Closed Thomas-McKanna closed 2 months ago
In case it helps anyone - I was able to get past the error by excluding the management account (not sure what the problem with the management account is). So, my full AWS Config settings were:
awsConfig:
enableConfigurationRecorder: true
overrideExisting: true
deploymentTargets:
organizationalUnits:
- Root
excludedAccounts:
- Management
ruleSets: []
@Thomas-McKanna - same here https://github.com/awslabs/landing-zone-accelerator-on-aws/issues/527
Hi I'm having a problem that maybe is related to yours. Your fix resolved the problem for me.
But what is the implication of that change? Is that any action in management account will be not detected by AWS Config on that account?
By the way, here the details about my configurations.
For my configuration I have us-east-1 as home region and with only home region the setup runs fine. But when I enable another region, like, us-west-2, theses errors appears for each AWS Config rule that I try to create.
AWS Config and Security Hub is active. Here the logs with the error:
`
AWSAccelerator-SecurityResourcesStack-22222222222-us-west-2 \| 2:44:43 PM \| CREATE_FAILED \| AWS::Config::ConfigRule \| AcceleratorSagemakerNotebookInstanceKmsKeyConfigured (AcceleratorSagemakerNotebookInstanceKmsKeyConfigured98505444) Resource handler returned message: "Invalid request provided: NoAvailableConfigurationRecorder" (RequestToken: f52a963b-c774-cd56-89bb-0ecc3efa4f8c, HandlerErrorCode: InvalidRequest) -- 1170 | new ManagedRule (/codebuild/output/src2815/src/s3/00/source/node_modules/aws-cdk-lib/aws-config/lib/rule.js:1:3558) 1171 | \_ SecurityResourcesStack.createManagedConfigRule (/codebuild/output/src2815/src/s3/00/source/packages/@aws-accelerator/accelerator/lib/stacks/security-resources-stack.ts:684:31) 1172 | \_ SecurityResourcesStack.createAwsConfigRules (/codebuild/output/src2815/src/s3/00/source/packages/@aws-accelerator/accelerator/lib/stacks/security-resources-stack.ts:918:27) 1173 | \_ SecurityResourcesStack.setupAwsConfigRules (/codebuild/output/src2815/src/s3/00/source/packages/@aws-accelerator/accelerator/lib/stacks/security-resources-stack.ts:951:12) 1174 | \_ new SecurityResourcesStack (/codebuild/output/src2815/src/s3/00/source/packages/@aws-accelerator/accelerator/lib/stacks/security-resources-stack.ts:121:10) 1175 | \_ createSecurityResourcesStack (/codebuild/output/src2815/src/s3/00/source/packages/@aws-accelerator/accelerator/utils/stack-utils.ts:967:36) 1176 | \_ createMultiAccountMultiRegionStacks (/codebuild/output/src2815/src/s3/00/source/packages/@aws-accelerator/accelerator/bin/app.ts:188:35) 1177 | \_ processTicksAndRejections (node:internal/process/task_queues:95:5) 1178 | AWSAccelerator-SecurityResourcesStack-22222222222-us-west-2 \| 2:44:43 PM \| CREATE_FAILED \| AWS::Config::ConfigRule \| AcceleratorApiGwCacheEnabledAndEncrypted (AcceleratorApiGwCacheEnabledAndEncrypted090286F1) Resource handler returned message: "Invalid request provided: NoAvailableConfigurationRecorder" (RequestToken: ad2385d6-8bd0-7f9a-5948-2424fafad274, HandlerErrorCode: InvalidRequest) 1179 | new ManagedRule (/codebuild/output/src2815/src/s3/00/source/node_modules/aws-cdk-lib/aws-config/lib/rule.js:1:3558) 1180 | \_ SecurityResourcesStack.createManagedConfigRule (/codebuild/output/src2815/src/s3/00/source/packages/@aws-accelerator/accelerator/lib/stacks/security-resources-stack.ts:684:31) 1181 | \_ SecurityResourcesStack.createAwsConfigRules (/codebuild/output/src2815/src/s3/00/source/packages/@aws-accelerator/accelerator/lib/stacks/security-resources-stack.ts:918:27) 1182 | \_ SecurityResourcesStack.setupAwsConfigRules (/codebuild/output/src2815/src/s3/00/source/packages/@aws-accelerator/accelerator/lib/stacks/security-resources-stack.ts:951:12) 1183 | \_ new SecurityResourcesStack (/codebuild/output/src2815/src/s3/00/source/packages/@aws-accelerator/accelerator/lib/stacks/security-resources-stack.ts:121:10) 1184 | \_ createSecurityResourcesStack (/codebuild/output/src2815/src/s3/00/source/packages/@aws-accelerator/accelerator/utils/stack-utils.ts:967:36) 1185 | \_ createMultiAccountMultiRegionStacks (/codebuild/output/src2815/src/s3/00/source/packages/@aws-accelerator/accelerator/bin/app.ts:188:35) 1186 | \_ processTicksAndRejections (node:internal/process/task_queues:95:5)`
Given that there are at least a couple of people who have experienced this issue and that there may be further related issues, I'm going to reopen this one in hopes that the LZA team will see it and make a determination as to whether the my workaround is the intended path or whether there is something incorrect about the current LZA implementation.
