Skip to content

IAM Role deployed by SRA for Config results in Critical Security Hub Finding #280

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 18 commits into from
Closed

IAM Role deployed by SRA for Config results in Critical Security Hub Finding #280

wants to merge 18 commits into from

Conversation

@boueya
Copy link
Contributor

@boueya boueya commented Jan 9, 2025

Fixes #273

Replacing Config Recorder custom role with service-linked role.
The Config Recorder custom role only had the Config managed policy applied, so I've replaced it in to align with guidance.

By submitting this pull request, I confirm that my contribution is made under the terms of the [Apache 2.0 license].

Apache 2.0 License

@boueya
Copy link
Contributor Author

boueya commented Jan 9, 2025

Note: The first commit can largely be ignored.
I wanted to try deploying the service-linked role with the SDK in Python because I saw the approached used in the config_org solution and I wanted to see how it worked.

I ended up opting for just adding it to the CFN instead because it seemed more straight forward for this use case.

@IevIe IevIe self-requested a review January 13, 2025 21:33
boueya and others added 14 commits January 14, 2025 10:32
@boueya
Test gaurdduty delivery key arn store change.
542af99
@boueya
Adding rGuardDutyDeliveryKMSKeyStackSet dependency to rGuardDutyDeliv…
4793084 
…eryKMSKeyStackSet
@boueya
Resolving the delivery key ARN directly in relevant CFNs.
f342cdd
@boueya
Removing CFN params for the delivery key ARN and resolving from SSM d…
eea8691 
…irectly
@boueya
Removing pSRASecretsKeyAliasArn parameter. Not used in CFN template
e756e73
@boueya
Fixing Tag CFN resource formatting.
95f66f9
@boueya
Adding retention to the delivery key SSM parameter.
6b23d5f
@boueya
Updating deployment target.
e47621d
@boueya
Updating SSM param ARN.
4b6abae
@boueya
Reintroducing the KMS_KEY_ARN CFN param.
4b6dbc1
@boueya
Adding rGuardDutyDeliveryKMSKeyStackSet output
2d2e918
@boueya
Adding checkov scanner exceptions.
a01e870
Merge remote-tracking branch 'upstream/main'
c7564c7
@cyphronix
Merge branch 'main' into configRole
8f41ba6
@boueya boueya closed this Jan 21, 2025
@boueya boueya deleted the configRole branch January 22, 2025 00:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@IevIe IevIe Awaiting requested review from IevIe

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[BUG] Usage of IAM Role deployed by SRA for Config results in Critical Security Hub Finding

2 participants

@boueya @cyphronix