Issue

My Cloud Accounts went unhealthy and I'm seeing the following error:

We were unable to assume arn:aws:iam:012345678910:role/PantherAuditRole-us-west-2

Resolution

To resolve this issue, check your AWS IAM Role for PantherAuditRole and go into the Trust relationships tab. Verify whether the role is at root access.

If the role is not at root access, your Principal ARNs may need to be updated. Please contact Panther Support for troubleshooting.

NOTE: A workaround to not allowing root access would be to add a conditional wildcard for your Principal ARNs, such as:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<AWS-ID-HERE>:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "true"
                },
                "ArnLike": {
                    "aws:PrincipalArn": [
                         "arn:aws:iam::<AWS-ID-HERE>:role/panther-snapshot-pollers-function-*",
                         "arn:aws:iam::<AWS-ID-HERE>:role/panther-source-api-function-*"
                    ]
                }
            }
        }
    ]
}

This would allow for the Cloud Account remain healthy, in the case that the hash at the end of the Principal ARNs were to change.

Cause

This issue occurs when your Principal ARN in the PantherAuditRole is scoped to a specific role that may have been changed.