
[Bug]: Can't change the configuration from local to central from the delegated administrator account for sechub #38043

Closed
ramongalate opened this issue Jun 19, 2024 · 3 comments
Labels
bug Addresses a defect in current functionality. service/securityhub Issues and PRs that pertain to the securityhub service.

Comments

@ramongalate

ramongalate commented Jun 19, 2024

Terraform Core Version

= 1.3.0

AWS Provider Version

5.41.0

Affected Resource(s)

I have recently started configuring security hub centrally and I have set up an administrator account from the management account.
The security hub account is working properly with the local configuration, I can set up automations and do other tasks using a role I created from the sechub account that gives the role the following permission:

# The statement as posted is a fragment; the enclosing data source and its
# label "sechub" are assumed here so the snippet is complete HCL.
data "aws_iam_policy_document" "sechub" {
  statement {
    sid = "FirewallAdministratorWriteAccess"
    actions = [
      "securityhub:*"
    ]
    resources = ["*"]
    effect    = "Allow"
  }
}

But when I try to add this from the delegated admin account:

resource "aws_securityhub_finding_aggregator" "this" {
  linking_mode = "ALL_REGIONS"
}

resource "aws_securityhub_organization_configuration" "this" {
  auto_enable           = false
  auto_enable_standards = "NONE"
  organization_configuration {
    configuration_type = "CENTRAL"
  }

  depends_on = [aws_securityhub_finding_aggregator.this]
}

The aggregator works, but the configuration gives the error:

│ Error: updating Security Hub Organization Configuration (------): operation error SecurityHub: UpdateOrganizationConfiguration, https response error StatusCode: 403, RequestID: 32959520-5dde-41d4-a8b4-a2248211b863, AccessDeniedException: You don't have permissions to access this resource.

│   with module.sechub_standards_config.aws_securityhub_organization_configuration.this,
│   on modules/sechubStandardsConfig/main.tf line 60, in resource "aws_securityhub_organization_configuration" "this":
│   60: resource "aws_securityhub_organization_configuration" "this" {

Do you have any idea as to why this could be happening?

Expected Behavior

It should have let me modify our configuration from local to central.

Actual Behavior

Does not let me create the resource and gives a 403 error as below.

Relevant Error/Panic Output Snippet

│ Error: updating Security Hub Organization Configuration (delegated admin account id): operation error SecurityHub: UpdateOrganizationConfiguration, https response error StatusCode: 403, RequestID: 32959520-5dde-41d4-a8b4-a2248211b863, AccessDeniedException: You don't have permissions to access this resource.

│   with module.sechub_standards_config.aws_securityhub_organization_configuration.this,
│   on modules/sechubStandardsConfig/main.tf line 60, in resource "aws_securityhub_organization_configuration" "this":
│   60: resource "aws_securityhub_organization_configuration" "this" {

Terraform Configuration Files

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.41.0"
    }
  }
  required_version = ">= 1.3.0"
}

Steps to Reproduce

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.41.0"
    }
  }
  required_version = ">= 1.3.0"
}

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
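The report above switches a delegated administrator account from local to central configuration and gets a 403 on UpdateOrganizationConfiguration. The following pre-flight check is an added example, not code from the issue or from the AWS provider. It encodes the prerequisites for central configuration as I understand them from the AWS documentation (the caller must be the Security Hub delegated administrator, a finding aggregator must already exist, and the change must be made in the aggregator's home Region) plus a read-only permission probe, so the blockers are listed before `terraform apply` runs. The pure-logic `preflight` function works offline on a `Snapshot`; `snapshot_from_aws` fills that snapshot from live boto3 calls when credentials exist. Account ids, Regions and the role-denied action are constructed sample values.

```python
"""Pre-flight check before switching Security Hub to CENTRAL configuration.

Added example for this issue, not code from the issue or the AWS provider.
The prerequisite list is my reading of the AWS docs, not something the issue
states; verify it against the current documentation for your setup.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SECURITY_HUB_PRINCIPAL = "securityhub.amazonaws.com"
PROBE_ACTION = "securityhub:DescribeOrganizationConfiguration"  # read-only probe


@dataclass
class Snapshot:
    """What the check needs to know; filled from live APIs or by hand."""
    caller_account: str                 # from sts:GetCallerIdentity
    region: str                         # Region the provider is pointed at
    delegated_admins: list[str]         # org delegated admins for Security Hub
    aggregator_region: str | None       # home Region of the finding aggregator
    denied_actions: set[str] = field(default_factory=set)  # actions that 403'd


def preflight(snap: Snapshot) -> list[str]:
    """Return human-readable blockers; an empty list means go ahead."""
    problems: list[str] = []
    if snap.caller_account not in snap.delegated_admins:
        problems.append(
            f"account {snap.caller_account} is not the Security Hub delegated "
            f"administrator (delegated: {snap.delegated_admins or 'none'})"
        )
    if snap.aggregator_region is None:
        problems.append("no finding aggregator exists; create it first")
    elif snap.aggregator_region != snap.region:
        problems.append(
            f"provider Region {snap.region} is not the aggregator home Region "
            f"{snap.aggregator_region}; apply the change from the home Region"
        )
    for action in sorted(snap.denied_actions):
        problems.append(f"the credentials are denied {action}; fix the IAM policy first")
    return problems


def snapshot_from_aws(session) -> Snapshot:
    """Build a Snapshot from live AWS APIs via a boto3.Session (needs credentials).

    ListDelegatedAdministrators can be called from the management account or
    from a delegated administrator, so it works from the account in this issue.
    """
    from botocore.exceptions import ClientError  # lazy: offline path needs no boto3

    sts = session.client("sts")
    orgs = session.client("organizations")
    hub = session.client("securityhub")

    caller = sts.get_caller_identity()["Account"]
    admins = [
        a["Id"]
        for a in orgs.list_delegated_administrators(
            ServicePrincipal=SECURITY_HUB_PRINCIPAL
        )["DelegatedAdministrators"]
    ]
    home: str | None = None
    for agg in hub.list_finding_aggregators().get("FindingAggregators", []):
        home = hub.get_finding_aggregator(
            FindingAggregatorArn=agg["FindingAggregatorArn"]
        )["FindingAggregationRegion"]

    denied: set[str] = set()
    try:
        hub.describe_organization_configuration()  # reads the same resource
    except ClientError as exc:
        if exc.response["Error"]["Code"] == "AccessDeniedException":
            denied.add(PROBE_ACTION)
    return Snapshot(caller, session.region_name, admins, home, denied)


if __name__ == "__main__":
    # Constructed sample: wrong Region and a denied probe, so two blockers print.
    sample = Snapshot("111111111111", "eu-west-1", ["111111111111"],
                      "us-east-1", {PROBE_ACTION})
    for line in preflight(sample) or ["ok: prerequisites satisfied"]:
        print(line)
```

Run it with `python preflight.py` for the constructed sample, or call `preflight(snapshot_from_aws(boto3.Session(profile_name="sechub-admin", region_name="us-east-1")))` with the same credentials the provider uses; if the probe itself is denied, the failure is in the role's policy or SCPs rather than in the resource definition, which is the direction the maintainer's reply points.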

@ramongalate ramongalate added the bug Addresses a defect in current functionality. label Jun 19, 2024

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/securityhub Issues and PRs that pertain to the securityhub service. label Jun 19, 2024
@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Jun 19, 2024
@justinretzolk
Member

Hey @ramongalate 👋 Thank you for taking the time to raise this! We use Issues in this repository to track feature enhancements and bugs in the AWS Provider. To maintain that, we ask that broader questions are raised using one of the Community Resources, such as the AWS Provider forum. With that in mind, I'm going to close this issue, but would be remiss if I didn't mention that it appears that the issue is related to the permissions of the credentials being used to authenticate the provider:

AccessDeniedException: You don't have permissions to access this resource.


Warning

This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

@terraform-aws-provider terraform-aws-provider bot removed the needs-triage Waiting for first response or review from a maintainer. label Jun 27, 2024