This is causing CloudTrail to log many access denied attempts, triggering an alarm:
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "xxxxxxxxxxxxxxxxxxx:StorageDescribeFrameworkUUID",
    "arn": "arn:aws:sts::xxxxxxxxxxxxxxxxxxx:assumed-role/AWSServiceRoleForBackupReports/StorageDescribeFrameworkUUID",
    "accountId": "xxxxxxxxxxxxxxxxxxx",
    "accessKeyId": "xxxxxxxxxxxxxxxxxxx",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "xxxxxxxxxxxxxxxxxxx",
        "arn": "arn:aws:iam::xxxxxxxxxxxxxxxxxxx:role/aws-service-role/reports.backup.amazonaws.com/AWSServiceRoleForBackupReports",
        "accountId": "xxxxxxxxxxxxxxxxxxx",
        "userName": "AWSServiceRoleForBackupReports"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2022-09-28T08:56:37Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "reports.backup.amazonaws.com"
  },
  "eventTime": "2022-09-28T08:56:37Z",
  "eventSource": "backup.amazonaws.com",
  "eventName": "DescribeFrameworkByUUID",
  "awsRegion": "ca-central-1",
  "sourceIPAddress": "reports.backup.amazonaws.com",
  "userAgent": "reports.backup.amazonaws.com",
  "errorCode": "AccessDenied",
  "requestParameters": null,
  "responseElements": null,
  "requestID": "xxxxxxxxxxxxxxxxxxx",
  "eventID": "xxxxxxxxxxxxxxxxxxx",
  "readOnly": true,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "xxxxxxxxxxxxxxxxxxx",
  "eventCategory": "Management"
}
It is impossible to delete the role:
Errors during deleting roles.
Role AWSServiceRoleForBackupReports not deleted.
There are resources that rely on this role.
And it is not possible to add custom permissions to the service-linked role. It does not seem to be possible to configure a custom role for the backup reports either.
What can I do?
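The alarm in the question fires on AccessDenied volume without distinguishing who was denied. The following is an added example, not code from the original post or from AWS: it triages CloudTrail records and separates AccessDenied events made by a service-linked role on behalf of an AWS service (recognisable by `"/aws-service-role/"` in the session issuer ARN plus an `invokedBy` service principal, exactly as in the event above) from AccessDenied events made by ordinary IAM principals. The sample records are constructed; the first mirrors the redacted event from the question with a made-up account ID, the others are invented for contrast.

```python
"""Triage CloudTrail AccessDenied events by caller type.

Added example, not part of the original post. Parses CloudTrail records and
splits AccessDenied calls made by AWS service-linked roles (on behalf of a
service) from AccessDenied calls made by ordinary IAM principals, which is the
distinction an alarm on "many AccessDenied events" usually lacks.
"""
import json
from collections import Counter

# Constructed sample records. The first mirrors the redacted event from the
# question (account ID and eventID are placeholders); the other two are
# invented to show the contrast with an ordinary IAM user.
SAMPLE_RECORDS = json.dumps({"Records": [
    {
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/AWSServiceRoleForBackupReports/StorageDescribeFrameworkUUID",
            "sessionContext": {
                "sessionIssuer": {
                    "type": "Role",
                    "arn": "arn:aws:iam::111122223333:role/aws-service-role/reports.backup.amazonaws.com/AWSServiceRoleForBackupReports",
                    "userName": "AWSServiceRoleForBackupReports",
                }
            },
            "invokedBy": "reports.backup.amazonaws.com",
        },
        "eventSource": "backup.amazonaws.com",
        "eventName": "DescribeFrameworkByUUID",
        "errorCode": "AccessDenied",
    },
    {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice", "userName": "alice"},
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "errorCode": "AccessDenied",
    },
    {   # successful call: no errorCode, must be ignored by the triage
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice", "userName": "alice"},
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
    },
]})


def is_service_linked_role_call(identity):
    """True when an AWS service called an API through a service-linked role.

    Service-linked roles live under the reserved /aws-service-role/ path and
    CloudTrail fills userIdentity.invokedBy with the calling service principal.
    """
    issuer_arn = identity.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", "")
    return (
        identity.get("type") == "AssumedRole"
        and "/aws-service-role/" in issuer_arn
        and identity.get("invokedBy", "").endswith(".amazonaws.com")
    )


def principal_name(identity):
    """Human-readable caller: the role behind an assumed-role session, else the user."""
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("userName") or identity.get("userName") or identity.get("arn", "unknown")


def triage_access_denied(raw_json):
    """Count AccessDenied events keyed by (category, principal, eventSource, eventName)."""
    counts = Counter()
    for rec in json.loads(raw_json)["Records"]:
        if rec.get("errorCode") != "AccessDenied":
            continue
        identity = rec.get("userIdentity", {})
        category = "service-linked-role" if is_service_linked_role_call(identity) else "principal"
        counts[(category, principal_name(identity), rec["eventSource"], rec["eventName"])] += 1
    return counts


def alarm_candidates(counts):
    """AccessDenied events from ordinary principals only; service-role noise is kept apart."""
    return {key: n for key, n in counts.items() if key[0] == "principal"}


if __name__ == "__main__":
    summary = triage_access_denied(SAMPLE_RECORDS)
    for (category, who, source, name), n in sorted(summary.items()):
        print(f"{category:20} {who:35} {source:25} {name:25} {n}")
    print("would page on:", alarm_candidates(summary))
```

The service-linked-role bucket is separated rather than dropped: a service principal being repeatedly denied can itself indicate a misconfiguration or an unexpected policy (as in this question), so it belongs in a lower-severity rule of its own, not in silence, while the alarm that pages keeps its full sensitivity for human and workload principals.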