I have a new AWS organization set up with Control Tower and a few accounts. I recently enabled the CIS 1.4 benchmark CloudWatch metric alarms and have been noticing, a few times a day, that I get alerts for an unauthorized login attempt. Looking at CloudTrail for the alarm, I see the following JSON:
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAVSPWHG5OAGLEAJZ6P:configLambdaExecution",
    "arn": "arn:aws:sts::1234567:assumed-role/AWSServiceRoleForConfig/configLambdaExecution",
    "accountId": "1234567",
    "accessKeyId": "ASIAV....GM",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAV....AJZ6P",
        "arn": "arn:aws:iam::1234567:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
        "accountId": "1234567",
        "userName": "AWSServiceRoleForConfig"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2023-12-15T12:48:57Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "config.amazonaws.com"
  },
  "eventTime": "2023-12-15T12:48:58Z",
  "eventSource": "macie2.amazonaws.com",
  "eventName": "GetMacieSession",
  "awsRegion": "us-east-2",
  "sourceIPAddress": "config.amazonaws.com",
  "userAgent": "config.amazonaws.com",
  "errorCode": "AccessDenied",
  "requestParameters": null,
  "responseElements": null,
  "requestID": "5fca0e2f-519d-4c94-ad67-8621403658e0",
  "eventID": "5241ccfc-5bee-4f34-825d-3accd9eb7e03",
  "readOnly": true,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "1234567",
  "eventCategory": "Management"
}
We do not use Macie but do use AWS Config, so I am assuming this is a built-in Lambda function (that I cannot see) trying to check for config changes in Macie.
When I go to IAM in the 1234567 account I do not see a role called configLambdaExecution, but I do see one called AWSServiceRoleForConfig. When I look at the policy attached to the role it looks like a default AWS-supplied one, and it does have GetMacieSession applied to it.
Can someone help me understand this?
If Macie is disabled, get-macie-session seems to be AccessDenied.
Macie must be enabled.
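As an added example (not code from the question or the answer above): a small Python triage helper that applies the reasoning in this thread to CloudTrail records. It embeds the question's event (trimmed to the fields the logic reads, with the poster's redacted account id kept as-is) plus one constructed event for contrast, and separates "an AWS service's service-linked role was refused, consistent with the target service (here Macie) not being enabled" from "a denied call that someone should look at". The field names are the real CloudTrail ones; the verdict labels, the `.amazonaws.com` heuristic and the error-code match are my own assumptions, not an AWS or CIS definition.

```python
"""Triage for CIS 'unauthorized API call' alarm hits from CloudTrail.

Added example, not from the question or answer. Assumptions are marked.
"""

# The question's event, trimmed to the fields the triage logic reads.
# Account id 1234567 is the poster's own redaction.
SAMPLE_EVENT = {
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAVSPWHG5OAGLEAJZ6P:configLambdaExecution",
        "arn": "arn:aws:sts::1234567:assumed-role/AWSServiceRoleForConfig/configLambdaExecution",
        "accountId": "1234567",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "arn": "arn:aws:iam::1234567:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
                "userName": "AWSServiceRoleForConfig",
            },
        },
        "invokedBy": "config.amazonaws.com",
    },
    "eventTime": "2023-12-15T12:48:58Z",
    "eventSource": "macie2.amazonaws.com",
    "eventName": "GetMacieSession",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "config.amazonaws.com",
    "userAgent": "config.amazonaws.com",
    "errorCode": "AccessDenied",
    "eventType": "AwsApiCall",
    "recipientAccountId": "1234567",
}

# Constructed event (not from the page): an IAM user denied on S3 from a
# non-AWS address. 203.0.113.10 is a documentation address, not a real source.
HUMAN_EVENT = {
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EXAMPLEPRINCIPALID",
        "arn": "arn:aws:iam::1234567:user/example-user",
        "accountId": "1234567",
        "userName": "example-user",
    },
    "eventTime": "2023-12-15T13:02:11Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "ListBuckets",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "203.0.113.10",
    "userAgent": "aws-cli/2.13.0",
    "errorCode": "AccessDenied",
    "eventType": "AwsApiCall",
    "recipientAccountId": "1234567",
}

AWS_SERVICE_SUFFIX = ".amazonaws.com"


def is_denied(event: dict) -> bool:
    """True for the error-code shapes an 'unauthorized API call' alarm keys on
    (assumption: AccessDenied* and *UnauthorizedOperation)."""
    code = event.get("errorCode") or ""
    return code.startswith("AccessDenied") or code.endswith("UnauthorizedOperation")


def is_aws_service_call(event: dict) -> bool:
    """True when every caller field says an AWS service, not a person, made the
    call: invokedBy and sourceIPAddress are service principals and the session
    was issued by a service-linked role (path /aws-service-role/)."""
    identity = event.get("userIdentity", {})
    invoked_by = identity.get("invokedBy", "")
    source = event.get("sourceIPAddress", "")
    issuer_arn = identity.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", "")
    return (invoked_by.endswith(AWS_SERVICE_SUFFIX)
            and source.endswith(AWS_SERVICE_SUFFIX)
            and "/aws-service-role/" in issuer_arn)


def triage(event: dict) -> dict:
    """Classify one CloudTrail record. Verdict labels are this example's own."""
    identity = event.get("userIdentity", {})
    result = {
        "caller": identity.get("arn", "<unknown>"),
        "action": f'{event.get("eventSource", "?")}:{event.get("eventName", "?")}',
    }
    if not is_denied(event):
        result.update(verdict="not_denied", alarm_worthy=False)
    elif is_aws_service_call(event):
        # A service-linked role was refused. With the question's event the
        # likely cause is the called service (Macie) not being enabled, which
        # is noise for this alarm rather than an unauthorized login.
        result.update(verdict="service_linked_role_denied", alarm_worthy=False,
                      invoked_by=identity.get("invokedBy"))
    else:
        result.update(verdict="denied_investigate", alarm_worthy=True,
                      source_ip=event.get("sourceIPAddress"))
    return result


def summarize(events) -> dict:
    """Count verdicts over a batch, e.g. the records behind one alarm period."""
    counts = {}
    for ev in events:
        v = triage(ev)["verdict"]
        counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in (SAMPLE_EVENT, HUMAN_EVENT):
        print(triage(ev))
    print(summarize([SAMPLE_EVENT, HUMAN_EVENT]))
```

Running it on the two records yields one `service_linked_role_denied` (the Config service-linked role calling `macie2:GetMacieSession`) and one `denied_investigate`. The three-field check in `is_aws_service_call` is deliberately strict: a service principal in `invokedBy` alone is not enough, because the session must also come from a role under `/aws-service-role/` and the source must be the service itself, which is exactly what the question's record shows.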