aws-solutions / automated-security-response-on-aws

Automated Security Response on AWS is an add-on solution that works with AWS Security Hub to provide a ready-to-deploy architecture and a library of automated playbooks. The solution makes it easier for AWS Security Hub customers to resolve common security findings and to improve their security posture in AWS.
https://aws.amazon.com/solutions/implementations/aws-security-hub-automated-response-and-remediation/
Apache License 2.0

ERROR enabling AWS Config: An error occurred (NoSuchConfigurationRecorderException) when calling the StartConfigurationRecorder operation: The name of the configuration recorder you entered cannot be found. Verify the configuration recorder name, and try again. #209

Closed gvasquez95 closed 3 hours ago

gvasquez95 commented 4 hours ago

Describe the bug

I've found this error in the SSM automation log when trying to remediate the finding "AWS Config should be enabled and use the service-linked role for resource recording".

BTW: Step Functions ends with a "Remediation Succeeded" status; it does not report the failed SSM automation.

To Reproduce

Select the referenced finding in Security Hub, and from the Actions drop-down menu select "Remediate with ASR".

The failure arises from Step 4, EnableConfig, of the workflow.

Trace:

Traceback (most recent call last):
  File "/tmp/cb5dbf38-7602-4162-94e3-244c001a7a2f-2024-11-05-18-27-58/customer_script.py", line 78, in start_recorder
    cfgsvc.start_configuration_recorder(ConfigurationRecorderName="default")
  File "/var/lang/lib/python3.11/site-packages/botocore/client.py", line 565, in _api_call
    return self._make_api_call(operation_name, kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lang/lib/python3.11/site-packages/botocore/client.py", line 1021, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.NoSuchConfigurationRecorderException: An error occurred (NoSuchConfigurationRecorderException) when calling the StartConfigurationRecorder operation: The name of the configuration recorder you entered cannot be found. Verify the configuration recorder name, and try again.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/tmp/cb5dbf38-7602-4162-94e3-244c001a7a2f-2024-11-05-18-27-58/customer_script.py", line 92, in enable_config
    start_recorder()
  File "/tmp/cb5dbf38-7602-4162-94e3-244c001a7a2f-2024-11-05-18-27-58/customer_script.py", line 80, in start_recorder
    exit(f"ERROR enabling AWS Config: {str(e)}")
  File "<frozen _sitebuiltins>", line 26, in __call__
SystemExit: ERROR enabling AWS Config: An error occurred (NoSuchConfigurationRecorderException) when calling the StartConfigurationRecorder operation: The name of the configuration recorder you entered cannot be found. Verify the configuration recorder name, and try again.

SystemExit - ERROR enabling AWS Config: An error occurred (NoSuchConfigurationRecorderException) when calling the StartConfigurationRecorder operation: The name of the configuration recorder you entered cannot be found. Verify the configuration recorder name, and try again.

Expected behavior

AWS Config should be enabled and the finding suppressed

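The trace above shows the remediation calling start_configuration_recorder with a hard-coded name "default" and exiting on any error. The following is an added example (not the solution's own customer_script.py) of a more tolerant version of that step: it reuses whatever recorder already exists in the Region, creates one with the service-linked role when none exists, and only starts it if it is not already recording. The function name ensure_recorder, the role ARN helper and the StubConfigClient are assumptions; with boto3 the real client is boto3.client("config").

```python
DEFAULT_NAME = "default"


def service_linked_role_arn(account_id: str) -> str:
    # AWS Config's service-linked role has a fixed path and name.
    return f"arn:aws:iam::{account_id}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"


def ensure_recorder(cfgsvc, account_id: str) -> str:
    """Return the name of a started configuration recorder, creating one if absent."""
    recorders = cfgsvc.describe_configuration_recorders().get("ConfigurationRecorders", [])
    if recorders:
        # Only one recorder per Region is allowed; reuse its actual name
        # instead of assuming it is called "default".
        name = recorders[0]["name"]
    else:
        name = DEFAULT_NAME
        cfgsvc.put_configuration_recorder(
            ConfigurationRecorder={
                "name": name,
                "roleARN": service_linked_role_arn(account_id),
                "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True},
            }
        )
    # Note: the real API also requires a delivery channel before starting; that setup is not shown.
    status = cfgsvc.describe_configuration_recorder_status(ConfigurationRecorderNames=[name])
    entries = status.get("ConfigurationRecordersStatus", [])
    if not (entries and entries[0].get("recording")):
        cfgsvc.start_configuration_recorder(ConfigurationRecorderName=name)
    return name


class StubConfigClient:
    """Constructed in-memory stand-in for the boto3 Config client, so the logic runs offline."""
    def __init__(self, existing=None):
        self.recorders = list(existing or [])
        self.recording = set()
        self.calls = []  # records (operation, recorder name) for inspection
    def describe_configuration_recorders(self):
        return {"ConfigurationRecorders": list(self.recorders)}
    def put_configuration_recorder(self, ConfigurationRecorder):
        self.recorders = [ConfigurationRecorder]
        self.calls.append(("put", ConfigurationRecorder["name"]))
    def describe_configuration_recorder_status(self, ConfigurationRecorderNames):
        return {"ConfigurationRecordersStatus": [{"name": n, "recording": n in self.recording}
                for n in ConfigurationRecorderNames if any(r["name"] == n for r in self.recorders)]}
    def start_configuration_recorder(self, ConfigurationRecorderName):
        if not any(r["name"] == ConfigurationRecorderName for r in self.recorders):
            raise RuntimeError("NoSuchConfigurationRecorderException")  # mirrors the failure in the trace
        self.recording.add(ConfigurationRecorderName)
        self.calls.append(("start", ConfigurationRecorderName))
```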

gvasquez95 commented 4 hours ago

I've retried the remediation now that I'm subscribed to the SNS topic and I got this message:

{
  "severity": "ERROR",
  "message": "d17e465c-27c8-4b4b-b75d-acb24355fd1d: Remediation failed for SC control Config.1 in account 984845208087: See Automation Execution output for details (AwsAccount AWS::::Account:XXXXXXXXXXXX)",
  "finding": {
    "finding_id": "140ea7cc-6941-4ed0-8e48-8d68215741de",
    "finding_description": "This control checks whether AWS Config is enabled in your account in the current AWS Region, records all resources that correspond to controls that are enabled in the current Region, and uses the service-linked AWS Config role.",
    "standard_name": "security-control",
    "standard_version": "2.0.0",
    "standard_control": "Config.1",
    "title": "AWS Config should be enabled and use the service-linked role for resource recording",
    "region": "us-east-1",
    "account": "XXXXXXXXXXXX",
    "finding_arn": "arn:aws:securityhub:us-east-1:XXXXXXXXXXXX:security-control/Config.1/finding/140ea7cc-6941-4ed0-8e48-8d68215741de"
  }
}