Prisma Cloud doesn't update the missing permissions after adding them in AWS
2251
Created On 06/30/23 08:13 AM - Last Modified 02/06/24 21:40 PM
Symptom
After adding the following missing permissions to the Prisma Cloud role in AWS, Prisma Cloud still reports them as missing:
- iam:ListRolePolicies
- iam:GetRolePolicy
- iam:ListAttachedRolePolicies
- iam:ListPolicyVersions
- iam:GetPolicyVersion
Environment
- Prisma Cloud
- AWS Onboarding
Cause
Prisma Cloud could not access the cloud account with the required permissions because the customer had a permissions boundary attached to the Prisma Cloud custom role, which limited the role's effective permissions. A permissions boundary caps the maximum permissions a role can have: an action granted by the role's identity-based policy is still denied unless the boundary also allows it, so adding the permissions to the role's policy alone has no effect. For more information about permissions boundaries, check this link as reference.
Resolution
Remove the permissions boundary from the Prisma Cloud custom role so that Prisma Cloud receives all the permissions granted to it. If the boundary must stay for organizational reasons, the alternative is to extend the boundary so that it explicitly allows the IAM read actions listed above; either way, re-run the policy simulation afterwards to confirm the actions are now allowed.
Procedure:
- Verify whether the actions are denied by the permissions boundary using policy simulation. Check for "EvalDecision": "implicitDeny" together with "AllowedByPermissionsBoundary": false. A value of false means that the action is either not allowed (implicitly denied) or explicitly denied by the permissions boundary. Note that --policy-source-arn takes the full role ARN, not the role name. For more information please check this link as reference.
aws iam simulate-principal-policy --action-names "iam:ListRolePolicies" --policy-source-arn "arn:aws:iam::<account-id>:role/PrismaCustomRole"
...
    "EvalActionName": "iam:ListRolePolicies",
    "EvalResourceName": "*",
    "EvalDecision": "implicitDeny",
...
    "PermissionsBoundaryDecisionDetail": {
        "AllowedByPermissionsBoundary": false
    }
aws iam simulate-principal-policy --action-names "iam:GetRole" --policy-source-arn "arn:aws:iam::<account-id>:role/PrismaCustomRole"
...
    "EvalActionName": "iam:GetRole",
    "EvalResourceName": "*",
    "EvalDecision": "implicitDeny",
...
    "PermissionsBoundaryDecisionDetail": {
        "AllowedByPermissionsBoundary": false
    }
- You can also verify the permissions boundary from the AWS console: IAM -> Roles -> PrismaCustomRole, under the "Permissions boundary" section of the role's Permissions tab.
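The procedure above checks one action at a time and reads the JSON by eye. The following script is an added example (not Prisma Cloud or AWS code) that classifies a whole simulation result: for each required action it tells you whether the action is allowed, denied because the permissions boundary does not cover it, or denied because the role's own identity policy does not grant it (the case where removing the boundary would not help). The embedded response is constructed to mirror the shape of `aws iam simulate-principal-policy` output; the role ARN, account ID and the `simulate_live` helper name are assumptions.

```python
"""Classify IAM policy-simulation results for the Prisma Cloud custom role.

Added example, not Prisma Cloud or AWS code. SAMPLE_RESPONSE is constructed
to mirror the shape of `aws iam simulate-principal-policy` output; the role
ARN and account ID used in simulate_live() are placeholders.
"""
from __future__ import annotations

# The permissions the KB article lists as missing.
REQUIRED_ACTIONS = [
    "iam:ListRolePolicies",
    "iam:GetRolePolicy",
    "iam:ListAttachedRolePolicies",
    "iam:ListPolicyVersions",
    "iam:GetPolicyVersion",
]


def _result(action: str, decision: str, boundary_allows: bool | None) -> dict:
    """Build one EvaluationResults entry. boundary_allows=None means no
    PermissionsBoundaryDecisionDetail key, which is what IAM returns when
    the role has no boundary attached."""
    entry = {"EvalActionName": action, "EvalResourceName": "*",
             "EvalDecision": decision}
    if boundary_allows is not None:
        entry["PermissionsBoundaryDecisionDetail"] = {
            "AllowedByPermissionsBoundary": boundary_allows}
    return entry


# Constructed sample: the identity policy grants most actions, but the
# permissions boundary only allows iam:GetRolePolicy. iam:GetPolicyVersion
# is denied even though the boundary allows it, i.e. the grant itself is
# missing from the role's policy.
SAMPLE_RESPONSE = {"EvaluationResults": [
    _result("iam:ListRolePolicies", "implicitDeny", False),
    _result("iam:GetRolePolicy", "allowed", True),
    _result("iam:ListAttachedRolePolicies", "implicitDeny", False),
    _result("iam:ListPolicyVersions", "implicitDeny", False),
    _result("iam:GetPolicyVersion", "implicitDeny", True),
]}


def classify(response: dict) -> dict[str, str]:
    """Map each evaluated action to one of:
      "allowed"         - EvalDecision is "allowed"
      "boundary"        - denied and AllowedByPermissionsBoundary is false
      "identity-policy" - denied although the boundary allows it, or no
                          boundary is attached: the role policy lacks the grant
    """
    verdicts: dict[str, str] = {}
    for r in response.get("EvaluationResults", []):
        action = r["EvalActionName"]
        if r["EvalDecision"] == "allowed":
            verdicts[action] = "allowed"
            continue
        detail = r.get("PermissionsBoundaryDecisionDetail")
        if detail is not None and detail.get("AllowedByPermissionsBoundary") is False:
            verdicts[action] = "boundary"
        else:
            verdicts[action] = "identity-policy"
    return verdicts


def boundary_blocked(response: dict, required=REQUIRED_ACTIONS) -> list[str]:
    """Required actions that the permissions boundary is denying, in the
    order of REQUIRED_ACTIONS. Actions missing from the response are ignored."""
    verdicts = classify(response)
    return [a for a in required if verdicts.get(a) == "boundary"]


def simulate_live(role_arn: str, actions=REQUIRED_ACTIONS) -> dict:
    """Run the real simulation with boto3 (needs AWS credentials with
    iam:SimulatePrincipalPolicy). Follows the Marker pagination so all
    actions are returned in one EvaluationResults list."""
    import boto3  # assumed available only when run against AWS
    iam = boto3.client("iam")
    kwargs = {"PolicySourceArn": role_arn, "ActionNames": list(actions)}
    results = []
    while True:
        page = iam.simulate_principal_policy(**kwargs)
        results.extend(page["EvaluationResults"])
        if not page.get("IsTruncated"):
            return {"EvaluationResults": results}
        kwargs["Marker"] = page["Marker"]


if __name__ == "__main__":
    for action, verdict in classify(SAMPLE_RESPONSE).items():
        print(f"{action:32} {verdict}")
    print("blocked by boundary:", boundary_blocked(SAMPLE_RESPONSE))
```

Run it as-is to see the classification of the constructed sample; replace `SAMPLE_RESPONSE` with `simulate_live("arn:aws:iam::<account-id>:role/PrismaCustomRole")` to check a real role. An action reported as "identity-policy" will stay denied after the boundary is removed, so fix the role policy for those first. The CLI equivalent of the Resolution step is `aws iam delete-role-permissions-boundary --role-name PrismaCustomRole`; re-run the simulation afterwards and expect every required action to come back as "allowed".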