Overview
The following status error message is shown in the Account Health window when CloudFix performs the AWS Account Health Check for your account:
CloudFix IAM role can not access to the config bucket: config-bucket-########## ( global )
The bucket named in the message is the AWS Config delivery bucket that the CloudFix role was unable to access.
Solution
This issue occurs when the AWS Config S3 bucket is in a different AWS account from the one CloudFix is checking, and the CloudFix role in the checked account has no permission to access that bucket. The fix is a cross-account bucket policy on the Config bucket that allows the CloudFix role.
Before following the steps below, make sure you have:
- Access to the AWS account in which the Config S3 bucket exists.
- The s3:PutBucketPolicy permission on the Config S3 bucket.
Below are the steps to grant the access:
- Log in to the AWS Console of the AWS account where the Config bucket exists. The Config bucket name is shown in the error message on the Account Health window (refer to the screenshot above).
- Navigate to the S3 console, search for the Config bucket, and click the bucket's name.
- Click the Permissions tab.
- Click Edit for the Bucket policy.
- Replace <AWS Account Id> and <Config Bucket Name> in the statement below and add it to the Statement array of the Bucket policy. This allows the CloudFix role in the other account to access the Config bucket. <AWS Account Id> is the ID of the account that needs access (the account CloudFix is checking), not the account that owns the bucket.
{
  "Sid": "CloudFix-role-on-<AWS Account Id>",
  "Principal": {
    "AWS": "arn:aws:iam::<AWS Account Id>:role/cloudfix-config-reader-role-prod"
  },
  "Effect": "Allow",
  "Action": ["s3:*"],
  "Resource": ["arn:aws:s3:::<Config Bucket Name>"]
}
  Note that the Resource is the bucket ARN only. In S3, object-level actions such as s3:GetObject are evaluated against the object ARN (arn:aws:s3:::<Config Bucket Name>/*), so this statement covers bucket-level actions on the Config bucket itself. s3:* is also broader than a reader role strictly needs; if you want to narrow it to a read-only action set, confirm with CloudFix which actions the health check requires before changing the statement above.
- Verify that the role arn:aws:iam::<AWS Account Id>:role/cloudfix-config-reader-role-prod exists in the account that requires access to the Config bucket. If it does not exist, upgrade that account in CloudFix to the latest version, which creates the role.
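If you would rather apply the bucket-policy change from a script than paste it in the console, the following added example (written for this article; it is not CloudFix code) builds the statement above with the two placeholders filled in, merges it into the bucket's existing policy without touching the other statements, and lists which CloudFix role principals the policy now allows so you can check the result. It assumes a 12-digit AWS account ID, a valid bucket name, and the current policy JSON as returned by aws s3api get-bucket-policy; the sample existing policy embedded at the bottom is constructed for the example. The statement is kept exactly as the article gives it, including s3:*.

```python
"""Build the cross-account bucket-policy statement from this article and merge
it into an existing S3 bucket policy without disturbing the other statements.

Added example for this article; it is not CloudFix code. Assumed inputs: a
12-digit AWS account ID, the Config bucket name, and the bucket's current policy
JSON as returned by `aws s3api get-bucket-policy --query Policy --output text`.
"""
import json
import re
from typing import Optional

# Role name and Sid prefix exactly as given in the article's statement.
CLOUDFIX_ROLE_NAME = "cloudfix-config-reader-role-prod"
SID_PREFIX = "CloudFix-role-on-"
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def cloudfix_statement(account_id: str, bucket: str) -> dict:
    """Return the article's statement with <AWS Account Id> and
    <Config Bucket Name> filled in. Malformed values are rejected so a typo
    cannot end up granting access to an unintended principal or bucket."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    if not BUCKET_NAME_RE.match(bucket):
        raise ValueError(f"not a valid S3 bucket name: {bucket!r}")
    return {
        "Sid": f"{SID_PREFIX}{account_id}",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{CLOUDFIX_ROLE_NAME}"},
        "Effect": "Allow",
        "Action": ["s3:*"],
        "Resource": [f"arn:aws:s3:::{bucket}"],
    }


def merge_into_policy(existing_policy: Optional[str], statement: dict) -> dict:
    """Add `statement` to the policy, replacing any earlier statement with the
    same Sid so running this twice does not duplicate the grant.
    `existing_policy` is the raw JSON string from get-bucket-policy, or None
    when the bucket has no policy yet."""
    if existing_policy:
        policy = json.loads(existing_policy)
    else:
        policy = {"Version": "2012-10-17", "Statement": []}
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a bare object instead of a list
        statements = [statements]
    statements = [s for s in statements if s.get("Sid") != statement["Sid"]]
    statements.append(statement)
    policy["Statement"] = statements
    return policy


def policy_document(policy: dict) -> str:
    """Serialize for `aws s3api put-bucket-policy --bucket ... --policy file://policy.json`."""
    return json.dumps(policy, indent=2)


def cloudfix_principals(policy: dict) -> list:
    """Verification helper: the role ARNs granted by CloudFix-role-on-* Allow statements."""
    found = []
    for s in policy.get("Statement", []):
        if str(s.get("Sid", "")).startswith(SID_PREFIX) and s.get("Effect") == "Allow":
            principal = s.get("Principal", {}).get("AWS", [])
            found.extend([principal] if isinstance(principal, str) else principal)
    return found


# Constructed sample: a bucket policy shaped like the delivery policy AWS Config
# uses for its own service principal. Not taken from a real account.
SAMPLE_EXISTING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSConfigBucketPermissionsCheck",
        "Effect": "Allow",
        "Principal": {"Service": "config.amazonaws.com"},
        "Action": "s3:GetBucketAcl",
        "Resource": "arn:aws:s3:::config-bucket-123456789012",
    }],
})


if __name__ == "__main__":
    # Account 210987654321 is the (assumed) account CloudFix is checking; the
    # bucket lives in account 123456789012.
    stmt = cloudfix_statement("210987654321", "config-bucket-123456789012")
    merged = merge_into_policy(SAMPLE_EXISTING_POLICY, stmt)
    print(policy_document(merged))
    print("CloudFix principals now allowed:", cloudfix_principals(merged))
```

Write the output of policy_document to a file and apply it with aws s3api put-bucket-policy --bucket <Config Bucket Name> --policy file://policy.json from a principal that has s3:PutBucketPolicy on the bucket; re-reading the policy with get-bucket-policy and passing it through cloudfix_principals is a quick check that the intended role ARN, and only that ARN, was added.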
Testing
The Account Health check status in the CloudFix interface is updated on the next weekly execution of the health check; once the bucket policy is in place, the error message no longer appears.