SecurityHub Access Denied because no identity-based policy allows the config:GetComplianceDetailsByConfigRule action

Question

I have SecurityHub setup in a central account but keep getting logs where its getting AccessDenied when trying to preform a config:GetComplianceDetailsByConfigRule on resources that security hub itself has setup. One example of the error is the following:

```
"eventSource": "config.amazonaws.com",
    "eventName": "GetComplianceDetailsByConfigRule",
    "awsRegion": "eu-west-2",
    "sourceIPAddress": "securityhub.amazonaws.com",
    "userAgent": "securityhub.amazonaws.com",
    "errorCode": "AccessDenied",
    "errorMessage": "User: arn:aws:sts::{accountID}:assumed-role/AWSServiceRoleForSecurityHub/securityhub is not authorized to perform: config:GetComplianceDetailsByConfigRule on resource: securityhub-s3-bucket-logging-enabled-1b6b206d because no identity-based policy allows the config:GetComplianceDetailsByConfigRule action",
    "requestParameters": null,
    "responseElements": null,
```

Has anyone had this issue before and know of a fix to stop getting UnauthorizedAPICalls alerting?

Answer

You are missing permissions in AWSSecurityHubServiceRolePolicy.

See https://aws.amazon.com/premiumsupport/knowledge-center/config-error-security-hub/ and https://docs.aws.amazon.com/securityhub/latest/userguide/using-service-linked-roles.html
```
{
    "Effect": "Allow",
    "Action": [
         "config:PutConfigRule",
         "config:DeleteConfigRule",
         "config:GetComplianceDetailsByConfigRule",
         "config:DescribeConfigRuleEvaluationStatus"
    ],
    "Resource": "arn:aws:config:*:*:config-rule/aws-service-rule/*securityhub*"
}
```

SecurityHub Access Denied because no identity-based policy allows the config:GetComplianceDetailsByConfigRule action

관련 콘텐츠