Hey folks,
I’ve got an AWS org that uses a delegated admin for Security Hub, and I need to disable a control.
I tried to assume a role in my delegated admin to disable controls in all my accounts and that’s failing.
I basically got a list of all my accounts, then did a for_each over the account IDs and put each one into the control ARN.
Ex:
resource "aws_securityhub_standards_control" "this" {
  # local.parsed_accounts: map of account IDs (each.value is the 12-digit ID)
  for_each = local.parsed_accounts

  # Control ARN is account-scoped, so the account ID is interpolated into it
  standards_control_arn = "arn:aws:securityhub:us-east-1:${each.value}:control/cis-aws-foundations-benchmark/v/1.2.0/1.10"
  control_status        = "DISABLED"
  disabled_reason       = "justification"
}
But that didn’t work; I received the following error:
Account id ... is not authorized to perform action on resource:
So I tried to just disable the control in the accounts, but because I am using a delegated admin account I received an empty result error.
So I know why both of those things failed, but I’m not sure how you actually disable controls when in this specific situation without having to create a whole mess of roles and relationships with the delegated authority account.
Is there an easy way to do this?
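One route that avoids a role in every member account, written here as an added example and not part of the original post: Security Hub central configuration. The standards-control API acts on the calling account only, which is why a control ARN carrying another account's ID fails authorization from the delegated admin. A configuration policy, created once in the delegated administrator account in the home region and associated with the org root (or an OU, or individual accounts), disables the control everywhere the policy applies. The provider version, the resource names, the root ID "r-abcd", and the mapping of CIS v1.2.0 check 1.10 to security control "IAM.16" are my assumptions; confirm the control ID in the Security Hub controls reference before applying.

```terraform
# Added example (not from the original post): disable one control for the whole
# organization from the Security Hub delegated administrator using central
# configuration. Assumptions (mine, not stated in the post):
#   - the provider is authenticated as the delegated administrator account
#   - us-east-1 is the Security Hub home (aggregation) region
#   - "r-abcd" is a placeholder organization root ID
#   - CIS v1.2.0 check 1.10 maps to security control "IAM.16" (verify first)

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.40" # configuration policy resources need a recent provider
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# Central configuration requires a cross-region finding aggregator in the home region.
resource "aws_securityhub_finding_aggregator" "this" {
  linking_mode = "ALL_REGIONS"
}

# Switch the organization from LOCAL to CENTRAL configuration. With CENTRAL,
# auto_enable is false and auto_enable_standards is NONE; the configuration
# policy below takes over enablement decisions.
resource "aws_securityhub_organization_configuration" "this" {
  auto_enable           = false
  auto_enable_standards = "NONE"

  organization_configuration {
    configuration_type = "CENTRAL"
  }

  depends_on = [aws_securityhub_finding_aggregator.this]
}

# One policy describes the desired state for every associated account:
# Security Hub on, which standards are enabled, and which controls are disabled.
resource "aws_securityhub_configuration_policy" "baseline" {
  name        = "org-baseline"
  description = "Org-wide CIS 1.2.0 with check 1.10 disabled"

  configuration_policy {
    service_enabled = true

    # Standard ARNs carry no region or account; any standard not listed here is
    # disabled in the associated accounts.
    enabled_standard_arns = [
      "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
    ]

    security_controls_configuration {
      # Security control IDs, not per-account control ARNs. "IAM.16" is an
      # assumed mapping for CIS 1.2.0 check 1.10; confirm before applying.
      disabled_control_identifiers = ["IAM.16"]
    }
  }

  depends_on = [aws_securityhub_organization_configuration.this]
}

# Associate the policy with the organization root so every account inherits it.
# target_id may also be an OU ID or a single 12-digit account ID.
resource "aws_securityhub_configuration_policy_association" "root" {
  target_id = "r-abcd"
  policy_id = aws_securityhub_configuration_policy.baseline.id
}
```

Two caveats a practitioner should weigh before applying this: a configuration policy has no per-control justification field, so the `disabled_reason` from the original resource has no equivalent and must be recorded elsewhere (the policy description, or a ticket); and once the policy is associated, it supersedes the per-account standards and control settings in the targeted accounts, so any control a member account had disabled locally on its own will be re-enabled unless it is also listed in `disabled_control_identifiers`.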