
Cross account buckets appear as Not Protected when more than 100 buckets have been added in Cloud Workload Protection for Storage


Article ID: 203252


Updated On:

Products

Cloud Workload Protection for Storage
Cloud Workload Protection for Storage DLP

Issue/Introduction

You have added over 100 AWS cross account buckets for Cloud Workload Protection for Storage (CWPS) to protect. Your console suddenly shows that buckets are no longer protected.

After gathering the blackbox logs, you see the following errors in two different log files:

spe-s3-protection-controller-service.log

2020-08-25 21:37:15,631 [pool-10-thread-1371] INFO  ControllerAgentInfoRequestProcessor:121 - Agent Info Command Successfully processed
2020-08-25 21:37:15,631 [pool-10-thread-1371] ERROR ConnectionHandler:141 - Exception caught while sending response. Exception - Broken pipe (Write failed)

cafagent.log

2020-08-26 00:00:45 | adapter.SPEIPCLib | Error | 3890 : 140446470747904 : ReceiveResponse:171 | ReceiveResponse(), Exception caught: Timeout
2020-08-26 00:00:45 | adapter.SPES3Adapter | Error | 3890 : 140446470747904 : GetAgentInfo:1281 | SPE_S3_BRIDGE failed to fetch technology status from the agent.
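
A check for the error signature in the two logs above, as an added example that is not part of the product or the original article. The line layouts are inferred from the four excerpted lines only, and the function and signature names are hypothetical.

```python
import re

# Controller layout (assumed from the excerpt):
# "<date> <time>,<ms> [<thread>] <LEVEL> <Class>:<line> - <message>"
CONTROLLER_RE = re.compile(r"^(\S+ \S+),\d+ \[[^\]]+\] (\w+)\s+(\w+):\d+ - (.*)$")

# (name, log, level, source, message fragment), all taken from the excerpts above.
SIGNATURES = [
    ("controller_broken_pipe", "controller", "ERROR", "ConnectionHandler", "Broken pipe"),
    ("agent_ipc_timeout", "cafagent", "Error", "adapter.SPEIPCLib", "Exception caught: Timeout"),
    ("agent_status_fetch_failed", "cafagent", "Error", "adapter.SPES3Adapter",
     "failed to fetch technology status"),
]

# Sample input: the log lines quoted in the article.
SAMPLE_CONTROLLER = [
    "2020-08-25 21:37:15,631 [pool-10-thread-1371] INFO  ControllerAgentInfoRequestProcessor:121 - Agent Info Command Successfully processed",
    "2020-08-25 21:37:15,631 [pool-10-thread-1371] ERROR ConnectionHandler:141 - Exception caught while sending response. Exception - Broken pipe (Write failed)",
]
SAMPLE_CAFAGENT = [
    "2020-08-26 00:00:45 | adapter.SPEIPCLib | Error | 3890 : 140446470747904 : ReceiveResponse:171 | ReceiveResponse(), Exception caught: Timeout",
    "2020-08-26 00:00:45 | adapter.SPES3Adapter | Error | 3890 : 140446470747904 : GetAgentInfo:1281 | SPE_S3_BRIDGE failed to fetch technology status from the agent.",
]

def parse(log, line):
    """Return (timestamp, level, source, message), or None for any other layout."""
    if log == "controller":
        m = CONTROLLER_RE.match(line.strip())
        return m.groups() if m else None
    # cafagent layout: "<ts> | <component> | <level> | <pid : tid : func:line> | <message>"
    parts = [p.strip() for p in line.split(" | ", 4)]
    return (parts[0], parts[2], parts[1], parts[4]) if len(parts) == 5 else None

def find_signatures(controller_lines, cafagent_lines):
    """Map each signature name to the timestamps at which it was seen."""
    hits = {name: [] for name, *_ in SIGNATURES}
    for log, lines in (("controller", controller_lines), ("cafagent", cafagent_lines)):
        for rec in filter(None, (parse(log, ln) for ln in lines)):
            ts, level, source, message = rec
            for name, sig_log, sig_level, sig_source, fragment in SIGNATURES:
                if (log, level, source) == (sig_log, sig_level, sig_source) and fragment in message:
                    hits[name].append(ts)
    return hits

def matches_article(hits):
    """True only when all three errors appear. The excerpts carry different
    timestamps, so no time correlation between the two logs is required."""
    return all(hits.values())
```
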

Cause

CWPS on AWS CFT version 1.0.2.178 and older can only support up to 100 buckets. Having more causes an internal process to time out, which in turn causes the console to display the buckets as Not Protected.

Resolution

An enhancement request has been filed to allow CWPS to protect more than 100 buckets while maintaining a Protected status on the console. When this feature has been implemented, upgrade to the latest version.

As a workaround, you have a few options.

  • Add only the buckets that are critical to protect, if that number is fewer than 100.
  • Create a new domain and add another CWPS deployment for every 100 buckets that need to be protected (this option causes more machines to be deployed, resulting in a higher AWS cost).