awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

Pipeline times out at AuditManagerEnableOrganizationAdminAccount on eu-west-3 #416

Open zaid-themedcompany opened 4 months ago

zaid-themedcompany commented 4 months ago

Describe the bug: When running LZA with the healthcare configuration here and deploying the solution to eu-west-3 (Paris), the AWSAccelerator-Pipeline fails in the Organization stage; the stack AWSAccelerator-OrganizationsStack-xxxxx-eu-west-3 runs until it times out and fails to create the logical ID AuditManagerEnableOrganizationAdminAccount.

Is this happening because the config used for LZA healthcare requires the Audit Manager service, which isn't available in Paris (eu-west-3)?

To Reproduce: Run LZA with the healthcare configuration (excerpt below)

##################################################################################################################
# For additional configurable services, features, and property descriptions,                                     #
# please review our network configuration reference in our README.md:                                            #
# https://awslabs.github.io/landing-zone-accelerator-on-aws/classes/_aws_accelerator_config.SecurityConfig.html  #
##################################################################################################################

homeRegion: &HOME_REGION us-east-1
centralSecurityServices:
  ##################################################################################################################
  # Based upon AWS Security Reference Architecture (AWS SRA),                                                      #
  # Assigning delegated administrator to security tooling (Audit) account                                          #
  # https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/security-tooling.html #
  ##################################################################################################################
  delegatedAdminAccount: Audit
  ebsDefaultVolumeEncryption:
    enable: true
    excludeRegions: []
  s3PublicAccessBlock:
    enable: true
    excludeAccounts: []
  scpRevertChangesConfig:
    enable: true
    snsTopicName: Security
  macie:
    enable: true
    excludeRegions: []
    policyFindingsPublishingFrequency: FIFTEEN_MINUTES
    publishSensitiveDataFindings: true
  guardduty:
    enable: true
    excludeRegions: []
    s3Protection:
      enable: true
      excludeRegions: []
    exportConfiguration:
      enable: true
      overrideExisting: true
      destinationType: S3
      exportFrequency: FIFTEEN_MINUTES
  auditManager:
    enable: true
    excludeRegions: []
    defaultReportsConfiguration:
      enable: true
      destinationType: S3
    lifecycleRules:
      - enabled: true
        abortIncompleteMultipartUpload: 7
        expiration: 1000
        noncurrentVersionExpiration: 1000
  detective:
    enable: false
    excludeRegions: []
  ##################################################################################################################
  # AWS Security Hub Configurations                                                                                #
  ##################################################################################################################
  securityHub:
    enable: true
    regionAggregation: true
    excludeRegions: []
    standards:

Expected behavior: It should pass and the AWSAccelerator-Pipeline should finish successfully.

Screenshots

CloudFormation - error_enabling_audit_manager

zaid-themedcompany commented 4 months ago

Also, deleting the stack takes ages, I suppose again because there is no AWS Audit Manager in eu-west-3?

CloudFormation - deleting_failed_Stack

zaid-themedcompany commented 4 months ago

I tried a workaround to exclude the Paris region from Audit Manager in security-config.yaml, but no luck:

  auditManager:
    enable: true
    excludeRegions:
      - eu-west-3

I also tried excluding Paris from awsConfig using the following:

awsConfig:
  excludeRegions:
    - eu-west-3

But I got the following error in the pipeline in the Security_Resources stage, in the stack AWSAccelerator-SecurityResourcesStack-xxxxx-eu-west-3:

"Invalid request provided: NoAvailableConfigurationRecorder"

CloudFormation - Stack AWSAccelerator-SecurityResourcesStack-eu-west-3 2024-03-07 14-08-05

ye-yng commented 3 months ago

> I tried a workaround to exclude the Paris region from Audit Manager in security-config.yaml, but no luck:
>
>   auditManager:
>     enable: true
>     excludeRegions:
>       - eu-west-3
>
> I also tried excluding Paris from awsConfig using the following:
>
> awsConfig:
>   excludeRegions:
>     - eu-west-3
>
> But I got the following error in the pipeline in the Security_Resources stage, in the stack AWSAccelerator-SecurityResourcesStack-xxxxx-eu-west-3:
>
> "Invalid request provided: NoAvailableConfigurationRecorder"
>
> CloudFormation - Stack AWSAccelerator-SecurityResourcesStack-eu-west-3 2024-03-07 14-08-05

I can't say regarding the main issue, but we also ran into the NoAvailableConfigurationRecorder. This was mainly due to enabling a new region in Control Tower but not updating enrolled accounts. This leads to AWS Config in the new regions not being initialized. The fix was to simply update enrolled accounts through Control Tower.
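The two failure modes discussed in this thread (a service still targeting a region after `excludeRegions` was set, and a region whose AWS Config recorder was never initialized, which the SecurityResources stack reports as `NoAvailableConfigurationRecorder`) can be caught before the pipeline runs. The script below is an added example, not part of the LZA project or of any comment here: it computes, per service in `centralSecurityServices`, the regions LZA will target (`enabledRegions` minus `excludeRegions`; `enabledRegions` lives in global-config.yaml and its value here is assumed, since the thread does not show it) and then asks each region whether a Config recorder exists via the response shape of boto3's `ConfigService.describe_configuration_recorders()`. The AWS call is injected so the check runs offline against a constructed stub; the stub models exactly the situation ye-yng describes (eu-west-3 enabled in Control Tower, accounts not updated, so no recorder there). The config dict is a hand-transcribed subset of the YAML above.

```python
"""Pre-flight check: LZA security-config region targeting vs. AWS Config recorders.

Added example (not LZA code). Reproduces the thread's failure offline: a service
enabled for a region with no AWS Config recorder is what surfaces as
"Invalid request provided: NoAvailableConfigurationRecorder".
"""
from typing import Callable, Dict, List, Set

# Assumed global-config.yaml enabledRegions (the thread does not show this list).
ENABLED_REGIONS = ["us-east-1", "eu-west-1", "eu-west-3"]

# Subset of the thread's security-config.yaml, transcribed by hand, with the
# auditManager excludeRegions workaround from the later comment applied.
SECURITY_CONFIG = {
    "centralSecurityServices": {
        "guardduty": {"enable": True, "excludeRegions": []},
        "auditManager": {"enable": True, "excludeRegions": ["eu-west-3"]},
        "detective": {"enable": False, "excludeRegions": []},
        "securityHub": {"enable": True, "excludeRegions": []},
    }
}


def target_regions(service: Dict, enabled_regions: List[str]) -> Set[str]:
    """Regions LZA deploys a service to: enabledRegions minus excludeRegions,
    or no regions at all when the service has enable: false."""
    if not service.get("enable", False):
        return set()
    return set(enabled_regions) - set(service.get("excludeRegions", []))


def regions_without_recorder(regions: Set[str],
                             describe_recorders: Callable[[str], Dict]) -> Set[str]:
    """Regions whose describe_configuration_recorders() response lists no recorder.

    describe_recorders(region) must return the boto3 response shape
    {"ConfigurationRecorders": [...]}; injecting it keeps the check offline-capable."""
    return {r for r in regions if not describe_recorders(r).get("ConfigurationRecorders")}


def audit(config: Dict, enabled_regions: List[str],
          describe_recorders: Callable[[str], Dict]) -> Dict[str, Set[str]]:
    """Map each enabled service to the regions it targets that lack a recorder.
    An empty dict means the pipeline will not hit NoAvailableConfigurationRecorder."""
    findings: Dict[str, Set[str]] = {}
    for name, svc in config["centralSecurityServices"].items():
        missing = regions_without_recorder(target_regions(svc, enabled_regions),
                                           describe_recorders)
        if missing:
            findings[name] = missing
    return findings


# Constructed stand-in for the AWS API: eu-west-3 was enabled in Control Tower
# but enrolled accounts were not updated, so no Config recorder exists there.
FAKE_RECORDERS = {
    "us-east-1": {"ConfigurationRecorders": [{"name": "default"}]},
    "eu-west-1": {"ConfigurationRecorders": [{"name": "default"}]},
    "eu-west-3": {"ConfigurationRecorders": []},
}


def fake_describe(region: str) -> Dict:
    """Offline substitute for the per-region AWS Config lookup."""
    return FAKE_RECORDERS.get(region, {"ConfigurationRecorders": []})


def live_describe(region: str) -> Dict:
    """Real lookup for use in an account with credentials; imports boto3 lazily
    so the offline demo has no dependency on it."""
    import boto3  # assumption: boto3 installed and credentials configured
    return boto3.client("config", region_name=region).describe_configuration_recorders()


if __name__ == "__main__":
    for svc, regions in audit(SECURITY_CONFIG, ENABLED_REGIONS, fake_describe).items():
        print(f"{svc}: no AWS Config recorder in {', '.join(sorted(regions))}")
```

Run against the stub, the report flags guardduty and securityHub for eu-west-3 while auditManager is clean (its exclusion takes effect) and detective is skipped (disabled). Swap `fake_describe` for `live_describe` and iterate it from each enrolled account to confirm, before the next pipeline run, that Control Tower has actually initialized Config in every newly enabled region.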