由于缺少对角色的权限,无法执行 config:PutEvaluations
Unable to perform config:PutEvaluations due to the lack of permissions on the role
您好,我正在尝试在 Terraform 中添加 AWS Config。我已经像这样设置了以下政策附件:
resource aws_iam_policy policy {
name = "test-policy"
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"config:PutEvaluations",
"config:PutConfigRule",
"config:DeleteConfigRule",
"config:GetComplianceDetailsByConfigRule",
"config:DescribeConfigRuleEvaluationStatus"
],
"Effect": "Allow",
"Resource": [
"arn:aws:config:*:*:config-rule/aws-service-rule/*securityhub*"
]
}
]
}
POLICY
}
我已验证 AWS 中的政策与上述政策附件相匹配。但是,当我在控制台中访问 AWS Config 服务时,我的每个配置规则都出现以下错误:
Unable to perform config:PutEvaluations due to the lack of permissions on the role.
我没有找到关于这个问题的任何好的资源。我一直在四处搜寻,但什么也没有出现。我只看到这篇文章:https://aws.amazon.com/premiumsupport/knowledge-center/config-error-security-hub/。对此问题的任何帮助将不胜感激。作为参考,我将政策附加到 IAM 角色,如下所示:
resource aws_iam_role_policy_attachment "test-attach" {
role = aws_iam_role.config.name
policy_arn = aws_iam_policy.policy.arn
}
resource aws_iam_role config {
name = "myconfig"
assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "config.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
POLICY
}
不幸的是,config:PutEvaluations 不能被资源限制。有关详细信息,请参阅 the AWS user guide on IAM permissions。该指南提到以下内容:
The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.
但是在撰写本文时,PutEvaluations 操作在 Resource types 列中没有条目。
如上面引文中所述,您需要将语句一分为二,其中一个不受资源语句的限制,至少具有该操作,然后是语句中可以适当限制的其他操作。
以下应该有效:
resource "aws_iam_policy" "policy" {
name = "test-policy"
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"config:PutEvaluations"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"config:PutConfigRule",
"config:DeleteConfigRule",
"config:GetComplianceDetailsByConfigRule",
"config:DescribeConfigRuleEvaluationStatus"
],
"Effect": "Allow",
"Resource": [
"arn:aws:config:*:*:config-rule/aws-service-rule/*securityhub*"
]
}
]
}
POLICY
}
我能够解决我自己的问题
resource aws_iam_role_policy_attachment "test-attach" {
role = aws_iam_role.config.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRole"
}
我在本文档https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html
中使用了获取配置详细信息的IAM角色策略中列出的策略
您好,我正在尝试在 Terraform 中添加 AWS Config。我已经像这样设置了以下政策附件:
resource aws_iam_policy policy {
name = "test-policy"
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"config:PutEvaluations",
"config:PutConfigRule",
"config:DeleteConfigRule",
"config:GetComplianceDetailsByConfigRule",
"config:DescribeConfigRuleEvaluationStatus"
],
"Effect": "Allow",
"Resource": [
"arn:aws:config:*:*:config-rule/aws-service-rule/*securityhub*"
]
}
]
}
POLICY
}
我已验证 AWS 中的政策与上述政策附件相匹配。但是,当我在控制台中访问 AWS Config 服务时,我的每个配置规则都出现以下错误:
Unable to perform config:PutEvaluations due to the lack of permissions on the role.
我没有找到关于这个问题的任何好的资源。我一直在四处搜寻,但什么也没有出现。我只看到这篇文章:https://aws.amazon.com/premiumsupport/knowledge-center/config-error-security-hub/。对此问题的任何帮助将不胜感激。作为参考,我将政策附加到 IAM 角色,如下所示:
resource aws_iam_role_policy_attachment "test-attach" {
role = aws_iam_role.config.name
policy_arn = aws_iam_policy.policy.arn
}
resource aws_iam_role config {
name = "myconfig"
assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "config.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
POLICY
}
config:PutEvaluations 不能被资源限制。有关详细信息,请参阅 the AWS user guide on IAM permissions。该指南提到以下内容:
The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the
Resourceelement of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.
但是在撰写本文时,PutEvaluations 操作在 Resource types 列中没有条目。
如上面引文中所述,您需要将语句一分为二,其中一个不受资源语句的限制,至少具有该操作,然后是语句中可以适当限制的其他操作。
以下应该有效:
resource "aws_iam_policy" "policy" {
name = "test-policy"
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"config:PutEvaluations"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"config:PutConfigRule",
"config:DeleteConfigRule",
"config:GetComplianceDetailsByConfigRule",
"config:DescribeConfigRuleEvaluationStatus"
],
"Effect": "Allow",
"Resource": [
"arn:aws:config:*:*:config-rule/aws-service-rule/*securityhub*"
]
}
]
}
POLICY
}
我能够解决我自己的问题
resource aws_iam_role_policy_attachment "test-attach" {
role = aws_iam_role.config.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRole"
}
我在本文档https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html
中使用了获取配置详细信息的IAM角色策略中列出的策略