awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0
558 stars 446 forks

Re-Enabling Securityhub causes AccessDeniedException in child accounts #381

Open OllionDavidCunliffe opened 9 months ago

OllionDavidCunliffe commented 9 months ago

I originally enabled security hub controls in my environment. When attempting to add a new account I was met with the same error as I'm receiving now. I went into the security account and disabled the security hub controls and the pipeline works fine. As soon as I attempt to add security hub back without the controls the same issue persists in LZA.

To Reproduce: edit Security-Config.yml

```yaml
securityHub:
    enable: true  # set from true to false and back
    regionAggregation: true
    excludeRegions: []
    standards:
      - name: AWS Foundational Security Best Practices v1.0.0
        enable: false
        controlsToDisable:
          - IAM.1
          - EC2.10
          - Lambda.4
      - name: PCI DSS v3.2.1
        enable: false
        controlsToDisable:
          - PCI.IAM.3
          - PCI.S3.3
          - PCI.EC2.3
          - PCI.Lambda.2
      - name: CIS AWS Foundations Benchmark v1.4.0
        enable: false
        controlsToDisable:
          - CIS.1.17
          - CIS.1.16
      - name: NIST Special Publication 800-53 Revision 5
        enable: false
        controlsToDisable: []
```

Expected behavior: enable the feature and apply controls against all accounts within the organization.

Please complete the following information about the solution:

To get the version of the solution, you can look at the description of the created AWS CloudFormation stack used to install the LZA (AWSAccelerator-InstallerStack). For example, "(SO0199) Landing Zone Accelerator on AWS. Version 1.5.1.". If the description does not contain the version information, you can look at the Parameters of the stack for the RepositoryBranchName as that should contain the version number.

Screenshots: from the Security Audit stage:

Failed resources: AWSAccelerator-SecurityAuditStack-xxx-us-west-1 | 11:22:09 PM | CREATE_FAILED | Custom::SecurityHubCreateMembers | SecurityHubMembers/Resource/Default (SecurityHubMembers2A2B77C4) Received response status [FAILED] from custom resource. Message returned: AccessDeniedException: Account xxx is managed by a configuration policy

AWSAccelerator-SecurityAuditStack-xxx-us-west-1 failed: Error: The stack named AWSAccelerator-SecurityAuditStack-xxx-us-west-1 failed to deploy: UPDATE_ROLLBACK_COMPLETE: Received response status [FAILED] from custom resource. Message returned: AccessDeniedException: Account xxx is managed by a configuration policy

Deployment failed: Error: The stack named AWSAccelerator-SecurityAuditStack-xxx-us-west-1 failed to deploy: UPDATE_ROLLBACK_COMPLETE: Received response status [FAILED] from custom resource. Message returned: AccessDeniedException: Account xxx is managed by a configuration policy

2024-01-22 23:22:44.556 | error | toolkit | The stack named AWSAccelerator-SecurityAuditStack-xxx-us-west-1 failed to deploy: UPDATE_ROLLBACK_COMPLETE: Received response status [FAILED] from custom resource. Message returned: AccessDeniedException: Account xxx is managed by a configuration policy

bo1984 commented 9 months ago

Hi @2Wdavidcunliffe, thank you for using the Landing Zone Accelerator on AWS (LZA) solution. In the Management account, can you verify if trusted access is enabled for Security Hub in the Organization console? Additionally, are you using any custom configuration policies within Security Hub?
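The two things asked above can be verified from the API instead of the console. The following script is an added example, not code from LZA or from this thread: it calls Organizations `ListAWSServiceAccessForOrganization` (run from the management account) and Security Hub `DescribeOrganizationConfiguration`, `ListConfigurationPolicies` and `ListConfigurationPolicyAssociations` (run from the delegated administrator account), and reports whether central configuration is on and which member accounts are governed by a configuration policy. The decision logic is kept in pure functions so it can be exercised offline; the response dictionaries under `SAMPLE_*` are constructed for that purpose and are not captured from a real organization.

```python
"""Check Security Hub trusted access and configuration-policy coverage.

Added example (not LZA code). Live calls need boto3 and credentials in the
management account (Organizations) and the delegated admin (Security Hub).
"""
from __future__ import annotations

from typing import Any, Callable

SECURITYHUB_PRINCIPAL = "securityhub.amazonaws.com"
# Policy id Security Hub reports for targets that are self-managed, i.e. not
# governed by any configuration policy.
SELF_MANAGED = "SELF_MANAGED_SECURITY_HUB"


def trusted_access_enabled(service_access: dict[str, Any]) -> bool:
    """True if Security Hub is listed in ListAWSServiceAccessForOrganization."""
    return any(
        p.get("ServicePrincipal") == SECURITYHUB_PRINCIPAL
        for p in service_access.get("EnabledServicePrincipals", [])
    )


def uses_central_configuration(org_config: dict[str, Any]) -> bool:
    """True if DescribeOrganizationConfiguration reports CENTRAL configuration."""
    cfg = org_config.get("OrganizationConfiguration", {})
    return cfg.get("ConfigurationType") == "CENTRAL"


def policy_managed_accounts(
    associations: list[dict[str, Any]], policies: list[dict[str, Any]]
) -> dict[str, str]:
    """Map account id -> policy name for accounts whose association (applied
    directly or inherited from an OU) succeeded. Self-managed accounts and
    OU/root targets are skipped."""
    names = {p["Id"]: p.get("Name", p["Id"]) for p in policies}
    managed: dict[str, str] = {}
    for a in associations:
        policy_id = a.get("ConfigurationPolicyId")
        if (
            a.get("TargetType") == "ACCOUNT"
            and a.get("AssociationStatus") == "SUCCESS"
            and policy_id
            and policy_id != SELF_MANAGED
        ):
            managed[a["TargetId"]] = names.get(policy_id, policy_id)
    return managed


def _collect(call: Callable[..., dict[str, Any]], key: str) -> list[dict[str, Any]]:
    """Follow NextToken pagination and concatenate the items under `key`."""
    items: list[dict[str, Any]] = []
    kwargs: dict[str, Any] = {}
    while True:
        resp = call(**kwargs)
        items.extend(resp.get(key, []))
        if not resp.get("NextToken"):
            return items
        kwargs = {"NextToken": resp["NextToken"]}


def run_checks(org_client: Any, sh_client: Any) -> dict[str, Any]:
    """Run all three checks against live boto3 clients."""
    return {
        "trusted_access": trusted_access_enabled(
            org_client.list_aws_service_access_for_organization()
        ),
        "central_configuration": uses_central_configuration(
            sh_client.describe_organization_configuration()
        ),
        "policy_managed_accounts": policy_managed_accounts(
            _collect(sh_client.list_configuration_policy_associations,
                     "ConfigurationPolicyAssociationSummaries"),
            _collect(sh_client.list_configuration_policies,
                     "ConfigurationPolicySummaries"),
        ),
    }


# Constructed sample responses (not captured from a real account).
SAMPLE_SERVICE_ACCESS = {"EnabledServicePrincipals": [{"ServicePrincipal": SECURITYHUB_PRINCIPAL}]}
SAMPLE_ORG_CONFIG = {"OrganizationConfiguration": {"ConfigurationType": "CENTRAL", "Status": "ENABLED"}}
SAMPLE_POLICIES = [{"Id": "policy-0001", "Name": "baseline"}]
SAMPLE_ASSOCIATIONS = [
    {"ConfigurationPolicyId": "policy-0001", "TargetId": "111111111111",
     "TargetType": "ACCOUNT", "AssociationType": "INHERITED", "AssociationStatus": "SUCCESS"},
    {"ConfigurationPolicyId": SELF_MANAGED, "TargetId": "222222222222",
     "TargetType": "ACCOUNT", "AssociationType": "APPLIED", "AssociationStatus": "SUCCESS"},
    {"ConfigurationPolicyId": "policy-0001", "TargetId": "ou-abcd-12345678",
     "TargetType": "ORGANIZATIONAL_UNIT", "AssociationType": "APPLIED", "AssociationStatus": "SUCCESS"},
]


def demo() -> dict[str, Any]:
    """Evaluate the constructed samples with the same logic run_checks uses live."""
    return {
        "trusted_access": trusted_access_enabled(SAMPLE_SERVICE_ACCESS),
        "central_configuration": uses_central_configuration(SAMPLE_ORG_CONFIG),
        "policy_managed_accounts": policy_managed_accounts(SAMPLE_ASSOCIATIONS, SAMPLE_POLICIES),
    }


if __name__ == "__main__":
    import boto3  # only needed for a live run
    print(run_checks(boto3.client("organizations"), boto3.client("securityhub")))
```

An account that appears in `policy_managed_accounts` is one whose Security Hub settings are owned by the central configuration policy rather than by the account itself, which is the state a per-account member-management call would be competing with; the self-managed entry and the OU-level association are deliberately left out of the result so the list only names accounts.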

OllionDavidCunliffe commented 9 months ago

Sorry for the delay @bo1984. Trusted access is enabled under the services for the Organization.