Amazon Inspector - IAM Policy error

0

We have Amazon Inspector scanning the whole AWS account. Amazon Inspector uses a service-linked role and policy which we cannot edit and link with Amazon Inspector. While Amazon Inspector is scanning the account, we are seeing the error below in the CloudTrail logs, which triggers the alarms configured on CloudTrail.

User: arn:aws:sts::XXXXXXXXXXX:assumed-role/AWSServiceRoleForAmazonInspector2/MandoService-XXXXXXXX is not authorized to perform: elasticloadbalancing:DescribeTargetGroupAttributes because no identity-based policy allows the elasticloadbalancing:DescribeTargetGroupAttributes action

We have verified the IAM policy attached to "AWSServiceRoleForAmazonInspector2" and it does not have the permission "elasticloadbalancing:DescribeTargetGroupAttributes". Is there any way to configure Amazon Inspector with a service-linked role that has the elasticloadbalancing:DescribeTargetGroupAttributes permission?

We have reached out to Amazon Support, but they are redirecting us to business/enterprise support. It seems to be an Amazon Inspector policy issue, but we are not sure how to get a resolution from AWS for it.

2 answers
1

Amazon Inspector uses the service-linked role named AWSServiceRoleForAmazonInspector2. This service-linked role trusts the inspector2.amazonaws.com service to assume the role.

The permissions policy for the role, which is named AmazonInspector2ServiceRolePolicy, allows Amazon Inspector to perform several tasks, such as using select Elastic Load Balancing actions to perform network scans of EC2 instances that are part of Elastic Load Balancing target groups.

The role configured must include the following permissions policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TirosPolicy",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetGroupAttributes",
        "elasticloadbalancing:DescribeTargetHealth"
      ],
      "Resource": "*"
    }
  ]
}

AWS
answered 9 months ago
AWS
EXPERT
reviewed 9 months ago
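An added example, not code from the question or either answer, showing one way to triage these alarms: it parses constructed CloudTrail records shaped like the denial quoted in the question and reports which actions denied to the Inspector service-linked role are not covered by any Allow pattern in a given policy document, so a genuine gap in the AWS-managed policy can be separated from other AccessDenied noise. The policy document is built from the ELB actions listed in this answer; the account id and session name in the sample record are placeholders.

```python
import re
from fnmatch import fnmatchcase

# Constructed CloudTrail records shaped like the AccessDenied event quoted in the
# question; the account id and session name are placeholders, not real values.
SAMPLE_EVENTS = [
    {"eventName": "DescribeTargetGroupAttributes", "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:sts::111111111111:assumed-role/"
                     "AWSServiceRoleForAmazonInspector2/MandoService-abc123 is not "
                     "authorized to perform: elasticloadbalancing:DescribeTargetGroupAttributes"
                     " because no identity-based policy allows the "
                     "elasticloadbalancing:DescribeTargetGroupAttributes action"},
    {"eventName": "DescribeTargetGroups"},  # successful call, no errorCode: ignored
]

# ELB actions of the TirosPolicy statement as listed in the answer, without
# DescribeTargetGroupAttributes, i.e. the policy version the asker was seeing.
POLICY_SEEN = {"Version": "2012-10-17", "Statement": [{
    "Sid": "TirosPolicy", "Effect": "Allow", "Resource": "*", "Action": [
        "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth"]}]}

# Pulls the role name and the denied "service:Action" out of the IAM error message.
DENIAL_RE = re.compile(r"assumed-role/(?P<role>[^/]+)/\S+ is not authorized to perform: "
                       r"(?P<action>[\w-]+:[\w*]+)")


def uncovered_denials(events, policy, role_name):
    """Denied actions for role_name that no Allow pattern in policy covers.
    IAM action matching is case-insensitive with * and ? wildcards, hence lower() + fnmatch."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            acts = stmt.get("Action", [])
            patterns += [acts.lower()] if isinstance(acts, str) else [a.lower() for a in acts]
    gaps = set()
    for ev in events:
        if ev.get("errorCode") != "AccessDenied":
            continue
        m = DENIAL_RE.search(ev.get("errorMessage", ""))
        if m and m.group("role") == role_name:
            action = m.group("action")
            if not any(fnmatchcase(action.lower(), p) for p in patterns):
                gaps.add(action)
    return sorted(gaps)
```

Run it against the current AmazonInspector2ServiceRolePolicy document (fetched with the IAM GetPolicyVersion API) and real CloudTrail records to confirm whether a new policy version has closed the gap.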
0
Accepted answer

Thanks for your help. Linked IAM Policy "AmazonInspector2ServiceRolePolicy" magically updated yesterday to Version 11 and has this permission. We will monitor CloudTrail logs for any further errors.

Amit
answered 9 months ago
