
AWS Lambda and the CLI both returned "InternalServerErrorException: An error occurred (InternalServerErrorException) when calling the UpdateThreatIntelSet operation: The request is rejected because the caller is not authorized to call this API." The IAM policy has already been set to allow Admin actions, and the trusted entities are set to s3, lambda, guardduty and apigateway. I've been searching for days now on why it keeps giving me that rejection when I already explicitly allow everything. Any advice or help is greatly appreciated. Below is the code snippet and the rejection from Lambda.

from __future__ import print_function
import boto3

detector_id = 'abcdefghijklmnop12345'
threatIntelSetIds = 'abcdefghijklmnop12345'
mal_ip = '10.0.0.0'

# Update the threat intel set identified by threatIntelSetIds.
# Note: mal_ip is accepted but not used by this call, and no Location is
# passed, so the set keeps the S3 location it was created with.
def update_threatList(threatIntelSetIds, mal_ip):
    client = boto3.client('guardduty')
    response = client.update_threat_intel_set(
        Activate=True,
        DetectorId=detector_id,
        ThreatIntelSetId=threatIntelSetIds
    )
    return response

def lambda_handler(event, context):
    return update_threatList(threatIntelSetIds, mal_ip)

[Screenshots in the original post: the rejection message, the IAM policy, and the trusted entities]

  • Can you also verify the Lambda policy? (it's different from IAM role). You can verify this on the console, under configuration, click on the "key" on the left and then you will see the policy at the bottom left. Bottom right will have the IAM role. Or you can get it via aws-cli - https://docs.aws.amazon.com/cli/latest/reference/lambda/get-policy.html This policy should have lambda:invoke permission from the api gateway – abiydv Jan 23 '18 at 14:52
  • @Abi, thanks for responding. The function policy you mentioned is empty, but there is no place for me to edit it. Also, since I've explicitly added apigateway and lambda to the trusted entities, why is this step necessary? Thanks – Lee.Tan Jan 23 '18 at 15:00
  • @Abi, it still gives me the same rejection after adding exactly what you've suggested, and I've not seen that many people having this issue after googling for days now. – Lee.Tan Jan 23 '18 at 15:40
  • Sorry, I think I misunderstood the question. Could you post the IAM policy for lambda as well? – abiydv Jan 23 '18 at 15:51
  • @Abi, please refer to the iam policy and trusted entities I added above. – Lee.Tan Jan 23 '18 at 16:03
  • Issue solved. Make sure the S3 directory matches whatever is specified in the Lambda script, i.e. https:s3.amazonaws.com/BUCKETNAME/FILENAME.txt.rtf. – Lee.Tan Jan 25 '18 at 13:34

1 Answer


As noted in the comments, the likely cause of this confusing error message - which I have reproduced using both Terraform and CloudFormation resources to manage GuardDuty - is that the S3 location does not exist.

Also, note that the full path in the S3 bucket needs to exist, and CloudFormation, in particular, will not create an empty file there if the file does not already exist.

This generally means some other process than CloudFormation needs to create the file.

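The pre-flight check the answer implies, as an added example (not code from the question, the answer, or any AWS project): it parses the threat list's S3 location, confirms the object exists with HeadObject before calling UpdateThreatIntelSet, and treats a malformed URL such as the one in the comments ("https:" without "//") as an error up front. The client objects are passed in rather than created inside the functions, so the logic can be exercised offline with stand-in clients; the detector and set identifiers in the usage block are placeholders, and the caller's role is assumed to hold s3:GetObject on the list object and guardduty:UpdateThreatIntelSet.

```python
"""Pre-flight check for GuardDuty UpdateThreatIntelSet (added example, not from the post).

GuardDuty reports a missing threat-list object as "caller is not authorized",
so this verifies the S3 object exists before the threat-intel set is touched.
Assumptions: the role has s3:GetObject on the list and guardduty:UpdateThreatIntelSet;
the boto3 clients are injected so the logic runs without AWS access.
"""
from typing import Tuple
from urllib.parse import urlparse


def parse_s3_location(location: str) -> Tuple[str, str]:
    """Split a GuardDuty threat-list Location into (bucket, key).

    Accepts s3://bucket/key, path-style https://s3[.region].amazonaws.com/bucket/key
    and virtual-hosted-style https://bucket.s3[.region].amazonaws.com/key.
    Raises ValueError for anything else, including "https:host/..." with the
    slashes missing, which urlparse reads as a scheme plus a relative path.
    """
    parsed = urlparse(location)
    host, path = parsed.netloc, parsed.path.lstrip("/")
    if parsed.scheme == "s3":
        bucket, key = host, path
    elif parsed.scheme == "https" and host.endswith(".amazonaws.com"):
        if host.startswith("s3."):
            # path style: the bucket is the first path segment
            bucket, _, key = path.partition("/")
        elif ".s3." in host:
            # virtual-hosted style: the bucket is the host label before ".s3."
            bucket, key = host.split(".s3.", 1)[0], path
        else:
            raise ValueError("unrecognised S3 host in %r" % location)
    else:
        raise ValueError("not an S3 location: %r" % location)
    if not bucket or not key:
        raise ValueError("bucket or key missing in %r" % location)
    return bucket, key


def is_valid_location(location: str) -> bool:
    """True if the location parses; False for malformed strings."""
    try:
        parse_s3_location(location)
        return True
    except ValueError:
        return False


def threat_list_exists(s3_client, location: str) -> bool:
    """Return True if the object GuardDuty would read is actually there.

    HeadObject on a missing key raises a ClientError whose Error.Code is "404";
    any other failure (AccessDenied, throttling) is re-raised, since it is a
    different problem from the missing-file case this check is for.
    """
    bucket, key = parse_s3_location(location)
    try:
        s3_client.head_object(Bucket=bucket, Key=key)
    except Exception as exc:  # botocore ClientError carries a .response dict
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code in ("404", "NotFound", "NoSuchKey"):
            return False
        raise
    return True


def update_threat_list(guardduty_client, s3_client, detector_id, threat_intel_set_id, location):
    """Update and activate the set only after confirming the list object exists."""
    if not threat_list_exists(s3_client, location):
        raise FileNotFoundError(
            "threat list %s does not exist; GuardDuty would report this as "
            "'caller is not authorized'" % location)
    return guardduty_client.update_threat_intel_set(
        DetectorId=detector_id,
        ThreatIntelSetId=threat_intel_set_id,
        Location=location,
        Activate=True,
    )


if __name__ == "__main__":
    import boto3  # only needed for a real run against AWS
    # Placeholder identifiers: replace with your detector, set id and list object.
    print(update_threat_list(
        boto3.client("guardduty"),
        boto3.client("s3"),
        "DETECTOR_ID_PLACEHOLDER",
        "THREAT_INTEL_SET_ID_PLACEHOLDER",
        "s3://BUCKET_PLACEHOLDER/threat-list.txt",
    ))
```

Because the existence check uses HeadObject from the caller's own identity, it also surfaces an AccessDenied on the list object as a distinct error rather than letting it reach GuardDuty, which is the point where the two failure modes become indistinguishable.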