Security Lake issue
0
Hello I'm trying to enable a security lake but I faced this error for all regions: “software.amazon.awssdk.services.lambda.model.InvalidParameterValueException: The provided execution role does not have permissions to call ReceiveMessage on SQS (Service: Lambda, Status Code: 400, Request ID: 3c91cd12-70e0-4ca7-a66b-1910c44d82ab)”
Any helpful advice? Thank in advance
1 Answer
- Newest
- Most votes
- Most comments
0
Hello.
It seems that Security Lake's IAM role requires the following IAM policy, but is it set?
https://docs.aws.amazon.com/security-lake/latest/userguide/getting-started.html#prerequisites
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowWriteLambdaLogs",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:*:{{accountId}}:log-group:/aws/lambda/SecurityLake_Glue_Partition_Updater_Lambda*"
]
},
{
"Sid": "AllowCreateAwsCloudWatchLogGroup",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup"
],
"Resource": [
"arn:aws:logs:*:{{accountId}}:/aws/lambda/SecurityLake_Glue_Partition_Updater_Lambda*"
]
},
{
"Sid": "AllowGlueManage",
"Effect": "Allow",
"Action": [
"glue:CreatePartition",
"glue:BatchCreatePartition"
],
"Resource": [
"arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*",
"arn:aws:glue:*:*:database/amazon_security_lake_glue_db*",
"arn:aws:glue:*:*:catalog"
]
},
{
"Sid": "AllowToReadFromSqs",
"Effect": "Allow",
"Action": [
"sqs:ReceiveMessage",
"sqs:DeleteMessage",
"sqs:GetQueueAttributes"
],
"Resource": [
"arn:aws:sqs:*:{{accountId}}:SecurityLake*"
]
}
]
}
Relevant content
- asked 6 months ago
- asked 4 months ago
AWS OFFICIALUpdated 3 months ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
