Open bakharzy opened 1 year ago
Hi @bakharzy, thanks for bringing this to our attention. Can you please share the standards configuration used in your environment so we can attempt to reproduce the issue? I only need this section:

standards:
  - name: PCI DSS v3.2.1
    deploymentTargets:
      organizationalUnits:
        - Root
    enable: true
    controlsToDisable:
      - Control1
      - Control2
Sure:

standards:
  - name: AWS Foundational Security Best Practices v1.0.0
    enable: true
    controlsToDisable:
      - IAM.1
      - EC2.10
      - Lambda.4
      - IAM.6
      - ECR.1
  - name: CIS AWS Foundations Benchmark v1.4.0
    enable: true
    controlsToDisable:
      - CIS.1.17
      - CIS.1.16
      - IAM.6
      - IAM.9
  - name: NIST Special Publication 800-53 Revision 5
    enable: true
    controlsToDisable:
      - IAM.6
      - IAM.9
      - ECR.1
Thanks for adding that, I can confirm not all controls listed were disabled in my environment. I've created a ticket in the team's backlog to investigate this behavior further, I'll update this ticket accordingly.
@erwaxler Thanks for investigating the issue. Please note that the issue I reported is two-fold.

One: The LZA should support disabling some controls by adding the control IDs to the controlsToDisable: list. You replicated this issue and already added it to the backlog. This bug was also discussed here: https://github.com/awslabs/landing-zone-accelerator-on-aws/issues/147

Two: The changes in the LZA update triggered some controls in SecurityHub. The controls are listed in my first comment. The controls are complaining about some deviation from best practices. This should be considered for resolution in the LZA development.
Hi Mohammad, with your config I was able to replicate the issue that you were having, primarily with the CIS v1.4.0 security standard controls. For the CIS controls, we need to map the controls you specified to the correct control definition. So for your use case, I had to do the following:

This is the correct configuration:

  - name: CIS AWS Foundations Benchmark v1.4.0
    enable: true
    controlsToDisable:
      - CIS.1.17
      - CIS.1.16
      - CIS.1.14
      - CIS.1.13
However, when the Security stack ran, it looks like the controls are still enabled according to the describe-security-standards output:

{
    "StandardsControlArn": "arn:aws:securityhub:us-east-1:[REDACTED]:control/cis-aws-foundations-benchmark/v/1.4.0/1.17",
    "ControlStatus": "ENABLED",
    "ControlStatusUpdatedAt": "2023-10-04T20:39:19.975000+00:00",
    "ControlId": "1.17",
    "Title": "Ensure a support role has been created to manage incidents with AWS Support",
    "Description": "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.",
    "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/IAM.18/remediation",
    "SeverityRating": "LOW",
    "RelatedRequirements": [
        "CIS AWS Foundations Benchmark v1.4.0/1.17"
    ]
},
{
    "StandardsControlArn": "arn:aws:securityhub:us-east-1:[REDACTED]:control/cis-aws-foundations-benchmark/v/1.4.0/1.14",
    "ControlStatus": "ENABLED",
    "ControlStatusUpdatedAt": "2023-10-04T20:39:19.970000+00:00",
    "ControlId": "1.14",
    "Title": "Ensure access keys are rotated every 90 days or less",
    "Description": "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.",
    "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/IAM.3/remediation",
    "SeverityRating": "MEDIUM",
    "RelatedRequirements": [
        "CIS AWS Foundations Benchmark v1.4.0/1.14"
    ]
},
Looking at the ControlId property, I see that the "CIS" prefix was not included, so I updated my config to the following:

  - name: CIS AWS Foundations Benchmark v1.4.0
    enable: true
    controlsToDisable:
      - "1.17"
      - "1.16"
      - "1.14"
      - "1.13"
If you look at the same output as earlier, it now shows that the controls are disabled:

{
    "StandardsControlArn": "arn:aws:securityhub:us-east-1:[REDACTED]:control/cis-aws-foundations-benchmark/v/1.4.0/1.14",
    "ControlStatus": "DISABLED",
    "DisabledReason": "Control disabled by Accelerator",
    "ControlStatusUpdatedAt": "2023-11-13T19:59:38.607000+00:00",
    "ControlId": "1.14",
    "Title": "Ensure access keys are rotated every 90 days or less",
    "Description": "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.",
    "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/IAM.3/remediation",
    "SeverityRating": "MEDIUM",
    "RelatedRequirements": [
        "CIS AWS Foundations Benchmark v1.4.0/1.14"
    ]
},
{
    "StandardsControlArn": "arn:aws:securityhub:us-east-1:[REDACTED]:control/cis-aws-foundations-benchmark/v/1.4.0/1.16",
    "ControlStatus": "DISABLED",
    "DisabledReason": "Control disabled by Accelerator",
    "ControlStatusUpdatedAt": "2023-11-13T19:59:39.066000+00:00",
    "ControlId": "1.16",
    "Title": "Ensure IAM policies that allow full \"*:*\" administrative privileges are not attached",
    "Description": "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.",
    "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/IAM.1/remediation",
    "SeverityRating": "HIGH",
    "RelatedRequirements": [
        "CIS AWS Foundations Benchmark v1.4.0/1.16"
    ]
},
{
    "StandardsControlArn": "arn:aws:securityhub:us-east-1:[REDACTED]:control/cis-aws-foundations-benchmark/v/1.4.0/1.17",
    "ControlStatus": "DISABLED",
    "DisabledReason": "Control disabled by Accelerator",
    "ControlStatusUpdatedAt": "2023-11-13T19:59:41.013000+00:00",
    "ControlId": "1.17",
    "Title": "Ensure a support role has been created to manage incidents with AWS Support",
    "Description": "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.",
    "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/IAM.18/remediation",
    "SeverityRating": "LOW",
    "RelatedRequirements": [
        "CIS AWS Foundations Benchmark v1.4.0/1.17"
    ]
},
For the CIS 1.4.0 controls, can you try removing the "CIS" prefix? Please encapsulate the value in quotes, as the accelerator will otherwise assume you're trying to pass in a number instead of a string.
Thanks @bo1984 for investigating this issue. Before modifying the configurations, I have some questions:
Hi Mohammad, thanks for the correction, but yes, in this case for IAM.6 and IAM.9, these controls would map to 1.6 and 1.5 in v1.4.0 of the CIS AWS Foundations Benchmark, respectively.

For your 2nd inquiry, say that you decide to disable IAM.6 in the Foundational Best Practices and CIS AWS Foundations Benchmark v1.4.0, but don't disable the controls in the NIST 800-53 framework; you shouldn't see this control disabled for the latter. Please keep in mind that it takes roughly 24 hours for the control to show as disabled in the Security Hub console. You'd be able to check if the control is enabled through the CLI via:

aws securityhub describe-standards-controls --standards-subscription-arn arn:aws:securityhub:us-east-1:[ACCOUNT ID HERE]:subscription/nist-800-53/v/5.0.0
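The two things this thread turns on are that a controlsToDisable entry only takes effect when it equals the ControlId that describe-standards-controls reports for that standard (so "CIS.1.17" never matches "1.17"), and that an unquoted YAML scalar such as 1.17 is read as a number rather than a string. The check below reconciles a parsed standards block against describe-standards-controls output and reports both problems per entry. It is an added example, not LZA's own code: it assumes the config has already been loaded by a YAML parser (PARSED_CONFIG is the dict such a loader returns for the block discussed above), and the describe records are constructed samples trimmed to the fields quoted in this thread, with a fourth record for ControlId "1.10" added only to show the numeric hazard.

```python
"""Reconcile an LZA-style Security Hub `standards` block with the ControlId
values that `aws securityhub describe-standards-controls` reports.

Added example, not LZA's own code. PARSED_CONFIG is what a YAML loader
returns for the CIS block discussed in the thread; DESCRIBE_OUTPUT is a
constructed sample with the field names quoted in the thread.
"""
from typing import Any, Dict, List, Optional, Tuple

# Constructed: the loader result for
#   controlsToDisable:
#     - CIS.1.17
#     - "1.16"
#     - 1.14
#     - 1.10
# Bare 1.14 arrives as the float 1.14 and bare 1.10 as the float 1.1.
PARSED_CONFIG = {
    "standards": [
        {
            "name": "CIS AWS Foundations Benchmark v1.4.0",
            "enable": True,
            "controlsToDisable": ["CIS.1.17", "1.16", 1.14, 1.10],
        }
    ]
}

_ARN = "arn:aws:securityhub:us-east-1:[REDACTED]:control/cis-aws-foundations-benchmark/v/1.4.0/"

# Constructed: trimmed describe-standards-controls records.
DESCRIBE_OUTPUT = {
    "Controls": [
        {"StandardsControlArn": _ARN + "1.17", "ControlStatus": "ENABLED", "ControlId": "1.17"},
        {"StandardsControlArn": _ARN + "1.16", "ControlStatus": "DISABLED",
         "DisabledReason": "Control disabled by Accelerator", "ControlId": "1.16"},
        {"StandardsControlArn": _ARN + "1.14", "ControlStatus": "DISABLED",
         "DisabledReason": "Control disabled by Accelerator", "ControlId": "1.14"},
        {"StandardsControlArn": _ARN + "1.10", "ControlStatus": "ENABLED", "ControlId": "1.10"},
    ]
}


def _as_key(entry: Any) -> Tuple[str, Optional[str]]:
    """Turn one controlsToDisable entry into the string used for lookup.

    Non-string entries are what an unquoted YAML scalar produces; flag them,
    because 1.10 has already become 1.1 and can never match "1.10".
    """
    if isinstance(entry, str):
        return entry, None
    return str(entry), (
        f"value {entry!r} was read by the YAML parser as a number; "
        f'quote it ("{entry}") so it is compared as a string'
    )


def check_standard(standard: Dict[str, Any], controls: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one finding per controlsToDisable entry.

    status is one of:
      disabled      - a ControlId matched and the control is DISABLED
      still-enabled - a ControlId matched but the control is not DISABLED
      unmatched     - no record in the describe output has that ControlId
    """
    by_id = {c["ControlId"]: c for c in controls}
    findings = []
    for entry in standard.get("controlsToDisable", []):
        key, note = _as_key(entry)
        if key in by_id:
            state = by_id[key]["ControlStatus"]
            status = "disabled" if state == "DISABLED" else "still-enabled"
        else:
            status = "unmatched"
            hint = f'no ControlId "{key}" in this standard'
            # The root cause in this thread: "CIS.1.17" never matches "1.17".
            bare = key[len("CIS."):] if key.startswith("CIS.") else None
            if bare in by_id:
                hint += f'; ControlId "{bare}" exists, drop the "CIS." prefix'
            note = hint if note is None else f"{hint}; {note}"
        findings.append({"requested": entry, "key": key, "status": status, "note": note})
    return findings


if __name__ == "__main__":
    std = PARSED_CONFIG["standards"][0]
    for f in check_standard(std, DESCRIBE_OUTPUT["Controls"]):
        print(f"{f['requested']!r:12} -> {f['status']:13} {f['note'] or ''}")
```

In practice the DESCRIBE_OUTPUT dict would be the JSON from the describe-standards-controls command quoted above, run once per standards subscription ARN, and the config dict would come from loading security-config.yaml; running the check per standard shows which entries silently did nothing before the next accelerator run.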
Hi @bo1984, I made the changes as follows:

Results:

Using the command aws securityhub describe-standards-controls --standards-subscription-arn shows that all those 4 controls are disabled. I ran the command for all three standards and in two different accounts (security account and another account). So far so good.

Observation in Security Hub UI:

Additional observation:

I ran another command in both accounts: aws securityhub batch-get-security-controls --region [REGION] --security-control-ids '["IAM.9", "IAM.6", "IAM.1", "IAM.18"]'. The output shows that IAM.1 is enabled and the other 3 are disabled.

Expected:
I have a very similar issue. As I am upgrading from LZA 1.7.1 to 1.9.1, I am getting the following in CloudTrail.

My config is:

standards:
  - name: AWS Foundational Security Best Practices v1.0.0
    enable: true
    controlsToDisable:
      - IAM.1
      - EC2.10
      - Lambda.4
  - name: PCI DSS v3.2.1
    enable: false
    controlsToDisable:
      - PCI.IAM.3
      - PCI.S3.3
      - PCI.EC2.3
      - PCI.Lambda.2
  - name: CIS AWS Foundations Benchmark v1.2.0
    enable: false
    controlsToDisable:
      - CIS.1.20
      - CIS.1.22
      - CIS.2.6
CloudTrail error:

{
  "eventVersion": "1.09",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAUEV2XZ72YUEJ4NYY7:AWSAccelerator-SecurityAu-CustomSecurityHubCreateM-WLpGYiZCDYyg",
    "arn": "arn:aws:sts::XXX:assumed-role/AWSAccelerator-SecurityAu-CustomSecurityHubCreateM-12RO2J1JYR7PY/AWSAccelerator-SecurityAu-CustomSecurityHubCreateM-WLpGYiZCDYyg",
    "accountId": "XXX",
    "accessKeyId": "ASIAUEV2XZ7276GMIQFV",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAUEV2XZ72YUEJ4NYY7",
        "arn": "arn:aws:iam::XXXX:role/AWSAccelerator-SecurityAu-CustomSecurityHubCreateM-12RO2J1JYR7PY",
        "accountId": "XXXX",
        "userName": "AWSAccelerator-SecurityAu-CustomSecurityHubCreateM-12RO2J1JYR7PY"
      },
      "attributes": {
        "creationDate": "2024-08-15T21:27:36Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2024-08-15T21:27:43Z",
  "eventSource": "securityhub.amazonaws.com",
  "eventName": "UpdateOrganizationConfiguration",
  "awsRegion": "us-east-2",
  "sourceIPAddress": "3.137.167.98",
  "userAgent": "aws-sdk-nodejs/2.1379.0 linux/v18.20.4 exec-env/AWS_Lambda_nodejs18.x AwsSolution/SO0199/1.7.1 promise",
  "errorCode": "InvalidInputException",
  "requestParameters": {
    "AutoEnable": true
  },
  "responseElements": {
    "Type": "InvalidInputException",
    "RequestId": "9e288a01-f33c-4335-9cb9-ae9e6e01ab7e",
    "Message": "Auto Enable and AutoEnableStandards can not be enabled for Central Configuration",
    "Code": "InvalidInputException"
  },
  "requestID": "1fdb33e9-0164-4bf3-9c19-92bc3f618a14",
  "eventID": "4a267697-c696-43d3-b81d-ca8e3d89c8cd",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "XXXX",
  "eventCategory": "Management"
}
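The event above was found by reading CloudTrail by hand. When the accelerator's Security Hub Lambda fails this way, the pipeline may still report success, so it is worth pulling failed Security Hub configuration calls out of the trail routinely and attributing them to the calling role session. The script below does that over a small constructed trail; it is an added example and not part of the issue or of LZA. The first record is trimmed from the event quoted above (account IDs kept redacted), the other two are made up to show that successful calls and errors from other services are skipped.

```python
"""Surface failed Security Hub API calls in a CloudTrail export.

Added example, not LZA's code. SAMPLE_TRAIL is constructed: record 1 is
trimmed from the UpdateOrganizationConfiguration event in this thread,
records 2 and 3 are invented to exercise the filtering.
"""
import json
from typing import Dict, List

_ACCEL_ARN = (
    "arn:aws:sts::XXXX:assumed-role/"
    "AWSAccelerator-SecurityAu-CustomSecurityHubCreateM-12RO2J1JYR7PY/"
    "AWSAccelerator-SecurityAu-CustomSecurityHubCreateM-WLpGYiZCDYyg"
)

SAMPLE_TRAIL = json.dumps({"Records": [
    {   # trimmed from the event quoted in the thread
        "eventVersion": "1.09",
        "userIdentity": {"type": "AssumedRole", "arn": _ACCEL_ARN},
        "eventTime": "2024-08-15T21:27:43Z",
        "eventSource": "securityhub.amazonaws.com",
        "eventName": "UpdateOrganizationConfiguration",
        "awsRegion": "us-east-2",
        "errorCode": "InvalidInputException",
        "requestParameters": {"AutoEnable": True},
        "responseElements": {
            "Type": "InvalidInputException",
            "Message": "Auto Enable and AutoEnableStandards can not be enabled for Central Configuration",
            "Code": "InvalidInputException",
        },
    },
    {   # made up: a Security Hub call that succeeded (no errorCode)
        "userIdentity": {"type": "AssumedRole", "arn": _ACCEL_ARN},
        "eventTime": "2024-08-15T21:27:50Z",
        "eventSource": "securityhub.amazonaws.com",
        "eventName": "BatchEnableStandards",
        "awsRegion": "us-east-2",
        "requestParameters": {},
    },
    {   # made up: an error from another service, not our concern here
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::XXXX:user/example-user"},
        "eventTime": "2024-08-15T21:28:01Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetBucketPolicy",
        "awsRegion": "us-east-2",
        "errorCode": "AccessDenied",
        "errorMessage": "Access Denied",
    },
]})


def failed_securityhub_calls(trail_json: str) -> List[Dict[str, str]]:
    """Return one row per Security Hub API call that CloudTrail recorded as failed.

    The row names the role session (last ARN segment) so an accelerator
    Lambda is easy to tell apart from a person, plus the API, the error code
    and the service message. The message is taken from responseElements
    (as in this thread's event) or from the top-level errorMessage field.
    """
    rows = []
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventSource") != "securityhub.amazonaws.com":
            continue
        if "errorCode" not in rec:
            continue
        arn = rec.get("userIdentity", {}).get("arn", "")
        resp = rec.get("responseElements") or {}
        rows.append({
            "time": rec.get("eventTime", ""),
            "region": rec.get("awsRegion", ""),
            "session": arn.rsplit("/", 1)[-1] if arn else "",
            "api": rec.get("eventName", ""),
            "error": rec["errorCode"],
            "message": resp.get("Message") or rec.get("errorMessage", ""),
        })
    return rows


def central_config_conflicts(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only the failures that Security Hub attributes to central configuration.

    This is the specific failure in the thread: an organization-level call
    rejected because the account uses central configuration.
    """
    return [r for r in rows
            if r["error"] == "InvalidInputException" and "Central Configuration" in r["message"]]


if __name__ == "__main__":
    rows = failed_securityhub_calls(SAMPLE_TRAIL)
    for r in rows:
        print(f"{r['time']} {r['region']} {r['session']} {r['api']} {r['error']}: {r['message']}")
    print("central-config conflicts:", len(central_config_conflicts(rows)))
```

For a real trail, feed the function the JSON of each object from the CloudTrail S3 prefix (they have the same {"Records": [...]} shape); the session name of an accelerator role identifies which custom resource made the call, which is the first thing to look at when a stack succeeds but a control is not in the expected state.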
FYI @snemir2, given that central config is NOT yet supported, you may find the fix would have to wait for it:
https://github.com/awslabs/landing-zone-accelerator-on-aws/issues/505#issuecomment-2203180978
Hopefully the feature is expedited.
Is your feature request related to a problem? Please describe.
I updated the LZA from version 1.3.2 to 1.5.1. After the update, there are some failed controls in SecurityHub related to LZA.

[S3 permissions granted to other AWS accounts in bucket policies should be restricted] Control ID: S3.6
Failed on S3 buckets related to LZA. In my case, there are 3 buckets with this naming: accel-assets-111111111111-regionName

[CloudWatch Alarms should have an action configured for the alarm state] Control ID: CloudWatch.15
Failed CloudWatch Alarm: AWSAcceleratorFailedAlarm
This item was also failing in v1.3.2 of LZA. I manually added an action and it passed. However, after the update, the action is removed and the control is failing again.

Describe the feature you'd like
The changes to the LZA should be aligned with SecurityHub Controls and best practices. At the least, the above failed controls should be addressed.

Additional context
Unfortunately, it is not possible to disable controls on ControlTower via LZA. There is an existing bug in LZA which was not fixed in the latest update. Here is the report of the bug: https://github.com/awslabs/landing-zone-accelerator-on-aws/issues/147