aws config conformance pack deployment failure in gov cloud us-west-1 region

0

Hi, I am trying to deploy the AWS conformance packs for CMMC and NIST etc. in us-west-1 GovCloud and receiving the numerous errors below. Wondering if there are limitations on using conformance packs in GovCloud, or are there any custom templates available for the same to implement in GovCloud. Below are the errors:

The sourceIdentifier ROOT_ACCOUNT_HARDWARE_MFA_ENABLED is invalid. Please refer to the documentation for a list of valid sourceIdentifiers that can be used when AWS is the Owner. (Service: AmazonConfig; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: 096f3323-178d-4d99-9724-6ad2cc427978; Proxy: null)

The sourceIdentifier OPENSEARCH_IN_VPC_ONLY is invalid. Please refer to the documentation for a list of valid sourceIdentifiers that can be used when AWS is the Owner. (Service: AmazonConfig; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: 70d48258-72e0-4700-af6b-14e4c8d7a45b; Proxy: null)

The sourceIdentifier OPENSEARCH_ENCRYPTED_AT_REST is invalid. Please refer to the documentation for a list of valid sourceIdentifiers that can be used when AWS is the Owner. (Service: AmazonConfig; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: 8bf02e8b-7f70-4a97-be93-76b30ee34d87; Proxy: null)

hs-aws
asked 6 months ago, 275 views
1 Answer
2

Hello,

The reason why the deployment is failing is that the "ROOT_ACCOUNT_HARDWARE_MFA_ENABLED", "OPENSEARCH_IN_VPC_ONLY" and "OPENSEARCH_ENCRYPTED_AT_REST" AWS managed Config rules are not supported in the us-west-1 GovCloud region. If unsupported AWS managed Config rules are referenced in the conformance pack, the deployment fails.

It is required that the sample templates are modified to include only the rules that are available in GovCloud to successfully deploy the conformance pack.

[+] Conformance Pack sample templates - https://docs.aws.amazon.com/config/latest/developerguide/conformancepack-sample-templates.html

The list of managed config rules which are currently supported in GovCloud regions can be referenced from the below links -

[+] AWS GovCloud (US-East) Region - https://docs.aws.amazon.com/config/latest/developerguide/managing-rules-by-region-availability.html#aws-govcloud-us-east-section-head

[+] AWS GovCloud (US-West) Region - https://docs.aws.amazon.com/config/latest/developerguide/managing-rules-by-region-availability.html#aws-govcloud-us-west-section-head

Regards,

Suryansh

AWS
answered 6 months ago
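One way to do the pruning the answer describes, as an added example that is not code from AWS or from this thread: it pulls the rejected sourceIdentifiers out of the deployment error text and removes the matching AWS-managed rules from the parsed template, leaving every other resource untouched. The error lines and the template are constructed samples; ROOT_ACCOUNT_MFA_ENABLED is only assumed not to appear in the errors, not claimed to be available in GovCloud.

```python
import re

# Constructed sample: the three rejections quoted in the question, trimmed.
SAMPLE_ERRORS = """
The sourceIdentifier ROOT_ACCOUNT_HARDWARE_MFA_ENABLED is invalid. (Error Code: InvalidParameterValueException)
The sourceIdentifier OPENSEARCH_IN_VPC_ONLY is invalid. (Error Code: InvalidParameterValueException)
The sourceIdentifier OPENSEARCH_ENCRYPTED_AT_REST is invalid. (Error Code: InvalidParameterValueException)
"""

# Constructed sample of a conformance pack template after YAML parsing: each
# managed rule is an AWS::Config::ConfigRule resource with Owner AWS.
SAMPLE_TEMPLATE = {
    "Resources": {
        "RootAccountHardwareMfaEnabled": {"Type": "AWS::Config::ConfigRule", "Properties": {
            "Source": {"Owner": "AWS", "SourceIdentifier": "ROOT_ACCOUNT_HARDWARE_MFA_ENABLED"}}},
        "OpensearchInVpcOnly": {"Type": "AWS::Config::ConfigRule", "Properties": {
            "Source": {"Owner": "AWS", "SourceIdentifier": "OPENSEARCH_IN_VPC_ONLY"}}},
        # Not named in the errors, so this rule is kept (assumption, not a GovCloud support claim).
        "RootAccountMfaEnabled": {"Type": "AWS::Config::ConfigRule", "Properties": {
            "Source": {"Owner": "AWS", "SourceIdentifier": "ROOT_ACCOUNT_MFA_ENABLED"}}},
    }
}

INVALID_RE = re.compile(r"sourceIdentifier (\S+) is invalid")

def invalid_identifiers(error_text):
    """Managed-rule identifiers that Config rejected, taken from the error text."""
    return sorted(set(INVALID_RE.findall(error_text)))

def prune_unsupported_rules(template, unsupported):
    """Return (pruned_template, dropped_resource_names) with every AWS-managed
    ConfigRule whose SourceIdentifier is in `unsupported` removed; the input
    template is not modified and all other resources are kept unchanged."""
    unsupported = set(unsupported)
    kept, dropped = {}, []
    for name, res in template.get("Resources", {}).items():
        source = res.get("Properties", {}).get("Source", {})
        if (res.get("Type") == "AWS::Config::ConfigRule"
                and source.get("Owner") == "AWS"
                and source.get("SourceIdentifier") in unsupported):
            dropped.append(name)
        else:
            kept[name] = res
    return {**template, "Resources": kept}, dropped

if __name__ == "__main__":
    pruned, dropped = prune_unsupported_rules(SAMPLE_TEMPLATE, invalid_identifiers(SAMPLE_ERRORS))
    print("dropped:", dropped)                  # the rules to leave out of the GovCloud pack
    print("kept:", list(pruned["Resources"]))   # serialize `pruned` back to YAML for deployment
```

Load the sample YAML template into a dictionary with a YAML parser, run it through prune_unsupported_rules with the identifiers from the failed deployment, and serialize the result back to YAML before redeploying; repeat if Config reports further identifiers.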
