From 0b7c110046c1eec67ee7e6973d769951a0fc4fda Mon Sep 17 00:00:00 2001 From: Marcel de Vroed Date: Thu, 27 Jun 2024 07:01:04 +0200 Subject: [PATCH 1/3] Fix: for passing the Control.1 Security Hub control on the core-management account See: https://docs.aws.amazon.com/securityhub/latest/userguide/controls-change-log.html The Control.1 control now also checks if the AWS Config service-linked role is used. Create and use the AWSServiceRoleForConfig instead of the custom LandingZone-ConfigRecorderRole --- CHANGELOG.md | 4 ++-- config.tf | 17 +++-------------- 2 files changed, 5 insertions(+), 16 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a1ddf25..1443052 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -653,9 +653,9 @@ ENHANCEMENTS BUG FIXES - Add `endpoint_auto_confirms` variable to the AWS Config SNS topic ([#62](https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/pull/62)) ([#64](https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/pull/64)) -- +- - Modify accountID of the AWS Config SNS topic ([#65](https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/pull/65)) -- +- ## v0.4.4 - 2021-01-05 diff --git a/config.tf b/config.tf index 8978e38..8ad0cc8 100644 --- a/config.tf +++ b/config.tf 
@@ -39,24 +39,13 @@ resource "aws_config_aggregate_authorization" "master_to_audit" {
 tags = var.tags
 }
 
-resource "aws_iam_role" "config_recorder" {
- name = "LandingZone-ConfigRecorderRole"
- path = var.path
- tags = var.tags
-
- assume_role_policy = templatefile("${path.module}/files/iam/service_assume_role.json.tpl", {
- service = "config.amazonaws.com"
- })
-}
-
-resource "aws_iam_role_policy_attachment" "config_recorder_config_role" {
- role = aws_iam_role.config_recorder.name
- policy_arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
+resource "aws_iam_service_linked_role" "config" {
+ aws_service_name = "config.amazonaws.com"
 }
 
 resource "aws_config_configuration_recorder" "default" {
 name = "default"
- role_arn = aws_iam_role.config_recorder.arn
+ role_arn = aws_iam_service_linked_role.config.arn
 
 recording_group {
 all_supported = true

From 4bd4e64af5af51c8231e3a83dbedc1b061471805 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Thu, 27 Jun 2024 05:06:57 +0000
Subject: [PATCH 2/3] docs(readme): update module usage

---
 README.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 64f81c4..60ca0cd 100644
--- a/README.md
+++ b/README.md
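Review bot: `aws_iam_service_linked_role.config` can exist only once per account, so on a core-management account where `AWSServiceRoleForConfig` is already present (AWS creates it when Config is enabled outside this module) the first apply after this change fails on create instead of adopting the role; the upgrade path needs an import step, and the CHANGELOG entry should state that, together with the fact that the custom `LandingZone-ConfigRecorderRole` and its `AWS_ConfigRole` attachment are destroyed on apply. The new resource also drops `tags = var.tags` although `aws_iam_service_linked_role` accepts `tags`; adding `tags             = var.tags` below `aws_service_name` keeps the module's tagging consistent with its other IAM resources. The `files/iam/service_assume_role.json.tpl` template referenced by the removed role stays in the module; whether anything else still uses it is not visible from this hunk. The `aws_config_configuration_recorder.default` block continues past the end of the hunk.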
@@ -487,10 +487,9 @@ module "landing_zone" {
 | [aws_iam_account_password_policy.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy) | resource |
 | [aws_iam_account_password_policy.logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy) | resource |
 | [aws_iam_account_password_policy.master](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy) | resource |
-| [aws_iam_role.config_recorder](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.sns_feedback](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy.sns_feedback_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
-| [aws_iam_role_policy_attachment.config_recorder_config_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_service_linked_role.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_service_linked_role) | resource |
 | [aws_inspector2_delegated_admin_account.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/inspector2_delegated_admin_account) | resource |
 | [aws_inspector2_enabler.audit_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/inspector2_enabler) | resource |
 | [aws_inspector2_enabler.member_accounts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/inspector2_enabler) | resource |

From 6f406255b906d67c669a460d5e0387974e346df9 Mon Sep 17 00:00:00 2001
From: Marcel de Vroed <104191477+marceldevroed@users.noreply.github.com> Date: Fri, 28 Jun 2024 18:19:03 +0200 Subject: [PATCH 3/3] Update CHANGELOG.md (clean up) --- CHANGELOG.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1443052..6f13fc5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -653,9 +653,7 @@ ENHANCEMENTS BUG FIXES - Add `endpoint_auto_confirms` variable to the AWS Config SNS topic ([#62](https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/pull/62)) ([#64](https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/pull/64)) -- - Modify accountID of the AWS Config SNS topic ([#65](https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/pull/65)) -- ## v0.4.4 - 2021-01-05