search cancel

Adding AWS cross account buckets fails in Cloud Workload Protection for Storage

book

Article ID: 202977

calendar_today

Updated On:

Products

Cloud Workload Protection for Storage

Issue/Introduction

You enable cross account support and add cross account buckets for scanning in Cloud Workload Protection for Storage. After adding the buckets, they either do not appear in the console or they appear but are not protected.

When you gather the blackbox logs and look at spe-s3-protection-controller-service.log, you see an error similar to the following:

2020-11-06 14:39:40,715 [Thread-5] INFO  ScheduleHandler:722 - Started Execution of function importArnListHandlling()
2020-11-06 14:39:40,717 [Thread-5] INFO  AssetDiscoveryController:1063 - Executing import-arns command.
2020-11-06 14:39:40,820 [Thread-5] INFO  S3ClientRouter:85 - Fail to refersh S3 Client with arn : arn:aws:iam::000000000000:role/CWPSConnectionStack-crossAccountRole
2020-11-06 14:39:40,821 [Thread-5] INFO  S3ClientRouter:86 - User: arn:aws:sts::111111111111:assumed-role/CWPSConnectionStack-ControllerIAMRole-ABCDEFGHIJKL/i-0123456789abcdef is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::000000000000:role/CWPSConnectionStack-crossAccountRole (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 12345678-90ab-cdef-1234-567890abcdef)

Environment

CWPS on AWS

Cause

Your controller IAM Role does not have the Assume Role permission for the cross account roles you created.

Resolution

Ensure your Controller IAM Role (arn:aws:sts::111111111111:assumed-role/CWPSConnectionStack-ControllerIAMRole-ABCDEFGHIJKL/i-0123456789abcdef in the above error) has the Assume Role permission for each of your cross account arn roles.