@gustavo-guerra-compasso - what is your global config & security config?
Do you have control tower enabled? Are you managing it yourself or is LZA managing it? See https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/prerequisites.html for more detail.
What version of LZA is it? If self managed, you will need to include all regions in a control tower update.
This will create the required config recorder.
Given that there are at least a couple of people who have experienced this issue and that there may be further related issues, I'm going to reopen this one in hopes that the LZA team will see it and make a determination as to whether the my workaround is the intended path or whether there is something incorrect about the current LZA implementation.
Hi @Thomas-McKanna ,
When raising issues, include minimum required information (see my linked ticket for reference) to ensure there are required details for AWS to debug/priortise.
@richardkeit: Ah, got it. I didn't see your linked issue which is a duplicate of this one. I will close this issue.
@richardkeit I'am using LZA 1.9.0.
Control Tower was enabled by LZA, I activated it first on the home region it worked fine. When I activated on the secondary region it gives the configurationRecorder error.
global-config.yaml
configVersion: 1.9.0
# Activate on at a time due to the limitation of the AWS Control Tower
enabledRegions:
- *HOME_REGION
- us-west-2
managementAccountAccessRole: AWSControlTowerExecution
cloudwatchLogRetentionInDays: 90
cdkOptions:
centralizeBuckets: true
useManagementAccessRole: true
terminationProtection: false #true
snsTopics:
deploymentTargets:
organizationalUnits:
- Root
topics:
- name: Security
emailAddresses:
- aws@<omitted>
controlTower:
enable: true
# UPDATE If using ControlTower, uncomment the following block and set the version to ControlTower latest available version
landingZone:
version: '3.3'
logging:
loggingBucketRetentionDays: 365
accessLoggingBucketRetentionDays: 3650
organizationTrail: true
security:
enableIdentityCenterAccess: true
logging:
account: LogArchive
cloudtrail:
enable: true
organizationTrail: true
organizationTrailSettings:
multiRegionTrail: true
globalServiceEvents: true
managementEvents: false
s3DataEvents: true
lambdaDataEvents: true
sendToCloudWatchLogs: true
apiErrorRateInsight: false
apiCallRateInsight: false
accountTrails: []
lifecycleRules: []
sessionManager:
sendToCloudWatchLogs: false
sendToS3: true
lifecycleRules:
- enabled: true
abortIncompleteMultipartUpload: 7
expiration: 1209
noncurrentVersionExpiration: 1209
attachPolicyToIamRoles:
- EC2-Default-SSM-AD-Role
cloudwatchLogs:
dynamicPartitioning: dynamic-partitioning/log-filters.json
accessLogBucket:
lifecycleRules:
- enabled: true
abortIncompleteMultipartUpload: 7 #dias
expiration: 1209
noncurrentVersionExpiration: 1209
transitions:
- storageClass: DEEP_ARCHIVE
transitionAfter: 90
noncurrentVersionTransitions:
- storageClass: DEEP_ARCHIVE
transitionAfter: 90
centralLogBucket:
lifecycleRules:
- enabled: true
abortIncompleteMultipartUpload: 7
expiration: 1209
noncurrentVersionExpiration: 1209
transitions:
- storageClass: DEEP_ARCHIVE
transitionAfter: 90
noncurrentVersionTransitions:
- storageClass: DEEP_ARCHIVE
transitionAfter: 90
elbLogBucket:
lifecycleRules:
- enabled: true
abortIncompleteMultipartUpload: 7
expiration: 1209
noncurrentVersionExpiration: 1209
transitions:
- storageClass: DEEP_ARCHIVE
transitionAfter: 90
noncurrentVersionTransitions:
- storageClass: DEEP_ARCHIVE
transitionAfter: 90
security-config.yaml
homeRegion: &HOME_REGION us-east-1
centralSecurityServices:
delegatedAdminAccount: Audit
ebsDefaultVolumeEncryption:
enable: true
excludeRegions: []
s3PublicAccessBlock:
enable: true
excludeAccounts: []
# scpRevertChangesConfig:
# enable: true
# snsTopicName: Security
macie:
enable: true
excludeRegions: []
policyFindingsPublishingFrequency: FIFTEEN_MINUTES
publishSensitiveDataFindings: true
guardduty:
enable: true
excludeRegions: []
s3Protection:
enable: true
excludeRegions: []
exportConfiguration:
enable: true
overrideExisting: true
destinationType: S3
exportFrequency: FIFTEEN_MINUTES
auditManager:
enable: false
excludeRegions: []
defaultReportsConfiguration:
enable: true
destinationType: S3
lifecycleRules:
- enabled: true
abortIncompleteMultipartUpload: 7
expiration: 730
noncurrentVersionExpiration: 730
detective:
enable: false
excludeRegions: []
securityHub:
enable: true
regionAggregation: true
excludeRegions: []
standards:
- name: AWS Foundational Security Best Practices v1.0.0
# https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html
enable: true
controlsToDisable:
- IAM.1
- EC2.10
- Lambda.4
