Access Denied due to embedded iam policy cause policies to fail #9455
Comments
Error pattern for other resource types. Ugh, there are different error types for each resource.

I did some digging and found that, out of the above listed 3 total failures we're seeing, only one is caused within detail_spec. The other 2 failures that are shown below are coming from ecr_augment and kms_get_policy_augment and should be tackled separately imo.
Describe the bug
Application teams configure IAM resource policies for resources such as S3 Buckets, SNS Topics, SQS Queues, Lambda Functions, and S3 Glacier Vaults. For example, resource owners can block Cloud Custodian from scanning a resource or set it to deny all.
Custodian execution failures lead to compliance evaluation gaps and stale/incomplete data in downstream compliance reporting tools.
What did you expect to happen?
Expectation is to skip the resource that blocks access and proceed with evaluation of other resources
Cloud Provider
Amazon Web Services (AWS)
Cloud Custodian version and dependency information
No response
Policy
No response
Relevant log/traceback output
botocore.errorfactory.AuthorizationErrorException: An error occurred (AuthorizationError) when calling the GetTopicAttributes operation: User: arn:aws:sts::123456789000:assumed-role/CloudCustodian/CloudCustodian is not authorized to perform: SNS:GetTopicAttributes on resource: arn:aws:sns:us-east-1:123456789000:test-resource with an explicit deny in a resource-based policy
Extra information or context
No response
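The behaviour the report asks for, as an added example that is not Cloud Custodian's own code: enumerate resources, call the per-resource detail API, and when that call is refused by a resource-based policy, record the resource as skipped (with the error code and whether an explicit deny was reported) and continue, while letting any other error propagate. The `ClientError` class below is a constructed stand-in for `botocore.exceptions.ClientError` with the same `.response['Error']['Code']` layout so the example runs offline; `fake_get_topic_attributes` and the sample topic ARNs are constructed. `AuthorizationError` is the SNS code from the traceback above; `AccessDenied` and `AccessDeniedException` are the equivalents other AWS services return, and the set is an assumption to extend per service since, as the comment notes, the codes differ between resource types.

```python
"""Skip resources whose resource-based policy denies the scanner, instead of
aborting the whole policy run (added example; not Cloud Custodian code)."""
import logging
from typing import Callable, Dict, List, Tuple

log = logging.getLogger("custodian.augment")

# Error codes meaning "the caller is not allowed to read this resource".
# 'AuthorizationError' is the SNS code from the traceback in this issue;
# 'AccessDenied' (S3, SQS) and 'AccessDeniedException' (Lambda, KMS, ECR,
# Glacier) are what other services return.  Assumed set: extend per service.
ACCESS_DENIED_CODES = frozenset({
    "AuthorizationError",
    "AccessDenied",
    "AccessDeniedException",
})


class ClientError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError so the example
    runs offline; real botocore exposes the same .response['Error'] layout."""

    def __init__(self, code: str, message: str, operation: str):
        self.response = {"Error": {"Code": code, "Message": message}}
        self.operation_name = operation
        super().__init__(f"An error occurred ({code}) when calling the "
                         f"{operation} operation: {message}")


def is_access_denied(err: ClientError) -> bool:
    """True when the error code is one of the known access-denied codes."""
    return err.response.get("Error", {}).get("Code") in ACCESS_DENIED_CODES


def augment_resources(
    resources: List[Dict], fetch: Callable[[Dict], Dict], id_key: str
) -> Tuple[List[Dict], List[Dict]]:
    """Call fetch() for every resource.  A resource whose detail call is denied
    is appended to `skipped` (so the compliance gap is visible downstream
    rather than silent) and the run continues.  Any other error propagates,
    so genuine faults are not masked as policy denials."""
    augmented, skipped = [], []
    for r in resources:
        try:
            r.update(fetch(r))
            augmented.append(r)
        except ClientError as e:
            if not is_access_denied(e):
                raise
            msg = e.response["Error"]["Message"]
            skipped.append({
                id_key: r[id_key],
                "code": e.response["Error"]["Code"],
                "explicit_resource_deny":
                    "explicit deny in a resource-based policy" in msg,
            })
            log.warning("skipping %s: %s", r[id_key], msg)
    return augmented, skipped


# --- constructed sample data (mirrors the traceback in this issue) ------------
DENY_MSG = ("User: arn:aws:sts::123456789000:assumed-role/CloudCustodian/"
            "CloudCustodian is not authorized to perform: SNS:GetTopicAttributes "
            "on resource: arn:aws:sns:us-east-1:123456789000:test-resource "
            "with an explicit deny in a resource-based policy")

SAMPLE_TOPICS = [
    {"TopicArn": "arn:aws:sns:us-east-1:123456789000:open-topic"},
    {"TopicArn": "arn:aws:sns:us-east-1:123456789000:test-resource"},
    {"TopicArn": "arn:aws:sns:us-east-1:123456789000:other-topic"},
]


def fake_get_topic_attributes(topic: Dict) -> Dict:
    """Constructed stand-in for sns.get_topic_attributes: one topic's
    resource policy denies the scanner, the others answer normally."""
    if topic["TopicArn"].endswith(":test-resource"):
        raise ClientError("AuthorizationError", DENY_MSG, "GetTopicAttributes")
    return {"Attributes": {"Policy": "{}"}}


def run_demo() -> Tuple[List[Dict], List[Dict]]:
    """Run the augment step over the sample topics; returns (augmented, skipped)."""
    return augment_resources(
        [dict(t) for t in SAMPLE_TOPICS], fake_get_topic_attributes, "TopicArn")


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    ok, denied = run_demo()
    print(f"augmented {len(ok)}, skipped {len(denied)}: {denied}")
```

Returning the skipped list alongside the augmented one matters for the compliance-gap concern in the report: a denied resource is then a reportable finding ("scanner blocked by resource policy") rather than an absent row in the downstream tool.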