Critical SecurityHub finding Config.1

[hannes-ucsc]

AWS Config is configured and functioning but the control fires anyway since we use a custom IAM role instead of a service-linked role as required by Config.1. We could set the includeConfigServiceLinkedRoleCheck parameter on the control, to disable that role-check part of the control but I see no reason. I do see a correctly named service-linked for AWS Config role one of our AWS accounts. It seems to be a left-over from manually enabling AWS Config. Our TF Config makes no mention of it.

We should delete the custom IAM role, and create a service-linked role instead, using the appropriate TF config. The custom role is associated with a managed policy and a custom one. The same should be the case for the service-linked role. The AssumeRole part of the custom role is obsolete. Service-linked roles have that part hard-wired.

Instead of importing the existing but unused service-linked role left-over in prod, and any other account for that matter, we should simply delete the role. AWS documentation states

If you delete this service-linked role, you can use this same process to create the role again.

so we should be able to simply delete the role and recreate it when the updated TF config is applied.

Spike to check every account for a left-over service-linked role for AWS Config.

[achave11-ucsc]

Every account's check for left-over service-linked role for AWS Config.

dev
anvildev
anvilprod
prod

[hannes-ucsc]

To summarize the above: dev and prod have a left-over service-linked role (SLR).

Next steps are

• Delete the left-over SLR from dev
• Wait a week, delete the left-over SLR from prod
• Prepare PR to remove custom role and (re)create SLR, and associate any custom policies to the SLR instead

[achave11-ucsc]

Assignee to complete first step above.

[achave11-ucsc]

Attempting to complete the first step above was unsuccessful due to the following,

It seems this (SLR) is still being used by Config, which prevents us from deleting it.

And via the AWS CLI

❯ aws iam delete-role --role-name AWSServiceRoleForConfig

An error occurred (UnmodifiableEntity) when calling the DeleteRole operation: Cannot perform the operation on the protected role 'AWSServiceRoleForConfig' - this role is only modifiable by AWS

[achave11-ucsc]

https://docs.aws.amazon.com/config/latest/developerguide/using-service-linked-roles.html#delete-slr

[hannes-ucsc]

There were a bunch of recorders in other regions that had to be deleted, first. After that, the deletion succeeded:

[achave11-ucsc]

Deletion succeeded:

• Wait a week, delete the left-over SLR from prod

Complete.

[hannes-ucsc]

There was supposed to be a waiting period of one week between the deletion in dev and prod.

[achave11-ucsc]

That was my mistake.
Thankfully, it'd been almost two years since the deleted SLR was last used in prod.

[hannes-ucsc]

Thankfully, it'd been almost two years since the deleted SLR was last used in prod.

That's not sufficient evidence that the deletion wouldn't have caused an issue.