# - name: PCI DSS v3.2.1
# # https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-pci-controls.html
# enable: false
# controlsToDisable:
# - PCI.IAM.3
# - PCI.S3.3
# - PCI.EC2.3
# - PCI.Lambda.2
- name: CIS AWS Foundations Benchmark v1.4.0
# https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html
enable: true
controlsToDisable:
- CIS.1.17
- CIS.1.16
- name: CIS AWS Foundations Benchmark v3.0.0
# https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html
enable: true
# - name: NIST Special Publication 800-53 Revision 5
# # https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html
# enable: true
# controlstoDisable: []
ssmAutomation:
excludeRegions: []
documentSets:
- shareTargets:
organizationalUnits:
- Root
documents:
# Calls the AWS CLI to enable access logs on a specified ELB
- name: SSM-ELB-Enable-Logging
template: ssm-documents/ssm-elb-enable-logging.yaml
# Enables S3 encryption using KMS
- name: Put-S3-Encryption
template: ssm-documents/s3-encryption.yaml
# Attaches instance profiles to an EC2 instance
- name: Attach-IAM-Instance-Profile
template: ssm-documents/attach-iam-instance-profile.yaml
# Attaches Aws IAM Managed Policy to IAM Role
- name: Attach-IAM-Role-Policy
template: ssm-documents/attach-iam-role-policy.yaml
accessAnalyzer:
enable: true
iamPasswordPolicy:
allowUsersToChangePassword: true
hardExpiry: false
requireUppercaseCharacters: true
requireLowercaseCharacters: true
requireSymbols: true
requireNumbers: true
minimumPasswordLength: 30
passwordReusePrevention: 24
maxPasswordAge: 90
awsConfig:
enableConfigurationRecorder: true
# ** enableDeliveryChannel DEPRECATED
enableDeliveryChannel: true
ruleSets:
- deploymentTargets:
organizationalUnits:
- Root
rules:
- name: accelerator-attach-ec2-instance-profile
type: Custom
description: Custom rule for checking EC2 instance IAM profile attachment
inputParameters:
customRule:
lambda:
sourceFilePath: custom-config-rules/attach-ec2-instance-profile.zip
handler: index.handler
runtime: nodejs18.x
rolePolicyFile: custom-config-rules/attach-ec2-instance-profile-detection-role.json
periodic: true
maximumExecutionFrequency: Six_Hours
configurationChanges: true
triggeringResources:
lookupType: ResourceTypes
lookupKey: ResourceTypes
lookupValue:
- AWS::EC2::Instance
remediation:
rolePolicyFile: custom-config-rules/attach-ec2-instance-profile-remediation-role.json
automatic: true
targetId: Attach-IAM-Instance-Profile
retryAttemptSeconds: 60
maximumAutomaticAttempts: 5
parameters:
- name: InstanceId
value: RESOURCE_ID
type: String
- name: IamInstanceProfile
value: ${ACCEL_LOOKUP::InstanceProfile:EC2-Default-SSM-AD-Role}
type: StringList
# Note these example CustomerManagedPolicies are hardcoded for us-east-1
- name: accelerator-ec2-instance-profile-permission
type: Custom
description: Custom role to remediate EC2 instance profile permission
inputParameters:
AWSManagedPolicies: AmazonSSMManagedInstanceCore,AmazonSSMDirectoryServiceAccess,CloudWatchAgentServerPolicy
# CustomerManagedPolicies: ${ACCEL_LOOKUP::CustomerManagedPolicy:AWSAccelerator-SessionManagerLogging-us-east-1}
# CustomerManagedPolicies: ${ACCEL_LOOKUP::CustomerManagedPolicy:<POLICY_NAME>},${ACCEL_LOOKUP::CustomerManagedPolicy:<POLICY_NAME>}
ResourceId: RESOURCE_ID
customRule:
lambda:
sourceFilePath: custom-config-rules/ec2-instance-profile-permissions.zip
handler: index.handler
runtime: nodejs18.x
rolePolicyFile: custom-config-rules/ec2-instance-profile-permissions-detection-role.json
periodic: true
maximumExecutionFrequency: Six_Hours
configurationChanges: true
triggeringResources:
lookupType: ResourceTypes
lookupKey: ResourceTypes
lookupValue:
- AWS::IAM::Role
remediation:
rolePolicyFile: custom-config-rules/ec2-instance-profile-permissions-remediation-role.json
automatic: true
targetId: Attach-IAM-Role-Policy
targetAccountName: Audit
retryAttemptSeconds: 60
maximumAutomaticAttempts: 5
parameters:
- name: ResourceId
value: RESOURCE_ID
type: String
- name: AWSManagedPolicies
value: AmazonSSMManagedInstanceCore,AmazonSSMDirectoryServiceAccess,CloudWatchAgentServerPolicy
type: StringList
# - name: CustomerManagedPolicies
# value: ${ACCEL_LOOKUP::CustomerManagedPolicy:policy-00},${ACCEL_LOOKUP::CustomerManagedPolicy:policy-01}
# type: StringList
# - name: CustomerManagedPolicies
# value: ${ACCEL_LOOKUP::CustomerManagedPolicy:AWSAccelerator-SessionManagerLogging-us-east-1}
# type: StringList
# Note, included in Security Hub AFBP but this one has an automated remediation
- name: accelerator-s3-bucket-server-side-encryption-enabled
identifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
complianceResourceTypes:
- AWS::S3::Bucket
remediation:
rolePolicyFile: custom-config-rules/bucket-sse-enabled-remediation-role.json
automatic: true
targetId: Put-S3-Encryption
retryAttemptSeconds: 60
maximumAutomaticAttempts: 5
parameters:
