After running the script I found a lot of Critical findings in status "Warning".
Attempting to view the rule related to the finding in the console took me to an empty rule definition page and/or errors in Config. Further investigation shows the rules don't even exist in Config.
I suspect this is because the script does not wait for Config to be enabled before enabling Security Hub. So SH thinks it has created the rule for the finding but the rule does not exist.
The only way to fix this is to disable/enable the standards.
e.g.:
AWS foundation should have a lot more rules than that!
So, let's disable and wait for it...
Wait a few minutes and then another minute:
Finally all the rules are gone. Re-enable the standard:
If you don't do this, some of your findings will be forever in the broken state and you will never get a pass/fail.
I think the script needs to handle enabling config better by waiting for it.
Perhaps at the end of check_config a loop checking
config.describe_configuration_recorder_status()['ConfigurationRecordersStatus'][0]['recording']
before exiting the function.
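The wait suggested in this issue, sketched as an added example that is not part of the original post or the project's script. It polls `describe_configuration_recorder_status()` until a recorder reports `recording`, and also covers the window where no recorder exists yet, which the `[0]` index would turn into an `IndexError`. The function name, exception class, and timeout/interval defaults are assumptions; `config` is a boto3 Config client.

```python
import time


class ConfigRecorderNotReady(Exception):
    """AWS Config did not reach a recording state (hypothetical helper class)."""


def wait_for_config_recording(config, timeout=300, interval=10,
                              sleep=time.sleep, clock=time.monotonic):
    """Block until a configuration recorder is recording; return its name.

    Intended to run at the end of check_config, before Security Hub
    standards are enabled. `config` is e.g. boto3.client("config").
    `sleep` and `clock` are injectable so the loop can be tested offline.
    """
    deadline = clock() + timeout
    while True:
        resp = config.describe_configuration_recorder_status()
        # The list is empty until a recorder has been created, so iterate
        # instead of indexing [0].
        for status in resp.get("ConfigurationRecordersStatus", []):
            if status.get("lastStatus") == "Failure":
                # Stop and surface the error instead of polling to timeout.
                raise ConfigRecorderNotReady(
                    "recorder %s failed: %s %s" % (
                        status.get("name"),
                        status.get("lastErrorCode", ""),
                        status.get("lastErrorMessage", "")))
            if status.get("recording"):
                return status["name"]
        if clock() >= deadline:
            raise ConfigRecorderNotReady(
                "no configuration recorder recording after %ss" % timeout)
        sleep(interval)
```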