Marketplace Vendor Insights - AWS Audit Manager automated assessments not well designed / AWSVendorInsightsConformancePackv1


Hi, as a SaaS ISV selling a product on the AWS Marketplace, I decided to use the AWS Audit Manager continuous automated assessment documented in Step 4 here: https://docs.aws.amazon.com/marketplace/latest/userguide/vendor-insights-setting-up.html.

However, the stacks and stacksets that it references (GitHub repo) (associated with conformance pack "AWSVendorInsightsConformancePackv1") create AWS resources that themselves violate the checks/postures embodied in the said automated assessment, creating a downward spiral of work that never reaches a finish line:

Example of non-compliant S3 buckets created by AWSVendorInsightsConformancePackv1 that are flagged as non-compliant

Another head-scratcher rule is "no inline policies" in IAM Users, Roles, or Groups, when AWS's first-party configuration wizards routinely use them. Inline policies are impossible to avoid: shown here created by the AWS Systems Manager easy configuration wizard and the VendorInsights CF stackset.

Please recall the AWSVendorInsightsConformancePackv1 scripts if they are so clearly unhelpful to a Marketplace ISV to reach any reasonable finish line.

Thanks, Sid

Sid M
Asked 1 month ago, viewed 115 times
No answers
