[x] For permissions issues (Access Denied and credential related errors), please refer to the requisite docs before submitting an issue:
AWS, GCP, OpenStack, GitHub
Description of issue:
I am seeing access denied errors in our Cloud Train logs when Security Monkey runs its scans. It is attempting to scan the AWS KMS key for ACM and is causing these alerts. I have IAM roles setup that give access to all KMS keys for scanning, however since this is an AWS Managed key you cannot configure key rotation on it.
It looks like this issue was covered before in #721 , however I am still seeing security monkey making API calls on the AWS managed KMS keys.
Log from CloudTrail:
Note: the key arn:aws:kms:us-east-1:xxxxx:key/xxxxx-cb29-48f1-ac9d-21bf05a1feca is aliased as aws/acm in our account.
Please make sure that you have checked the boxes:
Description of issue:
I am seeing access denied errors in our Cloud Train logs when Security Monkey runs its scans. It is attempting to scan the AWS KMS key for ACM and is causing these alerts. I have IAM roles setup that give access to all KMS keys for scanning, however since this is an AWS Managed key you cannot configure key rotation on it.
It looks like this issue was covered before in #721 , however I am still seeing security monkey making API calls on the AWS managed KMS keys.
Log from CloudTrail:
Note: the key
arn:aws:kms:us-east-1:xxxxx:key/xxxxx-cb29-48f1-ac9d-21bf05a1feca
is aliased asaws/acm
in our account.And here is our IAM policy.