You enable cross account support and add cross account buckets for scanning in Cloud Workload Protection for Storage. After adding the buckets, they either do not appear in the console or they appear but are not protected.
When you gather the blackbox logs and look at spe-s3-protection-controller-service.log, you see an error similar to the following:
2020-11-06 14:39:40,715 [Thread-5] INFO ScheduleHandler:722 - Started Execution of function importArnListHandlling()
2020-11-06 14:39:40,717 [Thread-5] INFO AssetDiscoveryController:1063 - Executing import-arns command.
2020-11-06 14:39:40,820 [Thread-5] INFO S3ClientRouter:85 - Fail to refersh S3 Client with arn : arn:aws:iam::000000000000:role/CWPSConnectionStack-crossAccountRole
2020-11-06 14:39:40,821 [Thread-5] INFO S3ClientRouter:86 - User: arn:aws:sts::111111111111:assumed-role/CWPSConnectionStack-ControllerIAMRole-ABCDEFGHIJKL/i-0123456789abcdef is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::000000000000:role/CWPSConnectionStack-crossAccountRole (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 12345678-90ab-cdef-1234-567890abcdef)
CWPS on AWS
The controller IAM role's permissions policy does not grant sts:AssumeRole on the cross-account role(s) you created, so STS rejects the controller's attempt to refresh its S3 client for that account (the AccessDenied in the log above) and the buckets behind that role are never enumerated or protected. Note that STS returns the same AccessDenied when the cross-account role's trust policy does not list the controller role as a trusted principal, so both policies need to be checked.
Ensure your controller IAM role (the role behind arn:aws:sts::111111111111:assumed-role/CWPSConnectionStack-ControllerIAMRole-ABCDEFGHIJKL/i-0123456789abcdef in the above error, that is, CWPSConnectionStack-ControllerIAMRole-ABCDEFGHIJKL in account 111111111111) has an Allow for sts:AssumeRole on the ARN of each of your cross-account roles, and that each cross-account role's trust policy allows that controller role to assume it. After correcting the policies, check spe-s3-protection-controller-service.log again; the next import-arns run should refresh the S3 client for each cross-account ARN without the AccessDenied error.
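The following is an added example, not Symantec's code or the CWPS CloudFormation template: it builds the two policy documents the AssumeRole call depends on (the controller role's permissions policy and each cross-account role's trust policy), parses the AccessDenied line from the log to recover the caller and target ARNs, and runs a simplified IAM evaluation over both policies so you can see which side is missing before you touch the console. The ARNs are placeholders copied from the error text, the log line is constructed from the article, and the evaluator models only Allow/Deny statements with IAM's "*" and "?" wildcards, not Conditions, SCPs or permission boundaries.

```python
# Added example, not Symantec's code: model the two IAM policy documents an
# sts:AssumeRole call from the CWPS controller role into a cross-account role
# depends on, and check both. Assumptions: ARNs are placeholders from the
# error text; only Allow/Deny with "*"/"?" wildcards are modelled (no
# Conditions, SCPs or permission boundaries).
import json
import re

CONTROLLER_ROLE_ARN = ("arn:aws:iam::111111111111:role/"
                       "CWPSConnectionStack-ControllerIAMRole-ABCDEFGHIJKL")
CROSS_ACCOUNT_ROLE_ARNS = [
    "arn:aws:iam::000000000000:role/CWPSConnectionStack-crossAccountRole",
]

# The log prints the caller as an STS assumed-role ARN; trust policies and
# resource ARNs refer to the underlying IAM role ARN instead.
def role_arn_from_caller(arn):
    m = re.match(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/", arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else arn

def parse_access_denied(line):
    """Pull caller and target ARNs out of an STS AccessDenied log line."""
    m = re.search(r"User: (\S+) is not authorized to perform: sts:AssumeRole "
                  r"on resource: (\S+)", line)
    return (m.group(1), m.group(2)) if m else None

def controller_policy(cross_account_role_arns):
    """Permissions policy for the controller role: AssumeRole on each cross-account role only."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AssumeCwpsCrossAccountRoles", "Effect": "Allow",
        "Action": "sts:AssumeRole", "Resource": list(cross_account_role_arns)}]}

def cross_account_trust_policy(controller_role_arn):
    """Trust policy for a cross-account role: only the controller role may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": controller_role_arn},
        "Action": "sts:AssumeRole"}]}

def _as_list(v):
    return [] if v is None else (v if isinstance(v, list) else [v])

def _matches(pattern, value, ignore_case):
    # IAM wildcards: actions match case-insensitively, resource ARNs do not
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def identity_allows(policy, action, resource):
    """Simplified IAM evaluation of a permissions policy: explicit Deny wins, else any Allow."""
    allowed = False
    for st in _as_list(policy.get("Statement")):
        if not any(_matches(a, action, True) for a in _as_list(st.get("Action"))):
            continue
        if not any(_matches(r, resource, False) for r in _as_list(st.get("Resource"))):
            continue
        if st.get("Effect") == "Deny":
            return False
        allowed = allowed or st.get("Effect") == "Allow"
    return allowed

def trust_allows(trust_policy, caller_role_arn):
    """Does the target role's trust policy name the caller (role ARN, account ID/root, or *)?"""
    account = caller_role_arn.split(":")[4]
    accepted = {"*", caller_role_arn, account, f"arn:aws:iam::{account}:root"}
    allowed = False
    for st in _as_list(trust_policy.get("Statement")):
        if not any(_matches(a, "sts:AssumeRole", True) for a in _as_list(st.get("Action"))):
            continue
        principal = st.get("Principal")
        principals = ["*"] if principal == "*" else _as_list((principal or {}).get("AWS"))
        if not accepted.intersection(principals):
            continue
        if st.get("Effect") == "Deny":
            return False
        allowed = allowed or st.get("Effect") == "Allow"
    return allowed

def assume_role_problems(caller_arn, identity_policy, target_role_arn, trust_policy):
    """Reasons the AssumeRole would be denied; an empty list means both sides allow it."""
    caller_role = role_arn_from_caller(caller_arn)
    problems = []
    if not identity_allows(identity_policy, "sts:AssumeRole", target_role_arn):
        problems.append(f"{caller_role} lacks sts:AssumeRole on {target_role_arn}")
    if not trust_allows(trust_policy, caller_role):
        problems.append(f"trust policy of {target_role_arn} does not trust {caller_role}")
    return problems

if __name__ == "__main__":
    # Constructed from the error line in the article, not a live log.
    LOG = ("User: arn:aws:sts::111111111111:assumed-role/CWPSConnectionStack-ControllerIAMRole-"
           "ABCDEFGHIJKL/i-0123456789abcdef is not authorized to perform: sts:AssumeRole on "
           "resource: arn:aws:iam::000000000000:role/CWPSConnectionStack-crossAccountRole")
    caller, target = parse_access_denied(LOG)
    trust = cross_account_trust_policy(CONTROLLER_ROLE_ARN)
    print(assume_role_problems(caller, {"Statement": []}, target, trust))  # the failing state
    fixed = controller_policy(CROSS_ACCOUNT_ROLE_ARNS)
    print(json.dumps(fixed, indent=2))                                     # paste into the controller role
    print(assume_role_problems(caller, fixed, target, trust))              # []
```

Paste the generated permissions policy onto the controller role (adding every cross-account role ARN to the Resource list) and the trust policy onto each cross-account role. For a live confirmation, run `aws sts assume-role --role-arn <cross-account role ARN> --role-session-name cwps-check` from the controller instance with the controller role's credentials; it returns temporary credentials when both policies are correct and the same AccessDenied as the log when either is not.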