- name: BucketName
value: RESOURCE_ID
type: String
- name: KMSMasterKey
value: ${ACCEL_LOOKUP::KMS}
type: StringList
# Security Hub AFBP has a similar rule, but this one has an automated remediation.
- name: accelerator-elb-logging-enabled
identifier: ELB_LOGGING_ENABLED
complianceResourceTypes:
- AWS::ElasticLoadBalancing::LoadBalancer
- AWS::ElasticLoadBalancingV2::LoadBalancer
inputParameters:
s3BucketNames: ${ACCEL_LOOKUP::Bucket:elbLogs}
remediation:
rolePolicyFile: custom-config-rules/elb-logging-enabled-remediation-role.json
automatic: true
targetId: SSM-ELB-Enable-Logging
retryAttemptSeconds: 60
maximumAutomaticAttempts: 5
parameters:
- name: LoadBalancerArn
value: RESOURCE_ID
type: String
- name: LogDestination
value: ${ACCEL_LOOKUP::Bucket:elbLogs}
type: StringList
- name: accelerator-iam-user-group-membership-check
complianceResourceTypes:
- AWS::IAM::User
identifier: IAM_USER_GROUP_MEMBERSHIP_CHECK
- name: accelerator-securityhub-enabled
identifier: SECURITYHUB_ENABLED
- name: accelerator-cloudtrail-enabled
identifier: CLOUD_TRAIL_ENABLED
- name: accelerator-cloudwatch-alarm-action-check
complianceResourceTypes:
- AWS::CloudWatch::Alarm
inputParameters:
alarmActionRequired: "TRUE"
insufficientDataActionRequired: "TRUE"
okActionRequired: "FALSE"
identifier: CLOUDWATCH_ALARM_ACTION_CHECK
- name: accelerator-redshift-cluster-configuration-check
inputParameters:
clusterDbEncrypted: "TRUE"
loggingEnabled: "TRUE"
complianceResourceTypes:
- AWS::Redshift::Cluster
identifier: REDSHIFT_CLUSTER_CONFIGURATION_CHECK
- name: accelerator-cloudtrail-s3-dataevents-enabled
identifier: CLOUDTRAIL_S3_DATAEVENTS_ENABLED
- name: accelerator-emr-kerberos-enabled
identifier: EMR_KERBEROS_ENABLED
- name: accelerator-iam-group-has-users-check
complianceResourceTypes:
- AWS::IAM::Group
identifier: IAM_GROUP_HAS_USERS_CHECK
- name: accelerator-s3-bucket-policy-grantee-check
complianceResourceTypes:
- AWS::S3::Bucket
identifier: S3_BUCKET_POLICY_GRANTEE_CHECK
- name: accelerator-ec2-instances-in-vpc
complianceResourceTypes:
- AWS::EC2::Instance
identifier: INSTANCES_IN_VPC
# Note, included in Security Hub AFBP slightly different with ports 80 and 443
- name: accelerator-vpc-sg-open-only-to-authorized-ports
inputParameters:
authorizedTcpPorts: "443"
# authorizedUdpPorts: "1020-1025"
complianceResourceTypes:
- AWS::EC2::SecurityGroup
identifier: VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS
- name: accelerator-internet-gateway-authorized-vpc-only
complianceResourceTypes:
- AWS::EC2::InternetGateway
identifier: INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY
- name: accelerator-iam-no-inline-policy-check
complianceResourceTypes:
- AWS::IAM::User
- AWS::IAM::Role
- AWS::IAM::Group
identifier: IAM_NO_INLINE_POLICY_CHECK
- name: accelerator-cloudwatch-log-group-encrypted
identifier: CLOUDWATCH_LOG_GROUP_ENCRYPTED
- name: accelerator-cw-loggroup-retention-period-check
identifier: CW_LOGGROUP_RETENTION_PERIOD_CHECK
- name: accelerator-ec2-instance-detailed-monitoring-enabled
complianceResourceTypes:
- AWS::EC2::Instance
