En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

SecurityHub Access Denied because no identity-based policy allows the config:GetComplianceDetailsByConfigRule action

0

I have SecurityHub setup in a central account but keep getting logs where its getting AccessDenied when trying to preform a config:GetComplianceDetailsByConfigRule on resources that security hub itself has setup. One example of the error is the following:

"eventSource": "config.amazonaws.com",
    "eventName": "GetComplianceDetailsByConfigRule",
    "awsRegion": "eu-west-2",
    "sourceIPAddress": "securityhub.amazonaws.com",
    "userAgent": "securityhub.amazonaws.com",
    "errorCode": "AccessDenied",
    "errorMessage": "User: arn:aws:sts::{accountID}:assumed-role/AWSServiceRoleForSecurityHub/securityhub is not authorized to perform: config:GetComplianceDetailsByConfigRule on resource: securityhub-s3-bucket-logging-enabled-1b6b206d because no identity-based policy allows the config:GetComplianceDetailsByConfigRule action",
    "requestParameters": null,
    "responseElements": null,

Has anyone had this issue before and know of a fix to stop getting UnauthorizedAPICalls alerting?

Sujets
Sécurité, identité et conformitéGestion et gouvernance
Balises
Sécurité, identité et conformitéHub de sécurité AWSAWS ConfigAWS CloudTrail
Langue
English
Alex
demandé il y a 2 ans604 vues
1 réponse
0

You are missing permissions in AWSSecurityHubServiceRolePolicy.

See https://aws.amazon.com/premiumsupport/knowledge-center/config-error-security-hub/ and https://docs.aws.amazon.com/securityhub/latest/userguide/using-service-linked-roles.html

{
    "Effect": "Allow",
    "Action": [
         "config:PutConfigRule",
         "config:DeleteConfigRule",
         "config:GetComplianceDetailsByConfigRule",
         "config:DescribeConfigRuleEvaluationStatus"
    ],
    "Resource": "arn:aws:config:*:*:config-rule/aws-service-rule/*securityhub*"
}
AWS
Mike_O
répondu il y a 2 ans
  • Alex
    il y a 2 ans

    Sorry probably should have included this in the question but we're using the "AWSServiceRoleForSecurityHub" which has the "AWSSecurityHubServiceRolePolicy" policy attached. This policy already includes the permissions you mentioned which is why I can't understand the errors.

  • rePost-User-8781083
    il y a 2 ans

    I'm seeing the same issue as the author. We've enabled AWS Security Hub, Security Hub is using the AWSServiceRoleForSecurityHub policy, and it has the linked policy that gives it "config:GetComplianceDetailsByConfigRule" on "arn:aws:config:::config-rule/aws-service-rule/securityhub".

    We're seeing the same error as the author, but on the securityhub-s3-bucket-public-read-prohibited-${id} rule.

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents