
security hub errors about regions not opted in

Answer

So we are seeing errors from security hub, for regions that we haven't opted into for the reference arch.

```
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │ Error: Cannot find InvitationId for MasterId ********************
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │   with module.security_hub.aws_securityhub_invite_accepter.invitee_ap_northeast_1[0],
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │   on ../../security/aws-securityhub/main.tf line 200, in resource "aws_securityhub_invite_accepter" "invitee_ap_northeast_1":
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │  200: resource "aws_securityhub_invite_accepter" "invitee_ap_northeast_1" {
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │
[ecs-deploy-runner][2022-04-28T18:19:04+0000] ╵
[ecs-deploy-runner][2022-04-28T18:19:04+0000] ╷
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │ Error: Cannot find InvitationId for MasterId ********************
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │   with module.security_hub.aws_securityhub_invite_accepter.invitee_ap_northeast_2[0],
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │   on ../../security/aws-securityhub/main.tf line 258, in resource "aws_securityhub_invite_accepter" "invitee_ap_northeast_2":
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │  258: resource "aws_securityhub_invite_accepter" "invitee_ap_northeast_2" {
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │
[ecs-deploy-runner][2022-04-28T18:19:04+0000] ╵
[ecs-deploy-runner][2022-04-28T18:19:04+0000] ╷
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │ Error: Cannot find InvitationId for MasterId ********************
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │   with module.security_hub.aws_securityhub_invite_accepter.invitee_ap_south_1[0],
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │   on ../../security/aws-securityhub/main.tf line 374, in resource "aws_securityhub_invite_accepter" "invitee_ap_south_1":
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │  374: resource "aws_securityhub_invite_accepter" "invitee_ap_south_1" {
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │
[ecs-deploy-runner][2022-04-28T18:19:04+0000] ╵
[ecs-deploy-runner][2022-04-28T18:19:04+0000] ╷
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │ Error: Cannot find InvitationId for MasterId ********************
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │   with module.security_hub.aws_securityhub_invite_accepter.invitee_ap_southeast_1[0],
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │   on ../../security/aws-securityhub/main.tf line 432, in resource "aws_securityhub_invite_accepter" "invitee_ap_southeast_1":
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │  432: resource "aws_securityhub_invite_accepter" "invitee_ap_southeast_1" {
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │
[ecs-deploy-runner][2022-04-28T18:19:04+0000] ╵
[ecs-deploy-runner][2022-04-28T18:19:04+0000] ╷
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │ Error: Cannot find InvitationId for MasterId ********************
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │   with module.security_hub.aws_securityhub_invite_accepter.invitee_ap_southeast_2[0],
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │   on ../../security/aws-securityhub/main.tf line 490, in resource "aws_securityhub_invite_accepter" "invitee_ap_southeast_2":
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │  490: resource "aws_securityhub_invite_accepter" "invitee_ap_southeast_2" {
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │
[ecs-deploy-runner][2022-04-28T18:19:04+0000] ╵
[ecs-deploy-runner][2022-04-28T18:19:04+0000] ╷
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │ Error: Cannot find InvitationId for MasterId ********************
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │   with module.security_hub.aws_securityhub_invite_accepter.invitee_ca_central_1[0],
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │   on ../../security/aws-securityhub/main.tf line 606, in resource "aws_securityhub_invite_accepter" "invitee_ca_central_1":
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │  606: resource "aws_securityhub_invite_accepter" "invitee_ca_central_1" {
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │
[ecs-deploy-runner][2022-04-28T18:19:04+0000] ╵
[ecs-deploy-runner][2022-04-28T18:19:04+0000] ╷
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │ Error: Cannot find InvitationId for MasterId ********************
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │   with module.security_hub.aws_securityhub_invite_accepter.invitee_eu_central_1[0],
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │   on ../../security/aws-securityhub/main.tf line 664, in resource "aws_securityhub_invite_accepter" "invitee_eu_central_1":
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │  664: resource "aws_securityhub_invite_accepter" "invitee_eu_central_1" {
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │
[ecs-deploy-runner][2022-04-28T18:19:04+0000] ╵
[ecs-deploy-runner][2022-04-28T18:19:04+0000] ╷
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │ Error: Cannot find InvitationId for MasterId ********************
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │   with module.security_hub.aws_securityhub_invite_accepter.invitee_eu_north_1[0],
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │   on ../../security/aws-securityhub/main.tf line 722, in resource "aws_securityhub_invite_accepter" "invitee_eu_north_1":
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │  722: resource "aws_securityhub_invite_accepter" "invitee_eu_north_1" {
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │
[ecs-deploy-runner][2022-04-28T18:19:04+0000] ╵
[ecs-deploy-runner][2022-04-28T18:19:04+0000] ╷
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │ Error: Cannot find InvitationId for MasterId ********************
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │   with module.security_hub.aws_securityhub_invite_accepter.invitee_eu_west_1[0],
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │   on ../../security/aws-securityhub/main.tf line 838, in resource "aws_securityhub_invite_accepter" "invitee_eu_west_1":
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │  838: resource "aws_securityhub_invite_accepter" "invitee_eu_west_1" {
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │
[ecs-deploy-runner][2022-04-28T18:19:04+0000] ╵
[ecs-deploy-runner][2022-04-28T18:19:04+0000] ╷
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │ Error: Cannot find InvitationId for MasterId ********************
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │   with module.security_hub.aws_securityhub_invite_accepter.invitee_eu_west_2[0],
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │   on ../../security/aws-securityhub/main.tf line 896, in resource "aws_securityhub_invite_accepter" "invitee_eu_west_2":
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │  896: resource "aws_securityhub_invite_accepter" "invitee_eu_west_2" {
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │
[ecs-deploy-runner][2022-04-28T18:19:04+0000] ╵
[ecs-deploy-runner][2022-04-28T18:19:04+0000] ╷
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │ Error: Cannot find InvitationId for MasterId ********************
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │   with module.security_hub.aws_securityhub_invite_accepter.invitee_eu_west_3[0],
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │   on ../../security/aws-securityhub/main.tf line 954, in resource "aws_securityhub_invite_accepter" "invitee_eu_west_3":
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │  954: resource "aws_securityhub_invite_accepter" "invitee_eu_west_3" {
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │
[ecs-deploy-runner][2022-04-28T18:19:04+0000] ╵
[ecs-deploy-runner][2022-04-28T18:19:04+0000] ╷
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │ Error: Cannot find InvitationId for MasterId ********************
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │   with module.security_hub.aws_securityhub_invite_accepter.invitee_sa_east_1[0],
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │   on ../../security/aws-securityhub/main.tf line 1070, in resource "aws_securityhub_invite_accepter" "invitee_sa_east_1":
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │ 1070: resource "aws_securityhub_invite_accepter" "invitee_sa_east_1" {
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │
[ecs-deploy-runner][2022-04-28T18:19:04+0000] ╵
```

Our regions are configured as such in multi_region_common.hcl

```
# ----------------------------------------------------------------------------------------------------------------
# MULTIREGION CONVENIENCE LOCALS
# The following locals are used for constructing multi region provider configurations for the underlying module.
# ----------------------------------------------------------------------------------------------------------------
locals {
  # A list of all AWS regions
  all_aws_regions = [
    "af-south-1",
    "ap-east-1",
    "ap-northeast-1",
    "ap-northeast-2",
    "ap-northeast-3",
    "ap-south-1",
    "ap-southeast-1",
    "ap-southeast-2",
    "ap-southeast-3",
    "ca-central-1",
    "cn-north-1",
    "cn-northwest-1",
    "eu-central-1",
    "eu-north-1",
    "eu-south-1",
    "eu-west-1",
    "eu-west-2",
    "eu-west-3",
    "me-south-1",
    "sa-east-1",
    "us-east-1",
    "us-east-2",
    "us-gov-east-1",
    "us-gov-west-1",
    "us-west-1",
    "us-west-2",
  ]

  # Creates resources in the specified regions. The best practice is to enable multiregion modules in all enabled
  # regions in your AWS account. To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws
  # ec2 describe-regions.
  opt_in_regions = [
    # Disables as we will not operate in these regions anytime soon
    "eu-north-1",
    "ap-south-1",
    "eu-west-3",
    "eu-west-2",
    "eu-west-1",
    "ap-northeast-2",
    "ap-northeast-1",
    "sa-east-1",
    "ca-central-1",
    "ap-southeast-1",
    "ap-southeast-2",
    "eu-central-1",
    "us-east-1",
    "us-east-2",
    "us-west-1",
    "us-west-2",

    # By default, skip regions that are not enabled in most AWS accounts:
    #
    # "af-south-1", # Cape Town
    # "ap-east-1", # Hong Kong
    # "eu-south-1", # Milan
    # "me-south-1", # Bahrain
    # "us-gov-east-1", # GovCloud
    # "us-gov-west-1", # GovCloud
    # "cn-north-1", # China
    # "cn-northwest-1", # China
    #
    # This region is enabled by default but is brand-new and some services like AWS Config don't work.
    # "ap-northeast-3", # Asia Pacific (Osaka)
  ]
}
```

---

[Tracked in ticket #108524](https://gruntwork.zendesk.com/agent/tickets/108524)

> Cannot find InvitationId for MasterId

This is an issue where the Security Hub master account has not invited the current account, and thus the current account can't accept the invite to associate to the master account. If you had opted out of those regions in the `logs` account, then it explains why it is failing in the child accounts because you had removed the invites from the `logs` account to the children for those regions. This is why it works when you removed those regions in the children, because now it is in sync with the state of the `logs` account.
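
A pre-apply drift check for the mismatch described in the answer, as an added example (not Gruntwork's code). It assumes the `logs` account and each child account keep their own `opt_in_regions` list in the format shown in the question; the HCL and log samples below are constructed, and the function names are hypothetical.

```python
import re

# Constructed samples (not from the page): opt_in_regions in the `logs` account
# after two regions were disabled, and in a child account that still lists them.
LOGS_HCL = '''
opt_in_regions = [
  # "eu-west-1",
  # "sa-east-1",
  "us-east-1",  # N. Virginia
]
'''
CHILD_HCL = '''
opt_in_regions = [
  "eu-west-1",
  "sa-east-1",
  "us-east-1",
]
'''
# Constructed log lines in the format shown in the question.
LOG = '''
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │ Error: Cannot find InvitationId for MasterId ********************
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │   with module.security_hub.aws_securityhub_invite_accepter.invitee_eu_west_1[0],
[ecs-deploy-runner][2022-04-28T18:19:04+0000] │   with module.security_hub.aws_securityhub_invite_accepter.invitee_sa_east_1[0],
'''

def opt_in_regions(hcl):
    """Return the active (uncommented) entries of the opt_in_regions list."""
    m = re.search(r"opt_in_regions\s*=\s*\[(.*?)\]", hcl, re.S)
    if not m:
        raise ValueError("opt_in_regions not found")
    regions = set()
    for line in m.group(1).splitlines():
        active = line.split("#", 1)[0]  # drop comments, including disabled entries
        regions.update(re.findall(r'"([a-z0-9-]+)"', active))
    return regions

def failed_regions(log):
    """Regions whose invite accepter failed, taken from resource names in the log."""
    names = re.findall(r"aws_securityhub_invite_accepter\.invitee_([a-z0-9_]+)\[", log)
    return {n.replace("_", "-") for n in names}

def drift(child_hcl, logs_hcl):
    """Regions the child tries to accept in but the logs account no longer invites for."""
    return opt_in_regions(child_hcl) - opt_in_regions(logs_hcl)
```

A non-empty `drift()` result names the regions where the child account's apply will fail with `Cannot find InvitationId for MasterId`; comparing it with `failed_regions()` over a deploy log confirms that the failures are explained by the mismatch.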