Amazon Inspector - IAM Policy error


We have Amazon Inspector scanning the whole AWS account. Amazon Inspector uses a service-linked role and policy which we cannot edit and link with Amazon Inspector. While Amazon Inspector is scanning the account, we are seeing the error below in CloudTrail logs, which triggers alarms configured on CloudTrail.

User: arn:aws:sts::XXXXXXXXXXX:assumed-role/AWSServiceRoleForAmazonInspector2/MandoService-XXXXXXXX is not authorized to perform: elasticloadbalancing:DescribeTargetGroupAttributes because no identity-based policy allows the elasticloadbalancing:DescribeTargetGroupAttributes action

We have verified the IAM policy attached to "AWSServiceRoleForAmazonInspector2" and it does not have the permission "elasticloadbalancing:DescribeTargetGroupAttributes". Is there any way to configure Amazon Inspector with a service-linked role that has the elasticloadbalancing:DescribeTargetGroupAttributes permission?

We have reached out to Amazon Support, but they are redirecting us to business/enterprise support. It seems to be an Amazon Inspector policy issue, but we are not sure how to get a resolution from AWS for it.

2 answers

Amazon Inspector uses the service-linked role named AWSServiceRoleForAmazonInspector2. This service-linked role trusts the inspector2.amazonaws.com service to assume the role.

The permissions policy for the role, which is named AmazonInspector2ServiceRolePolicy, allows Amazon Inspector to perform several tasks, such as using select Elastic Load Balancing actions to perform network scans of EC2 instances that are part of Elastic Load Balancing target groups.

The role configured must include the following permissions policy.

    {
        "Sid": "TirosPolicy",
        "Effect": "Allow",
        "Action": [
            "elasticloadbalancing:DescribeListeners",
            "elasticloadbalancing:DescribeLoadBalancerAttributes",
            "elasticloadbalancing:DescribeLoadBalancers",
            "elasticloadbalancing:DescribeRules",
            "elasticloadbalancing:DescribeTags",
            "elasticloadbalancing:DescribeTargetGroups",
            "elasticloadbalancing:DescribeTargetGroupAttributes",
            "elasticloadbalancing:DescribeTargetHealth"
        ],
        "Resource": "*"
    }


AWS
answered 9 months ago
AWS Expert
reviewed 9 months ago
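Added example, not code from the question or the answers above: it checks a CloudTrail AccessDenied record like the one quoted in the question against the TirosPolicy statement quoted in this answer (as it looked before DescribeTargetGroupAttributes was added), so an alarm handler can tell a genuinely missing action from one already covered by a wildcard. The policy Version, Resource, account id and session name are assumed values.

```python
import fnmatch
import re

# Constructed sample: the TirosPolicy statement quoted above, before
# DescribeTargetGroupAttributes was added (Version/Resource assumed for a valid document).
INSPECTOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "TirosPolicy", "Effect": "Allow", "Resource": "*", "Action": [
        "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth"]}],
}

# Constructed CloudTrail record mirroring the error quoted in the question (account id is fake).
CLOUDTRAIL_EVENT = {
    "eventSource": "elasticloadbalancing.amazonaws.com",
    "eventName": "DescribeTargetGroupAttributes",
    "errorCode": "AccessDenied",
    "errorMessage": ("User: arn:aws:sts::111122223333:assumed-role/AWSServiceRoleForAmazonInspector2/"
                     "MandoService-abc123 is not authorized to perform: "
                     "elasticloadbalancing:DescribeTargetGroupAttributes because no identity-based "
                     "policy allows the elasticloadbalancing:DescribeTargetGroupAttributes action"),
}

DENIED_RE = re.compile(r"assumed-role/(?P<role>[^/\s]+)/\S+ is not authorized to perform: "
                       r"(?P<action>[\w-]+:[\w*]+)")

def parse_access_denied(event):
    """Return (role name, denied action) from an AccessDenied CloudTrail record, else None."""
    if event.get("errorCode") != "AccessDenied":
        return None
    m = DENIED_RE.search(event.get("errorMessage", ""))
    return (m["role"], m["action"]) if m else None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_allows(policy, action):
    """Identity-policy check: Action patterns use * and ? case-insensitively; explicit Deny wins."""
    allowed = False
    for statement in _as_list(policy["Statement"]):
        patterns = [p.lower() for p in _as_list(statement.get("Action", []))]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            if statement["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

For a service-linked role the customer cannot add the missing action; the check only confirms that the gap is in the AWS-managed policy version rather than in a wildcard or a Deny elsewhere.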
Accepted answer

Thanks for your help. Linked IAM Policy "AmazonInspector2ServiceRolePolicy" magically updated yesterday to Version 11 and has this permission. We will monitor CloudTrail logs for any further errors.

Amit
answered 9 months ago
