
SecurityHub Access Denied because no identity-based policy allows the config:GetComplianceDetailsByConfigRule action


I have SecurityHub set up in a central account but keep getting logs where it's getting AccessDenied when trying to perform a config:GetComplianceDetailsByConfigRule on resources that SecurityHub itself has set up. One example of the error is the following:

{
    "eventSource": "",
    "eventName": "GetComplianceDetailsByConfigRule",
    "awsRegion": "eu-west-2",
    "sourceIPAddress": "",
    "userAgent": "",
    "errorCode": "AccessDenied",
    "errorMessage": "User: arn:aws:sts::{accountID}:assumed-role/AWSServiceRoleForSecurityHub/securityhub is not authorized to perform: config:GetComplianceDetailsByConfigRule on resource: securityhub-s3-bucket-logging-enabled-1b6b206d because no identity-based policy allows the config:GetComplianceDetailsByConfigRule action",
    "requestParameters": null,
    "responseElements": null
}

Has anyone had this issue before and know of a fix to stop getting UnauthorizedAPICalls alerting?

1 Answer

You are missing permissions in AWSSecurityHubServiceRolePolicy.

See and

{
    "Effect": "Allow",
    "Action": [
        "config:GetComplianceDetailsByConfigRule"
    ],
    "Resource": "arn:aws:config:*:*:config-rule/aws-service-rule/*securityhub*"
}
answered 14 days ago
  • Sorry, I probably should have included this in the question, but we're using the "AWSServiceRoleForSecurityHub", which has the "AWSSecurityHubServiceRolePolicy" policy attached. This policy already includes the permissions you mentioned, which is why I can't understand the errors.
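As an added triage example (not code from the question, the answer, or AWS), the script below scans CloudTrail records for AccessDenied events raised by the Security Hub service-linked role, pulls the action and resource out of errorMessage (requestParameters and responseElements are null in these events), and, when the denied resource is an ARN, tests it against the Resource pattern quoted in the answer using IAM wildcard semantics. The sample records are constructed; the service-linked rule ARN shape `config-rule/aws-service-rule/securityhub.amazonaws.com/...` and the account ID are assumptions, and a bare rule name (as in the question's event) cannot be matched against a policy pattern until you look up its ARN.

```python
import re

# Resource pattern quoted in the answer (from AWSSecurityHubServiceRolePolicy).
POLICY_RESOURCE = "arn:aws:config:*:*:config-rule/aws-service-rule/*securityhub*"
SLR_NAME = "AWSServiceRoleForSecurityHub"
# Standard shape of an IAM authorization-failure message.
DENY_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+) on resource: (?P<resource>\S+)"
)

def iam_resource_matches(pattern, arn):
    """IAM Resource glob semantics: '*' matches any run of characters (slashes included),
    '?' matches exactly one; ARN comparison is case-sensitive."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, arn) is not None

def securityhub_slr_denials(events):
    """Return AccessDenied records raised by the Security Hub service-linked role, with the
    action/resource parsed from errorMessage and a policy-coverage verdict where an ARN is present."""
    denials = []
    for ev in events:
        if ev.get("errorCode") != "AccessDenied":
            continue
        m = DENY_RE.search(ev.get("errorMessage", ""))
        if not m or f":assumed-role/{SLR_NAME}/" not in m["principal"]:
            continue
        resource = m["resource"]
        denials.append({
            "region": ev.get("awsRegion"),
            "action": m["action"],
            "resource": resource,
            # A bare rule name (not an ARN) cannot be tested against a policy pattern: verdict unknown.
            "covered_by_policy": iam_resource_matches(POLICY_RESOURCE, resource) if resource.startswith("arn:") else None,
        })
    return denials

# Constructed sample records (not real CloudTrail output); the first mirrors the event in the question,
# the second uses an assumed customer-managed rule ARN, the third comes from an unrelated role.
SAMPLE_EVENTS = [
    {"eventName": "GetComplianceDetailsByConfigRule", "awsRegion": "eu-west-2", "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:sts::111122223333:assumed-role/AWSServiceRoleForSecurityHub/securityhub is not authorized to perform: config:GetComplianceDetailsByConfigRule on resource: securityhub-s3-bucket-logging-enabled-1b6b206d because no identity-based policy allows the config:GetComplianceDetailsByConfigRule action"},
    {"eventName": "GetComplianceDetailsByConfigRule", "awsRegion": "eu-west-2", "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:sts::111122223333:assumed-role/AWSServiceRoleForSecurityHub/securityhub is not authorized to perform: config:GetComplianceDetailsByConfigRule on resource: arn:aws:config:eu-west-2:111122223333:config-rule/config-rule-abc123 because no identity-based policy allows the config:GetComplianceDetailsByConfigRule action"},
    {"eventName": "GetBucketLogging", "awsRegion": "eu-west-2", "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:sts::111122223333:assumed-role/SomeOtherRole/session is not authorized to perform: s3:GetBucketLogging on resource: arn:aws:s3:::example-bucket"},
]

if __name__ == "__main__":
    for d in securityhub_slr_denials(SAMPLE_EVENTS):
        print(d)
```

A rule whose ARN sits directly under `config-rule/` rather than `config-rule/aws-service-rule/` falls outside the quoted pattern even if its name contains "securityhub", so the first thing to compare is the actual ARN of the denied rule, not its name.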
