
Solution fails [StepFunctions.1] Security Hub control

Open steve-g-nz opened this issue 1 year ago • 3 comments

The template as currently provided fails the StepFunctions.1 Security Hub control.

Please update the custom-control-tower-initiation.template to include the following:

  • a CloudWatch log group resource
  • execution role updated to include relevant logs IAM policies
  • LoggingConfiguration property added to the two StepFunction StateMachine resources

Additional context: StepFunctions.1

steve-g-nz, Feb 08 '24 03:02
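For reference, the three changes the issue asks for, shown as a CloudFormation fragment. This is an added example written for this thread, not code from the aws-control-tower-customizations project or from the issue author; the logical IDs (`StateMachineLogGroup`, `StateMachineExecutionRole`, `CustomControlTowerStateMachine`), the log group name and the retention period are assumptions, and the `DefinitionString` is a placeholder for the project's real state machine definition. The weak form (no `LoggingConfiguration`) is shown beside the corrected one so the difference the control checks is visible.

```yaml
Resources:
  # 1. A CloudWatch log group to receive state machine history events.
  #    The /aws/vendedlogs/ prefix is the AWS-recommended location for
  #    Step Functions logs; it keeps the CloudWatch Logs resource policy small.
  StateMachineLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub /aws/vendedlogs/states/${AWS::StackName}-state-machine   # assumed name
      RetentionInDays: 90                                                         # assumed value

  # 2. Execution role with the CloudWatch Logs delivery permissions Step
  #    Functions needs. Merge this statement into the template's existing role;
  #    the other statements (Lambda invoke, etc.) are omitted here.
  StateMachineExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: states.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: StateMachineCloudWatchLogs
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogDelivery
                  - logs:GetLogDelivery
                  - logs:UpdateLogDelivery
                  - logs:DeleteLogDelivery
                  - logs:ListLogDeliveries
                  - logs:PutLogEvents
                  - logs:PutResourcePolicy
                  - logs:DescribeResourcePolicies
                  - logs:DescribeLogGroups
                # The log-delivery actions do not support resource-level
                # permissions, so "*" is required here.
                Resource: "*"

  # Before: no LoggingConfiguration, so the state machine's logging level is
  # OFF and StepFunctions.1 reports FAILED for it.
  #
  #   CustomControlTowerStateMachine:
  #     Type: AWS::StepFunctions::StateMachine
  #     Properties:
  #       RoleArn: !GetAtt StateMachineExecutionRole.Arn
  #       DefinitionString: "<state machine definition>"

  # 3. After: LoggingConfiguration added. Apply the same property to both
  #    StateMachine resources in custom-control-tower-initiation.template.
  CustomControlTowerStateMachine:
    Type: AWS::StepFunctions::StateMachine
    Properties:
      RoleArn: !GetAtt StateMachineExecutionRole.Arn
      DefinitionString: "<state machine definition>"   # placeholder
      LoggingConfiguration:
        Level: ALL
        IncludeExecutionData: true
        Destinations:
          - CloudWatchLogsLogGroup:
              LogGroupArn: !GetAtt StateMachineLogGroup.Arn
```

By default the control only requires that the logging level is not `OFF`, so `ERROR` or `FATAL` also pass; `ALL` with `IncludeExecutionData: true` records every state's input and output, which is the most useful for investigation but also lands any secrets passed through the state machine in CloudWatch Logs, so choose the level to match what the workflow carries. After deploying, `aws stepfunctions describe-state-machine --state-machine-arn <arn> --query loggingConfiguration` shows the effective setting, and the Security Hub finding for StepFunctions.1 should move to PASSED on the next evaluation.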

@steve-g-nz thank you for reaching out. Please may you provide more context on:

  • What you are trying to do and what issue you are facing.
  • Steps to reproduce the issue you are facing.

snebhu3, Feb 08 '24 17:02

@snebhu3 the template as documented deploys step functions that fail the Security Hub control StepFunctions.1, which is part of the AWS Foundational Security Best Practices v1.0.0 standard. To prevent the control from failing, the template would need to include logging for the state machines, which would require the addition of a CloudWatch log group and adding the relevant IAM permissions to the execution role.

steve-g-nz, Feb 08 '24 20:02

Thank you for the additional context. I have created an internal backlog to address this.

snebhu3, Feb 08 '24 22:02