DescribeFrameworkByUUID permission missing on service-linked role AWSServiceRoleForBackupReports

0

This is causing CloudTrail to log many access denied attempts, triggering an alarm:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "xxxxxxxxxxxxxxxxxxx:StorageDescribeFrameworkUUID",
        "arn": "arn:aws:sts::xxxxxxxxxxxxxxxxxxx:assumed-role/AWSServiceRoleForBackupReports/StorageDescribeFrameworkUUID",
        "accountId": "xxxxxxxxxxxxxxxxxxx",
        "accessKeyId": "xxxxxxxxxxxxxxxxxxx",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "xxxxxxxxxxxxxxxxxxx",
                "arn": "arn:aws:iam::xxxxxxxxxxxxxxxxxxx:role/aws-service-role/reports.backup.amazonaws.com/AWSServiceRoleForBackupReports",
                "accountId": "xxxxxxxxxxxxxxxxxxx",
                "userName": "AWSServiceRoleForBackupReports"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2022-09-28T08:56:37Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "reports.backup.amazonaws.com"
    },
    "eventTime": "2022-09-28T08:56:37Z",
    "eventSource": "backup.amazonaws.com",
    "eventName": "DescribeFrameworkByUUID",
    "awsRegion": "ca-central-1",
    "sourceIPAddress": "reports.backup.amazonaws.com",
    "userAgent": "reports.backup.amazonaws.com",
    "errorCode": "AccessDenied",
    "requestParameters": null,
    "responseElements": null,
    "requestID": "xxxxxxxxxxxxxxxxxxx",
    "eventID": xxxxxxxxxxxxxxxxxxx",
    "readOnly": true,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "xxxxxxxxxxxxxxxxxxx",
    "eventCategory": "Management"
}

It is impossible to delete the role:

Errors during deleting roles.
Role AWSServiceRoleForBackupReports not deleted.
There are resources that rely on this role.

And it is not possible to add custom permissions to the service-linked role. It does not seem to be possible to configure a custom role for the backup reports either.

What can I do ?

Daniel
asked 2 years ago192 views
1 Answer
2
Accepted Answer
The AWS Backup team investigated this issue where you were seeing Access Denied errors in your CloudTrail logs. This happened because they added an internal API, DescribeFrameworkByUUID, that is used by the Backup Audit Manager, to CloudTrail by mistake. 

No action is needed to be done from customer end. A fix was rolled out, after which point you would not have seen this API and corresponding error in your CloudTrail logs.

AWS
SUPPORT ENGINEER
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions