Overview

A Status Error Message CloudFix IAM role can not access to the config bucket: config-bucket-########## ( global ) is seen when CloudFix performs your AWS Account Health Check.

Solution

This issue occurs when you are using a Config S3 bucket on a different AWS account where the CloudFix role does not have permissions to access.

You should have the below access before performing the actual solution steps to fix this:

• AWS account where the Config S3 bucket exists.
• s3:PutBucketPolicy permission on the Config S3 bucket.

Below are the steps to follow to grant the access:

1. Login to AWS Console of the AWS account where the config bucket exists. The config bucket name is visible on error message on the Account Health window (refer above screenshot).
2. Navigate to S3 console, search for the config bucket, and click the bucket's name.
3. Click the Permissions tab.
4. Click Edit for the Bucket policy.

5. Replace <AWS Account Id> and <Config Bucket Name> and add following statement to the Bucket policy to allow CloudFix role on other account to access to the Config bucket:

   {
     "Sid": "CloudFix-role-on-<AWS Account Id>",
     "Principal": {
       "AWS": "arn:aws:iam::<AWS Account Id>:role/cloudfix-config-reader-role-prod"
     },
     "Effect": "Allow",
     "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::<Config Bucket Name>"]
   }

6. Verify that arn:aws:iam::<AWS Account Id>:role/cloudfix-config-reader-role-prod role exists for the account that requires access to the config bucket. If it does not exist, upgrade the account in CloudFix to the latest version.

Testing

The Account Health check status on the CloudFix interface will be fixed with the weekly execution.