
aws-solutions / automated-security-response-on-aws


Automated Security Response on AWS is an add-on solution that works with AWS Security Hub to provide a ready-to-deploy architecture and a library of automated playbooks. The solution makes it easier for AWS Security Hub customers to resolve common security findings and to improve their security posture in AWS.

Home Page: https://aws.amazon.com/solutions/implementations/aws-security-hub-automated-response-and-remediation/

License: Apache License 2.0

Languages: Shell 1.32%, JavaScript 2.49%, Python 53.83%, TypeScript 42.35%
Topics: aws, aws-security-automation, aws-security-hub

Contributors: aaronschuetter, aijunpeng, amazon-auto, aws-solutions-github-bot, dscpinheiro, groverlalit, gsingh04, hayesry, hearde, jangidms, maykays, mobri2a, tbelmega, tmekari


automated-security-response-on-aws's Issues

Not able to build with the given dependencies at the moment. Please add package-lock.json to the repo for dependency resolution.

Currently it's not possible to build using the script (./build-s3-dist.sh) as npm breaks with the following:
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR!
npm ERR! Found: [email protected]
npm ERR! node_modules/jest
npm ERR! dev jest@"^25.5.4" from the root project
npm ERR! peer jest@">=25 <26" from [email protected]
npm ERR! node_modules/ts-jest
npm ERR! ts-jest@"^25.4.0" from the root project
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peer jest@"^26.4.2" from @aws-cdk/[email protected]
npm ERR! node_modules/@aws-cdk/assert
npm ERR! dev @aws-cdk/assert@"1.68.0" from the root project
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.

CF deployments from custom buckets failed for aws-sharr-deploy.template .

I had built the code from a clone and uploaded the templates to my account's buckets, but the CFN deployment for aws-sharr-deploy.template fails. It seems the template refers to a specific bucket, not the bucket where my code/template exists.
Here is the code snippet from the template which seems to be accessed:

PlaybookServiceCatalog:
  Type: AWS::CloudFormation::Stack
  Properties:
    TemplateURL:
      Fn::Join:
        - ""
        - - https://
          - Fn::FindInMap:
              - SourceCode
              - General
              - S3Bucket
          - -reference.s3.amazonaws.com/
          - Fn::FindInMap:
              - SourceCode
              - General
              - KeyPrefix
          - /aws-sharr-portolio-deploy.template
    Parameters:
      CreateCustomActionArn:
        Fn::GetAtt:
          - CreateCustomActionE7A973F5
          - Arn
  Metadata:
    aws:cdk:path: SolutionDeployStack/PlaybookServiceCatalog
  Condition: UseServiceCatalog
Conditions:
  UseServiceCatalog:
    Fn::Not:
      - Fn::Equals:
          - Ref: AWS::Partition
          - aws-cn
Error:
Screenshot 2021-04-20 at 12 02 35

CIS 3.x CloudWatch Alarm Notifications Not Working as Expected

Describe the bug

Alerts are not being sent out from CloudWatch after setting up a subscription to the topic SO0111-SHARR-LocalAlarmNotification.

To Reproduce

  • Deploy the latest 1.3.1 version of the aws-security-hub-automated-response-and-remediation project
  • Perform the CIS 3.x remediations to have a metric filter and alarm setup within CloudWatch
  • Add a subscription to the SO0111-SHARR-LocalAlarmNotification SNS topic
  • Adjust the SHARR_Alarm_CIS_1_2_Finding_3_2_ConsoleSigninWithoutMFA CloudWatch alarm so that the "Datapoints to alarm" is set to "1 out of 1" instead of "240" (This will make the alarm trigger after first event instead of needing 240)
  • Log out of account and then back in and navigate to CloudWatch and see the alarm state for consolelogin.
  • The alarm state should be "In alarm" however no notification is received. If you click on the "History" tab within the alarm you should see an error: "Failed to execute action arn:aws:sns:us-east-1:xxxxxxxxx:SO0111-SHARR-LocalAlarmNotification. Received error: "Resource: arn:aws:cloudwatch:us-east-1:xxxxxxxxx:alarm:SHARR_Alarm_CIS_1_2_Finding_3_2_ConsoleSigninWithoutMFA is not authorized to perform: SNS:Publish on resource: arn:aws:sns:us-east-1:xxxxxxxxx:SO0111-SHARR-LocalAlarmNotification because no resource-based policy allows the SNS:Publish action"
  • Navigate to SNS and edit the SO0111-SHARR-LocalAlarmNotification topic's access to policy. Change the services included in the access policy to include "cloudwatch.amazonaws.com"
  • After a new alarm is triggered, you should now see an error in the CloudWatch alarm about access denied to the KMS key: "Failed to execute action arn:aws:sns:us-east-1:xxxxxx:SO0111-SHARR-LocalAlarmNotification. Received error: "null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: xxxxxxx; Proxy: null)"
  • Navigate to KMS and modify the key policy for the SO0111-SHARR-Remediation-Key. Add "cloudwatch.amazonaws.com" to list of services in the key policy.
  • You should now see a successful notification once the alarm is triggered.

Expected behavior

  • I would expect a notification to be sent and received by the subscription on the SO0111-SHARR-LocalAlarmNotification SNS topic once an alarm in CloudWatch is in the alarm state.

  • Version: 1.3.1

  • Region: us-east-1

  • Was the solution modified from the version published on this repository? No

  • Have you checked your service quotas for the services this solution uses? Yes

  • Were there any errors in the CloudWatch Logs? Yes, included in screenshots

Screenshots
Screen Shot 2021-11-02 at 2 27 42 PM

Error when triggering CIS 1.4 remediation with '@' character in username

Describe the bug

When CIS 1.4 remediation is triggered on an IAM principal with the '@' character in the username, I get the following error:

Traceback (most recent call last):
  File "/tmp/e0034708-8dff-4cd9-841c-d31ea816b4c6-2022-03-29-11-18-35/customer_script.py", line 97, in unrotated_key_handler
    user_name = get_user_name(event.get("IAMResourceId"))
  File "/tmp/e0034708-8dff-4cd9-841c-d31ea816b4c6-2022-03-29-11-18-35/customer_script.py", line 46, in get_user_name
    resource_name = list_discovered_resources_response.get("resourceIdentifiers")[0].get("resourceName")
IndexError: list index out of range

IndexError - list index out of range

To Reproduce

  1. Create a user with a username containing the '@' character
  2. Trigger CIS 1.4 remediation

Expected behavior

The remediation should work without errors.

Please complete the following information about the solution:

  • Version: v1.4.2
  • Region: eu-west-1
  • Was the solution modified from the version published on this repository? No

ERROR: CIS 1.4 remediation fails and does not remediate.

Describe the bug

When the automatic remediation is executed, the following error is output and it is not repaired.
What's wrong with the document "SHARR-CIS_1.2.0_1.4" or "SHARR-RevokeUnrotatedKeys"?

Error messages:

Traceback (most recent call last):
  File "/tmp/6ce44d50-6967-4b73-a949-5019b5ab9ee4-2022-05-21-20-08-25/customer_script.py", line 97, in unrotated_key_handler
    user_name = get_user_name(event.get("IAMResourceId"))
  File "/tmp/6ce44d50-6967-4b73-a949-5019b5ab9ee4-2022-05-21-20-08-25/customer_script.py", line 46, in get_user_name
    resource_name = list_discovered_resources_response.get("resourceIdentifiers")[0].get("resourceName")
IndexError: list index out of range

IndexError - list index out of range

The metric filter created in "CIS.3.1" is incorrect.

The automatic remediation "CIS.3.1" creates a metric filter as shown below.
image

The metric filter name does not match the alarm name.
Isn't the correct metric filter name "SHARR_Alarm_CIS_1_2_Finding_3_1_UnauthorizedAPICalls"?

And I think the filter pattern is also wrong.
Isn't the filter pattern "{($.errorCode="UnauthorizedOperation") || ($.errorCode="AccessDenied")}" instead of "{$.errorCode = "AccessDenied" || $.errorCode = "UnauthorizedOperation"}"?

Please tell me where to fix the SSM documentation.
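To check the filter-pattern question above without touching an AWS account, here is an added Python example (not code from the solution or from the issue author) that implements a small evaluator for the JSON-style CloudWatch Logs filter syntax: `$.field = "value"` and `!=` comparisons, `*` wildcards, `&&`, `||` and parentheses. It runs the two patterns quoted in the issue over constructed CloudTrail records and also a wildcard variant, which is an assumption added for comparison, not a statement about what the SSM document should contain. The supported grammar is a subset of the real syntax (no numeric comparisons, no `IS`, no space-delimited patterns), and a missing field is treated as a non-match for both operators.

```python
import fnmatch
import re

# Constructed sample CloudTrail records (not real log data). The last one uses the
# "Client." prefix that EC2 puts on its error code, which an exact literal misses.
SAMPLE_EVENTS = [
    {"eventName": "GetObject", "errorCode": "UnauthorizedOperation"},
    {"eventName": "GetObject", "errorCode": "AccessDenied"},
    {"eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation"},
]

# The two forms quoted in the issue, plus a wildcard variant (assumption, for comparison).
PATTERN_PARENS = '{($.errorCode="UnauthorizedOperation") || ($.errorCode="AccessDenied")}'
PATTERN_FLAT = '{$.errorCode = "AccessDenied" || $.errorCode = "UnauthorizedOperation"}'
PATTERN_WILDCARD = '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'

# Supported tokens: parentheses, || and &&, != and =, quoted strings, $.selectors.
_TOKEN_RE = re.compile(r'\s*(\(|\)|\|\||&&|!=|=|"[^"]*"|\$[\w.]+)')


def tokenize(pattern):
    body = pattern.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1].strip()
    tokens, pos = [], 0
    while pos < len(body):
        match = _TOKEN_RE.match(body, pos)
        if not match:
            raise ValueError(f"cannot tokenize pattern near {body[pos:]!r}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


def parse(tokens):
    # Recursive descent: or := and ('||' and)*, and := atom ('&&' atom)*, atom := '(' or ')' | cmp
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take(expected=None):
        nonlocal pos
        tok = peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        pos += 1
        return tok

    def or_expr():
        node = and_expr()
        while peek() == "||":
            take()
            node = ("or", node, and_expr())
        return node

    def and_expr():
        node = atom()
        while peek() == "&&":
            take()
            node = ("and", node, atom())
        return node

    def atom():
        if peek() == "(":
            take("(")
            node = or_expr()
            take(")")
            return node
        selector, op, literal = take(), take(), take()
        if not selector.startswith("$.") or op not in ("=", "!="):
            raise ValueError(f"bad comparison {selector} {op} {literal}")
        if len(literal) < 2 or literal[0] != '"' or literal[-1] != '"':
            raise ValueError(f"expected a quoted string, got {literal!r}")
        return ("cmp", selector[2:].split("."), op, literal[1:-1])

    tree = or_expr()
    if pos != len(tokens):
        raise ValueError(f"unexpected trailing tokens {tokens[pos:]}")
    return tree


def evaluate(node, event):
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], event) or evaluate(node[2], event)
    if kind == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    _, path, op, literal = node
    value = event
    for key in path:
        if not isinstance(value, dict) or key not in value:
            return False  # missing field never matches (assumption for both = and !=)
        value = value[key]
    # CloudWatch allows a leading or trailing "*"; fnmatch is a close enough stand-in.
    matched = fnmatch.fnmatchcase(str(value), literal)
    return matched if op == "=" else not matched


def match_events(pattern, events):
    """Return one True/False per event, in the events' order."""
    tree = parse(tokenize(pattern))
    return [evaluate(tree, event) for event in events]
```

On the constructed records the two quoted spellings select exactly the same events, so they differ only in layout; the wildcard variant additionally catches the "Client."-prefixed code. Comparing a deployed filter's pattern against the one you intended this way is cheaper than waiting for the Security Hub control to re-evaluate.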

Cross Account Authorization Error - AccessDeniedException

Hi,

I deployed the aws-sharr-deploy.template in "Main" account and also deployed the CISPermissions.template in the "member" account. I made sure to provide the correct account number of the main account when deploying to member account.

I'm getting the following error when running a cross-account remediation and I really can't figure out why. I checked the cross-account roles and the permissions seem to be correct.

ERROR "An error occurred (AccessDeniedException) when calling the StartAutomationExecution operation: User: arn:aws:sts::111111111111:assumed-role/SO0111_CIS4142_memberRole_us-west-2/sechub_master is not authorized to perform: ssm:StartAutomationExecution on resource: arn:aws:ssm:us-west-2::automation-definition/AWS-DisablePublicAccessForSecurityGroup:1"

Auto-repair fails with "CIS.2.8" rule.

I have deployed template version "1.3.0".
As shown in the screenshot below, auto-repair fails with the "CIS.2.8" rule.
Is there a flaw in the SSM document for "CIS.2.8"? (SHARR-CIS_1.2.0_2.8 or SHARR-CIS_1.2.0_2.8)

Please tell me how to improve.
image

StackSets documentation needs clarification

What were you initially searching for in the docs?

Information on how to deploy the solution using stack sets

Is this related to an existing part of the documentation? Please share a link

https://docs.aws.amazon.com/solutions/latest/aws-security-hub-automated-response-and-remediation/deployment-stackset.html

Describe how we could make it clearer

It was unclear which templates to use i.e. the templates are linked on the standard automated deployment page (https://docs.aws.amazon.com/solutions/latest/aws-security-hub-automated-response-and-remediation/deployment.html) but not on the StackSets page. I was unsure as to whether I should use the standard templates (on the standard templates page), or the templates linked on the CloudFormation templates page (https://docs.aws.amazon.com/solutions/latest/aws-security-hub-automated-response-and-remediation/templates.html). I think it doesn't matter either way, but having them linked like the standard page would be an improvement (like Step 3 option 2).

It also didn't mention anywhere that the service-managed StackSets would NOT deploy the templates into the 'Organization Management account'. I did eventually find it in the service-managed StackSet documentation (after deploying the solution), but it might be worth clearly calling that out for users who are deciding between self-managed and service-managed options.

If you have a proposed update, please share it here

Make the changes as suggested above

Region Support for AWS GovCloud (US)

Note AWS Security Hub service is available in GovCloud as of April 2020.

Please up-vote if you want this feature. Do not submit a new feature request.

CIS 2.9 Remediation role error

The remediation role created for CIS 2.9 "SO0111_CIS29_remediationRole__region_" seems to have the wrong trusted entities. From the template it looks as though the trusted entity is "cloudtrail.amazonaws.com" (a copy and paste from 2.4 maybe?) but it should be "vpc-flow-logs.amazonaws.com".

This will not stop the remediation from logging as successful as per the remediation log, but it will cause the flow log status on the VPC itself to be "Access error" with a status of "The log destination is not accessible."

Changing the trusted entity to vpc-flow-logs.amazonaws.com resolved the issue for me

Reference: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html
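Two of the issues above come down to a service principal missing from a resource or trust policy: the CIS 3.x alarm notifications (cloudwatch.amazonaws.com absent from the SNS topic policy and from the SO0111-SHARR-Remediation-Key key policy) and the CIS 2.9 flow-log role trusting cloudtrail.amazonaws.com instead of vpc-flow-logs.amazonaws.com. The following is an added Python example, not code from the solution, that audits such policies offline and produces corrected copies. The policies, ARNs, account id and key id are constructed placeholders. `service_allowed` ignores Condition elements (a simplification); the KMS actions checked, kms:GenerateDataKey* and kms:Decrypt, are the ones a CloudWatch alarm needs to publish to a topic encrypted with a customer managed key.

```python
import copy
import fnmatch

# Placeholder ARNs (constructed; not a real account id or key id).
TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:SO0111-SHARR-LocalAlarmNotification"
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"
ALARM_SERVICE = "cloudwatch.amazonaws.com"
FLOW_LOG_SERVICE = "vpc-flow-logs.amazonaws.com"


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_services(principal):
    """Service principals a statement applies to; ["*"] means every principal."""
    if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("Service"))
    return []


def service_allowed(policy, service, action):
    """True if an Allow statement grants `action` to `service` and no Deny revokes it.
    Condition elements are ignored (simplifying assumption)."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        services = _principal_services(stmt.get("Principal"))
        if "*" not in services and service not in services:
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny always wins
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def grant_service(policy, sid, service, actions, resource):
    """Return a copy of `policy` with an Allow statement for a service principal appended."""
    updated = copy.deepcopy(policy)
    updated["Statement"] = _as_list(updated.get("Statement")) + [{
        "Sid": sid, "Effect": "Allow", "Principal": {"Service": service},
        "Action": actions, "Resource": resource,
    }]
    return updated


# Constructed starting policies: the topic and key trust only the account itself, and the
# flow-log role trusts CloudTrail, as the CIS 2.9 issue describes.
SAMPLE_TOPIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OwnerPublish", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": ["SNS:Publish", "SNS:Subscribe"], "Resource": TOPIC_ARN}]}
SAMPLE_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableRoot", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "kms:*", "Resource": "*"}]}
SAMPLE_FLOW_LOG_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}


def audit_alarm_notification(topic_policy, key_policy):
    """The three grants an alarm needs before a KMS-encrypted topic delivers its notification."""
    return {
        "sns_publish": service_allowed(topic_policy, ALARM_SERVICE, "SNS:Publish"),
        "kms_generate_data_key": service_allowed(key_policy, ALARM_SERVICE, "kms:GenerateDataKey"),
        "kms_decrypt": service_allowed(key_policy, ALARM_SERVICE, "kms:Decrypt"),
    }


def fix_alarm_notification(topic_policy, key_policy):
    topic = grant_service(topic_policy, "AllowCloudWatchAlarmsPublish", ALARM_SERVICE,
                          "SNS:Publish", TOPIC_ARN)
    key = grant_service(key_policy, "AllowCloudWatchAlarmsUseKey", ALARM_SERVICE,
                        ["kms:GenerateDataKey*", "kms:Decrypt"], "*")
    return topic, key


def audit_flow_log_role(trust_policy):
    return service_allowed(trust_policy, FLOW_LOG_SERVICE, "sts:AssumeRole")


def fix_flow_log_role(trust_policy):
    # Replace rather than append: a flow-log delivery role has no reason to keep trusting CloudTrail.
    fixed = copy.deepcopy(trust_policy)
    fixed["Statement"] = [{"Effect": "Allow", "Principal": {"Service": FLOW_LOG_SERVICE},
                           "Action": "sts:AssumeRole"}]
    return fixed
```

Run the audit functions against policies pulled with `aws sns get-topic-attributes`, `aws kms get-key-policy` and `aws iam get-role` after a deployment, and diff the fixed copies against what the stack created; the "not authorized to perform: SNS:Publish" and the KMS AccessDeniedException in the alarm history map one-to-one onto the three booleans returned by `audit_alarm_notification`.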

"Requests" build error: No such file or directory

------ EXEC cp -R /home/ssm-user/aws-security-hub-automated-response-and-remediation/deployment/temp/source/solution_deploy/lambdalayer/python/requests /home/ssm-user/aws-security-hub-automated-response-and-remediation/deployment/build/playbooks/CIS/
cp: cannot stat ‘/home/ssm-user/aws-security-hub-automated-response-and-remediation/deployment/temp/source/solution_deploy/lambdalayer/python/requests’: No such file or directory

This was performed on an Amazon Linux2 EC2 instance. Same error on Ubuntu subsystem in Windows.

AFSBP Auto Remediation Doesn't Kick Off

Describe the bug

After enabling AFSBP_EC2.6_AutoTrigger within EventBridge, no remediation of the finding is performed.

To Reproduce

  1. Deploy the solution.
  2. Enable AFSBP_EC2.6_AutoTrigger within EventBridge.
  3. Create a VPC without VPC Flow Logs enabled.
  4. A Security Hub finding will be generated but will not be remediated.

Expected behavior

Once a new finding is generated by Security Hub, it is automatically remediated within the target environment.

Please complete the following information about the solution:

  • Version: v1.3.0
  • Region: us-west-2
  • Was the solution modified from the version published on this repository? No
  • Have you checked your service quotas for the services this solution uses? No
  • Were there any errors in the CloudWatch Logs? No

Screenshots
AFSBP_EC2.6_AutoTrigger EventBridge Rule:
image

EC2.6 Security Hub Finding:
image

CIS Finding:
image

Additional context
I think the reason is within the Findings event for Security Hub. The generator ID field does not include /rule/ for AFSBP whereas PCI and CIS Findings do.

Whenever you manually activate the Security Hub Custom Action "Remediate with SHARR" it works fine.

FSBP Remediations - Low Severity

[RDS.6] Enhanced monitoring should be configured for RDS DB instances and clusters
[RDS.7] RDS clusters should have deletion protection enabled
[AutoScaling.1] Auto Scaling groups associated with a load balancer should use load balancer health checks

Support specifying a KMS Key to be used when remediating AFSBP EC2.7 (EBS Volume Encryption)

Is your feature request related to a problem? Please describe.

While working with the auto-remediations, I discovered a requirement to be able to specify a KMS key to be used for performing EBS Volume encryption. There is no parameter or input setting to specify this in the auto-remediation settings.

Describe the feature you'd like

Please enable a way to specify which KMS key to use for EBS volume encryption when auto-remediation is performed.

Additional context

The specification of the KMS key can, admittedly, get complex when considering multiple-accounts and multiple AWS regions over which the auto-remediation needs to be performed.

3.x Findings compliance status in Security Hub not passing

The compliance status within Security Hub for my 3.x findings are still reporting as "FAILED" despite the remediations to create metric filters and alarms. Looking within Cloudwatch, I do see the metrics and alarms are created against the log group specified. The execution logs in Systems Manager do not report any errors but rather show success for the automation run. The only error I've been able to pinpoint is from within Security Hub on the finding itself I get a message stating, "The multi-region CloudTrail does not have a valid metric filter".

Any assistance is greatly appreciated. I have created these metrics and alarms manually within a different account against the same multi-region CloudTrail log group and Security Hub did pass the findings in that account but I would really like to use SHARR for these.

  • Version: 1.3.0
  • Region: us-east-1
Screen Shot 2021-09-20 at 11 01 28 AM
Screen Shot 2021-09-20 at 11 01 36 AM

AFSBP "EC2.1"

When applying automatic repair with "EC2.1", the following error appears.

image

I suspect there is something wrong with the SSM document.
Please tell me how to improve it.

SNS Topic Does Not Exist Error Message

Describe the bug

After deploying v1.3.1 and running the remediation for CIS 3.x findings, I am receiving an error in the SO0111-SHARR-Orchestrator logs pointing out that a "Topic does not exist". The error references line 264, "publish_to_sns('SO0111-SHARR_Topic', self.severity + ':' + self.message, self.__region)" from sechub_findings.py. Is this the correct topic name or does this need to be adjusted to "SO0111-SHARR-LocalAlarmNotification"?

To Reproduce

  1. Deploy the 1.3.1 solution
  2. Create a subscription for the newly created SO0111-SHARR-LocalAlarmNotification SNS topic
  3. Remediate any one or more of the CIS 3.x Security Hub findings using SHARR
  4. Check the log entry in the SO0111-SHARR-Orchestrator logs

Expected behavior

I would expect to not see any errors in the SO0111-SHARR-Orchestrator logs after a remediation attempt. I would also expect to see a successful remediation message in the SO0111-SHARR log group.

  • Version: v1.3.1
  • Region: us-east-1
  • Was the solution modified from the version published on this repository? No
  • Have you checked your service quotas for the services this solution uses? Yes
  • Were there any errors in the CloudWatch Logs? How to enable debug mode? Yes

Screenshots
Screen Shot 2021-10-04 at 3 59 37 PM

Additional context
Despite the execution failed message in the log, the remediation did end up setting up the metric and the alarm as expected. Also, the Security Hub finding did resolve at least for 3.2. 3.1 is still not resolving but that is due to the metric being switched around as mentioned here: #38

Support remediation of GuardDuty findings

Is your feature request related to a problem? Please describe.

GuardDuty findings can be high-confidence and actionable, but are not part of the current solution.

Describe the feature you'd like

Add a playbook and runbooks to remediate GuardDuty findings: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html

Additional context

There is an existing project that could be leveraged:

Blog post: https://aws.amazon.com/blogs/security/how-to-perform-automated-incident-response-multi-account-environment/
Code: https://github.com/aws-samples/automated-incident-response-with-ssm

FSBP Remediations - Medium Severity

[CloudTrail.2] CloudTrail should have encryption at-rest enabled
[Config.1] AWS Config should be enabled
[EC2.7] EBS default encryption should be enabled
[EC2.2] The VPC default security group should not allow inbound and outbound traffic

Deploy member-stacks as ServiceManaged stacksets

Is your feature request related to a problem? Please describe.

I tried to deploy the member stacks using an organization stackset. Organization stacksets using the ServiceManaged model do not work with nested stacks, therefore this failed.

See also:
StackSet Considerations

Describe the feature you'd like

Please provide a single member stack to ease deployment and management of stacks in an organization.

AccessDeniedException in all Queued Notification steps

Remediations run with a clean install of v1.4.0 into a virgin account fail with the stack trace below due to an overly restrictive IAM policy.

The SO0111-SHARR-sendNotifications lambda function requires access to the ssm:PutParameter action, adding this to the notifyRole's policy makes everything work smoothly.

[ERROR] ClientError: An error occurred (AccessDeniedException) when calling the PutParameter operation: User: arn:aws:sts::000000000000:assumed-role/aws-sharr-deploy-notifyRole00000000-000000000000/SO0111-SHARR-sendNotifications is not authorized to perform: ssm:PutParameter on resource: arn:aws:ssm:eu-west-1:000000000000:parameter/Solutions/SO0111/anonymous_metrics_uuid because no identity-based policy allows the ssm:PutParameter action
Traceback (most recent call last):
  File "/var/task/send_notifications.py", line 101, in lambda_handler
    metrics = Metrics(event['EventType'])
  File "/opt/python/metrics.py", line 51, in __init__
    self.__get_solution_uuid()
  File "/opt/python/metrics.py", line 114, in __get_solution_uuid
    self.__update_solution_uuid(self.solution_uuid)
  File "/opt/python/metrics.py", line 97, in __update_solution_uuid
    self.ssm_client.put_parameter(
  File "/var/runtime/botocore/client.py", line 386, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 705, in _make_api_call
    raise error_class(parsed_response, operation_name

Unit Tests failed and detected as "botocore.exceptions.ParamValidationError"

I tried to install v1.2.0, but the error "botocore.exceptions.ParamValidationError" was raised in the unit tests during the build stage.
Here is the relevant part of the generated logs; can you please advise me of any workarounds?

test/test_metrics.py:131: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
/Users/aaaaa/.pyenv/versions/3.7.5/lib/python3.7/site-packages/botocore/stub.py:227: in add_response
    self._add_response(method, service_response, expected_params)
/Users/aaaaa/.pyenv/versions/3.7.5/lib/python3.7/site-packages/botocore/stub.py:239: in _add_response
    self._validate_response(operation_name, service_response)
/Users/aaaaa/.pyenv/versions/3.7.5/lib/python3.7/site-packages/botocore/stub.py:388: in _validate_response
    validate_parameters(response, output_shape)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

params = {'Parameter': {'ARN': 'arn:aws:ssm:us-east-1:1111111111111111:parameter/Solutions/SO0111/anonymous_metrics_uuid', 'Dat...ext', 'LastModifiedDate': '2021-02-25T12:58:50.591000-05:00', 'Name': '/Solutions/SO0111/anonymous_metrics_uuid', ...}}
shape = <StructureShape(GetParameterResult)>

    def validate_parameters(params, shape):
        """Validates input parameters against a schema.
    
        This is a convenience function that validates parameters against a schema.
        You can also instantiate and use the ParamValidator class directly if you
        want more control.
    
        If there are any validation errors then a ParamValidationError
        will be raised.  If there are no validation errors than no exception
        is raised and a value of None is returned.
    
        :param params: The user provided input parameters.
    
        :type shape: botocore.model.Shape
        :param shape: The schema which the input parameters should
            adhere to.
    
        :raise: ParamValidationError
    
        """
        validator = ParamValidator()
        report = validator.validate(params, shape)
        if report.has_errors():
>           raise ParamValidationError(report=report.generate_report())
E           botocore.exceptions.ParamValidationError: Parameter validation failed:
E           Unknown parameter in Parameter: "DataType", must be one of: Name, Type, Value, Version, Selector, SourceResult, LastModifiedDate, ARN

/Users/aaaaa/.pyenv/versions/3.7.5/lib/python3.7/site-packages/botocore/validate.py:49: ParamValidationError

---------- coverage: platform darwin, python 3.7.5-final-0 -----------
Name                             Stmts   Miss  Cover   Missing
--------------------------------------------------------------
applogger.py                        80     31    61%   55, 59-67, 77-87, 94, 97, 110, 129-143, 149-150
awsapi_cached_client.py             58     21    64%   82-97, 105-120, 124-125, 129-130
logger.py                           42     19    55%   23-26, 41, 51-58, 62, 67, 71, 75, 79, 83
metrics.py                          84     58    31%   39-40, 48-74, 77-80, 83, 91-106, 110-124, 128-143, 146-149
sechub_findings.py                  79     28    65%   60, 65, 71, 80, 87-108, 183-192, 195, 202-213
test/file_utilities.py               8      0   100%
test/test_api_cached_client.py      16      0   100%
test/test_applogger.py              32      0   100%
test/test_metrics.py                48     19    60%   64-75, 95-105, 133-148
test/test_sechub_findings.py        47      0   100%
test/test_utils.py                  37      0   100%
utils.py                            72     26    64%   34-37, 40, 43, 47, 51, 55, 59, 63, 67, 70-81, 112-113
--------------------------------------------------------------
TOTAL                              603    202    67%
Coverage XML written to file /Users/hisnakad/git/aws-security-hub-automated-response-and-remediation/deployment/test/coverage-reports/LambdaLayers.coverage.xml

======================================================================== short test summary info =========================================================================
FAILED test/test_metrics.py::test_metrics_construction - botocore.exceptions.ParamValidationError: Parameter validation failed:
FAILED test/test_metrics.py::test_get_metrics_from_finding - botocore.exceptions.ParamValidationError: Parameter validation failed:
FAILED test/test_metrics.py::test_send_metrics - botocore.exceptions.ParamValidationError: Parameter validation failed:
====================================================================== 3 failed, 13 passed in 3.65s ======================================================================
** UNIT TESTS FAILED **

AFSBP EC2.2 Not Authorized to StartAutomation

Hello,

Deployed the SHARR v1.2.0 solution into an administrator account by following the "AWS Solutions Implementations Guide". The member accounts' template is deployed through StackSets.

When attempting to remediate AFSBP EC2.2 in a member account, either by selecting "action > AFSBP EC2.2" in Security Hub or by waiting for the resource to be re-evaluated, I receive the below error:

Fail to start automation, errorMessage: User: arn:aws:sts::111111111111:assumed-role/SO0111-SHARR-Remediation-AFSBP-EC2.2_us-east-1/474f72fd-f6b3-4fae-b275-dfeaa54f374e is not authorized to perform: ssm:StartAutomationExecution on resource: arn:aws:ssm:us-east-1::automation-definition/AWSConfigRemediation-RemoveVPCDefaultSecurityGroupRules:$DEFAULT.

Stack creation fails in some environments

Hi there,

I have one question.

I just tried Security Hub Automated Response and Remediation,
but it doesn't complete successfully when creating the stack.
I got the following error(s).

XXX ROLLBACK_COMPLETE
The following resource(s) failed to create:
[orchestratorNestedLogStackXXX, notifyPolicyXXXC, SHARRkeyAliasXXX]. Rollback requested by user.

orchestratorNestedLogStackXXX
orchestratorNestedLogStackXXX-XXX/XXX-XXXX-XXXX-XXXX-XXXXXXXXX
was not successfully created:
The following resource(s) failed to create: [OrchestratorLogsEncryptedXXXXX].

I tried it in several different environments:
the stack is created successfully the first time,
but fails with the same error the second and third times...

Are there any settings to check?

Sorry for my poor English.
Thanks.

  • Version: v1.4.2
  • Region: ap-northeast-1
  • Was the solution modified from the version published on this repository? No
  • If the answer to the previous question was yes, are the changes available on GitHub? -
  • Have you checked your service quotas for the services this solution uses? Yes
  • Were there any errors in the CloudWatch Logs? No

CDK application files are missing

In both the solution_deploy and the playbooks directories, the bin directory with the CDK application file is not present. Therefore, when the build_s3_dist.sh script is run, the templates do not get generated and the various .template files are empty. Are end users expected to generate these files? If so, can examples be provided?

The cdk.json files reference apps files that do not exist.

FSBP Remediations - Critical Severity

[RDS.1] RDS snapshots should be private
[Lambda.1] Lambda function policies should prohibit public access
[EC2.1] Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone

Service-managed StackSet deployment (Step 3 option 2) missing parameter

Describe the bug

Service-managed StackSet deployment (step 3 option 2) doesn't ask for 'LogGroup Configuration' like step 3 option 1 does.

To Reproduce

Follow steps for automated StackSet deployment (https://docs.aws.amazon.com/solutions/latest/aws-security-hub-automated-response-and-remediation/deployment-stackset.html). Make sure service-managed StackSet option (option 2) is chosen for step 3.

Expected behavior

Either the template deployment would ask for the LogGroup Configuration (as is asked in step 3, option 1), or the Systems Manager Parameter Store parameter could be modified after deployment (but it is not set).

Please complete the following information about the solution:

  • Version: v1.4.1

To get the version of the solution, you can look at the description of the created CloudFormation stack. For example, "(SO0111) AWS Security Hub Automated Response & Remediation Administrator Stack, v1.4.0". You can also find the version from releases

  • Region: ap-southeast-2
  • Was the solution modified from the version published on this repository? No
  • If the answer to the previous question was yes, are the changes available on GitHub?
  • Have you checked your service quotas for the services this solution uses? n/a
  • Were there any errors in the CloudWatch Logs? Troubleshooting n/a

Screenshots
Don't think a "lack of a parameter" screenshot is going to help

Additional context
n/a

AFSBP - EC2.7 - verification step fails

After manually fixing the issue described in #26, I ran into following error:

Step fails when it is Execution complete: verified. Failed to run automation with executionId: 68da3877-74a7-4d17-bc92-e995c79abc0c Failed : {Status=[Failed], Output=[{"EbsEncryptionByDefault":true,"ResponseMetadata":{"RequestId":"2abe7ed2-0403-4104-9427-665f2ff35179","HTTPStatusCode":200,"HTTPHeaders":{"x-amzn-requestid":"2abe7ed2-0403-4104-9427-665f2ff35179","cache-control":"no-cache, no-store","strict-transport-security":"max-age\u003d31536000; includeSubDomains","content-type":"text/xml;charset\u003dUTF-8","transfer-encoding":"chunked","vary":"accept-encoding","date":"Mon, 03 May 2021 11:54:50 GMT","server":"AmazonEC2"},"RetryAttempts":0}}], ExecutionId=[68da3877-74a7-4d17-bc92-e995c79abc0c]}. Please refer to Automation Service Troubleshooting Guide for more diagnosis details.

In the execution detail I could see that the ModifyAccount step processed successfully, but the VerifyEbsEncryptionByDefault step failed with the following error message:

Step fails when it is Execute/Cancelling action. Property value 'False' from the API output is not in the desired values. Desired values: ['True'].. Please refer to Automation Service Troubleshooting Guide for more diagnosis details.

However, after checking the setting manually in the EC2 console, I saw that it actually got remediated.

AssumeRole error 1.4.2 running single account remediation

Recently installed 1.4.2 in a single account. Attempting manual remediation gives this error:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::111111111111:assumed-role/SO0111-SHARR-Orchestrator-Admin/SO0111-SHARR-checkSSMDocState is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111111111111:role/SO0111-SHARR-Orchestrator-Member

All nested CloudFormation completed successfully, but in IAM while the SO0111-SHARR-Orchestrator-Admin role looks fine, no IAM role SO0111-SHARR-Orchestrator-Member exists. Exact same issue and message, two different AWS accounts, Admin privileges on deployment.

ERROR: Invalid resource Id - CIS 1.3 - failed to parse input for IAM users with slash "/"

While it's not supported in the console, the SDK and CLI allow you to create IAM users with paths (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html). I seem to be getting failures for any CIS 1.3 remediation that has a user with a path (e.g. arn:aws:iam::12345678910:user/path/build/internal-plugin-user).

Step fails at step 1 - ParseInput:
Step fails when it is Poll action status for completion. Traceback (most recent call last): File "/tmp/e89a2bf3-4ede-4a59-ab23-b96efcbf8cfb-2022-03-04-06-38-54/customer_script.py", line 77, in parse_event exit(f'ERROR: Invalid resource Id {identifier_raw}') File "/var/lang/lib/python3.7/_sitebuiltins.py", line 26, in call raise SystemExit(code) SystemExit: ERROR: Invalid resource Id arn:aws:iam::12345678910:user/path/build/internal-plugin-user SystemExit - ERROR: Invalid resource Id arn:aws:iam::12345678910:user/path/build/internal-plugin-user. Please refer to Automation Service Troubleshooting Guide for more diagnosis details.
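The failure above comes from the ParseInput step rejecting a user ARN that carries a path. The following is an added example, not the project's customer_script.py, showing how an IAM user ARN can be parsed so that an optional path is accepted and the bare user name is extracted; IAM API calls (ListAccessKeys and the like) take the user name without its path, so that is the value a remediation needs. The function and type names are the example's own, and the sample ARNs are constructed (the account id 111111111111 and the path /path/build/ are taken from this page).

```python
import re
from typing import NamedTuple, Optional

# Added example: parse an IAM *user* ARN, allowing an optional path.
# Format: arn:<partition>:iam::<account>:user/<path/segments/><name>
# Path segments and user names share the IAM character set [\w+=,.@-].
IAM_USER_ARN = re.compile(
    r"^arn:(?P<partition>aws[a-zA-Z-]*):iam::(?P<account>\d{12}):"
    r"user/(?P<path>(?:[\w+=,.@-]+/)*)(?P<name>[\w+=,.@-]+)$",
    re.ASCII,
)


class IamUser(NamedTuple):
    partition: str
    account: str
    path: str   # "/" for users without a path, e.g. "/path/build/" otherwise
    name: str   # the UserName value IAM API calls expect


def parse_iam_user_arn(arn: str) -> Optional[IamUser]:
    """Return the parsed user, or None if the ARN is not an IAM user ARN.

    Returning None instead of exiting lets the caller decide how to
    report an unparseable resource id (and which ARNs it refuses on purpose,
    such as roles or groups).
    """
    m = IAM_USER_ARN.match(arn)
    if not m:
        return None
    return IamUser(
        partition=m["partition"],
        account=m["account"],
        path="/" + m["path"],
        name=m["name"],
    )


if __name__ == "__main__":
    # Constructed sample inputs: a user with a path, a user without one,
    # and a role ARN that must be rejected.
    samples = [
        "arn:aws:iam::111111111111:user/path/build/internal-plugin-user",
        "arn:aws:iam::111111111111:user/alice",
        "arn:aws:iam::111111111111:role/SO0111-SHARR-Orchestrator-Member",
    ]
    for arn in samples:
        print(arn, "->", parse_iam_user_arn(arn))
```

Only the `name` field should be passed on to IAM calls; the `path` is kept so that a finding can still be reported with the full identifier it came from.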

Update README now that upload_s3_dist.sh has been deleted

What were you initially searching for in the docs?

The README states to upload to S3:

https://github.com/awslabs/aws-security-hub-automated-response-and-remediation/blame/master/README.md#L103-L109

**Upload to your buckets**

Run upload_s3_dist.sh, passing the name of the region where you want to deploy the solution (ex. us-east-1). Note that this prepares your templates for deployment, but does not do the actual deployment in your account.
```
cd ./deployment
./upload_s3_dist.sh <region>
```

But this file has now been deleted: 3cb099d

Describe how we could make it clearer

Either delete this section if uploading is no longer required, or update with what the new procedure should be.

If you have a proposed update, please share it here
N/A
