
Permission error when using SecurityHub #1294

Open
ichasco-heytrade opened this issue Sep 30, 2022 · 4 comments

@ichasco-heytrade


How did you run kube-bench?

Creating a cronjob with these args:

command: [
  "kube-bench",
  "run",
  "--targets",
  "node",
  "--benchmark",
  "eks-1.0.1",
  "--asff"
]

What happened?

Can't upload the results to SecurityHub

failed to output to ASFF: finding publish failed: AccessDeniedException: User: arn:aws:sts::XXXXXXXXXXXXX:assumed-role/Kube-Bench_EKS_Role/1664564304512275199 is not authorized to perform: securityhub:BatchImportFindings
{
  RespMetadata: {
    StatusCode: 403,
    RequestID: "427290f7-8e98-45f6-a2d2-c55384a74e6a"
  },
  Message_: "User: arn:aws:sts::XXXXXXXXXXXXX:assumed-role/Kube-Bench_EKS_Role/1664564304512275199 is not authorized to perform: securityhub:BatchImportFindings"
}

What did you expect to happen:

Upload the results to SecurityHub

Environment

v0.6.9

Kubernetes version

v1.23.7-eks-4721010

Configuration files

apiVersion: v1
data:
  config.yaml: |
    AWS_ACCOUNT: XXXXXXXXXXXXXX
    AWS_REGION: eu-west-1
    CLUSTER_ARN: arn:aws:eks:eu-west-1:XXXXXXXXXXXXXX:cluster/xxxxxxxxx
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: kube-bench
    meta.helm.sh/release-namespace: security
  creationTimestamp: "2022-09-30T18:50:38Z"
  labels:
    app: kube-bench
    app.kubernetes.io/instance: kube-bench
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: kube-bench
    app.kubernetes.io/version: v0.6.9
    helm.sh/chart: kube-bench-0.1.0
  name: kube-bench
  namespace: security
  resourceVersion: "238235177"
  uid: ca5721c1-b6ff-436f-b610-41872f81f493

Anything else you would like to add:

The role is correct, and so is the configuration of the SA to use IRSA. I don't know why it is complaining about this.

Thanks

@hariprasad0511

Can you please attach your role and the policy attached to the role? Thanks

@aliahmedmytoys

Same issue here.

@bitisuvanje

bitisuvanje commented Jan 9, 2024

Try this instead in your config map:

data:
  config.yaml: |
    AWS_ACCOUNT: "XXXXXXXXXXXXXX"
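As an added pre-flight check (stdlib-only Python, not kube-bench's own code), the following validates a ConfigMap of the shape posted in this issue before the CronJob ever calls Security Hub: it flags an unquoted AWS_ACCOUNT (a plain scalar that YAML resolvers type as a number rather than a string, which the quoting suggested above avoids), checks that it is exactly 12 digits, and checks that CLUSTER_ARN agrees with AWS_ACCOUNT and AWS_REGION. The embedded ConfigMap text is a constructed sample with a fake account id.

```python
import re

# Constructed sample shaped like the issue's ConfigMap (fake, unquoted account id).
SAMPLE_CONFIGMAP = """\
data:
  config.yaml: |
    AWS_ACCOUNT: 123456789012
    AWS_REGION: eu-west-1
    CLUSTER_ARN: arn:aws:eks:eu-west-1:123456789012:cluster/demo
kind: ConfigMap
"""

# Plain (unquoted) scalars that YAML resolvers type as int/float rather than str.
YAML_NUMBER = re.compile(r"^[-+]?(0|[1-9][0-9]*)(\.[0-9]*)?([eE][-+]?[0-9]+)?$")
QUOTED = re.compile(r"""^(".*"|'.*')$""")
EKS_ARN = re.compile(r"^arn:aws:eks:([a-z0-9-]+):(\d{12}):cluster/[\w-]+$")

def extract_config_yaml(configmap_text):
    """Map key -> raw scalar text found inside the `config.yaml: |` block."""
    lines = configmap_text.splitlines()
    start = next(i for i, l in enumerate(lines) if l.strip() == "config.yaml: |")
    block_indent = len(lines[start]) - len(lines[start].lstrip())
    values = {}
    for line in lines[start + 1:]:
        if line.strip() and len(line) - len(line.lstrip()) <= block_indent:
            break  # a dedent ends the block scalar
        key, sep, raw = line.strip().partition(":")
        if sep:
            values[key.strip()] = raw.strip()
    return values

def check_config(configmap_text):
    """Return the problems found; an empty list means the config passes."""
    cfg = extract_config_yaml(configmap_text)
    account = cfg.get("AWS_ACCOUNT", "")
    problems = []
    if not QUOTED.match(account) and YAML_NUMBER.match(account):
        problems.append("AWS_ACCOUNT is an unquoted numeric scalar; quote it so it stays a string")
    digits = account.strip("\"'")
    if not re.fullmatch(r"\d{12}", digits):
        problems.append("AWS_ACCOUNT must be exactly 12 digits")
    m = EKS_ARN.match(cfg.get("CLUSTER_ARN", "").strip("\"'"))
    if not m:
        return problems + ["CLUSTER_ARN is not an EKS cluster ARN"]
    region, arn_account = m.groups()
    if region != cfg.get("AWS_REGION", "").strip("\"'"):
        problems.append("CLUSTER_ARN region does not match AWS_REGION")
    if arn_account != digits:
        problems.append("CLUSTER_ARN account does not match AWS_ACCOUNT")
    return problems
```

Run `check_config` over the rendered ConfigMap (for example the output of `kubectl get configmap kube-bench -n security -o yaml`) and treat a non-empty list as a reason not to deploy.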

@dibyadhar

Was there any resolution ?
