aws-samples / aws-secure-environment-accelerator

The AWS Secure Environment Accelerator is a tool designed to help deploy and operate secure multi-account, multi-region AWS environments on an ongoing basis. The power of the solution is the configuration file which enables the completely automated deployment of customizable architectures within AWS without changing a single line of code.
Apache License 2.0
725 stars 233 forks

[BUG][OTHER] Enabling Security Hub standards fails on workload accounts #1210

Open mtaki22 opened 7 months ago

mtaki22 commented 7 months ago

Bug reports which fail to provide the required information will be closed without action.

Required Basic Info

Describe the bug: Activating Security Hub standards (CIS Benchmark 1.4.0 and NIST 800-53) failed on all workload accounts, but not on the core accounts (Security, Operations, ...).

Failure info: No errors in logs. After adding the Security standards, the SM runs successfully. However, in the workload accounts, the CloudFormation stack "ASEA-Account-Phase3" is not getting updated and the Lambda function '/aws/lambda/ASEA-Account-Phase3-CustomSecurityHubEnableLambdaxxxxx' is not getting invoked when the SM is executed.

The SM was executed twice to enable the standards: the first time without "controls-to-disable" and the second time with an empty "controls-to-disable".

Required files: SH-additional-standards.json. The full config file will be attached ASAP.

Steps To Reproduce

  1. Enable the Security Hub standards CIS Benchmark 1.4.0 and NIST 800-53

Expected behavior: Ensure that the new standards become active on all accounts (core accounts and members).

Screenshots

Additional context: The same behavior was not reproduced in other test environments running the same version. The behavior is unusual because the new SH standards are activated only on a specific set of accounts (the core accounts). We tried to disable one of the active standards (CIS Benchmark 1.2.0); it was deactivated only on the core accounts.
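The expected behavior above ("the new standards become active on all accounts") is easy to assert independently of whether the Phase3 stack updated: query each account's Security Hub subscriptions and compare them with the standards the config expects. The script below is an added example for this issue and is not code from the accelerator; the standards ARNs follow the documented Security Hub ARN formats, but the region, the role name `ASEA-PipelineRole`, the expected-standards set and the per-account sample data are assumptions constructed for illustration.

```python
"""Cross-account check that expected Security Hub standards are enabled.

Added example for this issue; not part of the accelerator's own code.
Assumptions (not stated in the issue): the region, the role name used for
cross-account access, the expected-standards set and the SAMPLE data below.
"""
from typing import Dict, List, Set

REGION = "ca-central-1"  # assumption: the home region of the environment

# Region-scoped standards carry the region in the ARN; the legacy CIS 1.2.0
# ruleset does not. Both are the documented Security Hub ARN formats.
CIS_140 = f"arn:aws:securityhub:{REGION}::standards/cis-aws-foundations-benchmark/v/1.4.0"
NIST_800_53 = f"arn:aws:securityhub:{REGION}::standards/nist-800-53/v/5.0.0"
CIS_120 = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"

# What the config in this issue is trying to turn on everywhere.
EXPECTED_STANDARDS: Set[str] = {CIS_140, NIST_800_53}


def enabled_standard_arns(subscriptions: List[dict]) -> Set[str]:
    """ARNs of standards whose subscription is READY, i.e. fully enabled.

    `subscriptions` has the shape of GetEnabledStandards.StandardsSubscriptions;
    PENDING/INCOMPLETE/FAILED entries are deliberately not counted as enabled.
    """
    return {s["StandardsArn"] for s in subscriptions if s.get("StandardsStatus") == "READY"}


def missing_standards(per_account: Dict[str, List[dict]],
                      expected: Set[str] = EXPECTED_STANDARDS) -> Dict[str, Set[str]]:
    """Map account id -> expected standards that are not READY in that account.

    Accounts with nothing missing are omitted, so an empty dict means the
    expected behavior from the issue holds across the fleet.
    """
    report: Dict[str, Set[str]] = {}
    for account, subs in per_account.items():
        missing = set(expected) - enabled_standard_arns(subs)
        if missing:
            report[account] = missing
    return report


def collect_enabled_standards(account_ids: List[str], role_name: str = "ASEA-PipelineRole",
                              region: str = REGION) -> Dict[str, List[dict]]:
    """Assume a role in each account and page through GetEnabledStandards.

    Needs boto3 and credentials, so it is not exercised by the offline sample
    below. The role name is an assumption, not something the issue states.
    """
    import boto3  # imported lazily so the offline part runs without boto3

    sts = boto3.client("sts")
    out: Dict[str, List[dict]] = {}
    for acct in account_ids:
        creds = sts.assume_role(
            RoleArn=f"arn:aws:iam::{acct}:role/{role_name}",
            RoleSessionName="sh-standards-audit",
        )["Credentials"]
        sh = boto3.client(
            "securityhub", region_name=region,
            aws_access_key_id=creds["AccessKeyId"],
            aws_secret_access_key=creds["SecretAccessKey"],
            aws_session_token=creds["SessionToken"],
        )
        subs: List[dict] = []
        for page in sh.get_paginator("get_enabled_standards").paginate():
            subs.extend(page["StandardsSubscriptions"])
        out[acct] = subs
    return out


# Constructed sample data mirroring the issue: a core account where both new
# standards are READY, a workload account still carrying only CIS 1.2.0, and a
# workload account where the NIST subscription exists but is still PENDING.
SAMPLE: Dict[str, List[dict]] = {
    "111111111111": [  # core (Security) account
        {"StandardsArn": CIS_140, "StandardsStatus": "READY"},
        {"StandardsArn": NIST_800_53, "StandardsStatus": "READY"},
    ],
    "222222222222": [  # workload account: Phase3 stack never updated
        {"StandardsArn": CIS_120, "StandardsStatus": "READY"},
    ],
    "333333333333": [  # workload account: enable requested, not yet READY
        {"StandardsArn": CIS_140, "StandardsStatus": "READY"},
        {"StandardsArn": NIST_800_53, "StandardsStatus": "PENDING"},
    ],
}

if __name__ == "__main__":
    # Against real accounts: missing_standards(collect_enabled_standards(ids))
    for acct, missing in sorted(missing_standards(SAMPLE).items()):
        print(acct, "missing:", ", ".join(sorted(missing)))
```

Running this after each SM execution gives a per-account answer that does not depend on reading stack events; a non-empty report for a workload account is exactly the symptom described here even when the state machine itself succeeds.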

mtaki22 commented 6 months ago
  1. The added standards are now active across all accounts as a result of an unrelated change 'Adding AWS Configure rule'. This change caused an update to the stack "PBMMAccel-Dev-phase3", which led to enabling the added standards.
  2. In summary, although the issue has been resolved, the abnormal behavior is that the CloudFormation stack 'PBMMAccel-Dev-Phase3' update was not triggered by the addition or removal of Security Hub standards in the configuration file.