
We are working on adding AWS accounts to the DSM through the TrendMicro Deep Security API (the Deep Security Python module).

We are able to successfully add an AWS account to, and delete an AWS account from, the DSM through API calls (create_aws_connector and delete_aws_connector of the deep security module), using the "Add AWS account using CrossAccountRole" method.

However, if any update operation is performed through the deep security module (for example, modify_aws_connector to update the CrossAccountRoleArn of any AWS account), it raises an internal server error. Below is how the API is used.

```python
import deepsecurity  # Deep Security Python SDK; `configuration` holds the DSM URL and API key

api_instance = deepsecurity.AWSConnectorsApi(deepsecurity.ApiClient(configuration))
aws_connector = deepsecurity.AWSConnector()
```

Log:

```text
An exception occurred when calling AWSConnectorsApi.modify_aws_connector: (500)
Reason:

HTTP response headers:

HTTPHeaderDict({'Content-Type': 'application/json', 'Content-Length': '35', 'Connection': 'keep-alive', 'Date': 'Fri, 02 Jul 2021 12:17:23 GMT', 'Set-Cookie': 'AWSALB=GdmyPihxdVP+z7DwSuWUGHB+lQkMoTvtpkxqkfo1gmPj0Q8KOzB2x4jwP8/dR+W1GErItKrWcGy626I5ksfcQdotQVS6W07yD+QWOsI5fEGjVir0ZncFUqNxjG0d; Expires=Fri, 09 Jul 2021 12:17:22 GMT; Path=/, AWSALBCORS=GdmyPihxdVP+z7DwSuWUGHB+lQkMoTvtpkxqkfo1gmPj0Q8KOzB2x4jwP8/dR+W1GErItKrWcGy626I5ksfcQdotQVS6W07yD+QWOsI5fEGjVir0ZncFUqNxjG0d; Expires=Fri, 09 Jul 2021 12:17:22 GMT; Path=/; SameSite=None; Secure', 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy-Report-Only': "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' www.gstatic.com www.google.com; frame-src 'self' www.google.com *.trendmicro.com; frame-ancestors 'self'; style-src 'self' 'unsafe-inline' blob:; img-src 'self' data: *.trendmicro.com; font-src 'self' data: *.trendmicro.com; form-action 'self'; report-uri https://app.deepsecurity.trendmicro.com/?CSP", 'X-XSS-Protection': '1;mode=block', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload', 'Cache-Control': 'no-cache,no-store', 'Pragma': 'no-cache', 'X-DSM-Version': 'Deep Security/50.0.449', 'X-Cache': 'Error from cloudfront', 'Via': '1.1 6cf3af2e109d98f9560bab7a34d3d10f.cloudfront.net (CloudFront)', 'X-Amz-Cf-Pop': 'MAA51-C2', 'X-Amz-Cf-Id': '8oesetz7Qn4FgLj6XyeSuBZrEfR-MOly7DSuA-EAUG7eeIbKk1fV0Q=='})

HTTP response body: {"message": "Internal server error"}
```

1 Answer

There is an error in the IAM role (or the attached policy) you are trying to assign.

I would suggest using the pre-configured cross-account role that can be set up via CloudFormation. But if that is not possible, I would suggest making sure your IAM role has the following trust relationship:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::147995105371:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<your Deep Security ExternalID>"
        }
      }
    }
  ]
}
```

The key here is the AWS account arn:aws:iam::147995105371:root. This account is controlled by Trend and is used to configure the connector.

answered 2021-07-06T17:23:15.390
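As an added pre-flight check (example code, not part of the question, the answer, or the Deep Security SDK): before passing a CrossAccountRoleArn to modify_aws_connector, inspect the role's trust policy document for the statement the answer describes, i.e. an Allow of sts:AssumeRole to the Trend account with a matching sts:ExternalId condition. The sample policies and the ExternalId value are constructed placeholders.

```python
import json

# Trend Micro account named in the answer above.
TREND_PRINCIPAL = "arn:aws:iam::147995105371:root"


def _as_list(value):
    """Normalise IAM's string-or-list (or single-object) fields to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def check_trust_policy(policy_doc, external_id):
    """Return a list of problems; empty means some Allow statement lets
    TREND_PRINCIPAL call sts:AssumeRole with the expected sts:ExternalId."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    trusts_trend = False
    for st in _as_list(policy.get("Statement")):
        principal = st.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if (st.get("Effect") != "Allow"
                or "sts:AssumeRole" not in _as_list(st.get("Action"))
                or TREND_PRINCIPAL not in aws_principals):
            continue
        trusts_trend = True
        condition = st.get("Condition", {}).get("StringEquals", {})
        if condition.get("sts:ExternalId") == external_id:
            return []
    if not trusts_trend:
        return ["no Allow sts:AssumeRole statement for " + TREND_PRINCIPAL]
    return ["sts:ExternalId condition is missing or does not match"]


# Constructed sample trust policies; the ExternalId is a placeholder.
EXTERNAL_ID = "EXAMPLE-DEEP-SECURITY-EXTERNAL-ID"
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": TREND_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}
NO_CONDITION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": TREND_PRINCIPAL}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    for name, doc in [("good", GOOD_POLICY), ("no-condition", NO_CONDITION_POLICY)]:
        print(name, check_trust_policy(json.dumps(doc), EXTERNAL_ID) or "OK")
```

The document to feed in is the AssumeRolePolicyDocument returned for the role by IAM; a non-empty result explains which part of the answer's trust relationship is missing.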