeFrameworkByUUID",
    "awsRegion": "ca-central-1",
    "sourceIPAddress": "reports.backup.amazonaws.com",
    "userAgent": "reports.backup.amazonaws.com",
    "errorCode": "AccessDenied",
    "requestParameters": null,
    "responseElements": null,
    "requestID": "xxxxxxxxxxxxxxxxxxx",
    "eventID": "xxxxxxxxxxxxxxxxxxx",
    "readOnly": true,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "xxxxxxxxxxxxxxxxxxx",
    "eventCategory": "Management"
}

It is impossible to delete the role:

Errors during deleting roles.
Role AWSServiceRoleForBackupReports not deleted.
There are resources that rely on this role.

And it is not possible to add custom permissions to the service-linked role. It does not seem to be possible to configure a custom role for the backup reports either.

What can I do?

Daniel
asked 2 months ago, 24 views
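One way to keep the CloudTrail alarm useful while a denial like this persists, as an added example that is not part of the question or of any AWS tooling: a small Python triage that separates AccessDenied records incurred by an AWS service principal on its own service-linked role (whose policy the account owner cannot edit) from denials that should still raise the alarm. The sample records, the account id and the DevOps role name are constructed.

```python
from collections import Counter

# Constructed sample records modelled on the event in the question; ids are placeholders.
ACCOUNT = "111111111111"
SLR_ARN = (f"arn:aws:iam::{ACCOUNT}:role/aws-service-role/"
           "reports.backup.amazonaws.com/AWSServiceRoleForBackupReports")
SAMPLE_EVENTS = [
    {   # the noisy event from the question: the service is denied on its own service-linked role
        "eventName": "DescribeFrameworkByUUID", "errorCode": "AccessDenied",
        "userIdentity": {"type": "AssumedRole", "invokedBy": "reports.backup.amazonaws.com",
                         "sessionContext": {"sessionIssuer": {"arn": SLR_ARN}}},
    },
    {   # a denial against a customer-managed role: this one should still alarm
        "eventName": "GetObject", "errorCode": "AccessDenied",
        "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {
            "arn": f"arn:aws:iam::{ACCOUNT}:role/DevOps"}}},
    },
    {   # a successful call carries no errorCode at all
        "eventName": "ListFrameworks",
        "userIdentity": {"type": "AssumedRole",
                         "sessionContext": {"sessionIssuer": {"arn": SLR_ARN}}},
    },
]

def classify(event):
    """Return 'ok', 'slr-self-denial' or 'access-denied' for one CloudTrail record."""
    # Most services record "AccessDenied"; a few record "AccessDeniedException".
    if event.get("errorCode") not in ("AccessDenied", "AccessDeniedException"):
        return "ok"
    ui = event.get("userIdentity", {})
    issuer_arn = ui.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", "")
    # Service-linked roles sit under the reserved /aws-service-role/ path and are assumed
    # by the owning service (invokedBy is a service principal); their policy is AWS-managed.
    if (":role/aws-service-role/" in issuer_arn
            and ui.get("invokedBy", "").endswith(".amazonaws.com")):
        return "slr-self-denial"
    return "access-denied"

def triage(events):
    """Split records into alarm-worthy denials and per-(service, API) counts of SLR noise."""
    alarm, noise = [], Counter()
    for ev in events:
        kind = classify(ev)
        if kind == "access-denied":
            alarm.append(ev)
        elif kind == "slr-self-denial":
            noise[(ev["userIdentity"]["invokedBy"], ev["eventName"])] += 1
    return alarm, noise
```

Feeding the noise counter into a separate low-priority metric keeps a record of the AWS-side policy gap (useful when raising it with support) without it drowning the access-denied alarm.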
No Answers