identifier: EC2_INSTANCE_DETAILED_MONITORING_ENABLED
- name: accelerator-ec2-volume-inuse-check
inputParameters:
deleteOnTermination: "TRUE"
complianceResourceTypes:
- AWS::EC2::Volume
identifier: EC2_VOLUME_INUSE_CHECK
- name: accelerator-cloudtrail-security-trail-enabled
identifier: CLOUDTRAIL_SECURITY_TRAIL_ENABLED
- name: accelerator-elasticache-redis-cluster-automatic-backup-check
identifier: ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK
- name: accelerator-s3-bucket-versioning-enabled
complianceResourceTypes:
- AWS::S3::Bucket
identifier: S3_BUCKET_VERSIONING_ENABLED
- name: accelerator-guardduty-non-archived-findings
inputParameters:
daysHighSev: "1"
daysLowSev: "30"
daysMediumSev: "7"
identifier: GUARDDUTY_NON_ARCHIVED_FINDINGS
- name: accelerator-kms-cmk-not-scheduled-for-deletion
complianceResourceTypes:
- AWS::KMS::Key
identifier: KMS_CMK_NOT_SCHEDULED_FOR_DELETION
- name: accelerator-api-gw-cache-enabled-and-encrypted
complianceResourceTypes:
- AWS::ApiGateway::Stage
identifier: API_GW_CACHE_ENABLED_AND_ENCRYPTED
- name: accelerator-sagemaker-endpoint-configuration-kms-key-configured
identifier: SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED
- name: accelerator-sagemaker-notebook-instance-kms-key-configured
identifier: SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED
- name: accelerator-dynamodb-table-encrypted-kms
complianceResourceTypes:
- AWS::DynamoDB::Table
identifier: DYNAMODB_TABLE_ENCRYPTED_KMS
- name: accelerator-s3-bucket-default-lock-enabled
complianceResourceTypes:
- AWS::S3::Bucket
identifier: S3_BUCKET_DEFAULT_LOCK_ENABLED
# NIST 800-53-rev5 Conformance Pack - Additional 15
- name: accelerator-account-part-of-organizations
identifier: ACCOUNT_PART_OF_ORGANIZATIONS
- name: accelerator-alb-waf-enabled
complianceResourceTypes:
- AWS::ElasticLoadBalancingV2::LoadBalancer
identifier: ALB_WAF_ENABLED
- name: accelerator-codebuild-project-artifact-encryption
complianceResourceTypes:
- AWS::CodeBuild::Project
identifier: CODEBUILD_PROJECT_ARTIFACT_ENCRYPTION
- name: accelerator-dynamodb-in-backup-plan
identifier: DYNAMODB_IN_BACKUP_PLAN
- name: accelerator-dynamodb-throughput-limit-check
identifier: DYNAMODB_THROUGHPUT_LIMIT_CHECK
- name: accelerator-ebs-in-backup-plan
identifier: EBS_IN_BACKUP_PLAN
- name: accelerator-ebs-optimized-instance
complianceResourceTypes:
- AWS::EC2::Instance
identifier: EBS_OPTIMIZED_INSTANCE
- name: accelerator-elbv2-acm-certificate-required
identifier: ELBV2_ACM_CERTIFICATE_REQUIRED
- name: accelerator-lambda-dlq-check
complianceResourceTypes:
- AWS::Lambda::Function
identifier: LAMBDA_DLQ_CHECK
- name: accelerator-no-unrestricted-route-to-igw
complianceResourceTypes:
- AWS::EC2::RouteTable
identifier: NO_UNRESTRICTED_ROUTE_TO_IGW
- name: accelerator-redshift-cluster-kms-enabled
complianceResourceTypes:
- AWS::Redshift::Cluster
identifier: REDSHIFT_CLUSTER_KMS_ENABLED
- name: accelerator-s3-default-encryption-kms
complianceResourceTypes:
- AWS::S3::Bucket
identifier: S3_DEFAULT_ENCRYPTION_KMS
- name: accelerator-secretsmanager-using-cmk
complianceResourceTypes:
