05/26/2023 04:43 AM
We are receiving an error once we save the AWS Connector, even though it shows "connection successful"; when we analyze it in Log Analyzer it gives the following message.
Q. What could be the possible solution to resolve this?
--------------------- LOG -------------------------
CPAM_AWS_IAM import | Error - to Import AWS Data correctly: com.amazonaws.services.s3control.model.AWSS3ControlException: Caller id does not match the account id in the endpoints. (Service: AWSS3Control; Status Code: 403; Error Code: AccessDenied; Request ID: RJ3XMGVXJH5AQ1YB)
06/08/2023 09:08 AM
@alexb Thanks for posting your issue. This is related to connectors, so I have requested that this post be moved under the IGA category for better reach.
In the meantime, can you please add more details on when you are seeing the error related to GenerateCredentialReport. Is it during the import process? Also, please check that the cross-account role indeed has the specified permission iam:GenerateCredentialReport.
Thanks,
Nagesh K
06/08/2023 09:11 PM
Thanks for the reply,
Yes, it is during the job import process that the error shows up (status shows failed), but Log Analyzer also shows the error quoted above ("...AccessDenied...").
Referring to GenerateCredentialReport and GetCredentialReport, could you specify whether this is a custom policy that we need to create or an OOTB policy from AWS, and where the policy should be applied (whole account, user, role, or, as mentioned, create one from scratch)?
Yes, it's a full job import with the following custom import config:
---------------------
{
"importEntTypes": {
"IAMPolicy": {},
"AWSRole": {},
"AWSGroup": {}
},
"excludeEntTypes": {
"EC2Instance": {"storeIAMRoleForEC2Instance":"true"}
}
}
{
"importEntTypes": {
"IAMPolicy": {},
"AWSRole": {},
"AWSGroup": {},
"EC2Instance": {"storeIAMRoleForEC2Instance":"true"}
},
"excludeEntTypes": {
"SecurityGroup": {},
"AMI": {},
"ElasticLoadBalancer": {},
"DhcpOption": {},
"VPC": {},
"Subnet": {},
"NACL": {},
"S3Bucket": {},
"EBSVolume": {},
"EBSSnapshot": {},
"DBSecurityGroup": {},
"RdsDbInstance": {},
"RouteTable": {},
"VpcPeering": {},
"InternetGateway": {},
"CloudTrail": {},
"NetworkInterface": {},
"RedShiftClusterSecurityGroup": {},
"RedShiftCluster": {},
"ElasticIP": {},
"CloudFormation": {},
"EncryptionKey": {},
"NatGateway": {},
"SnsTopic": {},
"SQS": {},
"AWSConfig": {},
"DynamoDB": {},
"VpcFlowLog": {},
"Glacier": {},
"RDSSnapshot": {},
"EFS": {},
"MountTarget": {},
"ReputedIP": {},
"ElasticSearch": {},
"CloudFormationTemplatesFromS3": {},
"EMR": {},
"VpcEndpoint": {},
"VirtualMFADevice": {},
"CloudWatchLogGroup": {},
"CloudWatchAlarm": {},
"Workspace": {},
"Directory": {},
"WorkspaceBundle": {},
"AppELB": {},
"ACM": {},
"AutoScaling": {},
"LaunchConfig": {},
"Route53": {},
"CloudFront": {},
"RDSEventSubscription": {},
"AWSLambda": {},
"GuardDuty": {},
"WAFCondition": {},
"WAFWebACL": {},
"RedShiftParameterGroup": {},
"WAFRule": {},
"AWSAccountSettings": {}
}
}
------------
06/09/2023 12:02 AM
We did add the policies generatecredentialreport and getcredentialreport to the Saviynt Role and the cpam user, but it would be nice to know which specific one requires the policy.
The error we are getting during the import is:
----------------
: User: arn:aws:sts::42299XXXX730:assumed-role/nixu-partner-eks-workernode-role/i-0318f2fXXXX7a7ffd is not authorized to perform: iam:GetAccountSummary on resource: * because no identity-based policy allows the iam:GetAccountSummary action (Service: AmazonIdentityManagement; Status Code: 403;
---------------------------
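A quick offline check for the situation in this thread, added here as an example and not code from the thread or from Saviynt: it pulls the denied action out of an IAM AccessDenied message like the one quoted above and compares a role's identity-based policy document against the read-only IAM actions the replies mention. The required-action list and the sample policy are assumptions constructed for the example; only plain Allow/Deny statements on Action with Resource "*" are modelled (no conditions, NotAction, resource ARNs or SCPs).

```python
import fnmatch
import json
import re
from typing import List, Optional

# Actions named in this thread's error messages and replies (assumed list, not a
# Saviynt reference): the connector's cross-account role must be allowed all of them.
REQUIRED_ACTIONS = [
    "iam:GetAccountSummary",
    "iam:GenerateCredentialReport",
    "iam:GetCredentialReport",
]

# Constructed sample: the credential-report actions are granted, GetAccountSummary is not,
# which reproduces the 403 quoted above.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iam:GenerateCredentialReport", "iam:GetCredentialReport"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:List*", "Resource": "*"}
  ]
}""")

_DENIED_RE = re.compile(r"not authorized to perform: (?P<action>[\w-]+:[\w*]+)")


def denied_action(message: str) -> Optional[str]:
    """Extract the action name from an IAM 'is not authorized to perform: X' message."""
    m = _DENIED_RE.search(message)
    return m.group("action") if m else None


def _as_list(value):
    # IAM allows a single string or a list for Statement and Action.
    return value if isinstance(value, list) else [value]


def missing_actions(policy: dict, required: List[str] = REQUIRED_ACTIONS) -> List[str]:
    """Return the required actions that no Allow statement covers or that a Deny blocks.
    Action matching is case-insensitive and honours wildcards such as iam:Get* or iam:*."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        for action in required:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                bucket.add(action)
    return [a for a in required if a not in allowed or a in denied]
```

Run `missing_actions` on the real policy document attached to the cross-account role (for example the output of `aws iam get-role-policy`) to see which of the three actions still needs to be granted before re-running the import.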
06/09/2023 08:18 AM
@alexb This will most probably require a working session to review the cross account role and the policy associated to it. I suggest opening a FD ticket to take this further.
Also, in the first post you mentioned that you switched the roles in externalconfig properties post which you got the error at GetAccountSummary. Did you revert those changes yet?
Thanks,
Nagesh K
06/11/2023 11:11 PM
Yes, we believe a session is probably the most appropriate way to avoid too many messages going around.
Yes, we did revert back to the original role; we tried a variety of trial-and-error possible solutions, but none succeeded.
Could you please advise on, what is the best way to arrange this session?
06/12/2023 06:48 AM
@alexb As I mentioned in my previous response, you have to open an FD ticket to take this further.
Thanks,
Nagesh K
06/12/2023 07:00 AM
Hi Nagesh,
Thanks, already done!