
I have a new AWS organization set up with Control Tower and a few accounts. Recently I enabled the CIS 1.4 benchmark CloudWatch metric alarms and have been noticing that a few times a day I get alerts for an unauthorized login attempt. Looking at CloudTrail for the alarm I see the following JSON:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAVSPWHG5OAGLEAJZ6P:configLambdaExecution",
        "arn": "arn:aws:sts::1234567:assumed-role/AWSServiceRoleForConfig/configLambdaExecution",
        "accountId": "1234567",
        "accessKeyId": "ASIAV....GM",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAV....AJZ6P",
                "arn": "arn:aws:iam::1234567:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
                "accountId": "1234567",
                "userName": "AWSServiceRoleForConfig"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-12-15T12:48:57Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "config.amazonaws.com"
    },
    "eventTime": "2023-12-15T12:48:58Z",
    "eventSource": "macie2.amazonaws.com",
    "eventName": "GetMacieSession",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "config.amazonaws.com",
    "userAgent": "config.amazonaws.com",
    "errorCode": "AccessDenied",
    "requestParameters": null,
    "responseElements": null,
    "requestID": "5fca0e2f-519d-4c94-ad67-8621403658e0",
    "eventID": "5241ccfc-5bee-4f34-825d-3accd9eb7e03",
    "readOnly": true,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "1234567",
    "eventCategory": "Management"
}

We do not use Macie but do use AWS Config, so I am assuming this is a built-in Lambda function (that I cannot see) trying to check for config changes in Macie.

When I go to IAM in the 1234567 account I do not see a role called configLambdaExecution, but I do see one called AWSServiceRoleForConfig. When I look at the policy attached to the role it looks like a default AWS-supplied one, and it does have GetMacieSession applied to it.

Can someone help me understand this?

2 Answers


  1. If Macie is disabled, get-macie-session seems to be AccessDenied.

    $ aws macie2 get-macie-session
    
    An error occurred (AccessDeniedException) when calling the GetMacieSession operation: Macie is not enabled
    

    Macie must be enabled.

  2. Also having this issue, I don’t want to enable a service we don’t use just to stop getting alerts, which we have started getting daily. Did you find a solution to the issue?

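One way to stop paging on this without enabling Macie is to triage the events the CIS alarm matched before they reach a person. The script below is an added example, not code from the question or from AWS: it reapplies the CIS "unauthorized API calls" condition to a CloudTrail event, then separates a read-only AccessDenied made by an AWS service through a service-linked role (like the AWS Config probe of GetMacieSession above) from a denial for an ordinary principal. Both events are constructed samples; account ids, user names and IP addresses are placeholders.

```python
import json

# Constructed sample mirroring the event in the question (account id and ids are placeholders).
CONFIG_EVENT = json.loads("""{
  "userIdentity": {
    "type": "AssumedRole",
    "arn": "arn:aws:sts::123456789012:assumed-role/AWSServiceRoleForConfig/configLambdaExecution",
    "sessionContext": {"sessionIssuer": {"arn":
      "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"}},
    "invokedBy": "config.amazonaws.com"},
  "eventSource": "macie2.amazonaws.com", "eventName": "GetMacieSession",
  "sourceIPAddress": "config.amazonaws.com", "errorCode": "AccessDenied", "readOnly": true}""")

# Constructed contrast case: an IAM user denied a write call from an external address.
USER_EVENT = {
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
    "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
    "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied", "readOnly": False}

def matches_cis_unauthorized_filter(event):
    """Same condition as the CIS 'unauthorized API calls' metric filter:
    errorCode ending in UnauthorizedOperation or starting with AccessDenied."""
    code = event.get("errorCode") or ""
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")

def is_aws_service_principal(event):
    """True only when an AWS service acted through a service-linked role:
    invokedBy, sourceIPAddress and the session issuer ARN must all agree."""
    ident = event.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", "")
    return (str(ident.get("invokedBy", "")).endswith(".amazonaws.com")
            and str(event.get("sourceIPAddress", "")).endswith(".amazonaws.com")
            and "/aws-service-role/" in issuer)

def triage(event):
    """Classify one CloudTrail event that tripped the alarm: 'ignore', 'expected' or 'investigate'."""
    if not matches_cis_unauthorized_filter(event):
        return "ignore", "errorCode does not match the CIS filter"
    if is_aws_service_principal(event) and event.get("readOnly") is True:
        return "expected", (f"{event['userIdentity']['invokedBy']} probed {event['eventSource']} "
                            f"{event['eventName']} through a service-linked role; a read-only "
                            "AccessDenied here means the target service is not enabled")
    return "investigate", f"AccessDenied for {event['userIdentity'].get('arn')} from {event['sourceIPAddress']}"

if __name__ == "__main__":
    for ev in (CONFIG_EVENT, USER_EVENT):
        print(*triage(ev))
```

The suppression is deliberately narrow: all three service indicators plus readOnly must hold, so a denied write call or a denial for a role that merely has "aws-service-role" in its name still lands in the investigate bucket.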