
AccessDeniedException (caller is not authorized to call API) using AWS GuardDuty

AWS Lambda and the CLI both returned "InternalServerErrorException: An error occurred (InternalServerErrorException) when calling the UpdateThreatIntelSet operation: The request is rejected because the caller is not authorized to call this API." The IAM policy has already been set to allow Admin actions, and the Trusted entities are set to s3, lambda, guardduty, Apigateway. I've been searching for days now on why it keeps giving me that rejection when I already explicitly allow everything. Any advice or help is greatly appreciated. Below is the code snippet and the rejection from Lambda.

from __future__ import print_function
import boto3

detector_id = 'abcdefghijklmnop12345'
threatIntelSetIds = 'abcdefghijklmnop12345'
mal_ip = '10.0.0.0'

# Update threatIntelsetId based on the malicious_ip addresses.
def update_threatList(threatIntelSetIds, mal_ip):
    client = boto3.client('guardduty')
    # Re-activate the existing set. No Location is passed, so GuardDuty
    # keeps reading the S3 object the set already points at.
    response = client.update_threat_intel_set(
        Activate=True,
        DetectorId=detector_id,
        ThreatIntelSetId=threatIntelSetIds
    )
    return response

def lambda_handler(event, context):
    return update_threatList(threatIntelSetIds, mal_ip)

Here is the rejection: [screenshot]. IAM policy: [screenshot]. Trusted entities: [screenshot].

As noted in comments, the likely cause of this confusing error message - which I have reproduced using both Terraform and CloudFormation resources to manage GuardDuty - is that the S3 location does not exist.

Also, note that the full path in the S3 bucket needs to exist, and CloudFormation, in particular, will not create an empty file there if the file does not already exist.

This generally means some other process than CloudFormation needs to create the file.
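The check the answer describes, as an added example that is neither the poster's nor the answerer's code: before calling UpdateThreatIntelSet, confirm that the full s3://bucket/key path exists, create the TXT list (one IP or CIDR per line) when it is missing, merge in any new addresses, and pass the Location explicitly so the set points at the object just verified. It goes slightly beyond the question by also writing an empty object when there is nothing to add, which is exactly the file CloudFormation will not create for you. The bucket, key, detector and set IDs are placeholders, the Lambda event shape `{"ips": [...]}` is an assumption, and `FakeS3`/`FakeGuardDuty` are constructed in-memory stand-ins so the module runs offline; against AWS, `lambda_handler` uses real boto3 clients.

```python
import io
import ipaddress
from urllib.parse import urlparse

# Placeholders (assumed, not values from the original post).
DETECTOR_ID = "REPLACE_WITH_DETECTOR_ID"
THREAT_INTEL_SET_ID = "REPLACE_WITH_THREAT_INTEL_SET_ID"
LOCATION = "s3://example-bucket/guardduty/threat-list.txt"


def parse_s3_location(location):
    """Split 's3://bucket/path/list.txt' into (bucket, key); reject anything short of a full path."""
    parsed = urlparse(location)
    key = parsed.path.lstrip("/")
    if parsed.scheme != "s3" or not parsed.netloc or not key:
        raise ValueError(f"not a full s3://bucket/key location: {location!r}")
    return parsed.netloc, key


def validate_entry(entry):
    """GuardDuty's TXT format is one IP address or CIDR per line; reject junk before uploading it."""
    ipaddress.ip_network(entry, strict=False)  # raises ValueError on malformed input
    return entry


def _s3_error_code(exc):
    # botocore.exceptions.ClientError carries the service error code in exc.response
    return getattr(exc, "response", {}).get("Error", {}).get("Code")


def load_list(s3, bucket, key):
    """Return (exists, entries). A missing object is the case the answer above describes."""
    try:
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
    except Exception as exc:
        if _s3_error_code(exc) in ("NoSuchKey", "NotFound", "404"):
            return False, set()
        raise
    return True, {line.strip() for line in body.decode().splitlines() if line.strip()}


def update_threat_list(s3, guardduty, detector_id, set_id, location, new_ips):
    """Merge new_ips into the S3 list, writing the object if it is missing or changed,
    then (re)activate the threat intel set. Returns (wrote, sorted entries)."""
    bucket, key = parse_s3_location(location)
    exists, entries = load_list(s3, bucket, key)
    merged = entries | {validate_entry(ip) for ip in new_ips}
    wrote = not exists or merged != entries
    if wrote:
        body = "".join(f"{e}\n" for e in sorted(merged)).encode()
        s3.put_object(Bucket=bucket, Key=key, Body=body)
    guardduty.update_threat_intel_set(
        DetectorId=detector_id,
        ThreatIntelSetId=set_id,
        Location=location,  # explicit, so the set points at the object just verified
        Activate=True,
    )
    return wrote, sorted(merged)


def lambda_handler(event, context):
    """Assumed event shape: {"ips": ["203.0.113.9", ...]}. boto3 is imported lazily so the
    module also loads where boto3 is absent (local runs with the fakes below)."""
    import boto3
    wrote, entries = update_threat_list(boto3.client("s3"), boto3.client("guardduty"),
                                        DETECTOR_ID, THREAT_INTEL_SET_ID, LOCATION,
                                        event.get("ips", []))
    return {"wrote": wrote, "entries": len(entries)}


class FakeS3:
    """Constructed in-memory stand-in for the boto3 S3 client (get_object/put_object only)."""
    def __init__(self, objects=None):
        self.objects = dict(objects or {})

    def get_object(self, Bucket, Key):
        if (Bucket, Key) not in self.objects:
            exc = Exception("NoSuchKey")
            exc.response = {"Error": {"Code": "NoSuchKey"}}  # same shape as ClientError
            raise exc
        return {"Body": io.BytesIO(self.objects[(Bucket, Key)])}

    def put_object(self, Bucket, Key, Body):
        self.objects[(Bucket, Key)] = Body
        return {}


class FakeGuardDuty:
    """Constructed stand-in that records UpdateThreatIntelSet calls."""
    def __init__(self):
        self.calls = []

    def update_threat_intel_set(self, **kwargs):
        self.calls.append(kwargs)
        return {}


if __name__ == "__main__":
    s3, gd = FakeS3(), FakeGuardDuty()  # object missing: the situation behind the error in the question
    print(update_threat_list(s3, gd, DETECTOR_ID, THREAT_INTEL_SET_ID, LOCATION, ["10.0.0.0"]))
    print(gd.calls)
```

Run locally and the missing object is created before the API call; deployed, the same function needs s3:GetObject and s3:PutObject on the list object in addition to the guardduty:UpdateThreatIntelSet permission the poster already granted.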
