Marketplace Vendor Insights - AWS Audit Manager automated assessments not well designed / AWSVendorInsightsConformancePackv1


Hi, as a SaaS ISV selling a product on the AWS Marketplace, I decided to use the AWS Audit Manager continuous automated assessment documented in Step 4 here: https://docs.aws.amazon.com/marketplace/latest/userguide/vendor-insights-setting-up.html.

However, the stacks and stacksets that it references (GitHub repo) (associated with conformance pack "AWSVendorInsightsConformancePackv1") create AWS resources that themselves violate the checks/postures embodied in the said automated assessment, creating a downward spiral of work that never reaches a finish line:

Example of non-compliant S3 buckets created by AWSVendorInsightsConformancePackv1 that are flagged as non-compliant

Another head-scratcher rule is "no inline policies" in IAM Users, Roles, or Groups, when AWS's first-party configuration wizards routinely use this. Inline policies are impossible to avoid: shown here created by the AWS Systems Manager easy configuration wizard and the VendorInsights CF stackset.

Please recall the AWSVendorInsightsConformancePackv1 scripts if they are so clearly unhelpful to a Marketplace ISV to reach any reasonable finish line.

Thanks, Sid

Sid M
asked 14 days ago, 91 views
No Answers
