FAQ
Q: Error: error disabling security hub control
Error: error disabling security hub control arn:aws:securityhub:us-west-2:267314709865:control/aws-foundational-security-best-practices/v/1.0.0/EC2.17: InvalidAccessException: Account 267314709865 is not subscribed to AWS Security Hub
│ {
│ RespMetadata: {
│ StatusCode: 401,
│ RequestID: "53bc6538-18ff-4df0-9c14-57afe7b1d1a0"
│ },
│ Code_: "InvalidAccessException",
│ Message_: "Account 267314709865 is not subscribed to AWS Security Hub"
│ }
│
│ with awsutils_security_hub_control_disablement.ec2_multiple_enis[0],
│ on main.tf line 138, in resource "awsutils_security_hub_control_disablement" "ec2_multiple_enis":
│ 138: resource "awsutils_security_hub_control_disablement" "ec2_multiple_enis" {
A: None of the commands in the final step have been run. Check the commands and run them again.
Q: Deploying compliance to security fails on Step 1
│ Error: error designating security hub administrator account members: BadRequestException:
│ status code: 400, request id: 7279a38b-7bff-48b5-834c-f8e3ab0d4bf7
│
│ with awsutils_security_hub_organization_settings.this[0],
│ on main.tf line 72, in resource "awsutils_security_hub_organization_settings" "this":
│ 72: resource "awsutils_security_hub_organization_settings" "this" {
or
│ Error: error updating security hub administrator account settings: InvalidAccessException: Account 174772947570 is not an administrator for this organization
│ {
│ RespMetadata: {
│ StatusCode: 401,
│ RequestID: "335a2c87-c5bf-4006-9017-50a4428fcc30"
│ },
│ Code_: "InvalidAccessException",
│ Message_: "Account 174772947570 is not an administrator for this organization"
│ }
A: Re-deploy with the correct input vars set to false, then deploy compliance-root, then re-deploy with the same input vars set to true, and it should work.
Q: Deploying compliance to security fails on Step 3 designating guardduty administrator account members
│ Error: error designating guardduty administrator account members: BadRequestException: The request is rejected because the input detectorId is not owned by the current account.
│ {
│ RespMetadata: {
│ StatusCode: 400,
│ RequestID: "e8d39bc9-2f1f-4d95-8283-6193facba4d3"
│ },
│ Message_: "The request is rejected because the input detectorId is not owned by the current account.",
│ Type: "InvalidInputException"
│ }
A: This error may not be related to GuardDuty delegation, but rather to the awsutils provider configuration: the awsutils provider must resolve to the same account and role as the aws provider, otherwise the detector ID is submitted from an account that does not own it. For example:

provider "awsutils" {
  region = var.region

  # Profile-based auth: use the import profile if given, otherwise the Terraform profile
  profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null

  # Role-based auth: only emitted when profiles are disabled, mirroring the aws provider
  dynamic "assume_role" {
    for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
    content {
      role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
    }
  }
}
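The three errors above (account not subscribed, account not the organization administrator, detector not owned by the current account) can all be caught before terraform apply by querying the account the credentials actually resolve to. The pre-flight check below is an added example, not code from the component or its docs. It uses the real boto3 calls DescribeHub, DescribeOrganizationConfiguration, ListDetectors and GetCallerIdentity, but the clients are passed in as parameters so the fakes at the bottom can exercise it offline; the account IDs, detector IDs and fake classes are constructed for the demo. In real use you would build a session from the same profile or assumed role the awsutils provider uses and call run_preflight(boto3.client("sts"), boto3.client("securityhub"), boto3.client("guardduty"), detector_id).

```python
from dataclasses import dataclass, field


def _error_code(exc):
    """AWS error code from a botocore ClientError-shaped exception (or the fake below)."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")


@dataclass
class PreflightReport:
    account_id: str  # account the awsutils provider credentials actually resolve to
    hub_enabled: bool = False
    is_org_admin: bool = False
    problems: list = field(default_factory=list)


def check_hub_subscribed(securityhub, report):
    """FAQ 1: DescribeHub raises InvalidAccessException when the account is not subscribed."""
    try:
        securityhub.describe_hub()
        report.hub_enabled = True
    except Exception as exc:
        if _error_code(exc) != "InvalidAccessException":
            raise
        report.problems.append(f"account {report.account_id} is not subscribed to Security Hub; "
                               "run the enablement commands from the final step before disabling controls")


def check_delegated_admin(securityhub, report):
    """FAQ 2: DescribeOrganizationConfiguration only succeeds in the delegated administrator account."""
    if not report.hub_enabled:
        return  # nothing to check until the hub exists
    try:
        securityhub.describe_organization_configuration()
        report.is_org_admin = True
    except Exception as exc:
        if _error_code(exc) not in ("InvalidAccessException", "AccessDeniedException"):
            raise
        report.problems.append(f"account {report.account_id} is not the Security Hub administrator for this "
                               "organization; deploy compliance-root first, then re-apply with the org vars true")


def check_detector_owner(guardduty, detector_id, report):
    """FAQ 3: the detector ID Terraform passes must belong to the account the awsutils provider uses."""
    owned = list(guardduty.list_detectors().get("DetectorIds", []))
    if detector_id not in owned:
        report.problems.append(f"detector {detector_id} is not owned by account {report.account_id}; "
                               "the awsutils provider is likely assuming a different role than the aws provider")


def run_preflight(sts, securityhub, guardduty, detector_id):
    """Run the three checks with boto3 clients (or the fakes below) and return the report."""
    report = PreflightReport(account_id=sts.get_caller_identity()["Account"])
    check_hub_subscribed(securityhub, report)
    check_delegated_admin(securityhub, report)
    check_detector_owner(guardduty, detector_id, report)
    return report


# Constructed fakes (not boto3) so the checks run offline; they mimic only the calls used above.
class FakeAwsError(Exception):
    """Same shape as botocore.exceptions.ClientError: the error code lives in .response."""
    def __init__(self, code, message):
        super().__init__(message)
        self.response = {"Error": {"Code": code, "Message": message}}


class FakeSts:
    def __init__(self, account_id): self.account_id = account_id
    def get_caller_identity(self): return {"Account": self.account_id}


class FakeGuardDuty:
    def __init__(self, detector_ids): self.detector_ids = detector_ids
    def list_detectors(self): return {"DetectorIds": list(self.detector_ids)}


class FakeSecurityHub:
    def __init__(self, account_id, enabled, org_admin):
        self.account_id, self.enabled, self.org_admin = account_id, enabled, org_admin

    def describe_hub(self):
        if not self.enabled:
            raise FakeAwsError("InvalidAccessException", f"Account {self.account_id} is not subscribed to AWS Security Hub")
        return {"HubArn": f"arn:aws:securityhub:us-west-2:{self.account_id}:hub/default"}

    def describe_organization_configuration(self):
        if not self.org_admin:
            raise FakeAwsError("InvalidAccessException", f"Account {self.account_id} is not an administrator for this organization")
        return {"AutoEnable": True}


def demo_not_yet_delegated():
    """Constructed scenario: hub enabled, delegation not done yet, detector ID from another account."""
    hub = FakeSecurityHub("111111111111", enabled=True, org_admin=False)
    return run_preflight(FakeSts("111111111111"), hub, FakeGuardDuty(["12abc34d567e8fa901bc2d34e56789f0"]),
                         detector_id="00000000000000000000000000000000")
```

The demo scenario reports two problems (not yet the organization administrator, and a detector ID the current account does not own) and no subscription problem, which is exactly the combination that produces the Step 1 and Step 3 errors above. Running it in the security account with real clients before apply tells you which of the FAQ answers applies, instead of reading it out of a Terraform diagnostic after the fact.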
Q: Deploying compliance to security fails on Step 3 designating security hub administrator account members
│ Error: error designating security hub administrator account members: [{
│ AccountId: "1234567890",
│ ProcessingResult: "Operation failed because your organization master must first enable SecurityHub to be added as a member"
│ }]
A: Security Hub must be enabled for the Organization. Typically this is done with the account component by adding securityhub.amazonaws.com to aws_service_access_principals. Alternatively, it can be enabled manually: open the AWS console for the root account of the given Organization, go to Security Hub in the appropriate region, and click “Enable Security Hub” under “AWS Integrations”.
Q: Blank spaces are not acceptable for input parameter: policyARN
│ Error: Error creating AWSConfig rule: Failed to create AWSConfig rule: InvalidParameterValueException: Blank spaces are not acceptable for input parameter: policyARN.
│
│ with module.aws_config.aws_config_config_rule.rules["iam-policy-in-use"],
│ on .terraform-mdev/modules/aws_config/main.tf line 42, in resource "aws_config_config_rule" "rules":
│ 42: resource "aws_config_config_rule" "rules" {
A: The support role may not be deployed into the given account. Check aws-team-roles for the support role.