aws-solutions / automated-security-response-on-aws

Automated Security Response on AWS is an add-on solution that works with AWS Security Hub to provide a ready-to-deploy architecture and a library of automated playbooks. The solution makes it easier for AWS Security Hub customers to resolve common security findings and to improve their security posture in AWS.
https://aws.amazon.com/solutions/implementations/aws-security-hub-automated-response-and-remediation/
Apache License 2.0

Multi-Account multi-region setup - Failing ap-south-2 region #182

Closed pitkanenjesse closed 10 months ago

pitkanenjesse commented 10 months ago

Describe the bug

We run a multi-account/multi-region setup with the Administrator centralized in one account. We deploy through CfCT; we already had us-east-1, us-east-2, ap-south-1 and other regions enabled, and when we enabled region ap-south-2 we got an error in the "Get Automation Document State" step only in this region. To isolate role and permission issues, we created a dummy Lambda using the same Administrator and Member cross-account roles, and we were able to get the document. I believe the issue is somewhere in the layer when passing the arguments to awsapi_cached_client.py BotoSession. We updated the whole solution to 2.0.2 to be sure everything is up to date and in sync.

The error is "An unhandled client error ocurred: UnrecognizedClientException"

To Reproduce

Centralized setup running on us-east-1; try to run any automation for any control through Security Hub automation in the ap-south-2 region.

Invoking the lambda manually passing any other "Region" argument works fine.

Expected behavior

The Get Document State step and the whole solution should run without errors on ap-south-2.


tmekari commented 10 months ago

Hi @pitkanenjesse, I can confirm that this should be fixed in our next release. We've addressed a bug regarding remediations not being able to execute in opt-in regions that I believe should extend to your issue here. Thank you for your detailed explanation and for using our solution.

pitkanenjesse commented 7 months ago

Hi @tmekari, any estimates for when this release will be available?

kroeter commented 7 months ago

Hi @pitkanenjesse - This release is scheduled for late Q1 or early Q2. I'll provide an update on this thread once it's out.