Amazon Inspector Public Bucket Access Denied

0

We have an 'unauthorised API call' alarm that is being tripped by Amazon Inspector. It's attempting to download windows.zip from an AWS Public Bucket. Here is a snippet of the CloudWatch log:

    "eventSource": "s3.amazonaws.com",
    "eventName": "GetObject",
    "awsRegion": "ap-southeast-2",
    "sourceIPAddress": "Redacted IP Address",
    "userAgent": "[aws-sdk-go/1.44.78 (go1.18.3; windows; amd64) amazon-ssm-agent/]",
    "errorCode": "AccessDenied",
    "errorMessage": "Access Denied",
    "requestParameters": {
        "bucketName": "aws-ssm-document-attachments-ap-southeast-2",
        "Host": "aws-ssm-document-attachments-ap-southeast-2.s3.ap-southeast-2.amazonaws.com",
        "key": "e89/810622359321/AmazonInspector2-InspectorSsmPlugin!d6f98620-d464-4b63-ab7c-e10b41c673c6/20/windows.zip"
    },

We've set up an Instance role and attached the permissions policy as specified here: https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-minimum-s3-permissions.html

In fact, I added GetBucket* and ListBuckets at the Bucket level as well just in case that was the issue.

When I look in Systems Manager, Fleet Manager, it shows failures invoking AmazonInspector2-ConfigureInspectorSsmPlugin and AmazonInspector2-InvokeInspectorSsmPlugin for the instance in question.

AmazonInspector2-ConfigureInspectorSsmPlugin and AmazonInspector2-InvokeInspectorSsmPlugin Failure

We are getting quite a few of these 'Access Denied' errors, but I have allocated the listed permissions. I also checked that my VPC Endpoint Policy does not restrict access.

The only issue might be there is a Service Control Policy that is denying access. Has anybody got any other insights as to what might be causing this?

1 Answer
0

Try the Policy Simulator on the role. In the console, find the role, click on the Simulate button and then set up the simulator for the GetObject and set the Object key. This may tell you what is blocking access or at least eliminate some policies.

AWS
EXPERT
kentrad
answered a year ago
  • Thanks for your answer. Unfortunately I tried that and the policy is allowed on both the Bucket and the Resource.

    What was interesting though was my executing the policy simulator triggered the Access Denied alarm for 'GetBucketPolicy' using my own user, but when I checked the results, I have 'Allow' permissions.
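To see why a role whose own policy the simulator reports as 'Allow' can still receive AccessDenied when a Service Control Policy applies, here is a small IAM-style evaluator, added here and not part of this thread or of any AWS tool, that replays the GetObject from the CloudWatch event above against a constructed identity policy and a hypothetical SCP (the SCP, its `aws:SourceVpce` condition and the `vpce-EXAMPLE` endpoint id are assumptions, not taken from the question):

```python
"""Simplified IAM evaluation for the GetObject on this page (added example, not AWS code)."""
import fnmatch

# Object ARN built from the bucketName and key in the CloudWatch event above.
BUCKET = "aws-ssm-document-attachments-ap-southeast-2"
KEY = ("e89/810622359321/AmazonInspector2-InspectorSsmPlugin!"
       "d6f98620-d464-4b63-ab7c-e10b41c673c6/20/windows.zip")
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/{KEY}"

# Constructed identity policy, modelled on the SSM agent minimum S3 permissions.
ROLE_POLICY = [{"Effect": "Allow", "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{BUCKET}/*"}]

# Constructed, hypothetical SCP: FullAWSAccess plus a Deny on S3 unless the call
# arrives through an approved VPC endpoint (vpce-EXAMPLE is a placeholder id).
SCP = [{"Effect": "Allow", "Action": "*", "Resource": "*"},
       {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]

def _listify(v):
    return v if isinstance(v, list) else [v]

def _applies(stmt, action, resource, ctx):
    # IAM wildcards * and ?; action names are case-insensitive, resources are not.
    ok = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _listify(stmt.get("Action", [])))
    ok = ok and any(fnmatch.fnmatchcase(resource, p) for p in _listify(stmt.get("Resource", [])))
    for op, kv in stmt.get("Condition", {}).items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"condition operator {op} not supported by this toy evaluator")
        for key, want in kv.items():
            present_equal = ctx.get(key) in _listify(want)  # missing key -> negated test is true
            ok = ok and (present_equal if op == "StringEquals" else not present_equal)
    return ok

def evaluate(action, resource, identity, scps=None, ctx=None):
    """Order mirrors IAM: any explicit Deny wins; SCPs must Allow; identity policy must Allow."""
    ctx = ctx or {}
    def hits(policy, effect):
        return any(s["Effect"] == effect and _applies(s, action, resource, ctx) for s in policy)
    if hits(identity, "Deny") or (scps and hits(scps, "Deny")):
        return "DENIED: explicit Deny"
    if scps and not hits(scps, "Allow"):
        return "DENIED: no SCP Allow"
    return "ALLOWED" if hits(identity, "Allow") else "DENIED: implicit (no Allow)"

if __name__ == "__main__":
    print(evaluate("s3:GetObject", OBJECT_ARN, ROLE_POLICY))       # ALLOWED (role alone)
    print(evaluate("s3:GetObject", OBJECT_ARN, ROLE_POLICY, SCP))  # DENIED: explicit Deny
    print(evaluate("s3:GetObject", OBJECT_ARN, ROLE_POLICY, SCP,
                   {"aws:SourceVpce": "vpce-EXAMPLE"}))            # ALLOWED (via endpoint)
```

The first call reproduces what the simulator reported for the role on its own; the second shows the same request failing once a denying SCP is in the evaluation path, which is the gap the asker suspects.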
