When creating a remediation policy, if you are unsuccessful or receive an error similar to the following:


'Error assuming role: AccessDenied: User: arn:aws:sts::057012691312:assumed-role/lambda-cloudsploit-remediator/cloudsploit-remediator is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::'IAM Number':role/aqua-cspm-security-remediator ' .


there are a few troubleshooting steps you can take to resolve this.


Troubleshooting


Manual Remediation


Step 1: Check Permissions in Cloud Provider

  • For instance, in AWS check your IAM permissions by going to Access Management --> Roles and reviewing the Permissions tab. If you do not have the correct permissions, you will not be able to create the remediation policy.
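The error quoted above names both sides of an sts:AssumeRole call: the caller (the STS session ARN of lambda-cloudsploit-remediator) and the target (the aqua-cspm-security-remediator role). Both sides carry a policy, and either one can produce the same AccessDenied. The following added example (not code from the original article or from Aqua's tooling) checks a caller's identity policy and a target role's trust policy offline, using a simplified subset of IAM evaluation (Effect, Action, Resource, Principal; explicit Deny wins; no Condition keys). The role and account names come from the error message on this page; the target account id, the policy documents, and the role name some-other-role are constructed. It also maps the STS session ARN from the error to the IAM role ARN that a trust policy's Principal element actually names, since pasting the session ARN into a trust policy is a common mistake when reading this error.

```python
"""Offline check of the two IAM policies that an sts:AssumeRole call depends on.
Added example, not part of the original article or of Aqua's tooling. Covers a
simplified subset of IAM evaluation (Effect, Action, Resource, Principal, explicit
Deny wins, no Condition keys) against constructed policy documents, so it runs
without AWS credentials."""
import re

ASSUME_ROLE_ACTION = "sts:AssumeRole"

# Caller as printed in the AccessDenied error: an STS assumed-role *session* ARN.
CALLER_SESSION_ARN = ("arn:aws:sts::057012691312:assumed-role/"
                      "lambda-cloudsploit-remediator/cloudsploit-remediator")
TARGET_ACCOUNT = "111111111111"  # constructed placeholder for 'IAM Number'
TARGET_ROLE_ARN = f"arn:aws:iam::{TARGET_ACCOUNT}:role/aqua-cspm-security-remediator"

# Constructed trust policy on the target role (evaluated on the target side).
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::057012691312:role/lambda-cloudsploit-remediator"},
    "Action": "sts:AssumeRole"}]}

# Constructed identity policy on the caller's role (evaluated on the caller side).
CALLER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::*:role/aqua-cspm-security-remediator"}]}

# Constructed trust policy naming a different (hypothetical) role, which yields
# the "not authorized to perform: sts:AssumeRole" outcome on the trust side.
MISMATCHED_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::057012691312:role/some-other-role"},
    "Action": "sts:AssumeRole"}]}

_SESSION_ARN = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")

def session_to_role_arn(arn):
    """Map the STS session ARN shown in the error to the IAM role ARN that a
    trust policy's Principal element names; other ARNs pass through unchanged."""
    m = _SESSION_ARN.match(arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else arn

def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def _glob_match(pattern, value):
    # IAM-style matching: '*' matches any run of characters, '?' one character.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None

def _action_matches(statement, action):
    return any(_glob_match(p, action) for p in _as_list(statement.get("Action")))

def _principal_matches(statement, role_arn):
    """A trust statement matches if it names the role, its account (root), or '*'."""
    principal = statement.get("Principal")
    if principal == "*":
        return True
    account = role_arn.split(":")[4]
    accepted = {"*", role_arn, account, f"arn:aws:iam::{account}:root"}
    return any(p in accepted for p in _as_list((principal or {}).get("AWS")))

def _evaluate(statements, matcher):
    """Explicit Deny beats Allow; no matching Allow is an implicit deny."""
    allowed = False
    for st in statements:
        if matcher(st):
            if st.get("Effect") == "Deny":
                return False
            allowed = allowed or st.get("Effect") == "Allow"
    return allowed

def trust_policy_allows(trust_policy, caller_arn):
    role_arn = session_to_role_arn(caller_arn)
    return _evaluate(_as_list(trust_policy.get("Statement")),
                     lambda st: _action_matches(st, ASSUME_ROLE_ACTION)
                     and _principal_matches(st, role_arn))

def identity_policy_allows(identity_policy, target_role_arn):
    def matcher(st):
        return _action_matches(st, ASSUME_ROLE_ACTION) and any(
            _glob_match(r, target_role_arn) for r in _as_list(st.get("Resource")))
    return _evaluate(_as_list(identity_policy.get("Statement")), matcher)

def diagnose(trust_policy, identity_policy, caller_arn, target_role_arn):
    """Return the findings that block the call; an empty list means both sides allow it."""
    findings = []
    if not identity_policy_allows(identity_policy, target_role_arn):
        findings.append(f"caller policy does not allow {ASSUME_ROLE_ACTION} on {target_role_arn}")
    if not trust_policy_allows(trust_policy, caller_arn):
        findings.append(f"trust policy of {target_role_arn} does not list "
                        f"{session_to_role_arn(caller_arn)} as a principal")
    return findings

if __name__ == "__main__":
    for policy in (TRUST_POLICY, MISMATCHED_TRUST_POLICY):
        print(diagnose(policy, CALLER_POLICY, CALLER_SESSION_ARN, TARGET_ROLE_ARN)
              or ["both sides allow the call"])
```

To apply this to a real account, paste the trust policy from the target role's "Trust relationships" tab and the caller role's permissions policy into the two dictionaries; `diagnose` then tells you which side to fix before you go on to Step 2. Policies using Condition keys or service principals need the real IAM policy simulator, which this simplified evaluator does not replace.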


Step 2: Delete and Re-create Stack

  • Go to your AWS cloud provider.
  • Head to your stacks and choose the stack you have for the remediator.
  • Delete the stack.
  • Go back into the Aqua Cloud portal and click on Connect Account.
  • Choose the cloud account you wish to connect and then select a remediator type. (If you want to run the manual remediator, it is recommended to run both automatic and manual together.) Choose the region you are in and click 'Launch Stack'.
  • Go through and create the stack as shown.
  • Paste the ARN from the Outputs page into the Aqua Cloud Connect Account dialog.
  • Re-test a remediation and check the reports to see if it is working properly.


Step 3: Error with Region: Use only Manual

  • If deleting and re-creating the stack did not solve the issue and you saw an error on the stack's 'Output' in AWS, this could be a region issue.
  • In this case you should still be able to run manual remediation; the error concerns automated remediation in the region you are in.


*Note that if you are using only the manual remediator, keys will not be rotated every 5 minutes. If you are running a manual remediator, it is recommended to select both automatic and manual: the automatic remediator rotates keys every 5 minutes for stronger security.

*Also note that, depending on the region, automated remediation will not work. In that case, manual remediation should still work.