awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

SecurityAudit phase in the build is throwing InvalidAccessException: Account xxxx is not an administrator for this organization #413

Closed zaid-themedcompany closed 7 months ago

zaid-themedcompany commented 7 months ago

Describe the bug
When I run the Accelerator pipeline, it fails under SecurityAudit with the following:

security-config.xml excerpt

homeRegion: &HOME_REGION eu-west-1
centralSecurityServices:
  ##################################################################################################################
  # Based upon AWS Security Reference Architecture (AWS SRA),                                                      #
  # Assigning delegated administrator to security tooling (Audit) account                                          #
  # https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/security-tooling.html #
  ##################################################################################################################
  delegatedAdminAccount: Audit
  ebsDefaultVolumeEncryption:
    enable: true
    excludeRegions: []
  s3PublicAccessBlock:
    enable: true
    excludeAccounts: []
  scpRevertChangesConfig:
    enable: true
    snsTopicName: Security
  macie:
    enable: true
    excludeRegions: []
    policyFindingsPublishingFrequency: FIFTEEN_MINUTES
    publishSensitiveDataFindings: true
  guardduty:
    enable: true
    excludeAccounts:
      - 992382814739
    excludeRegions: []
    s3Protection:
      enable: true
      excludeRegions: []
    lambdaProtection:
      enable: true
      excludeRegions: []
    exportConfiguration:
      enable: true
      overrideExisting: true
      destinationType: S3
      exportFrequency: FIFTEEN_MINUTES
  auditManager:
    enable: true
    excludeRegions:
      - eu-west-3
    defaultReportsConfiguration:
      enable: true
      destinationType: S3
    lifecycleRules:
      - enabled: true
        abortIncompleteMultipartUpload: 7
        expiration: 1000
        noncurrentVersionExpiration: 1000

To Reproduce
I tried to run it a few times and it keeps failing.

Expected behavior
It should pass.

Please complete the following information about the solution:

To get the version of the solution, you can look at the description of the created AWS CloudFormation stack used to install the LZA (AWSAccelerator-InstallerStack). For example, "(SO0199) Landing Zone Accelerator on AWS. Version 1.5.1.". If the description does not contain the version information, you can look at the Parameters of the stack for the RepositoryBranchName as that should contain the version number.

Screenshots If applicable, add screenshots to help explain your problem (please DO NOT include sensitive information).

Additional context Add any other context about the problem here.

zaid-themedcompany commented 7 months ago

CloudFormation - Stack AWSAccelerator-SecurityAuditStack-bug

bo1984 commented 7 months ago

Hello Zaid! Thank you for using the Landing Zone Accelerator on AWS solution. We've seen this issue before when the delegated admin account had already been set for the AWS Organization. In your Management account, for SecurityHub, does it show the delegated admin account being set for the Audit account?

zaid-themedcompany commented 7 months ago

Spot on @bo1984! The Delegated Admin account for the Security Hub (in the management account, for the same region) was not set! I did set it manually to the Audit Account and everything worked perfectly afterwards, thank you! I am closing the issue.
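A pre-flight check for the root cause found above, added here as an example and not part of the LZA project or this thread: it compares the Security Hub delegated administrator in the home region (the AdminAccounts list from securityhub:ListOrganizationAdminAccounts, called from the management account) against the account named in centralSecurityServices.delegatedAdminAccount. The account ids and the name-to-id map are constructed; in a real run the map would come from accounts-config.yaml.

```python
"""Pre-flight check for the failure in this issue: the SecurityAudit stack expects
the account named in centralSecurityServices.delegatedAdminAccount to already be
the Security Hub delegated administrator in the home region (eu-west-1).
Account ids below are constructed (assumption, not LZA's own code)."""

# Constructed sample mapping of account name -> account id.
ACCOUNTS = {"Management": "111111111111", "Audit": "222222222222"}

def check_securityhub_delegated_admin(expected_account_id, admin_accounts):
    """Classify the AdminAccounts list returned by
    securityhub:ListOrganizationAdminAccounts (management account, home region)
    against the account id the LZA config names.
    Returns 'ok', 'not-set', 'disabling' or 'mismatch'."""
    if not admin_accounts:
        return "not-set"      # the reporter's situation: no delegated admin yet
    enabled = [a for a in admin_accounts if a.get("Status") == "ENABLED"]
    if not enabled:
        return "disabling"    # DISABLE_IN_PROGRESS: wait before running the pipeline
    if any(a["AccountId"] == expected_account_id for a in enabled):
        return "ok"
    return "mismatch"         # delegated to a different account than the config names

def preflight(delegated_admin_name, admin_accounts, accounts=ACCOUNTS):
    """Return (status, operator advice) for the account named in the config."""
    expected = accounts[delegated_admin_name]
    status = check_securityhub_delegated_admin(expected, admin_accounts)
    advice = {
        "ok": f"Security Hub delegated admin is {delegated_admin_name} ({expected}); safe to run.",
        "not-set": "No Security Hub delegated admin in this region. In the management account run "
                   f"'aws securityhub enable-organization-admin-account --admin-account-id {expected}' "
                   "(or set it in the console) before re-running the pipeline.",
        "disabling": "A previous delegated admin is still being disabled; retry once it has cleared.",
        "mismatch": f"Security Hub delegated admin is not {expected}; align the console setting "
                    "and delegatedAdminAccount before re-running.",
    }
    return status, advice[status]

def live_admin_accounts(region="eu-west-1"):
    """Fetch the real list with boto3 when run with management-account credentials."""
    import boto3  # optional; only needed for a live check
    client = boto3.client("securityhub", region_name=region)
    return client.list_organization_admin_accounts()["AdminAccounts"]

if __name__ == "__main__":
    # Constructed responses standing in for the live API call.
    for sample in ([], [{"AccountId": "222222222222", "Status": "ENABLED"}],
                   [{"AccountId": "333333333333", "Status": "ENABLED"}]):
        print(*preflight("Audit", sample))
```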