By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

SecurityHub Access Denied because no identity-based policy allows the config:GetComplianceDetailsByConfigRule action

0

I have SecurityHub setup in a central account but keep getting logs where its getting AccessDenied when trying to preform a config:GetComplianceDetailsByConfigRule on resources that security hub itself has setup. One example of the error is the following:

"eventSource": "config.amazonaws.com",
    "eventName": "GetComplianceDetailsByConfigRule",
    "awsRegion": "eu-west-2",
    "sourceIPAddress": "securityhub.amazonaws.com",
    "userAgent": "securityhub.amazonaws.com",
    "errorCode": "AccessDenied",
    "errorMessage": "User: arn:aws:sts::{accountID}:assumed-role/AWSServiceRoleForSecurityHub/securityhub is not authorized to perform: config:GetComplianceDetailsByConfigRule on resource: securityhub-s3-bucket-logging-enabled-1b6b206d because no identity-based policy allows the config:GetComplianceDetailsByConfigRule action",
    "requestParameters": null,
    "responseElements": null,

Has anyone had this issue before and know of a fix to stop getting UnauthorizedAPICalls alerting?

Topics
Security, Identity, & ComplianceManagement & Governance
Tags
Security, Identity, & ComplianceAWS Security HubAWS ConfigAWS CloudTrail
Language
English
Alex
asked 2 years ago595 views
1 Answer
0

You are missing permissions in AWSSecurityHubServiceRolePolicy.

See https://aws.amazon.com/premiumsupport/knowledge-center/config-error-security-hub/ and https://docs.aws.amazon.com/securityhub/latest/userguide/using-service-linked-roles.html

{
    "Effect": "Allow",
    "Action": [
         "config:PutConfigRule",
         "config:DeleteConfigRule",
         "config:GetComplianceDetailsByConfigRule",
         "config:DescribeConfigRuleEvaluationStatus"
    ],
    "Resource": "arn:aws:config:*:*:config-rule/aws-service-rule/*securityhub*"
}
AWS
Mike_O
answered 2 years ago
  • Alex
    2 years ago

    Sorry probably should have included this in the question but we're using the "AWSServiceRoleForSecurityHub" which has the "AWSSecurityHubServiceRolePolicy" policy attached. This policy already includes the permissions you mentioned which is why I can't understand the errors.

  • rePost-User-8781083
    2 years ago

    I'm seeing the same issue as the author. We've enabled AWS Security Hub, Security Hub is using the AWSServiceRoleForSecurityHub policy, and it has the linked policy that gives it "config:GetComplianceDetailsByConfigRule" on "arn:aws:config:::config-rule/aws-service-rule/securityhub".

    We're seeing the same error as the author, but on the securityhub-s3-bucket-public-read-prohibited-${id} rule.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content