modernisation-platform
Investigate SecurityHub policy that results in AccessDenied for config:GetComplianceDetailsByConfigRule
AWS SecurityHub is enabled via the modernisation-platform-terraform-baselines Terraform module. It uses the AWSServiceRoleForSecurityHub service-linked role. It integrates with AWS Config to configure a standard set of rules.
When SecurityHub assumes the service-linked role, and tries to perform config:GetComplianceDetailsByConfigRule
on its own standard set of rules, the resource throws an AccessDenied error. This only happens on the SecurityHub-created rules, not any that are configured manually.
The error it throws is:
User: arn:aws:sts::${accountId}:assumed-role/AWSServiceRoleForSecurityHub/securityhub is not authorized to perform: config:GetComplianceDetailsByConfigRule on resource: securityhub-${rule-name}
This full error stack is viewable in CloudWatch Logs if you search for AccessDenied.
I have a similar issue; it started in the last week or so, out of nowhere. Is there a fix for this?
I ran into the same error/symptom; the solution was to enable Config in the affected region. The region was specified in the CloudWatch Log error.
Config - like GuardDuty and SecurityHub - is Region based.
Note - I came to this error via CloudFormation not the Terraform module. In multiple accounts I turned on GuardDuty/SecurityHub but didn't turn on Config and got this error. Errors disappeared after turning on Config.
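An added triage helper (written for this page, not code from the modernisation-platform repo or the Terraform module) that ties the error quoted in the issue to the fix given in the comment above. It parses the AccessDenied message format from CloudWatch Logs, confirms the denied resource is a SecurityHub-created Config rule (the `securityhub-` prefix), and, given per-region state, lists the regions where SecurityHub is on but Config is not recording. The sample log line and the account ID, rule suffix and region map in it are constructed. `collect_region_state` is the only part that talks to AWS; it assumes a boto3 session with credentials and uses the real `securityhub.describe_hub`, `config.describe_configuration_recorder_status` calls, and is not exercised offline.

```python
"""Triage the SecurityHub -> AWS Config AccessDenied from CloudWatch Logs."""
import re
from typing import Dict, List, Optional

# Shape of the IAM AccessDenied message quoted in the issue:
# "User: arn:aws:sts::<acct>:assumed-role/<role>/<session> is not authorized
#  to perform: <action> on resource: <resource>"
_ACCESS_DENIED_RE = re.compile(
    r"User: arn:aws:sts::(?P<account>\d{12}):assumed-role/"
    r"(?P<role>[^/\s]+)/(?P<session>\S+) "
    r"is not authorized to perform: (?P<action>\S+) on resource: (?P<resource>\S+)"
)

# Constructed sample log line (not taken from the page): the account ID and the
# rule-name suffix are made up to look like a real SecurityHub-created rule.
SAMPLE_LOG_LINE = (
    "User: arn:aws:sts::123456789012:assumed-role/AWSServiceRoleForSecurityHub/securityhub "
    "is not authorized to perform: config:GetComplianceDetailsByConfigRule "
    "on resource: securityhub-cloud-trail-enabled-a1b2c3d4"
)


def parse_access_denied(line: str) -> Optional[Dict[str, str]]:
    """Return account/role/session/action/resource from an AccessDenied line, or None."""
    m = _ACCESS_DENIED_RE.search(line)
    return m.groupdict() if m else None


def is_securityhub_managed_rule(resource: str) -> bool:
    """SecurityHub-created Config rules are named 'securityhub-<rule>'; manual rules are not."""
    return resource.startswith("securityhub-")


def is_securityhub_config_denial(line: str) -> bool:
    """True when the line is the SecurityHub service-linked role being denied on its own Config rule."""
    parsed = parse_access_denied(line)
    if not parsed:
        return False
    return (
        parsed["role"] == "AWSServiceRoleForSecurityHub"
        and parsed["action"].startswith("config:")
        and is_securityhub_managed_rule(parsed["resource"])
    )


def regions_missing_config(state: Dict[str, Dict[str, bool]]) -> List[str]:
    """Regions where SecurityHub is enabled but no Config recorder is recording.

    state maps region -> {"securityhub": bool, "config_recording": bool}.
    Config, like SecurityHub, is regional, so the fix is per region.
    """
    return sorted(
        region for region, s in state.items()
        if s.get("securityhub") and not s.get("config_recording")
    )


def collect_region_state(session, regions: List[str]) -> Dict[str, Dict[str, bool]]:
    """Build the state map for regions_missing_config from a live account.

    Assumption: `session` is a boto3.Session with credentials that may call
    securityhub:DescribeHub and config:DescribeConfigurationRecorderStatus.
    """
    from botocore.exceptions import ClientError  # imported lazily; offline use needs no boto3

    state: Dict[str, Dict[str, bool]] = {}
    for region in regions:
        hub = session.client("securityhub", region_name=region)
        try:
            hub.describe_hub()           # raises when SecurityHub is not enabled in this region
            hub_enabled = True
        except ClientError:
            hub_enabled = False
        cfg = session.client("config", region_name=region)
        statuses = cfg.describe_configuration_recorder_status()["ConfigurationRecordersStatus"]
        recording = any(s.get("recording", False) for s in statuses)  # [] when no recorder exists
        state[region] = {"securityhub": hub_enabled, "config_recording": recording}
    return state


if __name__ == "__main__":
    print(parse_access_denied(SAMPLE_LOG_LINE))
    # Constructed per-region state standing in for collect_region_state() output.
    demo_state = {
        "eu-west-2": {"securityhub": True, "config_recording": False},
        "eu-west-1": {"securityhub": True, "config_recording": True},
        "us-east-1": {"securityhub": False, "config_recording": False},
    }
    print("enable AWS Config in:", regions_missing_config(demo_state))
```

To use it against an account, pass `boto3.Session()` and the list of regions where the baseline enables SecurityHub to `collect_region_state`, then feed the result to `regions_missing_config`; each region it returns is one where turning on Config should clear the error, matching the comment above.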
I found this issue when looking for a solution and assume others will as well.
I can see evidence of this check succeeding, but no evidence of it failing. As mentioned by @bellbrothers, there's a six-month-old AWS document that references the need for AWS Config here: https://aws.amazon.com/premiumsupport/knowledge-center/config-error-security-hub/