CSPM policy "AWS IAM Access analyzer is not configured" generating alerts for disabled regions in our AWS accounts
Created On 05/20/24 09:22 AM - Last Modified 01/20/26 20:08 PM
Symptom
The Prisma Cloud CSPM policy "AWS IAM Access analyzer is not configured" generates alerts for disabled regions in the AWS accounts being monitored.
Even after disabling every region except the required one, the policy still triggers alerts for the disabled regions.
RQL Query:
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-access-analyzer' AND json.rule = status equals ACTIVE as X; config from cloud.resource where api.name = 'aws-region' AND json.rule = optInStatus does not equal not-opted-in as Y; filter '$.X.arn contains $.Y.regionName'; show X; count(X) less than 1
Environment
- Prisma Cloud Enterprise Edition
Cause
This is a known platform limitation: alerts are currently generated for disabled regions even though the policy's RQL excludes regions whose optInStatus is not-opted-in. The R&D team is working on an automated script to dismiss alerts for deactivated regions.
Resolution
As a workaround, you can dismiss alerts using region and policy filters on the alerts overview page.
Reference documentation: View and Respond to Prisma Cloud Alerts
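The following is an added example, not Prisma Cloud or AWS code, that reproduces the policy's RQL logic locally and then triages a set of alerts against region opt-in status. It helps a practitioner confirm which alerts are expected (an enabled region with no ACTIVE analyzer) and which only exist because of the platform limitation (a not-opted-in region), before dismissing the latter with the region and policy filters described above. The region and analyzer inventory and the observed alert list are constructed sample data; the field values mirror what "aws ec2 describe-regions" (OptInStatus) and "aws accessanalyzer list-analyzers" (arn, status) return, but the script makes no AWS calls.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample data (not real accounts). OptInStatus values follow
# aws ec2 describe-regions: opt-in-not-required, opted-in, not-opted-in.
@dataclass
class Region:
    region_name: str
    opt_in_status: str

# Analyzer status follows aws accessanalyzer list-analyzers (ACTIVE, DISABLED, ...).
@dataclass
class Analyzer:
    arn: str
    status: str

REGIONS = [
    Region("us-east-1", "opt-in-not-required"),
    Region("eu-west-1", "opt-in-not-required"),
    Region("ap-east-1", "opted-in"),
    Region("me-south-1", "not-opted-in"),   # disabled region
    Region("af-south-1", "not-opted-in"),   # disabled region
]

ANALYZERS = [
    Analyzer("arn:aws:access-analyzer:us-east-1:111122223333:analyzer/acct", "ACTIVE"),
    Analyzer("arn:aws:access-analyzer:eu-west-1:111122223333:analyzer/acct", "DISABLED"),
    Analyzer("arn:aws:access-analyzer:ap-east-1:111122223333:analyzer/acct", "ACTIVE"),
]

# Constructed: regions the CSPM policy alerted on, reflecting the symptom
# (alerts on disabled regions in addition to the one legitimate finding).
OBSERVED_ALERTS = ["eu-west-1", "me-south-1", "af-south-1"]


def region_of(arn: str) -> str:
    """Region is the 4th colon-separated ARN field: arn:partition:service:region:..."""
    return arn.split(":")[3]


def enabled_regions(regions: List[Region]) -> List[str]:
    """RQL 'optInStatus does not equal not-opted-in' (the Y side of the join)."""
    return [r.region_name for r in regions if r.opt_in_status != "not-opted-in"]


def regions_missing_analyzer(regions: List[Region], analyzers: List[Analyzer]) -> List[str]:
    """Local equivalent of the policy: enabled regions with no ACTIVE analyzer.

    RQL: X = analyzers with status ACTIVE; Y = enabled regions;
         join on '$.X.arn contains $.Y.regionName'; alert where count(X) < 1.
    """
    active = {region_of(a.arn) for a in analyzers if a.status == "ACTIVE"}
    return sorted(r for r in enabled_regions(regions) if r not in active)


def triage_alerts(alerted: List[str], regions: List[Region]) -> Tuple[List[str], List[str]]:
    """Split alerts into (keep, dismiss): alerts on not-opted-in regions are
    the platform-limitation noise and are candidates for dismissal."""
    disabled = {r.region_name for r in regions if r.opt_in_status == "not-opted-in"}
    keep = sorted(r for r in alerted if r not in disabled)
    dismiss = sorted(r for r in alerted if r in disabled)
    return keep, dismiss


def run_triage() -> Tuple[List[str], List[str], List[str]]:
    """Return (expected findings, alerts to keep, alerts safe to dismiss)."""
    expected = regions_missing_analyzer(REGIONS, ANALYZERS)
    keep, dismiss = triage_alerts(OBSERVED_ALERTS, REGIONS)
    return expected, keep, dismiss


if __name__ == "__main__":
    expected, keep, dismiss = run_triage()
    print("expected by RQL :", expected)
    print("keep            :", keep)
    print("dismiss (disabled regions):", dismiss)
```

When the "keep" list matches the locally computed "expected" list, every remaining alert is a genuine gap (an enabled region without an active analyzer) and the "dismiss" list is exactly the set to clear on the alerts overview page using the region filter together with this policy's name.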