1 Answer
You are missing permissions in AWSSecurityHubServiceRolePolicy.
See https://aws.amazon.com/premiumsupport/knowledge-center/config-error-security-hub/ and https://docs.aws.amazon.com/securityhub/latest/userguide/using-service-linked-roles.html
{
    "Effect": "Allow",
    "Action": [
        "config:PutConfigRule",
        "config:DeleteConfigRule",
        "config:GetComplianceDetailsByConfigRule",
        "config:DescribeConfigRuleEvaluationStatus"
    ],
    "Resource": "arn:aws:config:*:*:config-rule/aws-service-rule/*securityhub*"
}
answered 2 years ago
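As an added example (not part of the answer above and not AWS tooling), the following Python evaluates the quoted policy statement against a Config rule ARN using IAM's wildcard semantics ("*" matches any run of characters including ":" and "/", "?" matches one character, action names are case-insensitive, resource ARNs are case-sensitive). It shows why the "*securityhub*" resource pattern covers Security Hub's service-linked rules but not a customer-managed rule. The account ID, region and rule-name suffixes are constructed placeholders; the function names are this example's own.

```python
import re

# The statement quoted in the answer above (the Config-related part of
# AWSSecurityHubServiceRolePolicy).
STATEMENT = {
    "Effect": "Allow",
    "Action": [
        "config:PutConfigRule",
        "config:DeleteConfigRule",
        "config:GetComplianceDetailsByConfigRule",
        "config:DescribeConfigRuleEvaluationStatus",
    ],
    "Resource": "arn:aws:config:*:*:config-rule/aws-service-rule/*securityhub*",
}

# Constructed sample ARNs (placeholder account ID and rule-name suffixes).
SECURITY_HUB_RULE_ARN = (
    "arn:aws:config:us-east-1:123456789012:config-rule/aws-service-rule/"
    "securityhub-s3-bucket-public-read-prohibited-abc123"
)
CUSTOM_RULE_ARN = (
    "arn:aws:config:us-east-1:123456789012:config-rule/config-rule-xyz789"
)


def iam_pattern_to_regex(pattern: str, ignore_case: bool = False) -> re.Pattern:
    """Translate an IAM wildcard pattern into an anchored regex.

    '*' matches any sequence of characters (IAM does not stop at ':' or '/'),
    '?' matches exactly one character; everything else is literal.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile("^" + "".join(parts) + "$", flags)


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def statement_allows(statement: dict, action: str, resource_arn: str) -> bool:
    """True if this single Allow statement matches both the action and the resource.

    This is a one-statement check only: Deny statements, conditions, SCPs and
    permission boundaries are not modelled here.
    """
    if statement.get("Effect") != "Allow":
        return False
    action_ok = any(
        iam_pattern_to_regex(a, ignore_case=True).match(action)
        for a in _as_list(statement["Action"])
    )
    resource_ok = any(
        iam_pattern_to_regex(r).match(resource_arn)
        for r in _as_list(statement["Resource"])
    )
    return action_ok and resource_ok


def missing_permissions(statement: dict, actions, resource_arn: str) -> list:
    """Return the actions from `actions` that the statement does NOT allow on the ARN."""
    return [a for a in actions if not statement_allows(statement, a, resource_arn)]


if __name__ == "__main__":
    needed = ["config:GetComplianceDetailsByConfigRule", "config:DescribeConfigRuleEvaluationStatus"]
    for arn in (SECURITY_HUB_RULE_ARN, CUSTOM_RULE_ARN):
        print(arn, "->", missing_permissions(STATEMENT, needed, arn) or "all allowed")
```

Because this evaluates only the one Allow statement, an empty "missing" list means the resource pattern itself is not the cause of an AccessDenied; the authoritative check for the real principal is the IAM policy simulator (aws iam simulate-principal-policy), which also applies Deny statements, conditions and organization SCPs.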
Sorry, I probably should have included this in the question, but we're using the "AWSServiceRoleForSecurityHub", which has the "AWSSecurityHubServiceRolePolicy" policy attached. This policy already includes the permissions you mentioned, which is why I can't understand the errors.
I'm seeing the same issue as the author. We've enabled AWS Security Hub, Security Hub is using the AWSServiceRoleForSecurityHub policy, and it has the linked policy that gives it "config:GetComplianceDetailsByConfigRule" on "arn:aws:config:*:*:config-rule/aws-service-rule/*securityhub*".
We're seeing the same error as the author, but on the securityhub-s3-bucket-public-read-prohibited-${id} rule.