[CIS AWS] Multiple AssumeRole errors #2208

Open
orouz opened this issue May 16, 2024 · 2 comments
Labels
aws; bug (Something isn't working); Team:Cloud Security (Cloud Security team related)
Milestone
8.18

Comments


orouz commented May 16, 2024

Describe the bug

noticed these errors in 8.14 BC4 (see https://github.com/elastic/security-team/issues/9427#issuecomment-2112533090)

```
Error fetching AWS Config recorders: operation error Config Service: DescribeConfigurationRecorders, get identity: get credentials: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: f08d1b32-c6ff-41f1-8357-07819eefa3ab, api error AccessDenied: User: arn:aws:sts::378890115541:assumed-role/cloudbeat-root/aws-go-sdk-1715607180126994429 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::049528901747:role/cloudbeat-securityaudit
failed to describe config recorders: fail to retrieve aws resources for region: us-east-1, error: operation error Config Service: DescribeConfigurationRecorders, get identity: get credentials: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: f08d1b32-c6ff-41f1-8357-07819eefa3ab, api error AccessDenied: User: arn:aws:sts::378890115541:assumed-role/cloudbeat-root/aws-go-sdk-1715607180126994429 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::049528901747:role/cloudbeat-securityaudit
Unable to fetch IAM users, error: operation error IAM: ListUsers, get identity: get credentials: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: f08d1b32-c6ff-41f1-8357-07819eefa3ab, api error AccessDenied: User: arn:aws:sts::378890115541:assumed-role/cloudbeat-root/aws-go-sdk-1715607180126994429 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::049528901747:role/cloudbeat-securityaudit
failed to describe security hub: fail to retrieve aws resources for region: us-east-1, error: operation error SecurityHub: DescribeHub, get identity: get credentials: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: f08d1b32-c6ff-41f1-8357-07819eefa3ab, api error AccessDenied: User: arn:aws:sts::378890115541:assumed-role/cloudbeat-root/aws-go-sdk-1715607180126994429 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::049528901747:role/cloudbeat-securityaudit
failed to load some DB instances from rds: fail to retrieve aws resources for region: us-east-1, error: operation error RDS: DescribeDBInstances, get identity: get credentials: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: e0be65f1-5148-4bfb-8b09-d1a5a6c65fbd, api error AccessDenied: User: arn:aws:sts::378890115541:assumed-role/cloudbeat-root/aws-go-sdk-1715607180126994429 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::049528901747:role/cloudbeat-securityaudit,
failed to describe trails: operation error CloudTrail: DescribeTrails, get identity: get credentials: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: e0be65f1-5148-4bfb-8b09-d1a5a6c65fbd, api error AccessDenied: User: arn:aws:sts::378890115541:assumed-role/cloudbeat-root/aws-go-sdk-1715607180126994429 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::049528901747:role/cloudbeat-securityaudit
```

Preconditions
Run CSPM AWS

To Reproduce
Steps to reproduce the behavior:

1. Add CSPM AWS Integration
2. Search logs for AssumeRole

Expected behavior
No access denied errors

orouz added the bug, Team:Cloud Security and aws labels on May 16, 2024
acorretti added this to the 8.18 milestone on Dec 10, 2024
kubasobon (Member) commented

My 2 cents. The errors are baked into our assumption about how we perform the scan. We use StackSets to create cloudbeat-securityaudit roles in accounts/OUs selected by the user. Cloudbeat is not aware of the roles' existence and simply tries to assume the role in every sub-account and OU, naively and in best-effort style. If the role exists (because the account was chosen and CF SubStacks created it), great, the account is scanned. Otherwise we see the 403 error mentioned in this ticket and move on.

We could take a couple of different approaches:

  • simply silence the 403 errors, which I think is a bit risky
  • make Cloudbeat aware of the chosen accounts/OUs somehow, so that it can scan only the ones users picked
  • make Cloudbeat list all accounts, look up roles, and then limit fetches only to the accounts where the appropriate role exists
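
The triage rule that separates the first option above (silence every 403) from a safe version of it, as an added example that is not cloudbeat's code and not part of the issue: mute only the STS AccessDenied on the specific audit role that cloudbeat expects, collapse those per target account, and keep every other failure loud. It runs over the error lines quoted in the report above, whose root cause in each Config/IAM/SecurityHub/CloudTrail call is the same sts:AssumeRole denial, using only the Go standard library. The role name cloudbeat-securityaudit, the log format and the account ids come from the issue; the function names, the regular expressions and the throttling line in the sample input are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// ExpectedAuditRole is the role the StackSet creates in selected accounts (name from the issue).
const ExpectedAuditRole = "cloudbeat-securityaudit"

// AssumeRoleDenial is what one error line tells us when its root cause is an sts:AssumeRole AccessDenied.
type AssumeRoleDenial struct {
	API           string // "Service: Operation" cloudbeat was attempting
	StatusCode    int
	RequestID     string
	CallerARN     string // the cloudbeat-root session that tried to assume the role
	TargetAccount string // sub-account whose role could not be assumed
	TargetRole    string
}

// Constructed patterns for the aws-sdk-go-v2 error wording seen in the issue (assumption: format is stable).
var (
	reOperation = regexp.MustCompile(`operation error ([^:]+: [A-Za-z]+), get identity`)
	reStatus    = regexp.MustCompile(`StatusCode: (\d+)`)
	reReqID     = regexp.MustCompile(`RequestID: ([0-9a-f-]+)`)
	reDenied    = regexp.MustCompile(`api error AccessDenied: User: (arn:aws:sts::\d{12}:assumed-role/\S+) is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::(\d{12}):role/([^\s,]+)`)
)

// ParseDenial returns ok=false for any line that is not an sts:AssumeRole AccessDenied, so unrelated failures are never muted.
func ParseDenial(line string) (d AssumeRoleDenial, ok bool) {
	m := reDenied.FindStringSubmatch(line)
	if m == nil {
		return d, false
	}
	d.CallerARN, d.TargetAccount, d.TargetRole = m[1], m[2], m[3]
	if op := reOperation.FindStringSubmatch(line); op != nil {
		d.API = op[1]
	}
	if st := reStatus.FindStringSubmatch(line); st != nil {
		d.StatusCode, _ = strconv.Atoi(st[1])
	}
	if rid := reReqID.FindStringSubmatch(line); rid != nil {
		d.RequestID = rid[1]
	}
	return d, true
}

// IsMissingAuditRole is the one case safe to demote to debug: STS answers 403 for the audit
// role cloudbeat expects, meaning the StackSet never deployed it there (account not selected).
func IsMissingAuditRole(d AssumeRoleDenial) bool {
	return d.StatusCode == 403 && d.TargetRole == ExpectedAuditRole
}

// AccountSummary collapses every failed call against one sub-account.
type AccountSummary struct {
	Account, Role string
	Calls         int
	APIs          map[string]int  // failed calls per "Service: Operation"
	RequestIDs    map[string]bool // distinct STS request ids
}

// Summarize groups the expected denials per target account; every other line comes back in unexplained.
func Summarize(lines []string) (skipped map[string]*AccountSummary, unexplained []string) {
	skipped = map[string]*AccountSummary{}
	for _, line := range lines {
		d, ok := ParseDenial(line)
		if !ok || !IsMissingAuditRole(d) {
			unexplained = append(unexplained, line)
			continue
		}
		s := skipped[d.TargetAccount]
		if s == nil {
			s = &AccountSummary{Account: d.TargetAccount, Role: d.TargetRole,
				APIs: map[string]int{}, RequestIDs: map[string]bool{}}
			skipped[d.TargetAccount] = s
		}
		s.Calls++
		s.APIs[d.API]++
		s.RequestIDs[d.RequestID] = true
	}
	return skipped, unexplained
}

// SampleLines: four of the error lines quoted in the issue, plus one constructed
// throttling line (not from the issue) that must stay loud.
var SampleLines = []string{
	`Error fetching AWS Config recorders: operation error Config Service: DescribeConfigurationRecorders, get identity: get credentials: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: f08d1b32-c6ff-41f1-8357-07819eefa3ab, api error AccessDenied: User: arn:aws:sts::378890115541:assumed-role/cloudbeat-root/aws-go-sdk-1715607180126994429 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::049528901747:role/cloudbeat-securityaudit`,
	`Unable to fetch IAM users, error: operation error IAM: ListUsers, get identity: get credentials: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: f08d1b32-c6ff-41f1-8357-07819eefa3ab, api error AccessDenied: User: arn:aws:sts::378890115541:assumed-role/cloudbeat-root/aws-go-sdk-1715607180126994429 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::049528901747:role/cloudbeat-securityaudit`,
	`failed to describe security hub: fail to retrieve aws resources for region: us-east-1, error: operation error SecurityHub: DescribeHub, get identity: get credentials: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: f08d1b32-c6ff-41f1-8357-07819eefa3ab, api error AccessDenied: User: arn:aws:sts::378890115541:assumed-role/cloudbeat-root/aws-go-sdk-1715607180126994429 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::049528901747:role/cloudbeat-securityaudit`,
	`failed to describe trails: operation error CloudTrail: DescribeTrails, get identity: get credentials: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: e0be65f1-5148-4bfb-8b09-d1a5a6c65fbd, api error AccessDenied: User: arn:aws:sts::378890115541:assumed-role/cloudbeat-root/aws-go-sdk-1715607180126994429 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::049528901747:role/cloudbeat-securityaudit`,
	`failed to describe trails: operation error CloudTrail: DescribeTrails, https response error StatusCode: 400, RequestID: 00000000-0000-0000-0000-000000000000, api error ThrottlingException: Rate exceeded`,
}

func main() {
	skipped, unexplained := Summarize(SampleLines)
	for _, s := range skipped {
		fmt.Printf("skip %s: %s not assumable (403); %d calls, %d APIs, %d request ids\n", s.Account, s.Role, s.Calls, len(s.APIs), len(s.RequestIDs))
	}
	fmt.Println("unexplained lines kept as errors:", len(unexplained))
}
```

Run with `go run .`: the four issue lines collapse to a single skipped account (049528901747, five API calls in the report, two STS request ids), while the constructed throttling line comes back in `unexplained`. The same predicate is what a fetcher would apply before logging, which is the difference between the "silence the 403 errors" option and silencing only the one 403 the design actually expects.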

kubasobon (Member) commented

Related (possible duplicate): #2331

5 participants