- AWS::SecretsManager::Secret
identifier: SECRETSMANAGER_USING_CMK
# Optional Config rules to check for resources protected by backups.
- deploymentTargets:
organizationalUnits: []
rules:
- name: accelerator-aurora-resources-protected-by-backup-plan
complianceResourceTypes:
- AWS::RDS::DBCluster
identifier: AURORA_RESOURCES_PROTECTED_BY_BACKUP_PLAN
- name: accelerator-backup-plan-min-frequency-and-min-retention-check
complianceResourceTypes:
- AWS::Backup::BackupPlan
identifier: BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK
- name: accelerator-backup-recovery-point-encrypted
complianceResourceTypes:
- AWS::Backup::RecoveryPoint
identifier: BACKUP_RECOVERY_POINT_ENCRYPTED
- name: accelerator-backup-recovery-point-manual-deletion-disabled
complianceResourceTypes:
- AWS::Backup::BackupVault
identifier: BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED
- name: accelerator-ec2-resources-protected-by-backup-plan
complianceResourceTypes:
- AWS::EC2::Instance
identifier: EC2_RESOURCES_PROTECTED_BY_BACKUP_PLAN
- name: accelerator-rds-in-backup-plan
identifier: RDS_IN_BACKUP_PLAN
cloudWatch:
metricSets:
- regions:
- *HOME_REGION
#####################################
# With landing zone version 3.0, AWS Control Tower now supports organization-level AWS CloudTrail trails. #
# Going forward from landing zone 3.0, AWS Control Tower no longer will support account-level trails that AWS manages. #
# If your environment runs on prior version (3.0) of landing zone, you can change deployment targets for the metrics to Root organizational units #
# Metrics deployment target should be management account for environment with landing zone version 3.0 #
# Please refer https://docs.aws.amazon.com/controltower/latest/userguide/2022-all.html#version-3.0 for more information #
#####################################
deploymentTargets:
accounts:
- Management
metrics:
# CIS 1.7 - Avoid the use of the "root" account
- filterName: RootAccountUsage
# logGroupName: aws-controltower/CloudTrailLogs //Se comenta por cambio de log group
logGroupName: aws-accelerator-cloudtrail-logs
filterPattern: '{$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}'
metricNamespace: LogMetrics
metricName: RootAccount
metricValue: "1"
# CIS 4.4 - Ensure a log metric filter and alarm exist for IAM policy changes
- filterName: IAMPolicyChangesMetricFilter
# logGroupName: aws-controltower/CloudTrailLogs //Se comenta por cambio de log group
logGroupName: aws-accelerator-cloudtrail-logs
filterPattern: "{($.eventName=DeleteGroupPolicy) || ($.eventName=DeleteRolePolicy) || ($.eventName=DeleteUserPolicy) || ($.eventName=PutGroupPolicy) || ($.eventName=PutRolePolicy) || ($.eventName=PutUserPolicy) || ($.eventName=CreatePolicy) || ($.eventName=DeletePolicy) || ($.eventName=CreatePolicyVersion) || ($.eventName=DeletePolicyVersion) || ($.eventName=AttachRolePolicy) || ($.eventName=DetachRolePolicy) || ($.eventName=AttachUserPolicy) || ($.eventName=DetachUserPolicy) || ($.eventName=AttachGroupPolicy) || ($.eventName=DetachGroupPolicy)}"
metricNamespace: LogMetrics
metricName: IAMPolicyChanges
metricValue: "1"
# CIS 4.5 - Ensure a log metric filter and alarm exist for CloudTrail configuration changes
- filterName: CloudTrailChangesMetricFilter
# logGroupName: aws-controltower/CloudTrailLogs //Se comenta por cambio de log group
logGroupName: aws-accelerator-cloudtrail-logs
filterPattern: "{($.eventName=CreateTrail) || ($.eventName=UpdateTrail) || ($.eventName=DeleteTrail) || ($.eventName=StartLogging) || ($.eventName=StopLogging)}"
metricNamespace: LogMetrics
metricName: CloudTrailChanges
metricValue: "1"
# CIS 4.6 - Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
- filterName: ConsoleAuthenticationFailureMetricFilter
# logGroupName: aws-controltower/CloudTrailLogs //Se comenta por cambio de log group
logGroupName: aws-accelerator-cloudtrail-logs
filterPattern: '{($.eventName=ConsoleLogin) && ($.errorMessage="Failed authentication")}'
metricNamespace: LogMetrics
metricName: ConsoleAuthenticationFailure
metricValue: "1"
# CIS 4.7 - Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
- filterName: DisableOrDeleteCMKMetricFilter
# logGroupName: aws-controltower/CloudTrailLogs //Se comenta por cambio de log group
logGroupName: aws-accelerator-cloudtrail-logs
filterPattern: "{($.eventSource=kms.amazonaws.com) && (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion))}"
metricNamespace: LogMetrics
metricName: DisableOrDeleteCMK
metricValue: "1"
# CIS 4.8 - Ensure a log metric filter and alarm exist for S3 bucket policy changes
- filterName: S3BucketPolicyChangesMetricFilter
# logGroupName: aws-controltower/CloudTrailLogs //Se comenta por cambio de log group
logGroupName: aws-accelerator-cloudtrail-logs
filterPattern: "{($.eventSource=s3.amazonaws.com) && (($.eventName=PutBucketAcl) || ($.eventName=PutBucketPolicy) || ($.eventName=PutBucketCors) || ($.eventName=PutBucketLifecycle) || ($.eventName=PutBucketReplication) || ($.eventName=DeleteBucketPolicy) || ($.eventName=DeleteBucketCors) || ($.eventName=DeleteBucketLifecycle) || ($.eventName=DeleteBucketReplication))}"
metricNamespace: LogMetrics
metricName: S3BucketPolicyChanges
metricValue: "1"
# CIS 4.9 - Ensure a log metric filter and alarm exist for AWS Config configuration changes
- filterName: AWSConfigChangesMetricFilter
# logGroupName: aws-controltower/CloudTrailLogs //Se comenta por cambio de log group
logGroupName: aws-accelerator-cloudtrail-logs
filterPattern: "{($.eventSource=config.amazonaws.com) && (($.eventName=StopConfigurationRecorder) || ($.eventName=DeleteDeliveryChannel) || ($.eventName=PutDeliveryChannel) || ($.eventName=PutConfigurationRecorder))}"
metricNamespace: LogMetrics
