
AWS Service Role IAM Policies and IAM Policy Attachments Are Being Removed #465

Closed
BwL1289 opened this issue Dec 18, 2024 · 6 comments

@BwL1289

BwL1289 commented Dec 18, 2024

Version: 3.29.1
Platform: Aarch64

It's totally possible I'm missing something, but I was testing an updated version of our config and I'm seeing AWS Service Roles' IAM Policies and Policy Attachments being deleted. I haven't experienced this when testing previously.

2024-12-17T07:52:51.238-06:00	global - IAMPolicy - arn:aws:iam::<redacted>:policy/service-role/AWSLambdaBasicExecutionRole-c434757f-e1e5-4311-b20f-d8273183dc89 - [ARN: "arn:aws:iam::<redacted>:policy/service-role/AWSLambdaBasicExecutionRole-c434757f-e1e5-4311-b20f-d8273183dc89", CreateDate: "2023-08-08T09:47:19Z", Name: "AWSLambdaBasicExecutionRole-c434757f-e1e5-4311-b20f-d8273183dc89", Path: "/service-role/", PolicyID: "ANPA3ZVJLCRY522QFDBWF"] - triggered remove
2024-12-17T07:52:51.238-06:00	global - IAMPolicy - arn:aws:iam::<redacted>:policy/service-role/Amazon-EventBridge-Scheduler-Execution-Policy-cde80205-4035-4069-81ec-ce76b58ce6b5 - [ARN: "arn:aws:iam::<redacted>:policy/service-role/Amazon-EventBridge-Scheduler-Execution-Policy-cde80205-4035-4069-81ec-ce76b58ce6b5", CreateDate: "2023-04-25T12:32:09Z", Name: "Amazon-EventBridge-Scheduler-Execution-Policy-cde80205-4035-4069-81ec-ce76b58ce6b5", Path: "/service-role/", PolicyID: "ANPA3ZVJLCRY6VZGODAFH"] - triggered remove
2024-12-17T07:52:51.238-06:00	global - IAMPolicy - arn:aws:iam::<redacted>:policy/service-role/AWSDataSyncTaskReportS3BucketAccess-s3-testing-<redacted>-ebb7b - [ARN: "arn:aws:iam::<redacted>:policy/service-role/AWSDataSyncTaskReportS3BucketAccess-s3-testing-<redacted>-ebb7b", CreateDate: "2023-12-12T20:21:30Z", Name: "AWSDataSyncTaskReportS3BucketAccess-s3-testing-<redacted>-ebb7b", Path: "/service-role/", PolicyID: "ANPA3ZVJLCRY75OLQSOI4"] - triggered remove
2024-12-17T07:52:51.238-06:00	global - IAMPolicy - arn:aws:iam::<redacted>:policy/service-role/AWSLambdaBasicExecutionRole-649c6ba1-edcb-4e16-ad74-811deb3fff5b - [ARN: "arn:aws:iam::<redacted>:policy/service-role/AWSLambdaBasicExecutionRole-649c6ba1-edcb-4e16-ad74-811deb3fff5b", CreateDate: "2023-08-08T08:42:01Z", Name: "AWSLambdaBasicExecutionRole-649c6ba1-edcb-4e16-ad74-811deb3fff5b", Path: "/service-role/", PolicyID: "ANPA3ZVJLCRYT3C426LKY"] - triggered remove
2024-12-17T07:52:51.238-06:00	global - IAMPolicy - arn:aws:iam::<redacted>:policy/service-role/AWSLambdaBasicExecutionRole-2ba64c87-a8a2-4fe0-bfee-b549c6aee39c - [ARN: "arn:aws:iam::<redacted>:policy/service-role/AWSLambdaBasicExecutionRole-2ba64c87-a8a2-4fe0-bfee-b549c6aee39c", CreateDate: "2023-08-08T08:28:59Z", Name: "AWSLambdaBasicExecutionRole-2ba64c87-a8a2-4fe0-bfee-b549c6aee39c", Path: "/service-role/", PolicyID: "ANPA3ZVJLCRYV6SWCQQMD"] - triggered remove
2024-12-17T07:52:51.238-06:00	global - IAMPolicy - arn:aws:iam::<redacted>:policy/service-role/XRayAccessPolicy-d96838ee-76af-416b-89a8-d1cfeaab4f50 - [ARN: "arn:aws:iam::<redacted>:policy/service-role/XRayAccessPolicy-d96838ee-76af-416b-89a8-d1cfeaab4f50", CreateDate: "2023-08-08T08:30:55Z", Name: "XRayAccessPolicy-d96838ee-76af-416b-89a8-d1cfeaab4f50", Path: "/service-role/", PolicyID: "ANPA3ZVJLCRYWUJQBA25X"] - triggered remove
2024-12-17T07:52:51.238-06:00	global - IAMPolicy - arn:aws:iam::<redacted>:policy/service-role/AWSLambdaBasicExecutionRole-1c76945b-82fa-42db-90d0-b27ef0be4ea1 - [ARN: "arn:aws:iam::<redacted>:policy/service-role/AWSLambdaBasicExecutionRole-1c76945b-82fa-42db-90d0-b27ef0be4ea1", CreateDate: "2023-06-23T09:38:20Z", Name: "AWSLambdaBasicExecutionRole-1c76945b-82fa-42db-90d0-b27ef0be4ea1", Path: "/service-role/", PolicyID: "ANPA3ZVJLCRYXHTYR56EJ"] - triggered remove
2024-12-17T07:52:51.238-06:00	global - IAMPolicy - arn:aws:iam::<redacted>:policy/service-role/LambdaInvokeScopedAccessPolicy-503fece8-6313-4fe2-a060-498f9f74ddfc - [ARN: "arn:aws:iam::<redacted>:policy/service-role/LambdaInvokeScopedAccessPolicy-503fece8-6313-4fe2-a060-498f9f74ddfc", CreateDate: "2023-08-08T08:30:54Z", Name: "LambdaInvokeScopedAccessPolicy-503fece8-6313-4fe2-a060-498f9f74ddfc", Path: "/service-role/", PolicyID: "ANPA3ZVJLCRYZLKZ2WKH7"] - triggered remove
2024-12-17T07:51:36.913-06:00	global - IAMRolePolicyAttachment - Amazon_EventBridge_Scheduler_LAMBDA_fbb2554175 -> Amazon-EventBridge-Scheduler-Execution-Policy-cde80205-4035-4069-81ec-ce76b58ce6b5 - [PolicyArn: "arn:aws:iam::<redacted>:policy/service-role/Amazon-EventBridge-Scheduler-Execution-Policy-cde80205-4035-4069-81ec-ce76b58ce6b5", PolicyName: "Amazon-EventBridge-Scheduler-Execution-Policy-cde80205-4035-4069-81ec-ce76b58ce6b5", RoleCreateDate: "2023-04-25T12:32:09Z", RoleLastUsed: "2024-12-17 07:01:50 +0000 UTC", RoleName: "Amazon_EventBridge_Scheduler_LAMBDA_fbb2554175", RolePath: "/service-role/"] - triggered remove
2024-12-17T07:46:04.003-06:00	global - IAMRole - Amazon_EventBridge_Scheduler_LAMBDA_fbb2554175 - [CreateDate: "2023-04-25T12:32:09Z", LastUsedDate: "2024-12-17T07:01:50Z", Name: "Amazon_EventBridge_Scheduler_LAMBDA_fbb2554175", Path: "/service-role/"] - triggered remove

Is this expected behavior? Happy to send my config privately.

The IAM Policy Attachment / IAM Role for Amazon_EventBridge_Scheduler_LAMBDA_fbb2554175 may be part of a separate non-default resource that I expect to be deleted, but I included it for completeness.

@BwL1289 BwL1289 changed the title AWS Service Role IAM Policies Are Being Removed AWS Service Role IAM Policies and IAM Policy Attachments Are Being Removed Dec 18, 2024
@ekristen
Owner

Did you add the setting to include the roles by chance in your config?

I added a resource setting to allow the removal of service roles, but it's disabled by default.

I suppose it could be bugged, although I haven't seen it myself.

I should create a way to have configs shared securely ...

@BwL1289
Author

BwL1289 commented Dec 18, 2024

Not that I know of, but it's possible I did. Let me know how best to send over the config and I will!

Thanks so much.

@ekristen
Owner

Email works for now

@BwL1289
Author

BwL1289 commented Dec 18, 2024

Sent. Thank you.

@ekristen
Owner

ekristen commented Dec 19, 2024

This is expected behavior: Service Linked Roles vs. Service Roles. The tool only ever blocked the deletion of Service Linked Roles, which were under the path /aws-service-role/ -- the roles under /service-role/

@BwL1289
Author

BwL1289 commented Dec 19, 2024

Understood. I'll add the following going forward:

service-roles:
    filters:
      # Filters are keyed by resource type, and "property" must name a field the
      # resource exposes (Path / RolePath in the log above). A filter with
      # property: IAMPolicy under __global__ names no such field and would never match.
      IAMPolicy:
        - property: Path
          type: "glob"
          value: "*service-role*"
      IAMRolePolicyAttachment:
        - property: RolePath
          type: "glob"
          value: "*service-role*"
      IAMRole:
        - property: Path
          type: "glob"
          value: "*service-role*"

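The two points in this thread, the /aws-service-role/ vs. /service-role/ distinction the maintainer describes and the filter block the reporter adds, can be checked offline against the scan lines quoted in the issue. The script below is an added example, not aws-nuke's own code: it parses lines in the log format shown above, then evaluates a filter config the way the project documents it (filters keyed by resource type, `__global__` applying to every type, `property` naming a field from the bracketed list or the identifier when omitted, any match skipping the resource). The built-in protection of roles under /aws-service-role/ is modelled from the maintainer's comment, the `BROKEN_FILTERS` block reproduces the `property: IAMPolicy` mistake, and the last two sample lines are constructed, not from the issue.

```python
"""Model of aws-nuke filter evaluation over the scan lines from this issue.

Added example, not aws-nuke's own code. Assumptions: filter semantics
follow the project's documented behaviour (any matching filter skips the
resource; "__global__" applies to every type; "property" names a field
from the bracketed list, or the identifier when omitted); the
service-linked-role rule models the maintainer's comment that roles
under /aws-service-role/ were always blocked.
"""
import fnmatch
import re
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^\S+\t(?P<region>\S+) - (?P<rtype>\S+) - (?P<rid>.+?) - "
    r"\[(?P<props>.*)\](?: - (?P<status>.+))?$"
)
PROP_RE = re.compile(r'(\w+): "([^"]*)"')

# First three lines are copied from the issue (account id redacted there);
# the last two are constructed to show the other two path cases.
SAMPLE_LOG = "\n".join([
    '2024-12-17T07:52:51.238-06:00\tglobal - IAMPolicy - arn:aws:iam::<redacted>:policy/service-role/AWSLambdaBasicExecutionRole-c434757f-e1e5-4311-b20f-d8273183dc89 - [ARN: "arn:aws:iam::<redacted>:policy/service-role/AWSLambdaBasicExecutionRole-c434757f-e1e5-4311-b20f-d8273183dc89", CreateDate: "2023-08-08T09:47:19Z", Name: "AWSLambdaBasicExecutionRole-c434757f-e1e5-4311-b20f-d8273183dc89", Path: "/service-role/", PolicyID: "ANPA3ZVJLCRY522QFDBWF"] - triggered remove',
    '2024-12-17T07:51:36.913-06:00\tglobal - IAMRolePolicyAttachment - Amazon_EventBridge_Scheduler_LAMBDA_fbb2554175 -> Amazon-EventBridge-Scheduler-Execution-Policy-cde80205-4035-4069-81ec-ce76b58ce6b5 - [PolicyArn: "arn:aws:iam::<redacted>:policy/service-role/Amazon-EventBridge-Scheduler-Execution-Policy-cde80205-4035-4069-81ec-ce76b58ce6b5", PolicyName: "Amazon-EventBridge-Scheduler-Execution-Policy-cde80205-4035-4069-81ec-ce76b58ce6b5", RoleCreateDate: "2023-04-25T12:32:09Z", RoleLastUsed: "2024-12-17 07:01:50 +0000 UTC", RoleName: "Amazon_EventBridge_Scheduler_LAMBDA_fbb2554175", RolePath: "/service-role/"] - triggered remove',
    '2024-12-17T07:46:04.003-06:00\tglobal - IAMRole - Amazon_EventBridge_Scheduler_LAMBDA_fbb2554175 - [CreateDate: "2023-04-25T12:32:09Z", LastUsedDate: "2024-12-17T07:01:50Z", Name: "Amazon_EventBridge_Scheduler_LAMBDA_fbb2554175", Path: "/service-role/"] - triggered remove',
    # constructed: a service-linked role (always protected per the maintainer)
    '2024-12-17T07:46:04.003-06:00\tglobal - IAMRole - AWSServiceRoleForExample - [CreateDate: "2023-01-01T00:00:00Z", Name: "AWSServiceRoleForExample", Path: "/aws-service-role/"]',
    # constructed: an ordinary role that no service-role filter should protect
    '2024-12-17T07:46:04.003-06:00\tglobal - IAMRole - app-deploy-role - [CreateDate: "2023-01-01T00:00:00Z", Name: "app-deploy-role", Path: "/"]',
])

SERVICE_LINKED_PATH = "/aws-service-role/"

# Corrected filters: keyed by resource type, matching on a real property.
SERVICE_ROLE_FILTERS: Dict[str, List[Dict[str, str]]] = {
    "IAMPolicy": [{"property": "Path", "type": "glob", "value": "*service-role*"}],
    "IAMRole": [{"property": "Path", "type": "glob", "value": "*service-role*"}],
    "IAMRolePolicyAttachment": [{"property": "RolePath", "type": "glob", "value": "*service-role*"}],
}

# The shape originally posted: "property" names a resource type, not a field.
BROKEN_FILTERS: Dict[str, List[Dict[str, str]]] = {
    "__global__": [
        {"property": t, "type": "glob", "value": "*service-role*"}
        for t in ("IAMPolicy", "IAMRolePolicyAttachment", "IAMRole")
    ],
}


def parse_log(text: str) -> List[dict]:
    """Parse scan lines into {type, id, props}; the trailing status is ignored."""
    resources = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        props = dict(PROP_RE.findall(m.group("props")))
        resources.append({"type": m.group("rtype"), "id": m.group("rid"), "props": props})
    return resources


def filter_matches(flt: Dict[str, str], res: dict) -> bool:
    """True if one filter entry matches one resource."""
    prop = flt.get("property")
    actual = res["props"].get(prop) if prop else res["id"]
    if actual is None:  # the resource has no such property: never a match
        return False
    want, kind = flt["value"], flt.get("type", "exact")
    if kind == "exact":
        return actual == want
    if kind == "glob":
        return fnmatch.fnmatchcase(actual, want)
    if kind == "contains":
        return want in actual
    if kind == "regex":
        return re.search(want, actual) is not None
    raise ValueError(f"filter type not modelled here: {kind!r}")


def decide(resources: List[dict], filters: Dict[str, List[Dict[str, str]]]) -> List[Tuple[str, str, str, str]]:
    """Return (type, id, action, reason) per resource; action is 'skip' or 'remove'."""
    out = []
    for res in resources:
        path = res["props"].get("Path") or res["props"].get("RolePath")
        if path == SERVICE_LINKED_PATH:
            out.append((res["type"], res["id"], "skip", "service-linked role, built-in protection"))
            continue
        applicable = filters.get("__global__", []) + filters.get(res["type"], [])
        hit = next((f for f in applicable if filter_matches(f, res)), None)
        if hit is not None:
            out.append((res["type"], res["id"], "skip", f"matched filter {hit}"))
        else:
            out.append((res["type"], res["id"], "remove", "no filter matched"))
    return out


if __name__ == "__main__":
    resources = parse_log(SAMPLE_LOG)
    for label, cfg in (("broken", BROKEN_FILTERS), ("corrected", SERVICE_ROLE_FILTERS)):
        print(f"--- {label} filters ---")
        for rtype, rid, action, reason in decide(resources, cfg):
            print(f"{action:6} {rtype:24} {rid[:48]:48} {reason}")
```

Running it shows the broken config leaving every /service-role/ resource marked for removal (only the constructed service-linked role survives, and only because of the built-in rule), while the corrected config skips all three /service-role/ resources and still removes the ordinary role at path "/". The same harness is a cheap way to dry-run any filter block against a saved scan log before trusting it in a real account.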
@BwL1289 BwL1289 closed this as completed Dec 19, 2024