AUTOMATE+ Deployment requirements and troubleshooting

Overall, AUTOMATE+ enables the following AWS services (if not already set up):

⦿ AWS Config
⦿ Security Hub

And we leverage:

⦿ IAM Roles/Policies
⦿ SSM Documents/Parameters
⦿ EventBridge Rules
⦿ CloudWatch log groups
⦿ Step Functions
⦿ SNS topics
⦿ KMS keys
⦿ S3 buckets

AUTOMATE+ has a few key requirements for a deployment to progress smoothly. The main ones are highlighted below.

Note: A Cross Account Role is required during deployment. More information on this is available here:
https://www.well-architected.ai/kb/automate%2B-cross-account-role

1. IAM user requirements during deployment

During deployment, an IAM user is required to:
   a) Be logged into the relevant AWS account
   b) Have permissions to deploy AWS CloudFormation Stacks
   c) Be permitted to deploy and configure the related AWS native services for AUTOMATE+ to function.

2. IAM role requirements

AUTOMATE+ deploys a number of roles that are required to facilitate automation after deployment.

These roles are visible within your AWS Account.

The deployed roles have the following name suffixes:
   a) six-pillars-aws-security
   b) SO0111
   c) AWSServiceRole
   d) AWS-QuickSetup-StackSet

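For a post-deployment review, the roles listed above can be inventoried together with the principals each one trusts. The script below is an added example, not part of AUTOMATE+ or this page's original content. It assumes input in the shape of `aws iam list-roles --output json`, matches the markers anywhere in the role name (an assumption), and uses constructed role names and account IDs.

```python
# Role-name markers listed on this page. The page calls them suffixes; matching
# them anywhere in the name is an assumption made here so no role is missed.
MARKERS = ["six-pillars-aws-security", "SO0111", "AWSServiceRole",
           "AWS-QuickSetup-StackSet"]

def _role(name, principal):
    """Build one constructed entry in the shape `aws iam list-roles` returns."""
    return {"RoleName": name, "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]}}

# Constructed sample: role names and account IDs are invented for illustration.
SAMPLE = {"Roles": [
    _role("demo-six-pillars-aws-security", {"AWS": "arn:aws:iam::444455556666:root"}),
    _role("demo-SO0111", {"Service": "ssm.amazonaws.com"}),
    _role("AWSServiceRoleForDemo", {"Service": "config.amazonaws.com"}),
    _role("unrelated-app-role", {"AWS": "arn:aws:iam::111122223333:root"}),
]}

def trust_principals(policy):
    """Return sorted 'Type:value' strings for the principals of Allow statements."""
    found = set()
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":                  # wildcard trust: anyone may assume
            found.add("*")
            continue
        for kind, values in principal.items():
            for value in ([values] if isinstance(values, str) else values):
                found.add(f"{kind}:{value}")
    return sorted(found)

def inventory(list_roles_output, own_account):
    """Group matching roles by marker and flag trust that leaves own_account."""
    report = {marker: [] for marker in MARKERS}
    for role in list_roles_output["Roles"]:
        marker = next((m for m in MARKERS if m in role["RoleName"]), None)
        if marker is None:
            continue                          # not a role this page describes
        trusted = trust_principals(role["AssumeRolePolicyDocument"])
        external = [p for p in trusted
                    if p == "*" or (p.startswith("AWS:") and own_account not in p)]
        report[marker].append({"role": role["RoleName"], "trusted": trusted,
                               "external": external})
    return report

if __name__ == "__main__":
    for marker, roles in inventory(SAMPLE, "111122223333").items():
        print(marker, roles or "NO ROLE FOUND")
```
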
--

Frequently Asked Questions (FAQ)

⦿ Controls are showing as UNKNOWN compliance status in AUTOMATE+

When you first deploy AUTOMATE+ to your AWS account, if this is the first time that you have run AWS Security Hub, it will take between 18 and 24 hours for Security Hub to generate findings.

Where Security Hub has not yet generated findings, a "NO Data" message will appear in the Security Hub control page. In these situations, AUTOMATE+ will display an UNKNOWN compliance status.

There are a number of other reasons that a control may display an UNKNOWN compliance status:
- Controls can be available only in certain AWS Regions. If a control is not available in your chosen AUTOMATE+ deployment region, it will display an UNKNOWN compliance status.
- Some controls depend on other controls in order to generate an AWS Security Hub finding. In these instances, Security Hub will display a No Data message and, in turn, AUTOMATE+ will display an UNKNOWN compliance status.

Controls showing UNKNOWN status are excluded from the AUTOMATE+ compliance attainment percentage on the dashboard and from other related calculations.

Should you experience any issues while deploying AUTOMATE+, please contact us at support@6pillars.ai and we will be able to assist.
