ministryofjustice / modernisation-platform

A place for the core work of the Modernisation Platform • This repository is defined and managed in Terraform
https://user-guide.modernisation-platform.service.justice.gov.uk
MIT License

AWSConfig - macie2.amazonaws.com AccessDenied when macie not enabled. #8546

Closed mikereiddigital closed 1 day ago

mikereiddigital commented 2 days ago

Expected Behavior

The nightly AWSConfig job should run without error. This is defined here - https://github.com/ministryofjustice/modernisation-platform-terraform-baselines/tree/1f1fc92e9702580a44a9f965f2cf77807f70db36/modules/config

Actual Behavior

The nightly run throws an AccessDenied error in those accounts where Macie is not configured. See the following CloudTrail events as examples:

23ddb7cd-9694-47fa-b5e0-47f9e0cf78d2

and

77754602-5752-48ca-90ed-6aedcb56c5bf

This is a known issue re https://repost.aws/questions/QU8ZC1xd9BQV2vnGkod7gQww/macie-not-enabled-means-false-positive-accessdeniedexceptions-in-cloudtrail

The above link also offers some guidance as to how this can be resolved / mitigated.

Steps to Reproduce the Problem

AWSConfig runs nightly.

Version

No response

Modules

https://github.com/ministryofjustice/modernisation-platform-terraform-baselines/tree/1f1fc92e9702580a44a9f965f2cf77807f70db36/modules/config

Account

modernisation-platform
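Triage logic for the events described in this issue, added here as an example; it is not code from the Modernisation Platform repositories or from the issue author. It separates the expected macie2 AccessDenied events raised by the AWS Config service-linked role in accounts where Macie is not enabled from AccessDenied events that still need a look. Assumptions not stated on the page: the CloudTrail field names follow the standard record format, the Config service-linked role is named AWSServiceRoleForConfig, the Macie API name GetMacieSession, and all sample records and account IDs are constructed.

```python
"""Triage CloudTrail AccessDenied events from macie2.amazonaws.com.

When AWS Config evaluates an account where Amazon Macie is not enabled, the
call its service-linked role makes into macie2 is denied and recorded in
CloudTrail. This filter marks those as a known benign condition only when the
account is not on the list of Macie-enabled accounts; every other AccessDenied
event stays actionable.

Assumptions (example code, not from the issue or the project): standard
CloudTrail field names, the role name AWSServiceRoleForConfig, the API name
GetMacieSession, and constructed sample records.
"""
import json

MACIE_SOURCE = "macie2.amazonaws.com"
CONFIG_SLR = "AWSServiceRoleForConfig"      # assumed service-linked role name
CONFIG_PRINCIPAL = "config.amazonaws.com"

# Accounts where Macie is known to be enabled (constructed IDs).
MACIE_ENABLED = {"222222222222"}


def is_config_service_role(identity):
    """True when the caller is AWS Config acting through its service-linked role."""
    if identity.get("invokedBy") == CONFIG_PRINCIPAL:
        return True
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("userName") == CONFIG_SLR


def classify(event, macie_enabled_accounts):
    """Return 'ignore', 'benign-macie-not-enabled' or 'investigate' for one record."""
    code = event.get("errorCode", "")
    if not code.startswith("AccessDenied"):
        return "ignore"                      # not an authorisation failure
    account = event.get("recipientAccountId", "")
    if (event.get("eventSource") == MACIE_SOURCE
            and is_config_service_role(event.get("userIdentity", {}))
            and account not in macie_enabled_accounts):
        # Config probing Macie in an account that has no Macie session: expected.
        return "benign-macie-not-enabled"
    # Denials from other callers, or from Config in a Macie-enabled account,
    # are not explained by this issue and should be reviewed.
    return "investigate"


def triage(records, macie_enabled_accounts):
    """Group CloudTrail records by triage class, returning event IDs per class."""
    buckets = {"ignore": [], "benign-macie-not-enabled": [], "investigate": []}
    for rec in records:
        buckets[classify(rec, macie_enabled_accounts)].append(rec["eventID"])
    return buckets


def _config_identity(account):
    """Constructed userIdentity block for the Config service-linked role."""
    return {
        "type": "AssumedRole",
        "invokedBy": CONFIG_PRINCIPAL,
        "sessionContext": {"sessionIssuer": {
            "userName": CONFIG_SLR,
            "arn": f"arn:aws:iam::{account}:role/aws-service-role/"
                   f"config.amazonaws.com/{CONFIG_SLR}"}},
    }


# Constructed sample records (field values are illustrative only).
SAMPLE_EVENTS = [
    {"eventID": "evt-1", "eventSource": MACIE_SOURCE, "eventName": "GetMacieSession",
     "errorCode": "AccessDeniedException", "errorMessage": "Macie is not enabled",
     "recipientAccountId": "111111111111", "userIdentity": _config_identity("111111111111")},
    {"eventID": "evt-2", "eventSource": MACIE_SOURCE, "eventName": "GetMacieSession",
     "errorCode": "AccessDeniedException",
     "recipientAccountId": "222222222222", "userIdentity": _config_identity("222222222222")},
    {"eventID": "evt-3", "eventSource": MACIE_SOURCE, "eventName": "ListFindings",
     "errorCode": "AccessDeniedException", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "analyst"}},
    {"eventID": "evt-4", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "recipientAccountId": "111111111111", "userIdentity": {"type": "IAMUser"}},
]


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS, MACIE_ENABLED), indent=2))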

SimonPPledger commented 1 day ago

we want to remove macie instead, so close this ticket and create a new one

SimonPPledger commented 1 day ago

closing as not required