There are a few potential reasons why you're unable to exclude resources from the IAM external access finding in AWS Trusted Advisor:
- Refresh limitations: Trusted Advisor findings, especially those related to security, may have specific refresh intervals. If the finding shows it was updated a day ago and you can't manually refresh it, this is likely due to the predetermined refresh schedule for that particular check. Security-related findings often have automated, periodic updates rather than on-demand refreshes.
- Security Hub integration: Although you mentioned checking that it's not linked from Security Hub, it's worth double-checking this. If the finding is indeed coming from Security Hub, you cannot exclude resources directly from Trusted Advisor. Exclusions for Security Hub findings must be managed within Security Hub itself.
- Check type: Some Trusted Advisor checks, particularly those related to security, may not allow exclusions due to their critical nature. The IAM external access check could fall into this category, which would explain why the exclusion option is grayed out.
- Permission issues: Ensure that you have the necessary permissions to manage Trusted Advisor exclusions. This typically requires a Business, Enterprise On-Ramp, or Enterprise Support plan and the appropriate IAM permissions.
- Regional considerations: For IAM-related checks, which are typically global services, excluding specific regions may not be applicable. This could be why you're unable to exclude certain regions from the check.
To address your specific concern about excluding checks for other regions, you may need to approach this differently:
- Review the IAM policies and roles to ensure they're properly scoped to the intended regions.
- If the check is coming from Security Hub, you'll need to manage suppressions there instead of in Trusted Advisor.
- Consider using AWS Organizations and Service Control Policies (SCPs) to limit IAM actions in specific regions if that aligns with your security requirements.
If you still need to exclude resources and the option remains unavailable, you may want to contact AWS Support for further assistance, especially if you have a Business or Enterprise support plan. They can provide more specific guidance based on your account's configuration and the exact nature of the finding.
Sources
How to exclude resources from AWS Trusted Advisor reports using Trusted Advisor API | AWS re:Post
AWS Trusted Advisor now supports API to exclude resources
Viewing AWS Security Hub controls in AWS Trusted Advisor - AWS Support
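The two routes the answer above points at (the Trusted Advisor resource-exclusion API from the linked announcement, and suppression inside Security Hub for findings that originate there) look like this in boto3. This is an added example, not code from the answer, from AWS, or from the re:Post sources; it assumes the `trustedadvisor` client is called against `us-east-1`, that the recommendation identifier (`<recommendation-id>` here) has been looked up with `list_recommendations()`, that `BATCH_SIZE = 100` is the per-call limit for `BatchUpdateRecommendationResourceExclusion`, and that global (IAM) resources either omit `regionCode` or report it as `global`. The clients are passed in so the logic can be exercised with a stub and without network access.

```python
"""Exclude Trusted Advisor recommendation resources outside an allow-list of
regions, and suppress the matching findings in Security Hub when the check
is one of the Security Hub controls surfaced in Trusted Advisor.

Added example; not the answer's, AWS's or the linked sources' own code.
"""
from __future__ import annotations

from typing import Any, Iterable

# Assumed per-call limit for BatchUpdateRecommendationResourceExclusion.
BATCH_SIZE = 100


def list_all_resources(client: Any, recommendation_identifier: str) -> list[dict]:
    """Page through ListRecommendationResources using the nextToken cursor."""
    resources: list[dict] = []
    kwargs: dict[str, Any] = {"recommendationIdentifier": recommendation_identifier}
    while True:
        page = client.list_recommendation_resources(**kwargs)
        resources.extend(page.get("recommendationResourceSummaries", []))
        token = page.get("nextToken")
        if not token:
            return resources
        kwargs["nextToken"] = token


def select_for_exclusion(resources: Iterable[dict], keep_regions: set[str]) -> list[str]:
    """Return ARNs of resources flagged in regions you do not operate in.

    Resources already marked 'excluded' are skipped. Global resources such as
    IAM users and roles (assumed: no regionCode, or regionCode == 'global')
    are kept, because excluding them would silence the finding everywhere,
    not just in an unused region.
    """
    arns: list[str] = []
    for res in resources:
        region = res.get("regionCode")
        if region is None or region == "global" or region in keep_regions:
            continue
        if res.get("exclusionStatus") == "excluded":
            continue
        arns.append(res["arn"])
    return arns


def exclude_resources(client: Any, recommendation_identifier: str,
                      keep_regions: set[str]) -> dict:
    """Mark every out-of-region resource of one recommendation as excluded.

    Per-ARN failures are reported by the API rather than raised, so they are
    collected and returned instead of being silently dropped.
    """
    arns = select_for_exclusion(
        list_all_resources(client, recommendation_identifier), keep_regions)
    errors: list[dict] = []
    for start in range(0, len(arns), BATCH_SIZE):
        batch = arns[start:start + BATCH_SIZE]
        resp = client.batch_update_recommendation_resource_exclusion(
            recommendationResourceExclusions=[
                {"arn": arn, "isExcluded": True} for arn in batch])
        errors.extend(resp.get("batchUpdateRecommendationResourceExclusionErrors", []))
    failed = {err["arn"] for err in errors}
    return {"excluded": [a for a in arns if a not in failed], "errors": errors}


def suppress_security_hub_findings(client: Any, findings: list[tuple[str, str]],
                                   reason: str) -> dict:
    """Set Workflow.Status=SUPPRESSED on (Id, ProductArn) pairs in Security Hub.

    This is the Security Hub side of the answer: a finding that Trusted Advisor
    only mirrors from Security Hub has to be suppressed here, and the note
    records why so the decision is auditable.
    """
    resp = client.batch_update_findings(
        FindingIdentifiers=[{"Id": fid, "ProductArn": parn} for fid, parn in findings],
        Workflow={"Status": "SUPPRESSED"},
        Note={"Text": reason, "UpdatedBy": "region-allowlist"},
    )
    return {
        "processed": [f["Id"] for f in resp.get("ProcessedFindings", [])],
        "unprocessed": resp.get("UnprocessedFindings", []),
    }


if __name__ == "__main__":
    import boto3  # imported here so the helpers above work without boto3 installed

    ta = boto3.client("trustedadvisor", region_name="us-east-1")
    result = exclude_resources(ta, "<recommendation-id>", {"us-east-1", "eu-west-1"})
    print(f"excluded {len(result['excluded'])} resources, {len(result['errors'])} errors")
```

If `list_recommendation_resources` only ever returns resources with no `regionCode` for the check in question, that confirms the last point of the answer: the check is global and there is nothing region-scoped to exclude, so the remaining options are Security Hub suppression or an SCP that denies the actions in the unused regions.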