A Status Error Message "CloudFix IAM role can not access to the config bucket: config-bucket-########## ( global )" is seen when CloudFix performs your AWS Account Health Check.
This issue occurs when your Config S3 bucket is in a different AWS account and the CloudFix role does not have permission to access it.
You need the following access before performing the steps to fix this:
- AWS account where the Config S3 bucket exists.
- s3:PutBucketPolicy permission on the Config S3 bucket.
Follow these steps to grant the access:
- Log in to the AWS Console of the AWS account where the config bucket exists. The config bucket name is visible in the error message on the Account Health window (refer to the screenshot above).
- Navigate to the S3 console, search for the config bucket, and click the bucket's name.
- Click the
<AWS Account Id> and <Config Bucket Name> and add the following statement to the Bucket policy to allow the CloudFix role on the other account to access the Config bucket:
"Sid": "CloudFix-role-on-<AWS Account Id>",
"AWS": "arn:aws:iam::<AWS Account Id>:role/cloudfix-config-reader-role-prod"
"Resource": ["arn:aws:s3:::<Config Bucket Name>"]
- Verify that the arn:aws:iam::<AWS Account Id>:role/cloudfix-config-reader-role-prod role exists for the account that requires access to the config bucket. If it does not exist, upgrade the account in CloudFix to the latest version.
The Account Health check status on the CloudFix interface will be fixed with the weekly execution.
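To confirm the grant without waiting for the weekly run, the saved bucket policy can be checked offline. The following is an added example, not CloudFix's own code: it looks for an Allow statement that names the CloudFix role as principal and the Config bucket as resource, and returns that statement's actions for review. The account ID, bucket name and the Action value in the sample policy are constructed placeholders, since the page does not list the actions.

```python
import json

ROLE_NAME = "cloudfix-config-reader-role-prod"  # role name given on the page

# Constructed sample: account ID, bucket name and the Action value are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow",
         "Principal": {"Service": "config.amazonaws.com"},
         "Action": "s3:GetBucketAcl",
         "Resource": "arn:aws:s3:::config-bucket-example"},
        {"Sid": "CloudFix-role-on-111122223333", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/" + ROLE_NAME},
         "Action": "<actions from the CloudFix statement>",
         "Resource": ["arn:aws:s3:::config-bucket-example"]},
    ],
})


def _as_list(value):
    """Policy fields may hold a single value or a list of values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_cloudfix_grants(policy_json, account_id, bucket_name):
    """Return Allow statements naming the CloudFix role on the Config bucket."""
    role_arn = f"arn:aws:iam::{account_id}:role/{ROLE_NAME}"
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    grants = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        principal = stmt.get("Principal")
        # Principal is either "*" or a mapping such as {"AWS": ...}.
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and role_arn in aws
                and bucket_arn in _as_list(stmt.get("Resource"))):
            grants.append({"Sid": stmt.get("Sid"),
                           "Action": _as_list(stmt.get("Action"))})
    return grants


if __name__ == "__main__":
    found = find_cloudfix_grants(SAMPLE_POLICY, "111122223333", "config-bucket-example")
    print(found or "no statement grants the CloudFix role access to this bucket")
```

Pass it the policy document returned by `aws s3api get-bucket-policy` for the Config bucket. If the role was deleted after the policy was saved, AWS shows the principal as a unique ID beginning with AROA instead of the ARN, and the check reports no grant.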