EC2 Assume role question


Slava G

Jan 26, 2021, 3:10:40 PM
to Wazuh mailing list
Hi,
I have wazuh installed on the dedicated EC2 instance. That instance has a role assigned to it to allow Wazuh installation without providing AWS credentials and everything is working fine.
But I see periodically in CloudTrail that instances are accessing the GetCallerIdentity API in different regions where Wazuh should not monitor any bucket. On that instance I have only Wazuh installed (Linux machine).
The agent that is accessing is:
Boto3/1.13.1 Python/3.8.2 Linux/3.10.0-957.27.2.el7.x86_64 Botocore/1.16.1

So, my question is: is this normal? And what is Wazuh trying to get by calling GetCallerIdentity?

Thanks

José Fernández

Jan 29, 2021, 8:40:59 AM
to Wazuh mailing list
Hello!,

I could reproduce your problem with great success.
As I can see, this call is made when a custom bucket or service is set on the aws-s3 wodle. The problem is that sts.amazonaws.com is a global source, so any call to this source will log the request in all regions; something similar happens with IAM modifications.
Answering you: this is normal behavior. The Wazuh agent performs a call to GetCallerIdentity to fetch the account ID, as you can check in https://github.com/wazuh/wazuh/blob/master/wodles/aws/aws_s3.py#L2121
Anyway, we have one step in our roadmap to improve aws-s3 wodle.

Thanks for your feedback, don't hesitate to ask us any doubt.
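The reply above explains what the CloudTrail entries look like (an sts:GetCallerIdentity call from the instance role, surfacing in several regions because STS is a global service) and why they occur (the wodle needs the account ID). The script below is an added example, not Wazuh's own code, that does the defender-side triage: it parses a set of constructed CloudTrail records, groups GetCallerIdentity calls by calling principal, lists the regions and user agents each principal used, and flags any principal other than the expected instance role. The account ID, role name, instance ID and second caller are placeholders; the Boto3 user-agent string is the one quoted in the question.

```python
"""Triage sts:GetCallerIdentity events from CloudTrail.

Added example (not part of the Wazuh project). The records in SAMPLE_EVENTS
are constructed to mirror the CloudTrail JSON schema; account ID, role name,
instance ID and the 'alice' IAM user are placeholders.
"""
from collections import defaultdict

# User agent exactly as quoted in the thread (boto3 client used by the wodle).
WAZUH_WODLE_UA = ("Boto3/1.13.1 Python/3.8.2 Linux/3.10.0-957.27.2.el7.x86_64 "
                  "Botocore/1.16.1")

# Constructed placeholder identities.
INSTANCE_ROLE_ARN = ("arn:aws:sts::111111111111:assumed-role/"
                     "WazuhInstanceRole/i-0123456789abcdef0")
OTHER_CALLER_ARN = "arn:aws:iam::111111111111:user/alice"


def _sts_event(region, user_agent, arn, identity_type):
    """Build one constructed CloudTrail record for sts:GetCallerIdentity."""
    return {
        "eventSource": "sts.amazonaws.com",
        "eventName": "GetCallerIdentity",
        "awsRegion": region,
        "userAgent": user_agent,
        "userIdentity": {"type": identity_type, "arn": arn},
    }


# Constructed sample: the same instance role appears in three regions (the
# global-endpoint effect described in the thread), plus one unrelated caller
# and one non-STS event that must be ignored.
SAMPLE_EVENTS = [
    _sts_event("us-east-1", WAZUH_WODLE_UA, INSTANCE_ROLE_ARN, "AssumedRole"),
    _sts_event("eu-west-1", WAZUH_WODLE_UA, INSTANCE_ROLE_ARN, "AssumedRole"),
    _sts_event("ap-southeast-2", WAZUH_WODLE_UA, INSTANCE_ROLE_ARN, "AssumedRole"),
    _sts_event("us-west-2",
               "aws-cli/2.1.0 Python/3.8.5 Linux/5.4.0 exe/x86_64.ubuntu.20",
               OTHER_CALLER_ARN, "IAMUser"),
    {
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListObjects",
        "awsRegion": "us-east-1",
        "userAgent": WAZUH_WODLE_UA,
        "userIdentity": {"type": "AssumedRole", "arn": INSTANCE_ROLE_ARN},
    },
]


def parse_user_agent(user_agent):
    """Split a 'Tool/version Tool/version ...' user agent into a dict.

    Tokens without a '/' are ignored; the first '/' separates name and version,
    so kernel strings such as 'Linux/3.10.0-957.27.2.el7.x86_64' stay intact.
    """
    return dict(tok.split("/", 1) for tok in user_agent.split() if "/" in tok)


def is_boto3_agent(user_agent):
    """True when the caller identifies itself as boto3 on top of botocore."""
    parts = parse_user_agent(user_agent)
    return "Boto3" in parts and "Botocore" in parts


def summarize_sts_callers(events):
    """Group sts:GetCallerIdentity events by calling principal ARN.

    Returns {arn: {"count": n, "regions": [...], "user_agents": [...]}} with
    the lists sorted so the result is deterministic and easy to assert on.
    """
    acc = defaultdict(lambda: {"count": 0, "regions": set(), "user_agents": set()})
    for ev in events:
        if (ev.get("eventSource") != "sts.amazonaws.com"
                or ev.get("eventName") != "GetCallerIdentity"):
            continue
        entry = acc[ev["userIdentity"]["arn"]]
        entry["count"] += 1
        entry["regions"].add(ev["awsRegion"])
        entry["user_agents"].add(ev["userAgent"])
    return {
        arn: {"count": e["count"],
              "regions": sorted(e["regions"]),
              "user_agents": sorted(e["user_agents"])}
        for arn, e in acc.items()
    }


def unexpected_callers(summary, expected_role_arn_prefix):
    """ARNs that called GetCallerIdentity but are not the monitored instance role.

    The assumed-role ARN ends in the session name (here the instance ID), so the
    expected role is matched by prefix up to and including the role name.
    """
    return sorted(arn for arn in summary
                  if not arn.startswith(expected_role_arn_prefix))


if __name__ == "__main__":
    summary = summarize_sts_callers(SAMPLE_EVENTS)
    for arn, info in summary.items():
        boto = any(is_boto3_agent(ua) for ua in info["user_agents"])
        print(f"{arn}: {info['count']} call(s) in {info['regions']}, boto3={boto}")
    prefix = "arn:aws:sts::111111111111:assumed-role/WazuhInstanceRole/"
    print("unexpected callers:", unexpected_callers(summary, prefix))
```

Run against a real CloudTrail export by loading the `Records` array of each log file into `summarize_sts_callers`; a single instance-role ARN with one boto3 user agent spread over many regions matches the behaviour described in the thread, while any additional ARN returned by `unexpected_callers` is the part worth investigating.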

Slava G

Jan 30, 2021, 7:57:52 AM
to José Fernández, Wazuh mailing list
Thanks José,
I appreciate your answer. 




José Fernández

Feb 2, 2021, 4:53:11 AM
to Wazuh mailing list
Thanks to you for your feedback, we are here to help.
Don't hesitate to open a new thread if you have any other doubt.

Regards!