We are working on onboarding AWS accounts to DSM through the Trend Micro Deep Security API (deepsecurity Python module).

We are able to successfully add and remove AWS accounts in DSM through API calls (create_aws_connector and delete_aws_connector of the deepsecurity module) using the "Adding AWS account using CrossAccountRole" approach.

But if any update operation (e.g. updating the CrossAccountRoleArn for an AWS account) is performed through modify_aws_connector of the deepsecurity module, an Internal Server Error is thrown. Here is how the API is being used:

import deepsecurity
# `configuration` is a deepsecurity.Configuration holding the DSM host and API key
api_instance = deepsecurity.AWSConnectorsApi(deepsecurity.ApiClient(configuration))
aws_connector = deepsecurity.AWSConnector()

The logs:

An exception occurred when calling AWSConnectorsApi.modify_aws_connector: (500)
Reason:

HTTP response headers: 

HTTPHeaderDict({'Content-Type': 'application/json', 'Content-Length': '35', 'Connection': 'keep-alive', 'Date': 'Fri, 02 Jul 2021 12:17:23 GMT', 'Set-Cookie': 'AWSALB=GdmyPihxdVP+z7DwSuWUGHB+lQkMoTvtpkxqkfo1gmPj0Q8KOzB2x4jwP8/dR+W1GErItKrWcGy626I5ksfcQdotQVS6W07yD+QWOsI5fEGjVir0ZncFUqNxjG0d; Expires=Fri, 09 Jul 2021 12:17:22 GMT; Path=/, AWSALBCORS=GdmyPihxdVP+z7DwSuWUGHB+lQkMoTvtpkxqkfo1gmPj0Q8KOzB2x4jwP8/dR+W1GErItKrWcGy626I5ksfcQdotQVS6W07yD+QWOsI5fEGjVir0ZncFUqNxjG0d; Expires=Fri, 09 Jul 2021 12:17:22 GMT; Path=/; SameSite=None; Secure', 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy-Report-Only': "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' www.gstatic.com www.google.com; frame-src 'self' www.google.com *.trendmicro.com; frame-ancestors 'self'; style-src 'self' 'unsafe-inline' blob:; img-src 'self' data: *.trendmicro.com; font-src 'self' data: *.trendmicro.com; form-action 'self'; report-uri https://app.deepsecurity.trendmicro.com/?CSP", 'X-XSS-Protection': '1;mode=block', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload', 'Cache-Control': 'no-cache,no-store', 'Pragma': 'no-cache', 'X-DSM-Version': 'Deep Security/50.0.449', 'X-Cache': 'Error from cloudfront', 'Via': '1.1 6cf3af2e109d98f9560bab7a34d3d10f.cloudfront.net (CloudFront)', 'X-Amz-Cf-Pop': 'MAA51-C2', 'X-Amz-Cf-Id': '8oesetz7Qn4FgLj6XyeSuBZrEfR-MOly7DSuA-EAUG7eeIbKk1fV0Q=='})

HTTP response body: {"message": "Internal server error"}
Answer by ajaxbits:

There is an error in the IAM role (or the attached policy) you are trying to assign.

I would recommend that you use the pre-configured Cross Account Role that can be provisioned through CloudFormation. But if this is not possible, I recommend making sure your IAM role has the following Trust Relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::147995105371:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<your Deep Security ExternalID>"
        }
      }
    }
  ]
}

The key here is the AWS account arn:aws:iam::147995105371:root. This account is controlled by Trend and is used to provision the Connector.
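As an added example (not part of the answer above, and not code from Trend Micro or the deepsecurity SDK), the following check parses a role's trust policy and verifies the properties the answer calls out before the role ARN is handed to modify_aws_connector: an Allow statement granting sts:AssumeRole to the Trend connector account arn:aws:iam::147995105371:root, scoped by an sts:ExternalId condition. The external ID and the sample policies are constructed placeholders; the function also goes slightly beyond the single policy shown by accepting the string-or-list forms IAM allows and by flagging a wildcard principal, which would let any AWS account attempt the assume-role.

```python
import json

# Trend Micro's connector account, as quoted in the answer above; the external
# ID is the per-tenant value from the Deep Security console (placeholder here).
TREND_CONNECTOR_ACCOUNT = "147995105371"
EXPECTED_PRINCIPAL = "arn:aws:iam::%s:root" % TREND_CONNECTOR_ACCOUNT


def _as_list(value):
    """IAM accepts either a bare string or a list in most policy fields."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _aws_principals(statement):
    """Return the AWS principals of a statement; a bare "*" is returned as-is."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def check_trust_policy(policy_json, external_id):
    """Return a list of findings; an empty list means the trust policy looks right.

    Looks for an Allow statement that grants sts:AssumeRole to the Trend connector
    account and verifies it is scoped with sts:ExternalId, which is what stops a
    different Trend tenant from assuming this role (the confused-deputy problem).
    """
    policy = json.loads(policy_json)
    findings = []
    matched = False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principals = _aws_principals(stmt)
        if "*" in principals:
            findings.append("AssumeRole is open to any principal; restrict it to %s" % EXPECTED_PRINCIPAL)
            continue
        if EXPECTED_PRINCIPAL not in principals and TREND_CONNECTOR_ACCOUNT not in principals:
            continue
        matched = True
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        found_id = condition.get("sts:ExternalId")
        if found_id is None:
            findings.append("AssumeRole for the Trend account has no sts:ExternalId condition")
        elif found_id != external_id:
            findings.append("sts:ExternalId is %r, expected %r" % (found_id, external_id))
    if not matched:
        findings.append("no Allow statement grants sts:AssumeRole to %s" % EXPECTED_PRINCIPAL)
    return findings


def _policy(principal_arn, external_id=None):
    """Build a constructed sample trust policy in the shape the answer shows."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]})


# Constructed samples (not taken from the question): a correct policy, one that
# lost its ExternalId condition during hand-editing, and one trusting the wrong
# account (placeholder account number).
GOOD_POLICY = _policy(EXPECTED_PRINCIPAL, "example-external-id")
NO_EXTERNAL_ID_POLICY = _policy(EXPECTED_PRINCIPAL)
WRONG_ACCOUNT_POLICY = _policy("arn:aws:iam::111111111111:root", "example-external-id")


if __name__ == "__main__":
    samples = [("good", GOOD_POLICY), ("no-external-id", NO_EXTERNAL_ID_POLICY),
               ("wrong-account", WRONG_ACCOUNT_POLICY)]
    for name, doc in samples:
        print(name, check_trust_policy(doc, "example-external-id") or "ok")
```

In practice the policy document would come from `iam:GetRole` (the `AssumeRolePolicyDocument` field) for the role whose ARN is about to be written into the connector; running the check first turns an opaque 500 from the DSM API into a concrete message about which part of the trust relationship is wrong.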