
Permission error when using SecurityHub

Open ichasco-heytrade opened this issue 2 years ago • 4 comments

Overview

[A clear and concise description of what the bug is]

How did you run kube-bench?

Creating a cronjob with these args:

command: [
  "kube-bench",
  "run",
  "--targets",
  "node",
  "--benchmark",
  "eks-1.0.1",
  "--asff"
]

What happened?

Can't upload the results to SecurityHub

failed to output to ASFF: finding publish failed: AccessDeniedException: User: arn:aws:sts::XXXXXXXXXXXXX:assumed-role/Kube-Bench_EKS_Role/1664564304512275199 is not authorized to perform: securityhub:BatchImportFindings
{
  RespMetadata: {
    StatusCode: 403,
    RequestID: "427290f7-8e98-45f6-a2d2-c55384a74e6a"
  },
  Message_: "User: arn:aws:sts::XXXXXXXXXXXXX:assumed-role/Kube-Bench_EKS_Role/1664564304512275199 is not authorized to perform: securityhub:BatchImportFindings"
}

What did you expect to happen:

Upload the results to SecurityHub

Environment

v0.6.9

[What is your version of Kubernetes? (run kubectl version or oc version on OpenShift.)]

v1.23.7-eks-4721010

Running processes

[Please include the output from running ps -eaf | grep kube on the affected node. This will allow us to check what Kubernetes processes are running, and how this compares to what kube-bench detected.]

Configuration files

apiVersion: v1
data:
  config.yaml: |
    AWS_ACCOUNT: XXXXXXXXXXXXXX
    AWS_REGION: eu-west-1
    CLUSTER_ARN: arn:aws:eks:eu-west-1:XXXXXXXXXXXXXX:cluster/xxxxxxxxx
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: kube-bench
    meta.helm.sh/release-namespace: security
  creationTimestamp: "2022-09-30T18:50:38Z"
  labels:
    app: kube-bench
    app.kubernetes.io/instance: kube-bench
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: kube-bench
    app.kubernetes.io/version: v0.6.9
    helm.sh/chart: kube-bench-0.1.0
  name: kube-bench
  namespace: security
  resourceVersion: "238235177"
  uid: ca5721c1-b6ff-436f-b610-41872f81f493

Anything else you would like to add:

The role is correct and the configuration of the SA to use IRSA also. I don't know why it is complaining about this.

Thanks

ichasco-heytrade avatar Sep 30 '22 19:09 ichasco-heytrade

  • Can you please attach your role and the policy attached to it? Thanks

hariprasad0511 avatar Nov 26 '22 00:11 hariprasad0511
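A note on what the error in the report already tells you, with an added example that is not part of the thread and not kube-bench code. The principal in the AccessDeniedException is an STS assumed-role ARN (arn:aws:sts::...:assumed-role/Kube-Bench_EKS_Role/<session>), which means AssumeRoleWithWebIdentity via IRSA succeeded: the service account annotation and the role's trust policy did their job. What is missing is an Allow for the action named in the message, securityhub:BatchImportFindings, in the permissions policy attached to the role (or it is being blocked by an SCP or permissions boundary, which this script does not model). The script below extracts the role name from such an ARN and evaluates an IAM permissions policy document offline for that one action, using simplified IAM logic (explicit Deny wins, otherwise any matching Allow, otherwise implicit deny; Resource and Condition are ignored). Both policy documents are constructed for illustration and are not the reporter's actual policy.

```python
"""Offline check of an IAM permissions policy for the action kube-bench's
--asff output needs (securityhub:BatchImportFindings, from the error text).

Added example, not kube-bench code. The policy documents are constructed."""
import fnmatch
import json

REQUIRED_ACTION = "securityhub:BatchImportFindings"

# Constructed: a read-only Security Hub policy. Assumed to be one plausible
# way to end up with the AccessDeniedException quoted in the issue.
READ_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["securityhub:GetFindings", "securityhub:DescribeHub"],
         "Resource": "*"}
    ]
})

# Constructed: the least-privilege grant for publishing ASFF findings.
PUBLISH_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": "securityhub:BatchImportFindings",
         "Resource": "*"}
    ]
})


def role_from_assumed_arn(arn: str) -> str:
    """Return the role name from an STS ARN of the form
    arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION.

    Seeing such an ARN in the error means the web-identity assume-role
    step (IRSA) succeeded; the gap is in the role's permissions."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "sts":
        raise ValueError("not an STS ARN: " + arn)
    resource = parts[5].split("/")
    if resource[0] != "assumed-role" or len(resource) < 3:
        raise ValueError("not an assumed-role ARN: " + arn)
    return resource[1]


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy_json: str, action: str) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one action.

    Simplified IAM evaluation: an explicit Deny wins over any Allow, and no
    matching Allow is an implicit deny. Resource, Condition, SCPs and
    permissions boundaries are not modelled."""
    policy = json.loads(policy_json)
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if "Action" in stmt:
            hit = any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
        elif "NotAction" in stmt:
            hit = not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
        else:
            continue  # a statement without Action/NotAction grants nothing
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        if stmt.get("Effect") == "Allow":
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def kube_bench_asff_ready(policy_json: str) -> bool:
    """True if the policy lets kube-bench --asff publish findings."""
    return evaluate(policy_json, REQUIRED_ACTION) == "Allow"


if __name__ == "__main__":
    # Account id is masked as in the original report; the session id is the
    # one shown there. Role name comes out as Kube-Bench_EKS_Role.
    arn = "arn:aws:sts::XXXXXXXXXXXXX:assumed-role/Kube-Bench_EKS_Role/1664564304512275199"
    print("assumed role:", role_from_assumed_arn(arn))
    for name, doc in (("read-only", READ_ONLY_POLICY), ("publish", PUBLISH_POLICY)):
        print(f"{name}: {REQUIRED_ACTION} -> {evaluate(doc, REQUIRED_ACTION)}")
```

To use it against a real role, export the document with `aws iam get-role-policy` or `aws iam get-policy-version` and feed the JSON to `evaluate`; a result other than Allow for securityhub:BatchImportFindings is the same outcome the reporter is seeing. Because only the action is checked, an Allow here is necessary but not sufficient: an SCP or permissions boundary can still deny the call.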

same issue here

aliahmedmytoys avatar Mar 23 '23 16:03 aliahmedmytoys

Try this instead in your config map:

data:
  config.yaml: |
    AWS_ACCOUNT: "XXXXXXXXXXXXXX"

bitisuvanje avatar Jan 09 '24 09:01 bitisuvanje

Was there any resolution ?

dibyadhar avatar Mar 19 '24 22:03 dibyadhar