Configuration Auditing Troubleshooting


I have updated my password policy. But it was not reflected in my recent scan.

Several rules in IAM are built off the Credential Report. This report is cached and can only be regenerated if the existing report is more than 4 hours old. This is true for the following rules:

  • MFA is Enabled for All Users
  • No Unused Password
  • No Unused Access Key #1
  • No Unused Access Key #2
  • Password is Rotated Regularly
  • Access Key #1 is Rotated Regularly
  • Access Key #2 is Rotated Regularly

If you don't see values updating after a scan, it's probably because Amazon hasn't generated a new Credential Report. You will need to wait a few hours to see this update.
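As an added example (not Threat Stack's own code), the Python below evaluates the rules listed above against a constructed credential report and includes a helper for the 4-hour cache window. The column names are the ones AWS uses in the report; the sample rows, the fixed clock and the 90-day age threshold are assumptions made for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report (real column names, only those the checks read).
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,password_last_changed,mfa_active,\
access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,\
access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,not_supported,2024-01-03T09:00:00+00:00,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,true,2024-01-02T10:00:00+00:00,2023-12-20T00:00:00+00:00,true,true,2023-12-01T00:00:00+00:00,2024-01-02T10:00:00+00:00,false,N/A,N/A
bob,true,2023-06-01T00:00:00+00:00,2023-01-01T00:00:00+00:00,false,true,2022-11-01T00:00:00+00:00,N/A,true,2023-12-15T00:00:00+00:00,2024-01-01T00:00:00+00:00
"""
NOW = datetime(2024, 1, 4, tzinfo=timezone.utc)  # fixed clock so results are reproducible
MAX_AGE = timedelta(days=90)       # assumed age threshold; Threat Stack's own value is not stated here
REPORT_CACHE = timedelta(hours=4)  # AWS regenerates the report only when the cached one is older

def _older_than(value, limit, now):
    """True when value is missing (N/A, no_information, not_supported) or older than limit."""
    try:
        return now - datetime.fromisoformat(value) > limit
    except ValueError:
        return True

def report_is_stale(generated_time, now=NOW):
    """True when AWS would produce a fresh report (cached report older than 4 hours)."""
    return now - generated_time > REPORT_CACHE

def evaluate(report_csv=SAMPLE_REPORT, now=NOW):
    """Return {user: [names of the Credential-Report-based rules the user fails]}."""
    failures = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        failed = []
        if row["mfa_active"] != "true":
            failed.append("MFA is Enabled for All Users")
        if row["password_enabled"] == "true":  # root reports not_supported and is skipped
            if _older_than(row["password_last_used"], MAX_AGE, now):
                failed.append("No Unused Password")
            if _older_than(row["password_last_changed"], MAX_AGE, now):
                failed.append("Password is Rotated Regularly")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                if _older_than(row[f"access_key_{n}_last_used_date"], MAX_AGE, now):
                    failed.append(f"No Unused Access Key #{n}")
                if _older_than(row[f"access_key_{n}_last_rotated"], MAX_AGE, now):
                    failed.append(f"Access Key #{n} is Rotated Regularly")
        if failed:
            failures[row["user"]] = failed
    return failures
```

If a user you just fixed still shows up in the result, compare the report's generation time with `report_is_stale` before assuming the fix failed: with the sample data only `bob` fails, and only on the five rules his row violates.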

Permissions error for the entire service. 

If you are presented with an error message, in pink, at the top of the page with the text "Whoops, we have a permissions problem:", the most likely cause is that the second profile for config audit is not attached to the IAM role. Ensure that the cross-account IAM role that's integrated with Threat Stack has the correct permissions attached. The required permissions for the different install options are listed in AWS Integrations Overview.


An error at the Service level indicates that there was an error evaluating one of its child rules.

If you see an error icon (exclamation point in a gray triangle) next to the Service name, expand the section for that resource and look for the same icon in the "Resource Status" column of a rule. That rule is where the error occurred.


API error for an individual resource. 

If you are reviewing a rule and are presented with an error message in pink, Threat Stack has encountered one of a few possible errors when querying the AWS API.

  1. Check the permissions of the cross-account IAM role, as described above under the Service-level permissions error.
  2. If you have ruled out permission problems, click the "Show error code" link and include the error message shown in your message to our support team.

All CloudTrail Trails did not get scanned.

CloudTrail trails can be configured to cover multiple regions (apply trail to all regions = yes). When this happens, a main trail is created in the default region and shadow trails are created in every other region. Because these shadow trails have exactly the same configuration as the main trail, Threat Stack does not evaluate shadow trails.

Typically shadow trails are not displayed in the AWS Console, but we have run into cases where they are. To generate the list of trails you can expect to see in Threat Stack, run the following command with the AWS CLI (the --no-include-shadow-trails flag excludes the shadow trails from the output):

 aws cloudtrail describe-trails --no-include-shadow-trails

For more information, please click here:  http://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html.


‘Resource Could Not Be Evaluated’ Errors.

If Threat Stack could not evaluate an individual AWS resource against a particular rule, you will see a result that says “n [resource type] could not be evaluated.” 

There are many reasons why Threat Stack may not be able to get a result on an individual AWS resource. Here are some troubleshooting steps:

  1. Ensure that the cross-account IAM role that's integrated with Threat Stack has the correct permissions attached. The required permissions for the different install options are listed in AWS Integrations Overview.
  2. Check resource-level permissions. Within an individual rule, if some resources are evaluated and others aren't, it's possible that permissions set on the individual resource are overriding the permissions granted to the role. This is especially common with S3 buckets.