metricName: AWSConfigChanges
metricValue: "1"
# CIS 4.10 - Ensure a log metric filter and alarm exist for security group changes
- filterName: SecurityGroupChangesMetricFilter
# logGroupName: aws-controltower/CloudTrailLogs //Se comenta por cambio de log group
logGroupName: aws-accelerator-cloudtrail-logs
filterPattern: "{($.eventName=AuthorizeSecurityGroupIngress) || ($.eventName=AuthorizeSecurityGroupEgress) || ($.eventName=RevokeSecurityGroupIngress) || ($.eventName=RevokeSecurityGroupEgress) || ($.eventName=CreateSecurityGroup) || ($.eventName=DeleteSecurityGroup)}"
metricNamespace: LogMetrics
metricName: SecurityGroupChanges
metricValue: "1"
# CIS 4.11 - Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
- filterName: NetworkACLChangesMetricFilter
# logGroupName: aws-controltower/CloudTrailLogs //Se comenta por cambio de log group
logGroupName: aws-accelerator-cloudtrail-logs
filterPattern: "{($.eventName=CreateNetworkAcl) || ($.eventName=CreateNetworkAclEntry) || ($.eventName=DeleteNetworkAcl) || ($.eventName=DeleteNetworkAclEntry) || ($.eventName=ReplaceNetworkAclEntry) || ($.eventName=ReplaceNetworkAclAssociation)}"
metricNamespace: LogMetrics
metricName: NetworkACLChanges
metricValue: "1"
# CIS 4.12 - Ensure a log metric filter and alarm exist for changes to network gateways
- filterName: NetworkGatewayChangesMetricFilter
# logGroupName: aws-controltower/CloudTrailLogs //Se comenta por cambio de log group
logGroupName: aws-accelerator-cloudtrail-logs
filterPattern: "{($.eventName=CreateCustomerGateway) || ($.eventName=DeleteCustomerGateway) || ($.eventName=AttachInternetGateway) || ($.eventName=CreateInternetGateway) || ($.eventName=DeleteInternetGateway) || ($.eventName=DetachInternetGateway)}"
metricNamespace: LogMetrics
metricName: NetworkGatewayChanges
metricValue: "1"
# CIS 4.13 - Ensure a log metric filter and alarm exist for route table changes
- filterName: RouteTableChangesMetricFilter
# logGroupName: aws-controltower/CloudTrailLogs //Se comenta por cambio de log group
logGroupName: aws-accelerator-cloudtrail-logs
filterPattern: "{($.eventName=CreateRoute) || ($.eventName=CreateRouteTable) || ($.eventName=ReplaceRoute) || ($.eventName=ReplaceRouteTableAssociation) || ($.eventName=DeleteRouteTable) || ($.eventName=DeleteRoute) || ($.eventName=DisassociateRouteTable)}"
metricNamespace: LogMetrics
metricName: RouteTableChanges
metricValue: "1"
# CIS 4.14 - Ensure a log metric filter and alarm exist for VPC changes
- filterName: VPCChangesMetricFilter
# logGroupName: aws-controltower/CloudTrailLogs //Se comenta por cambio de log group
logGroupName: aws-accelerator-cloudtrail-logs
filterPattern: "{($.eventName=CreateVpc) || ($.eventName=DeleteVpc) || ($.eventName=ModifyVpcAttribute) || ($.eventName=AcceptVpcPeeringConnection) || ($.eventName=CreateVpcPeeringConnection) || ($.eventName=DeleteVpcPeeringConnection) || ($.eventName=RejectVpcPeeringConnection) || ($.eventName=AttachClassicLinkVpc) || ($.eventName=DetachClassicLinkVpc) || ($.eventName=DisableVpcClassicLink) || ($.eventName=EnableVpcClassicLink)}"
metricNamespace: LogMetrics
metricName: VPCChanges
metricValue: "1"
alarmSets:
- regions:
- *HOME_REGION
#####################################
# With landing zone version 3.0, AWS Control Tower now supports organization-level AWS CloudTrail trails. #
# Going forward from landing zone 3.0, AWS Control Tower no longer will support account-level trails that AWS manages. #
# If your environment runs on prior version (3.0) of landing zone, you can change deployment targets for the metrics to Root organizational units #
# Metrics deployment target should be management account for environment with landing zone version 3.0 #
# Please refer https://docs.aws.amazon.com/controltower/latest/userguide/2022-all.html#version-3.0 for more information #
#####################################
deploymentTargets:
accounts:
- Management
alarms:
# CIS 1.7 - Avoid the use of the "root" account
- alarmName: CIS-1.7-RootAccountUsage
alarmDescription: Alarm for usage of "root" account
snsTopicName: Security
metricName: RootAccountUsage
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Sum
threshold: 1
treatMissingData: notBreaching
# CIS 4.4 - Ensure a log metric filter and alarm exist for IAM policy changes
- alarmName: CIS-4.4-IAMPolicyChanges
alarmDescription: Alarm for IAM policy changes
snsTopicName: Security
metricName: IAMPolicyChanges
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Average
threshold: 1
treatMissingData: notBreaching
# CIS 4.5 - Ensure a log metric filter and alarm exist for CloudTrail configuration changes
- alarmName: CIS-4.5-CloudTrailChanges
alarmDescription: Alarm for CloudTrail configuration changes
snsTopicName: Security
metricName: CloudTrailChanges
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Sum
threshold: 1
treatMissingData: notBreaching
# CIS 4.6 - Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
- alarmName: CIS-4.6-ConsoleAuthenticationFailure
alarmDescription: Alarm exist for AWS Management Console authentication failures
snsTopicName: Security
metricName: ConsoleAuthenticationFailure
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Sum
threshold: 1
treatMissingData: notBreaching
# CIS 4.7 - Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
- alarmName: CIS-4.7-DisableOrDeleteCMK
alarmDescription: Alarm for disabling or scheduled deletion of customer created CMKs
snsTopicName: Security
metricName: DisableOrDeleteCMK
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Sum
threshold: 1
treatMissingData: notBreaching
# CIS 4.8 - Ensure a log metric filter and alarm exist for S3 bucket policy changes
- alarmName: CIS-4.8-S3BucketPolicyChanges.
