
AWS Config should be enabled and use the service-linked role for resource recording #192

Open
dverzolla opened this issue Jul 3, 2024 · 1 comment

Comments

@dverzolla

Is your feature request related to a problem? Please describe.
In AWS Security Hub, the PCI DSS v3.2.1 check has failed with:

"Config.1", "AWS Config should be enabled and use the service-linked role for resource recording".

Even though terraform-aws-config is correctly configured and working.

The problem happens because this module creates a new role instead of using the one provided by aws.

Describe the solution you'd like
We could add an option to this module that gives the user the choice between the AWS service-linked role (default) and creating a new one. The image in additional context shows the data governance area of the AWS Config edit page.

When using this module, "choose a role from your account" is selected, which makes AWS Security Hub fail.

Describe alternatives you've considered
Disable control of this check in AWS Security Hub.

Additional context
[image: data governance area of the AWS Config edit page]
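The option the issue asks for, shown as an added Terraform example (this is not code from terraform-aws-config or from either commenter). AWS Config does have a service-linked role, AWSServiceRoleForConfig, created through the config.amazonaws.com service principal; the example lets a boolean variable switch the recorder between that role and a module-created role. The variable name `use_service_linked_role`, the resource names, and the role name `config-recorder` are assumptions for this example.

```hcl
# Added example, not part of terraform-aws-config. Demonstrates a switch
# between the AWS Config service-linked role (default) and a custom role
# trusted by config.amazonaws.com. Variable and resource names are assumed.

variable "use_service_linked_role" {
  description = "Use AWSServiceRoleForConfig for the recorder (default) instead of a module-created role."
  type        = bool
  default     = true
}

# Service-linked role path. The role name is fixed by AWS and only one can
# exist per account, so import it into state if it was already created.
resource "aws_iam_service_linked_role" "config" {
  count            = var.use_service_linked_role ? 1 : 0
  aws_service_name = "config.amazonaws.com"
}

# Custom-role path ("choose a role from your account" in the console):
# a role trusted by config.amazonaws.com with the AWS-managed policy attached.
data "aws_iam_policy_document" "config_assume" {
  count = var.use_service_linked_role ? 0 : 1

  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "config" {
  count              = var.use_service_linked_role ? 0 : 1
  name               = "config-recorder" # assumed name
  assume_role_policy = data.aws_iam_policy_document.config_assume[0].json
}

resource "aws_iam_role_policy_attachment" "config" {
  count      = var.use_service_linked_role ? 0 : 1
  role       = aws_iam_role.config[0].name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
}

# The recorder picks whichever role the variable selected. With the default,
# role_arn is the aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig ARN.
resource "aws_config_configuration_recorder" "this" {
  name = "default"
  role_arn = (
    var.use_service_linked_role
    ? aws_iam_service_linked_role.config[0].arn
    : aws_iam_role.config[0].arn
  )

  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}
```

With the default, `terraform plan` shows `role_arn` resolving to the `aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig` path, which is the role the control named in the issue title refers to; setting `use_service_linked_role = false` reproduces the module's current behaviour of recording with a role created in the account.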

@esacteksab
Contributor

Hi @dverzolla, apologies for a delayed response. Digging into this a bit, looking here, it shows that AWS Config does not support Service Linked Roles. Further down the page, there is a section for AWS Config:

AWS Config

AWS Config supports resource-level permissions for multi-account multi-Region data aggregation and AWS Config Rules. For a list of supported resources, see the Multi-Account Multi-Region Data Aggregation section and AWS Config Rules section of the [AWS Config API Guide](https://docs.aws.amazon.com/config/latest/APIReference/Welcome.html).

And looking at this guide on creating an aggregator, there is a comment that says

In the IAM console, attach the AWSConfigRoleForOrganizations managed policy to your IAM role. Attaching this policy allows AWS Config to call AWS Organizations DescribeOrganization, ListAWSServiceAccessForOrganization, and ListAccounts APIs. By default config.amazonaws.com is automatically specified as a trusted entity.

So the expectation according to the docs is that you create a role, or attach the managed policy to an existing role, that you designate to be used for your aggregator, which is what we do here.

So I'm really curious about AWS Security Hub's findings here. They seem contradictory to their own documentation. We don't use Security Hub, so any further light you could shine would be tremendously appreciated. Definitely interested in resolving compliance drivers.

Thanks!
