AWS Config conformance pack deployment failure in GovCloud us-west-1 region

0

Hi, I am trying to deploy the AWS conformance packs for CMMC, NIST, etc. in us-west-1 GovCloud and am receiving numerous errors, shown below. I am wondering if there are limitations on using conformance packs in GovCloud, or if there are any custom templates available to implement the same in GovCloud. Below are the errors:

The sourceIdentifier ROOT_ACCOUNT_HARDWARE_MFA_ENABLED is invalid. Please refer to the documentation for a list of valid sourceIdentifiers that can be used when AWS is the Owner. (Service: AmazonConfig; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: 096f3323-178d-4d99-9724-6ad2cc427978; Proxy: null)

The sourceIdentifier OPENSEARCH_IN_VPC_ONLY is invalid. Please refer to the documentation for a list of valid sourceIdentifiers that can be used when AWS is the Owner. (Service: AmazonConfig; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: 70d48258-72e0-4700-af6b-14e4c8d7a45b; Proxy: null)

The sourceIdentifier OPENSEARCH_ENCRYPTED_AT_REST is invalid. Please refer to the documentation for a list of valid sourceIdentifiers that can be used when AWS is the Owner. (Service: AmazonConfig; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: 8bf02e8b-7f70-4a97-be93-76b30ee34d87; Proxy: null)

hs-aws
Asked 6 months ago, 293 views
1 Answer
2

Hello,

The reason why the deployment is failing is that the "ROOT_ACCOUNT_HARDWARE_MFA_ENABLED", "OPENSEARCH_IN_VPC_ONLY" and "OPENSEARCH_ENCRYPTED_AT_REST" AWS managed config rules are not supported in the us-west-1 GovCloud region. If unsupported AWS managed config rules are referred to in the conformance pack, the deployment fails.

It is required that the sample templates are modified to include only the rules that are available in GovCloud to successfully deploy the conformance pack.

[+] Conformance Pack sample templates - https://docs.aws.amazon.com/config/latest/developerguide/conformancepack-sample-templates.html

The list of managed config rules which are currently supported in GovCloud regions can be referenced from the below links -

[+] AWS GovCloud (US-East) Region - https://docs.aws.amazon.com/config/latest/developerguide/managing-rules-by-region-availability.html#aws-govcloud-us-east-section-head

[+] AWS GovCloud (US-West) Region - https://docs.aws.amazon.com/config/latest/developerguide/managing-rules-by-region-availability.html#aws-govcloud-us-west-section-head

Regards,

Suryansh

AWS
Answered 6 months ago
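
One way to apply the advice in the answer above, as an added example that is not part of the original post or any AWS tooling: collect the rejected identifiers from the InvalidParameterValueException messages and strip the matching rules from a conformance pack template. The function names, the two-space block-style YAML layout and the template fragment are assumptions made for illustration.

```python
import re

INVALID_RE = re.compile(r"sourceIdentifier (\w+) is invalid")  # wording as quoted in the question
SOURCE_RE = re.compile(r"^\s+SourceIdentifier:\s*(\w+)\s*$", re.M)

def invalid_identifiers(error_text):
    """Managed-rule identifiers that AWS Config rejected in this region."""
    return set(INVALID_RE.findall(error_text))

def drop_rules(template, unsupported):
    """Remove Resources entries whose SourceIdentifier is in `unsupported`.
    Assumes block-style YAML with logical IDs indented two spaces under
    'Resources:'. Returns (filtered_template, removed_logical_ids)."""
    out, block, removed, in_resources = [], [], [], False

    def flush():
        m = SOURCE_RE.search("\n".join(block))
        if m and m.group(1) in unsupported:
            removed.append(block[0].strip().rstrip(":"))  # record the dropped logical ID
        else:
            out.extend(block)
        block.clear()

    for line in template.splitlines():
        if re.match(r"\w", line):                        # top-level section key
            flush()
            in_resources = line.startswith("Resources:")
            out.append(line)
        elif in_resources and re.match(r"  \w", line):   # next logical ID
            flush()
            block.append(line)
        elif block:                                      # body of the current resource
            block.append(line)
        else:
            out.append(line)
    flush()
    return "\n".join(out) + "\n", removed

# Error text taken from the question (boilerplate and request IDs omitted).
ERRORS = ("The sourceIdentifier ROOT_ACCOUNT_HARDWARE_MFA_ENABLED is invalid. "
          "The sourceIdentifier OPENSEARCH_IN_VPC_ONLY is invalid. "
          "The sourceIdentifier OPENSEARCH_ENCRYPTED_AT_REST is invalid.")
# Constructed two-rule template fragment, not an AWS sample template.
TEMPLATE = "Resources:\n" + "".join(
    f"  {name}:\n    Type: AWS::Config::ConfigRule\n    Properties:\n      Source:\n"
    f"        Owner: AWS\n        SourceIdentifier: {ident}\n"
    for name, ident in [("RootHardwareMfa", "ROOT_ACCOUNT_HARDWARE_MFA_ENABLED"),
                        ("S3SslOnly", "S3_BUCKET_SSL_REQUESTS_ONLY")])

if __name__ == "__main__":
    filtered, removed = drop_rules(TEMPLATE, invalid_identifiers(ERRORS))
    print("removed:", removed, "\n" + filtered)
```

Every removed rule is a control the pack no longer evaluates in that region, so keep the list of removed logical IDs with the compliance evidence for the framework.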