alarmDescription: Alarm for S3 bucket policy changes
snsTopicName: Security
metricName: S3BucketPolicyChanges
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Average
threshold: 1
treatMissingData: notBreaching
# CIS 4.9 - Ensure a log metric filter and alarm exist for AWS Config configuration changes
- alarmName: CIS-4.9-AWSConfigChanges
alarmDescription: Alarm for AWS Config configuration changes
snsTopicName: Security
metricName: AWSConfigChanges
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Sum
threshold: 1
treatMissingData: notBreaching
# CIS 4.10 - Ensure a log metric filter and alarm exist for security group changes
- alarmName: CIS-4.10-SecurityGroupChanges
alarmDescription: Alarm for security group changes
snsTopicName: Security
metricName: SecurityGroupChanges
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Sum
threshold: 1
treatMissingData: notBreaching
# CIS 4.11 - Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
- alarmName: CIS-4.11-NetworkACLChanges
alarmDescription: Alarm for changes to Network Access Control Lists (NACL)
snsTopicName: Security
metricName: NetworkACLChanges
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Sum
threshold: 1
treatMissingData: notBreaching
# CIS 4.12 - Ensure a log metric filter and alarm exist for changes to network gateways
- alarmName: CIS-4.12-NetworkGatewayChanges
alarmDescription: Alarm for changes to network gateways
snsTopicName: Security
metricName: NetworkGatewayChanges
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Sum
threshold: 1
treatMissingData: notBreaching
# CIS 4.13 - Ensure a log metric filter and alarm exist for route table changes
- alarmName: CIS-4.13-RouteTableChanges
alarmDescription: Alarm for route table changes
snsTopicName: Security
metricName: RouteTableChanges
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Average
threshold: 1
treatMissingData: notBreaching
# CIS 4.14 - Ensure a log metric filter and alarm exist for VPC changes
- alarmName: CIS-3.14-VPCChanges
alarmDescription: Alarm for VPC changes
snsTopicName: Security
metricName: VPCChanges
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Sum
threshold: 1
treatMissingData: notBreaching
keyManagementService:
keySets:
- name: KMSSecretsKey
deploymentTargets:
organizationalUnits:
- Root
alias: alias/accelerator/kms/secrets/key
description: KMS key to encrypt secrets
enabled: true
enableKeyRotation: true
removalPolicy: retain
Hi @gustavo-guerra-compasso ,
Looks like in the global config the yaml anchor for home region is missing.
Please look at the governed regions in Control Tower or run the below command (provide the output) and make sure all intended regions are there
aws controltower get-landing-zone --landing-zone-identifier $(aws controltower list-landing-zones --query 'landingZones[*].arn' --output text)
I have upgraded the LZA to 1.9.1 and it seems that is working now.
about the global-config.yaml. Maybe when I pasted it here I have delete the line:
homeRegion: &HOME_REGION us-east-1
Thanks @richardkeit
Hi, We have tried a new setup in a new account using version 1.9.1. Without the code sugested by @Thomas-McKanna we are not able to enable a secondary region. The error still occurs:
AWSAccelerator-SecurityResourcesStack-3111XXXXXXXX-us-west-2 | 0/89 | 9:38:02 PM | CREATE_FAILED |
AWS::Config::ConfigRule | AcceleratorEc2InstanceDetailedMonitoringEnabled
(AcceleratorEc2InstanceDetailedMonitoringEnabled9F032168) Resource handler returned message: "Invalid request provided:
NoAvailableConfigurationRecorder" (RequestToken: XXXXXXXX-dee3-ee84-d6cb-7d8268aXXXXX, HandlerErrorCode:
InvalidRequest)
We are using the same code pasted by me in a previously comment post.
The following validation check has caused my pipeline to suddenly start failing. The error is that "securityHub requires awsConfig to be enabled". But I had been using AWS Config rules as managed by Control Tower up until this point with no issue. Now, I can't get the pipeline to run. I have tried setting
enableConfigurationRecorder
to true, but then I get error:And when I set
overrideExisting
to true, I get the error:Now I'm unsure of what to do.
The code that broke the pipeline for me was:
https://github.com/awslabs/landing-zone-accelerator-on-aws/blame/76117a978937ea8c7a5d1e58e2c3e2b2584ec0ba/source/packages/%40aws-accelerator/config/validator/security-config-validator.ts#L668
Is this validation really necessary?