Wazuh Fails to Reassume AWS Role After Token Expiration, Blocking Continuous Log Ingestion


mirko krasic

Dec 10, 2024, 7:07:40 AM
to Wazuh | Mailing List

We are experiencing issues with Wazuh not functioning as expected in a multi-account AWS environment integrated with AWS Control Tower. Specifically:

Key Expiration Issue:
Wazuh is failing to maintain continuous AWS log ingestion because the role session expires after a default interval (e.g., 3600 seconds), and it does not seamlessly re-assume the AWS role after expiration.

Error Details:
Logs show this error:

ClientError('An error occurred (ExpiredToken) when calling the GetObject operation: The provided token has expired.')

This means that the token used by Wazuh to access AWS S3 has expired, and Wazuh is unable to re-assume the role and fetch logs. The other problem is that it only collects a single account, even though we have several accounts in our Control Tower CloudTrail logs.

Christian Borla

Dec 10, 2024, 8:57:44 AM
to Wazuh | Mailing List
Hi mirko krasic,

I hope you are doing fine. Is it possible to increase the role session duration? I mean, editing the IAM role trust policy that Wazuh uses to allow a longer session duration.
For example:

{
  "Effect": "Allow",
  "Principal": {
    "Service": "ec2.amazonaws.com"
  },
  "Action": "sts:AssumeRole",
  "Condition": {
    "NumericLessThanEquals": {
      "sts:DurationSeconds": 43200
    }
  }
}

Following the documentation Considerations for the Wazuh module for AWS configuration, I found the Connection configuration for retries section. Did you check it?
You can increase the log level and see what message the agent or server shows, wherever you have it configured, via /var/ossec/etc/internal_options.conf:
wazuh_modules.debug = 2 for the server.
Internal configuration

I hope it helps.
Regards.
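The thread describes the symptom (ingestion works for one session, then every GetObject fails with ExpiredToken) and the proposed mitigation (a longer session, up to the 12-hour role maximum). A longer session only delays the failure; what keeps ingestion continuous is re-assuming the role shortly before the credentials expire and once more if the service still rejects the token. The block below is an added example, not Wazuh's module code and not from either poster: the STS and S3 clients are constructed in-memory stand-ins (the role ARN, bucket, key and timestamps are assumed values) so the pattern runs offline. With boto3 the same `RoleSession` wraps `sts.assume_role()` and `s3.get_object()`, catching `botocore.exceptions.ClientError` with error code `ExpiredToken` in place of the stand-in exception.

```python
# Re-assume an IAM role before (and on) STS session expiry.
# Added example, not Wazuh's code and not from either post: the STS and S3
# clients are constructed in-memory stand-ins so the pattern runs offline.
from datetime import datetime, timedelta, timezone


class ExpiredToken(Exception):
    """Stand-in for botocore's ClientError with Code 'ExpiredToken'."""


class FakeClock:
    """Controllable clock so the simulation can jump across the 3600 s expiry."""

    def __init__(self, start):
        self.now = start

    def advance(self, seconds):
        self.now += timedelta(seconds=seconds)

    def __call__(self):
        return self.now


class FakeSts:
    """Hands out credentials that expire DurationSeconds after issue, like STS."""

    def __init__(self, clock):
        self.clock, self.calls = clock, 0

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        self.calls += 1
        return {"Credentials": {
            "AccessKeyId": f"ASIAEXAMPLE{self.calls:04d}",        # constructed
            "SecretAccessKey": "constructed-secret",
            "SessionToken": f"token-{self.calls}",
            "Expiration": self.clock() + timedelta(seconds=DurationSeconds),
        }}


class FakeS3:
    """Rejects calls whose token is expired or has been revoked server-side."""

    def __init__(self, clock):
        self.clock, self.revoked = clock, set()

    def get_object(self, creds, Bucket, Key):
        if self.clock() >= creds["Expiration"] or creds["SessionToken"] in self.revoked:
            raise ExpiredToken("The provided token has expired.")
        return {"Body": f"constructed log bytes for s3://{Bucket}/{Key}"}


ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleWazuhLogReader"  # assumed value
BUCKET = "example-log-archive"                                      # assumed value
KEY = "AWSLogs/o-example/111122223333/CloudTrail/eu-west-1/x.json.gz"  # assumed value
START = datetime(2024, 12, 10, 7, 0, tzinfo=timezone.utc)


class RoleSession:
    """Caches assumed-role credentials and re-assumes the role before they expire."""

    def __init__(self, sts, role_arn, clock, duration=3600, margin=300):
        self.sts, self.role_arn, self.clock = sts, role_arn, clock
        self.duration, self.margin, self.creds = duration, margin, None

    def credentials(self, force=False):
        # Refresh when missing, forced, or within `margin` seconds of expiry.
        if force or self.creds is None or \
                self.clock() + timedelta(seconds=self.margin) >= self.creds["Expiration"]:
            self.creds = self.sts.assume_role(
                RoleArn=self.role_arn, RoleSessionName="wazuh-example",
                DurationSeconds=self.duration)["Credentials"]
        return self.creds

    def call(self, fn, **kwargs):
        # Proactive refresh, plus one forced re-assume if the service still
        # reports ExpiredToken (clock skew, or a session revoked server-side).
        try:
            return fn(self.credentials(), **kwargs)
        except ExpiredToken:
            return fn(self.credentials(force=True), **kwargs)


def naive_ingest(polls=36, interval=300):
    """Assume the role once and never refresh: returns polls that succeed before ExpiredToken."""
    clock = FakeClock(START)
    sts, s3 = FakeSts(clock), FakeS3(clock)
    creds = sts.assume_role(RoleArn=ROLE_ARN, RoleSessionName="wazuh-example",
                            DurationSeconds=3600)["Credentials"]
    ok = 0
    for _ in range(polls):
        try:
            s3.get_object(creds, Bucket=BUCKET, Key=KEY)
        except ExpiredToken:
            break
        ok += 1
        clock.advance(interval)
    return ok


def refreshing_ingest(polls=36, interval=300, duration=3600, margin=300):
    """Same 3-hour schedule through RoleSession: returns (successful polls, role assumptions)."""
    clock = FakeClock(START)
    sts, s3 = FakeSts(clock), FakeS3(clock)
    session = RoleSession(sts, ROLE_ARN, clock, duration, margin)
    for _ in range(polls):
        session.call(s3.get_object, Bucket=BUCKET, Key=KEY)
        clock.advance(interval)
    return polls, sts.calls


def revoked_session_recovers():
    """Server-side revocation: first call raises ExpiredToken, the forced re-assume succeeds."""
    clock = FakeClock(START)
    sts, s3 = FakeSts(clock), FakeS3(clock)
    session = RoleSession(sts, ROLE_ARN, clock)
    s3.revoked.add(session.credentials()["SessionToken"])
    body = session.call(s3.get_object, Bucket=BUCKET, Key=KEY)["Body"]
    return sts.calls == 2 and body.startswith("constructed")


if __name__ == "__main__":
    print("naive polls before ExpiredToken:", naive_ingest())
    print("refreshing (polls, assume_role calls):", refreshing_ingest())
    print("revoked session recovered:", revoked_session_recovers())
```

With a 5-minute poll interval the naive loop fails on the 13th poll, exactly one hour in, which is the behaviour reported at the top of the thread; the refreshing loop completes all 36 polls with four role assumptions, and the margin is what prevents a request from being issued with a token that expires mid-flight. Raising the session duration as suggested above changes only how often the refresh happens.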