automated-security-response-on-aws

Service-managed StackSet deployment (Step 3 option 2) missing parameter

Open k4n30 opened this issue 3 years ago • 2 comments

Describe the bug

Service-managed StackSet deployment (step 3 option 2) doesn't ask for 'LogGroup Configuration' like step 3 option 1 does.

To Reproduce

Follow the steps for automated StackSet deployment (https://docs.aws.amazon.com/solutions/latest/aws-security-hub-automated-response-and-remediation/deployment-stackset.html). Make sure the service-managed StackSet option (option 2) is chosen for step 3.

Expected behavior

Either the template deployment would ask for the LogGroup Configuration (like is asked in step 3, option 1), or the Systems Manager – Parameter Store parameter could be modified after deployment (but it is not set).

Please complete the following information about the solution:

  • [x] Version: v1.4.1

To get the version of the solution, you can look at the description of the created CloudFormation stack. For example, "(SO0111) AWS Security Hub Automated Response & Remediation Administrator Stack, v1.4.0". You can also find the version from releases.

  • [x] Region: ap-southeast-2
  • [x] Was the solution modified from the version published on this repository? No
  • [x] If the answer to the previous question was yes, are the changes available on GitHub?
  • [x] Have you checked your service quotas for the services this solution uses? n/a
  • [x] Were there any errors in the CloudWatch Logs? Troubleshooting n/a

Screenshots

Don't think a "lack of a parameter" screenshot is going to help

Additional context

n/a

k4n30 Jan 19 '22 04:01

I'm facing the same issue. In the same scenario outlined above, there are additional resources that are deployed as part of aws-sharr-member.template that are not included in aws-sharr-remediations.template.

The resources are:

  • SSMParameterLogGroupName
  • SHARRKeyAlias
  • SHARRRemediationKeyAlias
  • SHARRRemediationKey

If you follow the guide for Service-managed StackSet deployment (step 3 option 2), these resources don't get deployed.

Suggested fix would be to include these resources in aws-sharr-remediations.template when building the solution. aws-sharr-member.template would then only include the nested stacks.

borrell Jan 21 '22 18:01
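
The gap described in the comment above can be checked before a StackSet deployment by comparing what the parent template creates itself with what the directly deployed template contains. This is an added example, not part of the thread or the solution's code: both templates are constructed stand-ins, only the four logical IDs come from the thread, and the resource types and the other logical IDs are assumptions.

```python
import json

NESTED_STACK = "AWS::CloudFormation::Stack"

# Constructed stand-ins for the two templates named in the thread. Only the four
# logical IDs come from the thread; resource types and other entries are assumed.
MEMBER_TEMPLATE = json.dumps({
    "Resources": {
        "SSMParameterLogGroupName": {"Type": "AWS::SSM::Parameter"},
        "SHARRKeyAlias": {"Type": "AWS::KMS::Alias"},
        "SHARRRemediationKeyAlias": {"Type": "AWS::KMS::Alias"},
        "SHARRRemediationKey": {"Type": "AWS::KMS::Key"},
        "RemediationsNestedStack": {"Type": NESTED_STACK},  # hypothetical ID
    }
})
REMEDIATIONS_TEMPLATE = json.dumps({
    "Resources": {
        "ExampleRemediationRole": {"Type": "AWS::IAM::Role"},  # hypothetical ID
    }
})


def direct_resources(template_text):
    """Map logical ID -> type for resources a template creates itself,
    skipping nested stacks, whose contents live in a child template."""
    resources = json.loads(template_text).get("Resources", {})
    return {lid: body.get("Type", "<no Type>")
            for lid, body in resources.items()
            if body.get("Type") != NESTED_STACK}


def missing_when_deployed_directly(parent_text, child_text):
    """Resources the parent creates that are lost if only the child is deployed."""
    parent = direct_resources(parent_text)
    child = direct_resources(child_text)
    return {lid: rtype for lid, rtype in parent.items() if lid not in child}


if __name__ == "__main__":
    gap = missing_when_deployed_directly(MEMBER_TEMPLATE, REMEDIATIONS_TEMPLATE)
    for lid, rtype in sorted(gap.items()):
        print(f"{rtype:22} {lid}")
```
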

@borrell @k4n30 We are reviewing this scenario and have updated the documentation to withdraw the steps provided for deploying the solution using service-managed StackSets. We will resolve this issue in the next release for the solution.

gockle Jan 31 '22 15:01

This was updated in our v1.4.2 documentation.

gsingh04 Oct 12 '22 15:10