Amazon Inspector - IAM Policy error

We have Amazon Inspector scanning the whole AWS account. Amazon Inspector uses a service-linked role and policy which we cannot edit and link with Amazon Inspector. While Amazon Inspector is scanning the account, we are seeing the error below in CloudTrail logs, which triggers the alarms configured on CloudTrail.

User: arn:aws:sts::XXXXXXXXXXX:assumed-role/AWSServiceRoleForAmazonInspector2/MandoService-XXXXXXXX is not authorized to perform: elasticloadbalancing:DescribeTargetGroupAttributes because no identity-based policy allows the elasticloadbalancing:DescribeTargetGroupAttributes action

We have verified the IAM policy attached to "AWSServiceRoleForAmazonInspector2" and it does not have the permission "elasticloadbalancing:DescribeTargetGroupAttributes". Is there any way to configure Amazon Inspector with a service-linked role that has the elasticloadbalancing:DescribeTargetGroupAttributes permission?

We have reached out to Amazon Support, but they are redirecting us to business/enterprise support. It seems to be an Amazon Inspector policy issue, but we are not sure how to get a resolution from AWS for it.

2 Answers
Amazon Inspector uses the service-linked role named AWSServiceRoleForAmazonInspector2. This service-linked role trusts the inspector2.amazonaws.com service to assume the role.

The permissions policy for the role, which is named AmazonInspector2ServiceRolePolicy, allows Amazon Inspector to perform several tasks, such as using select Elastic Load Balancing actions to perform network scans of EC2 instances that are part of Elastic Load Balancing target groups.

The role configured must include the following permissions policy.

    {
      "Sid": "TirosPolicy",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetGroupAttributes",
        "elasticloadbalancing:DescribeTargetHealth"
      ]
    }

AWS
answered 8 months ago
AWS EXPERT
reviewed 8 months ago
Accepted Answer

Thanks for your help. The linked IAM policy "AmazonInspector2ServiceRolePolicy" was magically updated yesterday to version 11 and now has this permission. We will monitor CloudTrail logs for any further errors.

Amit
answered 8 months ago
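Added example, not part of the question or either answer above: a small Python check that pulls the role name and action out of the CloudTrail AccessDenied message quoted in the question and tests whether a given policy document grants that action. The two policy documents are constructed before/after excerpts of the TirosPolicy statement, not the full AWS-managed policy; in practice the current default version would be fetched with boto3 `get_policy` and `get_policy_version`, which is how you would confirm that a new version (such as the version 11 mentioned in the accepted answer) now contains the action.

```python
import re

# Constructed excerpts of the TirosPolicy statement, before and after the
# missing action was added. Not the full AmazonInspector2ServiceRolePolicy.
ELB_ACTIONS = [
    "elasticloadbalancing:DescribeListeners",
    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeTargetGroups",
    "elasticloadbalancing:DescribeTargetHealth",
]
POLICY_BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TirosPolicy", "Effect": "Allow", "Action": ELB_ACTIONS, "Resource": "*"}]}
POLICY_AFTER = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TirosPolicy", "Effect": "Allow", "Resource": "*",
     "Action": ELB_ACTIONS + ["elasticloadbalancing:DescribeTargetGroupAttributes"]}]}

# Shape of the AccessDenied errorMessage CloudTrail records (as quoted in the question).
ACCESS_DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>[\w-]+:[\w*?-]+)")


def parse_access_denied(message):
    """Return (role name, action) from a CloudTrail AccessDenied errorMessage, or None."""
    m = ACCESS_DENIED_RE.search(message)
    if not m:
        return None
    principal = m.group("principal")
    # Assumed-role ARNs look like ...:assumed-role/<RoleName>/<SessionName>.
    role = principal.split(":assumed-role/")[1].split("/")[0] if ":assumed-role/" in principal else None
    return role, m.group("action")


def _action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def action_allowed(policy, action):
    """Evaluate only Action/Effect of an identity policy (Resource and Condition
    are ignored in this simplified check); an explicit Deny always wins, as in IAM."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(_action_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def diagnose(message, policy):
    """Map one AccessDenied message to its role and action and say whether the policy grants it."""
    parsed = parse_access_denied(message)
    if parsed is None:
        return None
    role, action = parsed
    return {"role": role, "action": action, "allowed": action_allowed(policy, action)}
```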
