
Questions tagged with AWS Identity and Access Management


DescribeFrameworkByUUID permission missing on service-linked role AWSServiceRoleForBackupReports

This is causing CloudTrail to log many access denied attempts, triggering an alarm:

```json
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "xxxxxxxxxxxxxxxxxxx:StorageDescribeFrameworkUUID",
    "arn": "arn:aws:sts::xxxxxxxxxxxxxxxxxxx:assumed-role/AWSServiceRoleForBackupReports/StorageDescribeFrameworkUUID",
    "accountId": "xxxxxxxxxxxxxxxxxxx",
    "accessKeyId": "xxxxxxxxxxxxxxxxxxx",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "xxxxxxxxxxxxxxxxxxx",
        "arn": "arn:aws:iam::xxxxxxxxxxxxxxxxxxx:role/aws-service-role/reports.backup.amazonaws.com/AWSServiceRoleForBackupReports",
        "accountId": "xxxxxxxxxxxxxxxxxxx",
        "userName": "AWSServiceRoleForBackupReports"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2022-09-28T08:56:37Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "reports.backup.amazonaws.com"
  },
  "eventTime": "2022-09-28T08:56:37Z",
  "eventSource": "backup.amazonaws.com",
  "eventName": "DescribeFrameworkByUUID",
  "awsRegion": "ca-central-1",
  "sourceIPAddress": "reports.backup.amazonaws.com",
  "userAgent": "reports.backup.amazonaws.com",
  "errorCode": "AccessDenied",
  "requestParameters": null,
  "responseElements": null,
  "requestID": "xxxxxxxxxxxxxxxxxxx",
  "eventID": "xxxxxxxxxxxxxxxxxxx",
  "readOnly": true,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "xxxxxxxxxxxxxxxxxxx",
  "eventCategory": "Management"
}
```

It is impossible to delete the role:

```
Errors during deleting roles. Role AWSServiceRoleForBackupReports not deleted. There are resources that rely on this role.
```

And it is not possible to add custom permissions to the service-linked role. It does not seem to be possible to configure a custom role for the backup reports either. What can I do?

0 answers · 0 votes · 16 views · asked 2 days ago

Removed wrong IAM roles

I destroyed some IAM roles since they did not display a "last active" attribute. Now I cannot access my data properly. When I try to reset my auth settings, I cannot:

```
NoSuchEntity - An error occurred while processing your request: The role with name us-east-1_g9F10WnFw_Manage-only cannot be found.
```

I'm struggling to figure out what roles to recreate and what access to give them to access my Amplify environment. Not sure if this helps, but here is my aws-export.js:

```javascript
/* eslint-disable */
// WARNING: DO NOT EDIT. This file is automatically generated by AWS Amplify. It will be overwritten.

const awsmobile = {
  "aws_project_region": "us-east-1",
  "aws_appsync_graphqlEndpoint": "https://iai3fj7vd5hgjc22z4m7kj5tn4.appsync-api.us-east-1.amazonaws.com/graphql",
  "aws_appsync_region": "us-east-1",
  "aws_appsync_authenticationType": "API_KEY",
  "aws_appsync_apiKey": "da2-****",
  "aws_cognito_identity_pool_id": "us-east-1:0afc5fb7-9bb5-45a0-ad98-50a9a38491c0",
  "aws_cognito_region": "us-east-1",
  "aws_user_pools_id": "us-east-1_eW3yGAOvZ",
  "aws_user_pools_web_client_id": "7al4qgvvsu8qkicdsqtl9n4stv",
  "oauth": {},
  "aws_cognito_username_attributes": [
    "EMAIL"
  ],
  "aws_cognito_social_providers": [],
  "aws_cognito_signup_attributes": [],
  "aws_cognito_mfa_configuration": "OFF",
  "aws_cognito_mfa_types": [
    "SMS"
  ],
  "aws_cognito_password_protection_settings": {
    "passwordPolicyMinLength": 8,
    "passwordPolicyCharacters": [
      "REQUIRES_LOWERCASE",
      "REQUIRES_NUMBERS",
      "REQUIRES_SYMBOLS",
      "REQUIRES_UPPERCASE"
    ]
  },
  "aws_cognito_verification_mechanisms": [
    "EMAIL"
  ],
  "aws_user_files_s3_bucket": "gr-movement-storage-e48b8b36191308-staging",
  "aws_user_files_s3_bucket_region": "us-east-1"
};

export default awsmobile;
```

1 answer · 0 votes · 19 views · asked 3 days ago