elastic / cloudbeat


[CIS AWS] Multiple Access Denied in Long Lived Environment #1997

Open romulets opened 6 months ago

romulets commented 6 months ago

Describe the bug

There are multiple Access Denied errors in AWS in the long-lived env (logs).

They are on different resources. During the 8.13 QA cycle, we've seen in 1 cycle:

217 occurrences:

Could not get public access block configuration for bucket automation-reports-qa-979855498. Err: operation error S3: GetPublicAccessBlock, https response error StatusCode: 403, RequestID: A6XZC4F0TSWVQ66D, HostID: dSpazygqEbrbuqz13/xArGJ8yHONPNik5g5kbxdutIlNmRbhDdv9zPOjFrNCCjtLGpfgH7hBX9/qrey84tKuOw==, api error AccessDenied: Access Denied

217 occurrences:

Could not get bucket policy for bucket automation-reports-qa-979855498. Error: operation error S3: GetBucketPolicy, https response error StatusCode: 403, RequestID: A6XYVRZ7JSBNDPCA, HostID: qjb2y/kd2jR5EAluiJYo4cpabeGJHrN8B6hC3l4JnkFQStGA7YfzBn1WFqLxdRjSnINq6v5FKypBM37x7e3NhA==, api error AccessDenied: Access Denied

217 occurrences:

Could not get bucket versioning for bucket automation-reports-qa-979855498. Err: operation error S3: GetBucketVersioning, https response error StatusCode: 403, RequestID: A6XP4CJSRZ0D02AN, HostID: 6IMC8GfupZrWLAVnIbIU5zeU2FEAMi1nD9T7we/ERX4rCl9M3m3JhyQuxAYUz2BcLXOdicbXdxeqLJ/RsLgVig==, api error AccessDenied: Access Denied

217 occurrences:

Could not get encryption for bucket automation-reports-qa-979855498. Error: operation error S3: GetBucketEncryption, https response error StatusCode: 403, RequestID: A6XPBD25GBQBJSVV, HostID: TcgUSnrjm0F2qpfK9qJ95K9P23YKN2j+16rT6TQOkEJUWMbHuobCSKbHKlgUAxQNYW/PnflJarLcFEmTJYBKJA==, api error AccessDenied: Access Denied

1 occurrence:

Error getting bucket logging for bucket elastic-org-elastic-eng-cloudtrail-ingest: operation error S3: GetBucketLogging, https response error StatusCode: 403, RequestID: S48C14D1MQRP41HY, HostID: yVuswO1qpYJoLS/kz4a+zEpY7S/M8oYm66mXZxjP7V7+ny/jifyZatYiFzfEnALTHlT5szbgJBw=, api error AccessDenied: Access Denied

1 occurrence:

Error getting bucket ACL for bucket elastic-org-elastic-eng-cloudtrail-ingest: operation error S3: GetBucketAcl, https response error StatusCode: 403, RequestID: S485X0DEXC0TME35, HostID: FzzulVT2+qg2N/iDfwKVUWRFnD5PAM0BArQ0VhypuVQY0p7rl134EHPRMTSbxUmiQmf2oyXIANc=, api error AccessDenied: Access Denied

1 occurrence:

Error getting bucket policy for bucket elastic-org-elastic-eng-cloudtrail-ingest: operation error S3: GetBucketPolicy, https response error StatusCode: 403, RequestID: S488RXVJ6YXM48W1, HostID: YW+0jtbfV/7ZV0TDQstxL/NPQBEfzbXvrqr+f6K94oKLM7gYMyn5SJLrkbr8PENTfoebkKfHPv8=, api error AccessDenied: Access Denied

1 occurrence:

Could not get bucket location for bucket ari-cis-aws-test. Not describing this bucket. Error: operation error S3: GetBucketLocation, https response error StatusCode: 403, RequestID: S48ES61TBYW92QYP, HostID: XLj0WPtd1+2kY9eB/9pDe/Yh6lF9Wsu4GpIX6MpLHYhdwic2u7A0OB3/f/aW9BjRkynSmmMI0a8=, api error AccessDenied: Access Denied

Preconditions

Run CSPM AWS

To Reproduce

Write the exact actions one should perform in order to reproduce the bug. Steps to reproduce the behavior:

  1. Add CSPM AWS Integration
  2. Search logs for (AccessDenied: Access Denied)

Expected behavior

No access denied errors

orouz commented 3 weeks ago

  1. automation-reports-qa-* and ari-cis-aws-test are both old buckets we don't have access to anymore. As an admin, I can't do any operation (get/delete).

  2. elastic-org-elastic-eng-cloudtrail-ingest is where the elastic-eng-org-cloudtrail trail dumps the CloudTrail logs, and the trail was set up by org management (screenshot: "Screenshot 2024-08-21 at 17 54 44"), so it seems not being able to operate (get*) on that bucket makes sense.

Long story short: org policies prevent the security-audit role from running operations it is otherwise permitted to do.

We can't do anything about elastic-org-elastic-eng-cloudtrail-ingest; just ignore the error. We could do the same for the other two buckets, or ask platform-security to delete them, although I've been told it may not be easy to get that approved.
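As an added example (not cloudbeat code), a small Python triage script that parses log lines of the shape quoted in this issue, keeps only the `AccessDenied` results, and separates buckets the thread identifies as unreachable from the security-audit role from any other bucket that still needs investigation. The sample lines and their RequestID/HostID values are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the same shape as the cloudbeat messages quoted above.
# The last line is a different S3 error (404) to show it is not counted as a permission problem.
SAMPLE_LOG = """\
Could not get bucket policy for bucket automation-reports-qa-979855498. Error: operation error S3: GetBucketPolicy, https response error StatusCode: 403, RequestID: REQ1, HostID: HOST1, api error AccessDenied: Access Denied
Could not get bucket versioning for bucket automation-reports-qa-979855498. Err: operation error S3: GetBucketVersioning, https response error StatusCode: 403, RequestID: REQ2, HostID: HOST2, api error AccessDenied: Access Denied
Error getting bucket ACL for bucket elastic-org-elastic-eng-cloudtrail-ingest: operation error S3: GetBucketAcl, https response error StatusCode: 403, RequestID: REQ3, HostID: HOST3, api error AccessDenied: Access Denied
Could not get bucket location for bucket ari-cis-aws-test. Not describing this bucket. Error: operation error S3: GetBucketLocation, https response error StatusCode: 403, RequestID: REQ4, HostID: HOST4, api error AccessDenied: Access Denied
Could not get bucket policy for bucket some-other-bucket. Error: operation error S3: GetBucketPolicy, https response error StatusCode: 404, RequestID: REQ5, HostID: HOST5, api error NoSuchBucketPolicy: The bucket policy does not exist
"""

# Bucket name ends at the first "." or ":" followed by whitespace, so dotted names survive;
# the rest follows the aws-sdk-go-v2 "operation error ... api error <Code>: <Message>" wrapping.
LINE_RE = re.compile(
    r"for bucket (?P<bucket>\S+?)[.:]\s.*?"
    r"operation error S3: (?P<op>\w+), https response error StatusCode: (?P<status>\d+), "
    r".*?api error (?P<code>\w+): (?P<msg>.*)$"
)

# Buckets the thread explains are outside the security-audit role's reach
# (org-managed CloudTrail bucket, orphaned buckets); constructed default set.
KNOWN_UNREACHABLE = {
    "elastic-org-elastic-eng-cloudtrail-ingest",
    "automation-reports-qa-979855498",
    "ari-cis-aws-test",
}


def parse_line(line):
    """Return dict(bucket, op, status, code, msg) for a matching log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def triage(log_text, known_unreachable=KNOWN_UNREACHABLE):
    """Count AccessDenied per (bucket, op); split into expected vs. needs-investigation."""
    expected, investigate = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["code"] != "AccessDenied":
            continue  # not a permission problem (e.g. NoSuchBucketPolicy)
        bucket = (expected if rec["bucket"] in known_unreachable else investigate)
        bucket[(rec["bucket"], rec["op"])] += 1
    return expected, investigate
```

Running `triage(SAMPLE_LOG)` puts all four 403s in the expected bucket set; pass an empty `known_unreachable` to see them surface as items to investigate.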