Security Hub running across accounts and regions not showing score.

0

I have Security Hub running from a central account in all the regions I use across all my accounts. All the data is being pulled into a single hub as I wanted. However, I am not getting a Score, nor am I seeing the Controls updated. When I asked support they said I need to do the following: To view cross-Region security scores and compliance statuses, add the following permissions to your IAM role that uses Security Hub [3]:

  1. ListSecurityControlDefinitions
  2. BatchGetStandardsControlAssociations
  3. BatchUpdateStandardsControlAssociations

OK I get that. But now the question is how do I update a Service Linked Role? It does not let me edit it at all. Nor can I create a new role and add it to Security Hub because it does not let you pick the role.

When I set up Config I used the StackSet AWS provided. Was I supposed to have changed the role it used in there?

I find it amazing that AWS provides the method to access the other regions and accounts but does not give you the option to enable the permissions for Cross Region scores.

3 Answers
1

Hello,

  1. To @Gary Mclean's question - "My security Hub SLR only has the 1 policy.. Does that sound about right?"
  2. To @rePost-User-7973960 - "But now the question is how do I update a Service Linked Role? It does not let me edit it at all."

Support's recommendation to add ListSecurityControlDefinitions, BatchGetStandardsControlAssociations, and BatchUpdateStandardsControlAssociations comes from the following - Cross-Region aggregation.

It's worth noting the above link states that those permissions should be added to your IAM role and not to the service-linked role for Security Hub. Depending on what role you are assuming, add ListSecurityControlDefinitions, BatchGetStandardsControlAssociations, and BatchUpdateStandardsControlAssociations to an existing permission policy you have, or create a custom inline policy, something like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "securityhub:ListSecurityControlDefinitions",
        "securityhub:BatchGetStandardsControlAssociations",
        "securityhub:BatchUpdateStandardsControlAssociations"
      ],
      "Resource": "*"
    }
  ]
}

Depending on the outcome of the above, I would suggest coming back to @Pilar Pinto's re:Post reference for a sanity check on your setup - How do I resolve an empty or “0%” security score or a “No data” compliance status in Security Hub?

AWS
answered 9 months ago
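Before attaching the inline policy above, it is worth checking whether the role you actually sign in with already grants those three actions (a wildcard such as securityhub:* or a Deny elsewhere in the policy changes the answer). The script below is an added example, not code from this thread or from AWS: it evaluates the Action/NotAction elements of a policy document with IAM's wildcard and explicit-Deny rules, reports which of the three actions are still missing, and emits the inline policy for just those. The two sample policy documents are constructed for illustration and are not the real contents of the Security Hub service-linked role policy or of any AWS managed policy.

```python
"""Check an IAM policy document for the three Security Hub actions that
cross-Region score and compliance views need.

Added example for the re:Post thread; not AWS or re:Post code. Sample policies
are constructed and do not reflect any real AWS managed policy.
"""
import fnmatch
import json

# The three actions AWS Support named in the question.
REQUIRED_ACTIONS = [
    "securityhub:ListSecurityControlDefinitions",
    "securityhub:BatchGetStandardsControlAssociations",
    "securityhub:BatchUpdateStandardsControlAssociations",
]


def _as_list(value):
    """IAM accepts a single string/object or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(stmt, action):
    """True if this statement's Action/NotAction element applies to `action`."""
    if "NotAction" in stmt:
        # NotAction applies to every action except the listed patterns.
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_action_matches(p, action) for p in _as_list(stmt.get("Action")))


def missing_actions(policy_doc, required=REQUIRED_ACTIONS):
    """Return the required actions this policy does not allow.

    Applies the IAM rule that an explicit Deny overrides any Allow. Only the
    Action/NotAction elements are evaluated; Resource and Condition scoping is
    ignored (assumption: the policy uses Resource "*" and no Condition, like
    the one posted in the answer).
    """
    if isinstance(policy_doc, str):
        policy_doc = json.loads(policy_doc)
    statements = _as_list(policy_doc.get("Statement"))
    missing = []
    for action in required:
        allowed = denied = False
        for stmt in statements:
            if not _statement_covers(stmt, action):
                continue
            if stmt.get("Effect") == "Allow":
                allowed = True
            elif stmt.get("Effect") == "Deny":
                denied = True
        if denied or not allowed:
            missing.append(action)
    return missing


def inline_policy_for(actions):
    """Build the inline policy from the answer, restricted to the given actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}],
    }


# Constructed sample: read-only Security Hub access plus one of the three actions.
SAMPLE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "securityhub:Get*",
                "securityhub:Describe*",
                "securityhub:ListSecurityControlDefinitions",
            ],
            "Resource": "*",
        }
    ],
}

# Constructed sample: a broad Allow undercut by an explicit Deny.
SAMPLE_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "securityhub:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "securityhub:BatchUpdate*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, doc in (("role", SAMPLE_ROLE_POLICY), ("deny", SAMPLE_DENY_POLICY)):
        gap = missing_actions(doc)
        print(name, "missing:", gap)
        if gap:
            print(json.dumps(inline_policy_for(gap), indent=2))
```

To run it against a real role, pull the document with `aws iam get-role-policy` (or `get-policy-version` for an attached managed policy) and pass the `PolicyDocument` to `missing_actions`. Attaching the generated policy is then `aws iam put-role-policy --role-name <your-role> --policy-name SecurityHubCrossRegionScores --policy-document file://policy.json`, where the role and policy names are placeholders you choose; the service-linked role is not the target.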
0

Hi, you can try to configure it with Control Tower (it has AWS Organizations) in order to manage various accounts in a centralized way.

Also, you have to use AWS Config in order to enable Security Hub: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html#securityhub-enable-config

And then you can enable or disable the security standards (here is where the service-linked role is involved), following this document: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html

Also, you can review this post: https://repost.aws/knowledge-center/security-hub-empty-score-status

I expect this works!

AWS
answered 9 months ago
  • Config is already set up using the Config StackSet that AWS recommends when you first try to set up Security Hub. So that's not the issue.

    I know how to enable / disable standards, but that has no bearing on whether the Score is empty or not.

    That other post is nice but off. The problem is very simple: I do not have the 3 permissions listed in the question in the ServiceLinkedRole.

    My question is how do I update the ServiceLinkedRole to include the permissions, and why is AWS using a role that does not have the needed permissions to begin with.

0

I don't believe they are referring to the SLR, more so the person trying to use Security Hub.

My security Hub SLR only has the 1 policy..

Does that sound about right?

EXPERT
answered 9 months ago
