I have a new AWS Organization set up with Control Tower and a few accounts. I recently enabled the CIS 1.4 benchmark CloudWatch metric alarms and noticed that I get an unauthorized login attempt alarm several times a day. Looking at the alarm in CloudTrail, I see the following JSON
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAVSPWHG5OAGLEAJZ6P:configLambdaExecution",
    "arn": "arn:aws:sts::1234567:assumed-role/AWSServiceRoleForConfig/configLambdaExecution",
    "accountId": "1234567",
    "accessKeyId": "ASIAV....GM",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAV....AJZ6P",
        "arn": "arn:aws:iam::1234567:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
        "accountId": "1234567",
        "userName": "AWSServiceRoleForConfig"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2023-12-15T12:48:57Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "config.amazonaws.com"
  },
  "eventTime": "2023-12-15T12:48:58Z",
  "eventSource": "macie2.amazonaws.com",
  "eventName": "GetMacieSession",
  "awsRegion": "us-east-2",
  "sourceIPAddress": "config.amazonaws.com",
  "userAgent": "config.amazonaws.com",
  "errorCode": "AccessDenied",
  "requestParameters": null,
  "responseElements": null,
  "requestID": "5fca0e2f-519d-4c94-ad67-8621403658e0",
  "eventID": "5241ccfc-5bee-4f34-825d-3accd9eb7e03",
  "readOnly": true,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "1234567",
  "eventCategory": "Management"
}
We don't use Macie, but we do use AWS Config - so my assumption is that this is a built-in Lambda function (which I can't see) trying to check for configuration changes in Macie.
When I go to IAM in the 1234567 account, I don't see a role named configLambdaExecution, but I do see one named AWSServiceRoleForConfig - when I look at the policy attached to that role it looks like the AWS-provided default role, and GetMacieSession is indeed included in it
Can someone help me understand this?
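The alarm fires because the CIS 1.4 "unauthorized API calls" metric filter matches on errorCode alone and does not distinguish a human caller from an AWS service principal acting through its own service-linked role. The following triage logic is an added example (not code from the original post or from AWS): it re-implements the errorCode test the CIS filter performs, then separates hits where userIdentity.invokedBy is an AWS service principal using a role under the /aws-service-role/ path from hits that deserve investigation. The first sample event is the one quoted above (account id and key id as the poster redacted them); the other two log lines are constructed here for contrast, and the event IDs "constructed-0001" and "constructed-0002" are made up.

```python
"""Triage CIS 'unauthorized API call' hits from CloudTrail.

Added example, not code from the original post. The second and third
events are constructed for this example, not real CloudTrail records.
"""
import json

# CloudTrail records as they would arrive from CloudWatch Logs, one JSON
# object per line. Event 1 is the poster's record (condensed to the fields
# this logic reads); events 2 and 3 are constructed.
SAMPLE_LOG_LINES = [
    json.dumps({
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::1234567:assumed-role/AWSServiceRoleForConfig/configLambdaExecution",
            "sessionContext": {"sessionIssuer": {
                "arn": "arn:aws:iam::1234567:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"}},
            "invokedBy": "config.amazonaws.com",
        },
        "eventSource": "macie2.amazonaws.com", "eventName": "GetMacieSession",
        "sourceIPAddress": "config.amazonaws.com", "errorCode": "AccessDenied",
        "eventID": "5241ccfc-5bee-4f34-825d-3accd9eb7e03",
    }),
    # Constructed: an IAM user denied on a data-discovery call from an external IP.
    json.dumps({
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::1234567:user/contractor"},
        "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
        "sourceIPAddress": "203.0.113.10", "errorCode": "AccessDenied",
        "eventID": "constructed-0001",
    }),
    # Constructed: a successful call with no errorCode at all.
    json.dumps({
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::1234567:user/admin"},
        "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
        "sourceIPAddress": "203.0.113.10",
        "eventID": "constructed-0002",
    }),
]
EVENTS = [json.loads(line) for line in SAMPLE_LOG_LINES]


def matches_cis_unauthorized(event: dict) -> bool:
    """Same test as the CIS metric filter: errorCode ending in
    'UnauthorizedOperation' or starting with 'AccessDenied'."""
    code = event.get("errorCode") or ""
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def is_aws_service_on_service_linked_role(event: dict) -> bool:
    """True when an AWS service principal (invokedBy) acted through a
    service-linked role, recognisable by the /aws-service-role/ ARN path.
    A denial here means the service probed a feature that is not enabled
    in the account, not that a person or stolen key was refused."""
    ident = event.get("userIdentity", {})
    invoked_by = ident.get("invokedBy", "")
    issuer_arn = (ident.get("sessionContext", {})
                       .get("sessionIssuer", {})
                       .get("arn", ""))
    return invoked_by.endswith(".amazonaws.com") and "/aws-service-role/" in issuer_arn


def triage(events):
    """Return (eventID, verdict) per event.

    'ignore'        - the CIS filter would not have matched at all
    'service-noise' - matched, but an AWS service on a service-linked role
    'investigate'   - matched, and the caller is not an AWS service
    """
    verdicts = []
    for ev in events:
        if not matches_cis_unauthorized(ev):
            verdict = "ignore"
        elif is_aws_service_on_service_linked_role(ev):
            verdict = "service-noise"
        else:
            verdict = "investigate"
        verdicts.append((ev["eventID"], verdict))
    return verdicts


if __name__ == "__main__":
    for event_id, verdict in triage(EVENTS):
        print(f"{event_id}: {verdict}")
```

Run against the three samples, the poster's GetMacieSession record is classed as service-noise, the constructed IAM-user denial as investigate, and the successful call is ignored. If you would rather stop the alarm at the source than post-filter it, the same distinction can be expressed in the CloudWatch metric filter by adding a clause such as && ($.userIdentity.invokedBy != "config.amazonaws.com") to the CIS pattern; treat that exact syntax as an assumption to verify against the CloudWatch Logs filter-pattern documentation, and keep the exclusion narrow (one named service principal rather than a wildcard) so that a real denial on a human or workload role still alerts.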
If Macie is disabled, get-macie-session seems to be rejected with AccessDenied.
$ aws macie2 get-macie-session
An error occurred (AccessDeniedException) when calling the GetMacieSession operation: Macie is not enabled
Macie has to be enabled.