How to manage aws securityhub standards control from delegated admin account

Hey folks,

I’ve got an AWS org that uses a delegated admin for security hub and I need to disable a control.

I tried to assume a role in my delegated admin to disable controls in all my accounts and that’s failing.

I basically got a list of all my accounts then did a for_each on the account ID and in the control arn

Ex:

resource "aws_securityhub_standards_control" "this" {
  for_each              = local.parsed_accounts
  standards_control_arn = "arn:aws:securityhub:us-east-1:${each.value}:control/cis-aws-foundations-benchmark/v/1.2.0/1.10"
  control_status        = "DISABLED"
  disabled_reason       = "justification"
}

But that didn’t work; I received the following error:

 Account id ... is not authorized to perform action on resource:

So I tried to just disable the control in the accounts but because I am using a delegated admin account I received an empty result error.

So I know why both of those things failed, but am not sure how you actually disable controls when in this specific situation without having to create a whole mess of roles and relationships with the delegated authority account.

Is there an easy way to do this?


To achieve your desired outcome, it may be necessary to establish assume IAM roles across all accounts and subsequently execute them using the relevant Terraform provider using alias. As it is not possible to utilize the “for_each” function with Terraform remote providers, distinct resources will need to be created for each account and alias. If anyone has a better solution, please comment on the same.
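A worked version of the approach described in this reply, added here as an example rather than code from the thread: one aliased `aws` provider per member account that assumes a cross-account role, and one `aws_securityhub_standards_control` resource per alias, because `provider` blocks cannot take `for_each`. The member account IDs, the role name `SecurityHubAdmin` and the region are assumed placeholders.

```hcl
# Added example (not from the thread). Assumed placeholders: the member
# account IDs, the cross-account role name "SecurityHubAdmin" and the
# region. Run with credentials for the delegated administrator account.

locals {
  control_path = "control/cis-aws-foundations-benchmark/v/1.2.0/1.10"
  region       = "us-east-1"
}

# Default provider: the delegated administrator account itself.
provider "aws" {
  region = local.region
}

# One aliased provider per member account. Provider blocks cannot use
# for_each, so every account needs its own alias and role ARN.
provider "aws" {
  alias  = "member_a"
  region = local.region
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/SecurityHubAdmin" # placeholder
  }
}

provider "aws" {
  alias  = "member_b"
  region = local.region
  assume_role {
    role_arn = "arn:aws:iam::222222222222:role/SecurityHubAdmin" # placeholder
  }
}

# One resource per alias. The control ARN carries the member account's own
# ID and the API call is made with that account's assumed credentials,
# which is what the delegated admin's credentials alone cannot do (hence
# the "not authorized to perform action on resource" error above).
resource "aws_securityhub_standards_control" "member_a_cis_1_10" {
  provider              = aws.member_a
  standards_control_arn = "arn:aws:securityhub:${local.region}:111111111111:${local.control_path}"
  control_status        = "DISABLED"
  disabled_reason       = "justification"
}

resource "aws_securityhub_standards_control" "member_b_cis_1_10" {
  provider              = aws.member_b
  standards_control_arn = "arn:aws:securityhub:${local.region}:222222222222:${local.control_path}"
  control_status        = "DISABLED"
  disabled_reason       = "justification"
}
```

The role assumed in each member account must trust the delegated admin account and allow `securityhub:UpdateStandardsControl` and `securityhub:DescribeStandardsControls` on the control so that both apply and refresh succeed.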