Agentless scan status returns an error about missing permissions

3768

Created On 08/07/24 08:30 AM - Last Modified 03/28/25 09:07 AM

Prisma Cloud Compute Agentless

Prisma Cloud Compute Edition Self-Hosted

Symptom

In agentless logs, these errors are observed:

arn:aws:sts::XXX:assumed-role/PrismaCloudReadOnlyRole-member/redlock is missing permissions: ec2:DeleteSnapshot, ec2:DescribeInstances, ec2:TerminateInstances, ec2:DescribeSnapshots

ERRO types.go:598 (agentless/orchestrator.go:852) Failed in cleanup: failed to clean snapshots by {XXXarn:aws:sts::XXX:assumed-role/PrismaCloudReadOnlyRole-member/redlock } for region us-east-2: arn:aws:sts::XXX:assumed-role/PrismaCloudReadOnlyRole-member/redlock is missing permissions or blocked by a Service Control Policy (SCP): ec2:DescribeSnapshots target="XXX" hub="" region="us-east-2" availabilityDomain="" job="Cleanup" workerID="<workerID>"

Environment

Prisma Cloud Compute
Agentless scan
AWS permissions

Cause

The Cloud SCP policy is blocking the actions.

Resolution

Disable the permission check and scoping the Agentless regions to scan only the AWS SCP allowed regions.

(1)

(2)

Agentless scan status returns an error about missing permissions

Symptom

Environment

Cause

Resolution

Other users also viewed: