aws-solutions / aws-control-tower-customizations

The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly-available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment using AWS best practices.
https://docs.aws.amazon.com/controltower/latest/userguide/cfct-overview.html
Apache License 2.0

Solution fails [StepFunctions.1] Security Hub control #185

Open steve-g-nz opened 4 months ago

steve-g-nz commented 4 months ago

The template as currently provided fails the StepFunctions.1 Security Hub control.

Please update the custom-control-tower-initiation.template to include the following:

Additional context: StepFunctions.1

snebhu3 commented 4 months ago

@steve-g-nz thank you for reaching out. Could you please provide more context on:

steve-g-nz commented 4 months ago

@snebhu3 the template as documented deploys step functions that fail the Security Hub control StepFunctions.1, which is part of the AWS Foundational Security Best Practices v1.0.0 standard. To prevent the control from failing, the template would need to include logging for the state machines, which would require the addition of a CloudWatch log group and adding the relevant IAM permissions to the execution role.
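A constructed CloudFormation fragment, added here as an illustration and not taken from the project's custom-control-tower-initiation.template, showing the three pieces the comment above names: a CloudWatch log group, the CloudWatch Logs permissions on the execution role, and a LoggingConfiguration on the state machine. The resource names, the log group name and the one-state Pass definition are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Constructed example of a state machine with logging enabled (not the project's template)
Resources:
  # Log group that receives the state machine's execution history (hypothetical name)
  StateMachineLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/vendedlogs/states/example-state-machine
      RetentionInDays: 90
  # Execution role; the logs:* actions below are what Step Functions needs to set up
  # a CloudWatch Logs delivery, and AWS requires Resource "*" for these particular actions
  StateMachineExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: states.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: StateMachineLoggingPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogDelivery
                  - logs:GetLogDelivery
                  - logs:UpdateLogDelivery
                  - logs:DeleteLogDelivery
                  - logs:ListLogDeliveries
                  - logs:PutResourcePolicy
                  - logs:DescribeResourcePolicies
                  - logs:DescribeLogGroups
                Resource: "*"
  # Minimal state machine (hypothetical definition) with logging turned on
  ExampleStateMachine:
    Type: AWS::StepFunctions::StateMachine
    Properties:
      RoleArn: !GetAtt StateMachineExecutionRole.Arn
      DefinitionString: '{"StartAt":"Done","States":{"Done":{"Type":"Pass","End":true}}}'
      LoggingConfiguration:
        Level: ALL                   # any level other than OFF satisfies StepFunctions.1
        IncludeExecutionData: false  # true would also write state input/output payloads to the log
        Destinations:
          - CloudWatchLogsLogGroup:
              LogGroupArn: !GetAtt StateMachineLogGroup.Arn
```

Keep IncludeExecutionData false unless the state input and output are known to contain nothing sensitive, since the log group then becomes a copy of every execution's payloads.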

snebhu3 commented 4 months ago

Thank you for the additional context. I have created an internal backlog to address this.