[CIS AWS] Multiple Access Denied in Long Lived Environment
Describe the bug
There are multiple Access Denied errors in AWS in the long-lived env (logs).
They are in different resources. During 8.13 QA Cycle we've seen in 1 cycle:
217 occurrences
Could not get public access block configuration for bucket automation-reports-qa-979855498. Err: operation error S3: GetPublicAccessBlock, https response error StatusCode: 403, RequestID: A6XZC4F0TSWVQ66D, HostID: dSpazygqEbrbuqz13/xArGJ8yHONPNik5g5kbxdutIlNmRbhDdv9zPOjFrNCCjtLGpfgH7hBX9/qrey84tKuOw==, api error AccessDenied: Access Denied
217 occurrences:
Could not get bucket policy for bucket automation-reports-qa-979855498. Error: operation error S3: GetBucketPolicy, https response error StatusCode: 403, RequestID: A6XYVRZ7JSBNDPCA, HostID: qjb2y/kd2jR5EAluiJYo4cpabeGJHrN8B6hC3l4JnkFQStGA7YfzBn1WFqLxdRjSnINq6v5FKypBM37x7e3NhA==, api error AccessDenied: Access Denied
217 occurrences:
Could not get bucket versioning for bucket automation-reports-qa-979855498. Err: operation error S3: GetBucketVersioning, https response error StatusCode: 403, RequestID: A6XP4CJSRZ0D02AN, HostID: 6IMC8GfupZrWLAVnIbIU5zeU2FEAMi1nD9T7we/ERX4rCl9M3m3JhyQuxAYUz2BcLXOdicbXdxeqLJ/RsLgVig==, api error AccessDenied: Access Denied
217 occurrences:
Could not get encryption for bucket automation-reports-qa-979855498. Error: operation error S3: GetBucketEncryption, https response error StatusCode: 403, RequestID: A6XPBD25GBQBJSVV, HostID: TcgUSnrjm0F2qpfK9qJ95K9P23YKN2j+16rT6TQOkEJUWMbHuobCSKbHKlgUAxQNYW/PnflJarLcFEmTJYBKJA==, api error AccessDenied: Access Denied
1 occurrence
Error getting bucket logging for bucket elastic-org-elastic-eng-cloudtrail-ingest: operation error S3: GetBucketLogging, https response error StatusCode: 403, RequestID: S48C14D1MQRP41HY, HostID: yVuswO1qpYJoLS/kz4a+zEpY7S/M8oYm66mXZxjP7V7+ny/jifyZatYiFzfEnALTHlT5szbgJBw=, api error AccessDenied: Access Denied
1 occurrence
Error getting bucket ACL for bucket elastic-org-elastic-eng-cloudtrail-ingest: operation error S3: GetBucketAcl, https response error StatusCode: 403, RequestID: S485X0DEXC0TME35, HostID: FzzulVT2+qg2N/iDfwKVUWRFnD5PAM0BArQ0VhypuVQY0p7rl134EHPRMTSbxUmiQmf2oyXIANc=, api error AccessDenied: Access Denied
1 occurrence
Error getting bucket policy for bucket elastic-org-elastic-eng-cloudtrail-ingest: operation error S3: GetBucketPolicy, https response error StatusCode: 403, RequestID: S488RXVJ6YXM48W1, HostID: YW+0jtbfV/7ZV0TDQstxL/NPQBEfzbXvrqr+f6K94oKLM7gYMyn5SJLrkbr8PENTfoebkKfHPv8=, api error AccessDenied: Access Denied
1 occurrence
Could not get bucket location for bucket ari-cis-aws-test. Not describing this bucket. Error: operation error S3: GetBucketLocation, https response error StatusCode: 403, RequestID: S48ES61TBYW92QYP, HostID: XLj0WPtd1+2kY9eB/9pDe/Yh6lF9Wsu4GpIX6MpLHYhdwic2u7A0OB3/f/aW9BjRkynSmmMI0a8=, api error AccessDenied: Access Denied
Preconditions
Run CSPM AWS
To Reproduce
Write the exact actions one should perform in order to reproduce the bug. Steps to reproduce the behavior:
- Add CSPM AWS Integration
- Search logs for (AccessDenied: Access Denied)
Expected behavior
No access denied errors
- automation-reports-qa-* and ari-cis-aws-test are both old buckets we don't have access to anymore. as an admin, i can't do any operation (get/delete)
- elastic-org-elastic-eng-cloudtrail-ingest - is where the elastic-eng-org-cloudtrail trail dumps the cloudtrail logs, and the trail was set up by org management:, so it seems not being able to operate (get*) on that bucket makes sense.
long story short - org policies prevent security-audit role from running operations it is otherwise permitted to do.
we can't do anything about elastic-org-elastic-eng-cloudtrail-ingest, just ignore the error. we could do the same for the other two buckets, or ask platform-security to delete them, although i've been told it may not be easy to get that approved.
an issue has been opened in the Platform Security board to work this out. there is nothing to be done on our end.
ari-cis-aws-test and automation-reports-qa-* have been deleted.
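The triage this thread arrives at (403s on buckets known to be blocked by org policy are ignored, any other denial is investigated), as an added Go example that is not part of the issue or the project's code. The ignore list, the `Triage` and `isExpected` names, the sample lines and the bucket `example-new-bucket` are assumptions constructed from the messages quoted in the report.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
)

// Constructed samples shaped like the issue's messages; RequestID/HostID are placeholders, "example-new-bucket" is made up.
var sampleLogs = []string{
	"Could not get bucket policy for bucket automation-reports-qa-979855498. Error: operation error S3: GetBucketPolicy, https response error StatusCode: 403, RequestID: REQ-1, HostID: HOST-1, api error AccessDenied: Access Denied",
	"Could not get bucket policy for bucket automation-reports-qa-979855498. Error: operation error S3: GetBucketPolicy, https response error StatusCode: 403, RequestID: REQ-2, HostID: HOST-2, api error AccessDenied: Access Denied",
	"Error getting bucket ACL for bucket elastic-org-elastic-eng-cloudtrail-ingest: operation error S3: GetBucketAcl, https response error StatusCode: 403, RequestID: REQ-3, HostID: HOST-3, api error AccessDenied: Access Denied",
	"Could not get encryption for bucket example-new-bucket. Error: operation error S3: GetBucketEncryption, https response error StatusCode: 403, RequestID: REQ-4, HostID: HOST-4, api error AccessDenied: Access Denied",
}

// Assumed ignore list: the buckets the thread identifies as inaccessible (glob patterns allowed).
var expectedDenied = []string{"automation-reports-qa-*", "ari-cis-aws-test", "elastic-org-elastic-eng-cloudtrail-ingest"}
// Captures the bucket name and the S3 operation from a 403 AccessDenied line.
var deniedRe = regexp.MustCompile(`for bucket (\S+?)[.:] .*operation error S3: (\w+), https response error StatusCode: 403,.*api error AccessDenied`)

func isExpected(bucket string) bool {
	for _, pat := range expectedDenied {
		if ok, _ := path.Match(pat, bucket); ok {
			return true
		}
	}
	return false
}

// Triage counts AccessDenied lines per "bucket operation", split into ignorable and to-investigate.
func Triage(lines []string) (expected, unexpected map[string]int) {
	expected, unexpected = map[string]int{}, map[string]int{}
	for _, line := range lines {
		if m := deniedRe.FindStringSubmatch(line); m != nil {
			dst := unexpected
			if isExpected(m[1]) {
				dst = expected
			}
			dst[m[1]+" "+m[2]]++
		}
	}
	return expected, unexpected
}

func main() {
	exp, unexp := Triage(sampleLogs)
	fmt.Println("ignore:", exp, "investigate:", unexp)
}
```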