Open jesus-vc opened 1 year ago
Interested to hear if any progress has been made with this.
I find that when I use aws_inspector2_delegated_admin_account, it is in fact regional.
I've delegated to my security account with the region set to us-east-1, and when I associate accounts and enable Inspector in them (within us-east-1) it works fine.
But if I change region and try to associate the same accounts / enable Inspector for eu-west-2, I get an Access Denied error:
An error occurred (AccessDeniedException) when calling the AssociateMember operation: Invoking account does not have access to associate member account
It just seems incredibly dumb to have to delegate an admin account per region. Have I missed something obvious here?
@andy-townsend , I'm working on this now. I haven't encountered your error yet.
I wonder if you're getting this error because your Organization's management account has to first delegate your security account as the Inspector delegated admin for each region desired, before your security account can enable Inspector across other Organization member accounts. But I think this is what you were already alluding to.
Happy to collaborate if needed.
@jesus-vc Thanks, that's what I've found when I've tried enabling an account in a new region. I've already raised it with our AWS TAM, as it doesn't seem like a great idea when, with the rest of the services, you delegate the account once per account. Seeing that you can only delegate to a single account, it doesn't make sense to have to do it per region. I'll update if they come back with anything, though.
@andy-townsend is this not the same as various other services which require regional delegation like GuardDuty even when in an Org? The granularity of control is helpful but not always convenient.
Is there an update on this?
Interesting read: https://github.com/aws-samples/inspector2-enablement-with-cli
I also hit "Invoking account does not have access to associate member account" when trying to use one instance of aws_inspector2_enabler with our master billing/org account specified.
Still working through how I can use https://github.com/aws-samples/inspector2-enablement-with-cli to influence what terraform resources I'd need to create/setup respectively.
This got me up and running in the end:
```hcl
# Trusted access: let Inspector (inspector2.amazonaws.com) act inside the Organization.
resource "aws_organizations_organization" "the-org" {
  aws_service_access_principals = [
    # ...
    "inspector2.amazonaws.com",
    # ...
  ]
  feature_set = "ALL"
}

# Enable Inspector on the account that will act as delegated admin.
resource "aws_inspector2_enabler" "the-org" {
  # megaport-billing
  account_ids    = ["account-number-goes-here"]
  resource_types = ["EC2", "ECR", "LAMBDA", "LAMBDA_CODE"]
}

# Register that account as the Inspector delegated admin. The registration is
# regional: it applies to the region of the provider this resource runs under.
resource "aws_inspector2_delegated_admin_account" "megaport-billing" {
  # master billing account or whatever
  account_id = "account-number-goes-here"
}

# Associate every other account in the Organization as an Inspector member.
resource "aws_inspector2_member_association" "all_member_accounts" {
  for_each   = toset(local.all_account_ids_except_master_billing_and_recently_deleted)
  account_id = each.value
}

# Account list referenced above (this data source was not shown in the original
# post); parent_id is a placeholder for the root or OU to enumerate.
data "aws_organizations_organizational_unit_descendant_accounts" "all" {
  parent_id = "r-xxxx" # placeholder
}

locals {
  all_account_ids_except_master_billing_and_recently_deleted = [
    for acct in data.aws_organizations_organizational_unit_descendant_accounts.all.accounts :
    acct.id if !contains(["some-explicit-account-name", "another-explicit-account-name"], acct.name)
  ]
}
```
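The two findings of this thread, that trusted access is an Organizations-level setting done once while Inspector delegation (and everything the delegated admin does afterwards) is per region, fit together in Terraform as follows. This is an added example, not code from the thread or from the provider: the account IDs, the OrganizationAccountAccessRole name and the management/security-account split are assumptions, and the two regions are the ones the thread ran into.

```hcl
# Added example (not from the thread); account IDs, role name and regions are placeholders.
locals {
  security_account_id = "222222222222"                  # delegated admin
  member_account_ids  = ["333333333333", "444444444444"] # existing members
  admin_role_arn      = "arn:aws:iam::${local.security_account_id}:role/OrganizationAccountAccessRole"
}

# Management-account credentials, one alias per region Inspector should cover.
provider "aws" {
  alias  = "mgmt_use1"
  region = "us-east-1"
}
provider "aws" {
  alias  = "mgmt_euw2"
  region = "eu-west-2"
}

# Delegated-admin (security account) credentials for the same regions.
provider "aws" {
  alias  = "sec_use1"
  region = "us-east-1"
  assume_role { role_arn = local.admin_role_arn }
}
provider "aws" {
  alias  = "sec_euw2"
  region = "eu-west-2"
  assume_role { role_arn = local.admin_role_arn }
}

# Trusted access is set once, from the management account; keep any other
# service principals your organization already lists.
resource "aws_organizations_organization" "this" {
  provider                      = aws.mgmt_use1
  feature_set                   = "ALL"
  aws_service_access_principals = ["inspector2.amazonaws.com"]
}

# Delegation is regional: register the same security account in every region.
# A region skipped here is one where the security account is denied AssociateMember.
resource "aws_inspector2_delegated_admin_account" "use1" {
  provider   = aws.mgmt_use1
  account_id = local.security_account_id
  depends_on = [aws_organizations_organization.this]
}
resource "aws_inspector2_delegated_admin_account" "euw2" {
  provider   = aws.mgmt_euw2
  account_id = local.security_account_id
  depends_on = [aws_organizations_organization.this]
}

# Everything below runs as the delegated admin, per region: enable Inspector on itself ...
resource "aws_inspector2_enabler" "use1" {
  provider       = aws.sec_use1
  account_ids    = [local.security_account_id]
  resource_types = ["EC2", "ECR", "LAMBDA", "LAMBDA_CODE"]
  depends_on     = [aws_inspector2_delegated_admin_account.use1]
}
resource "aws_inspector2_enabler" "euw2" {
  provider       = aws.sec_euw2
  account_ids    = [local.security_account_id]
  resource_types = ["EC2", "ECR", "LAMBDA", "LAMBDA_CODE"]
  depends_on     = [aws_inspector2_delegated_admin_account.euw2]
}

# ... auto-enable scanning for accounts that join the organization later ...
resource "aws_inspector2_organization_configuration" "use1" {
  provider = aws.sec_use1
  auto_enable {
    ec2         = true
    ecr         = true
    lambda      = true
    lambda_code = true
  }
  depends_on = [aws_inspector2_enabler.use1]
}
resource "aws_inspector2_organization_configuration" "euw2" {
  provider = aws.sec_euw2
  auto_enable {
    ec2         = true
    ecr         = true
    lambda      = true
    lambda_code = true
  }
  depends_on = [aws_inspector2_enabler.euw2]
}

# ... and associate the members that already exist.
resource "aws_inspector2_member_association" "use1" {
  for_each   = toset(local.member_account_ids)
  provider   = aws.sec_use1
  account_id = each.value
  depends_on = [aws_inspector2_organization_configuration.use1]
}
resource "aws_inspector2_member_association" "euw2" {
  for_each   = toset(local.member_account_ids)
  provider   = aws.sec_euw2
  account_id = each.value
  depends_on = [aws_inspector2_organization_configuration.euw2]
}
```

Terraform cannot iterate over providers, so each region is spelled out; for more regions, move the per-region resources into a module with two provider aliases and call it once per region via `providers = { ... }`. If the organization already exists, import it into `aws_organizations_organization.this` instead of letting Terraform create it. To confirm the result outside Terraform, `aws organizations list-aws-service-access-for-organization` should list inspector2.amazonaws.com, and `aws inspector2 list-delegated-admin-accounts --region eu-west-2` should return the security account in every region you delegated.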
Description
If you can provide insight, I’d greatly appreciate it.
Apologies if this is the wrong place to ask. I'm new to this platform.
I’m looking to use the newly-released Inspector v2 Terraform resources, which include establishing an integration between Inspector and AWS Organizations (Terraform Registry).
When one is integrating a service with AWS Organizations, typically one must enable trusted access between the service (Inspector v2 in this case) and Organizations. When using SDKs/CLI, this would entail “explicitly calling the EnableAWSServiceAccess operation and providing the service principal as a parameter”, according to AWS documentation: Amazon Inspector and AWS Organizations - AWS Organizations
The terraform documentation for three current Inspector v2 resource blocks (aws_inspector2_organization_configuration, aws_inspector2_enabler, and aws_inspector2_delegated_admin_account) isn’t clear on how trusted access is established. Does anyone know if one of these blocks establishes trusted access on the backend or if we have to do it manually over CLI/AWS console?
Thank you very much!
References
@YakDriver , cc'ing you as it seems you're the key author of the Inspector v2 terraform resource. Would appreciate your help!
Would you like to implement a fix?
No