hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

SecurityHub raises an InvalidAccessException: Account <REDACTED> is not an administrator for this organization when the account is the administrator #23079

Open vermamanoj opened 2 years ago

vermamanoj commented 2 years ago

Terraform CLI and Terraform AWS Provider Version

Terraform v1.1.0 on darwin_amd64

Terraform Configuration Files

resource "aws_securityhub_account" "cust-lz-securityhub" {}

# Auto enable security hub in organization member accounts
resource "aws_securityhub_organization_configuration" "enable_config_automatically" {
  auto_enable = true
  depends_on = [aws_securityhub_account.cust-lz-securityhub]
}

resource "aws_securityhub_organization_admin_account" "admin_account_id" {
  admin_account_id = local.lz_info_sec_account.id
  depends_on       = [aws_securityhub_organization_configuration.enable_config_automatically]
}

Output:

2022-01-04T12:54:02.252Z [DEBUG] [aws-sdk-go] {}
╷
│ Error: error updating Security Hub Organization Configuration (): InvalidAccessException: Account <REDACTED> is not an administrator for this organization
│ {
│   RespMetadata: {
│     StatusCode: 401,
│     RequestID: "f4ff6036-1493-44a0-b16b-3436d5b36728"
│   },
│   Code_: "InvalidAccessException",
│   Message_: "Account <REDACTED> is not an administrator for this organization"
│ }
│ 
│   with aws_securityhub_organization_configuration.enable_config_automatically,
│   on securityhub.tf line 6, in resource "aws_securityhub_organization_configuration" "enable_config_automatically":
│    6: resource "aws_securityhub_organization_configuration" "enable_config_automatically" {
│ 

Expected Behavior

When enabling SecurityHub and delegating the account, the request should have been successful considering the account is the management account for Organizations.

Note that using aws securityhub enable-organization-admin-account --admin-account-id=<redacted> does work using the exact same privileges.

Actual Behavior

An error is raised stating that the account is not authorized to delegate the SecurityHub administrator to another account within the organization.

Steps to Reproduce

  1. terraform init
  2. terraform apply

vermamanoj commented 2 years ago

A similar issue was reported on a different channel earlier; please refer to https://github.com/hashicorp/terraform/issues/30285 as well.

justinretzolk commented 2 years ago

Hey @vermamanoj 👋 Thank you for taking the time to raise this! So that we have all of the information necessary to look into this, would it be possible to include (sanitized as needed) debug logs as well?

I'd also be curious as to how you're passing credentials into the provider, in case there's any chance that different credentials are being picked up than you're using with the aws CLI command that you mentioned worked.

vermamanoj commented 2 years ago

my provider.tf file:

# Provider for the audit (delegated admin) account
provider "aws" {
  alias  = "audit_account"
  region = var.Deployment_Region
  assume_role {
    role_arn = "arn:aws:iam::${var.Deployment_Account}:role/${var.Terraform_Role_Name}"
  }
}

# Provider for the organization management account
provider "aws" {
  alias  = "management_account"
  region = var.Deployment_Region
  assume_role {
    role_arn = "arn:aws:iam::${var.management_account}:role/${var.Terraform_Role_Name}"
  }
}

vermamanoj commented 2 years ago

main.tf

data "aws_organizations_organization" "myorg" {
  provider = aws.management_account
}

module "guardduty_enabler_audit" {
  source = "../../../Modules/logging_guardduty_enabler_audit"

  providers = {
    aws.org = aws.audit_account
  }

  gd_finding_publishing_frequency = var.finding_publishing_frequency
  delegated_admin_account_id      = var.Deployment_Region
  gd_my_org                       = data.aws_organizations_organization.myorg
}

module "securityhub_enabler_audit" {
  source = "../../../Modules/logging_securityhub_enabler_audit"

  providers = {
    aws.org = aws.audit_account
  }

  Deployment_Region                      = var.Deployment_Region
  delegated_admin_account_id             = var.Deployment_Region
  my_org                                 = data.aws_organizations_organization.myorg
  linking_mode                           = var.linking_mode
  specified_regions                      = var.securityhub_aggregation_source_regions
  finding_aggregation_region             = var.securityhub_finding_aggregation_region
  securityhub_products_integration       = var.securityhub_products_integration
}

vermamanoj commented 2 years ago

tfvars file

# AUDIT ACCOUNT
Deployment_Account = "111111111111"
Deployment_Region  = "us-west-1"

# =======================

Terraform_Role_Name = "assume_role_name"

# Enter account ID of the Delegated admin account.
management_account = "222222222222"

finding_publishing_frequency = "FIFTEEN_MINUTES"

# SecurityHub specific code
linking_mode                           = "SPECIFIED_REGIONS"
securityhub_finding_aggregation_region = "us-east-1"
securityhub_aggregation_source_regions = ["us-east-2", "ap-south-1", "us-west-1"]
securityhub_products_integration       = ["guardduty", "inspector", "macie"]

vermamanoj commented 2 years ago

Debug logs attached tf_debug_copy_2.txt

  - 111111111111 - delegated admin account
  - 222222222222 - org mgmt. account
  - 333333333333 & 444444444444 - member accounts

vermamanoj commented 2 years ago

Before running this code, I ran another one in the management account to delegate the audit account as admin for SecurityHub and GuardDuty.

justinretzolk commented 2 years ago

Hey @vermamanoj 👋 Thank you for the additional information. I've marked this as a bug so that we can take a look into it as soon as time allows.

ADobrodey commented 2 years ago

@vermamanoj After enabling aws_securityhub_organization_admin_account, the organization configuration is delegated to the member account, so you will need to execute aws_securityhub_organization_configuration under the member account's provider:

# Run from the organization management account
resource "aws_securityhub_organization_admin_account" "admin_account_id" {
  admin_account_id = local.lz_info_sec_account.id
}

# Run from the delegated administrator account, after delegation
resource "aws_securityhub_organization_configuration" "enable_config_automatically" {
  provider    = aws.lz_info_sec_account
  auto_enable = true
  depends_on  = [aws_securityhub_organization_admin_account.admin_account_id]
}
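An added example, not code from the thread or from the provider's own documentation, that wires the layout ADobrodey describes to the reporter's two provider aliases (variable names follow the reporter's provider.tf) and adds a plan-time guard that catches the wrong-account mistake before the API returns InvalidAccessException. The `lifecycle` precondition assumes Terraform 1.2 or later; the reporter was on 1.1.0.

```hcl
# Management-account provider: owns the delegation step.
provider "aws" {
  alias  = "management_account"
  region = var.Deployment_Region
  assume_role {
    role_arn = "arn:aws:iam::${var.management_account}:role/${var.Terraform_Role_Name}"
  }
}

# Delegated-admin (audit) account provider: owns org-wide Security Hub settings.
provider "aws" {
  alias  = "audit_account"
  region = var.Deployment_Region
  assume_role {
    role_arn = "arn:aws:iam::${var.Deployment_Account}:role/${var.Terraform_Role_Name}"
  }
}

resource "aws_securityhub_account" "management" {
  provider = aws.management_account
}

# Only the organization management account may call this API.
resource "aws_securityhub_organization_admin_account" "delegated" {
  provider         = aws.management_account
  admin_account_id = var.Deployment_Account
  depends_on       = [aws_securityhub_account.management]
}

# Identity the audit provider actually resolves to after assume_role.
data "aws_caller_identity" "audit" {
  provider = aws.audit_account
}

# Only the delegated administrator may call this API, and only after delegation.
resource "aws_securityhub_organization_configuration" "org" {
  provider    = aws.audit_account
  auto_enable = true
  depends_on  = [aws_securityhub_organization_admin_account.delegated]

  # Plan-time check (Terraform >= 1.2): fail early if the audit provider's
  # credentials do not belong to the account that was delegated above.
  lifecycle {
    precondition {
      condition     = data.aws_caller_identity.audit.account_id == aws_securityhub_organization_admin_account.delegated.admin_account_id
      error_message = "aws.audit_account must resolve to the Security Hub delegated administrator account."
    }
  }
}
```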

justinretzolk commented 1 year ago

Hey @vermamanoj 👋 Were you able to test using the information provided above to see if it resolves your issue?

sunghospark-calm commented 1 year ago

I just encountered this problem. aws_securityhub_organization_admin_account did not work when the Security Hub admin account was not the AWS organization's main account. I could enable the Security Hub organization admin account on a non-main AWS organization account through the console, and the rest of the configuration (aws_securityhub_member and aws_securityhub_finding_aggregator) could be configured through Terraform.

Would be great to do aws_securityhub_organization_admin_account through terraform too though so this bug is still active.

msheldon1982 commented 6 months ago

I have just encountered this same problem

│ Error: updating Security Hub Organization Configuration (): InvalidAccessException: Account * is not an administrator for this organization
│ {
│   RespMetadata: {
│     StatusCode: 401,
│     RequestID: "c3e94889-7aea-4e8d-aaa1-ae101de7231d"
│   },
│   Code: "InvalidAccessException",
│   Message: "Account *** is not an administrator for this organization"
│ }

I was attempting to assign the aws_securityhub_organization_configuration block to a sub-account in the organisation.

burizz commented 1 month ago

@ADobrodey is right. The same works for us. In the organization management account we create the main resources: aws_securityhub_account, and aws_securityhub_organization_admin_account to delegate another account as an administrator of Security Hub. Then, in the other account, we run the rest of the Terraform resources: aws_securityhub_finding_aggregator, aws_securityhub_organization_configuration, aws_securityhub_standards_subscription.

To handle this in a single Terraform module we use account conditionals to be able to call the same module in each account with different functionality, for example:

resource "aws_securityhub_account" "itgix_primary" {
  count = var.enable_security_hub && var.management_account_run ? 1 : 0
}

# Designate a security hub admin account
resource "aws_securityhub_organization_admin_account" "itgix_primary" {
  count            = var.enable_security_hub && var.management_account_run ? 1 : 0
  admin_account_id = var.organization_delegated_admin_account_id

  depends_on = [aws_securityhub_account.itgix_primary]
}

resource "aws_securityhub_finding_aggregator" "itgix_primary" {
  count        = var.enable_security_hub && var.security_account_run ? 1 : 0
  linking_mode = "ALL_REGIONS"
}

# Auto enable security hub in organization member accounts
resource "aws_securityhub_organization_configuration" "itgix_primary" {
  count       = var.enable_security_hub && var.security_account_run ? 1 : 0
  auto_enable = true
}