dmthames | 2021-05-06 16:26:43 UTC | #1
Hi All, I have a customer who is using a cloud monitoring tool (DivvyCloud) to assist them with security, and the Genesys integration is throwing a security alert because the account trust is for root:
"Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::765628985471:root" }, It's basically against their security policy to have an IAM role that references a root level permission, so it's throwing a severe / out of compliance error.
Wondering if there's a remedy for this and/or if y'all are considering an alternative method of trusting the account that's non-root? Thanks, Dean.
John_Carnell | 2021-05-06 16:48:41 UTC | #2
Hi Dean,
Do you know the specific integration they are trying to use? That will help me direct this question to the right development teams.
Thanks, John Carnell
Manager, Developer Engagement
dmthames | 2021-05-06 17:00:43 UTC | #3
This one is for Lex ... I believe the trust account config is the same regardless of Lex/Polly/Lambda however.
John_Carnell | 2021-05-06 17:57:17 UTC | #4
Hi Dean,
I had to re-educate myself on IAM roles with the integration team. The root it is referencing is not the customer's root account but rather Genesys's root account that is allowed to assume the role.
Integrations use a trusted role here. So you are basically in the customer's account setting up a policy with the permissions attached to it. Those permissions should only define the AWS resources the Genesys account needs access to. Those permissions are then granted to the policy and that policy is attached to the role. Genesys can assume the role (for example to fire a lambda) and only do the things that are granted to it.
arn:aws:iam::765628985471:root is the Genesys root so I think the customers are flagging it inappropriately.
I hope that helps and please let me know if you have other questions.
Thanks, John
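John's post describes the two halves of the setup: a trust policy that lets principals in the Genesys account (765628985471) assume the role, and a permissions policy attached to that role that bounds what the assumed role can do. As an added example (not Genesys, DivvyCloud or AWS code), the Python below models the kind of rule a posture scanner applies to a role: it flags every `:root` principal in the trust policy, distinguishes the customer's own account root from an external account root, and lists what the attached permissions policy actually grants, so the alert can be judged with the context John gives above. The Genesys account id comes from the thread; the customer account id, region and Lambda function ARN are constructed placeholders, and the severity labels are this example's own.

```python
"""Added example: trust-policy and permissions-policy checker for an IAM role.

Not Genesys, DivvyCloud or AWS code. Models the scanner rule discussed in the
thread: flag ':root' principals, but say whose root it is and what the role grants.
"""
import json

CUSTOMER_ACCOUNT_ID = "111111111111"  # constructed placeholder for the customer's account
GENESYS_ACCOUNT_ID = "765628985471"   # account id quoted in the thread

# Constructed trust policy shaped like the one quoted in the first post.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{GENESYS_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed permissions policy scoped to a single Lambda function (placeholder ARN).
PERMISSIONS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["lambda:InvokeFunction"],
        "Resource": f"arn:aws:lambda:us-east-1:{CUSTOMER_ACCOUNT_ID}:function:genesys-example",
    }],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalize to a list."""
    return value if isinstance(value, list) else [value]


def root_principals(trust_policy_json):
    """Return the account ids of every account-root principal allowed to assume the role.

    A bare 12-digit account id is treated as equivalent to arn:aws:iam::<id>:root,
    which is how IAM interprets it. A '*' principal is returned as '*'.
    """
    doc = json.loads(trust_policy_json)
    accounts = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            accounts.append("*")
            continue
        for entry in _as_list(principal.get("AWS", [])):
            if entry == "*":
                accounts.append("*")
            elif entry.isdigit() and len(entry) == 12:
                accounts.append(entry)
            else:
                parts = entry.split(":")
                # arn:aws:iam::<account-id>:root -> parts[4] is the account, parts[5] is "root"
                if len(parts) == 6 and parts[5] == "root":
                    accounts.append(parts[4])
    return accounts


def assess_role(trust_policy_json, permissions_policy_json, own_account_id):
    """Classify each root principal and summarize what the role's permissions grant."""
    findings = []
    for account in root_principals(trust_policy_json):
        if account == "*":
            findings.append(("critical", "any AWS principal may assume this role"))
        elif account == own_account_id:
            findings.append(("high", f"own account root {account}: any principal in this account may assume the role"))
        else:
            findings.append(("info", f"external account root {account}: principals in that account whose own IAM policies allow sts:AssumeRole may assume the role"))
    grants = []
    for stmt in _as_list(json.loads(permissions_policy_json).get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            for action in _as_list(stmt.get("Action", [])):
                for resource in _as_list(stmt.get("Resource", [])):
                    grants.append((action, resource))
    if any(a == "*" or r == "*" for a, r in grants):
        findings.append(("high", "permissions policy contains a wildcard action or resource"))
    return {"findings": findings, "grants": grants}


if __name__ == "__main__":
    report = assess_role(TRUST_POLICY, PERMISSIONS_POLICY, CUSTOMER_ACCOUNT_ID)
    for severity, message in report["findings"]:
        print(f"[{severity}] {message}")
    for action, resource in report["grants"]:
        print(f"grants {action} on {resource}")
```

Run as a script it prints one "info" finding for the external Genesys root plus the single Lambda grant. The point of the two-sided check is the one John makes: the `:root` principal only says which account's identities are candidates to assume the role; the permissions policy is what bounds the blast radius, so a reviewer should look at both before deciding whether the scanner's severity is justified.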
dmthames | 2021-05-06 18:05:12 UTC | #5
Thanks, John. Correct, that's your root... we're aware of that part. But it's still a security exception in their provider's eyes. I'm not a security architect, but in general references to root are a no-no, correct? I'm actually surprised this hasn't popped up before now that I look at it.
John_Carnell | 2021-05-07 16:01:10 UTC | #6
Hi Dean,
I apologize for not getting back to you sooner. I am still working on this issue. I have reviewed this with our head of security and am reviewing this question with our lead AWS architect. I am hoping to have an answer for you today, but otherwise it might be on Monday.
Thanks, John Carnell
Manager, Developer Engagement
system | 2021-06-07 16:01:14 UTC | #7
This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.
This post was migrated from the old Developer Forum.
ref: 10841