Hello I am trying to add AWS Config in Terraform. I've set up the following policy attachment like so:

resource "aws_iam_policy" "policy" {
  name   = "test-policy"
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "config:PutEvaluations",
        "config:PutConfigRule",
        "config:DeleteConfigRule",
        "config:GetComplianceDetailsByConfigRule",
        "config:DescribeConfigRuleEvaluationStatus"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:config:*:*:config-rule/aws-service-rule/*securityhub*"
      ]
    }
  ]
}
POLICY
}

I've verified that the policy in AWS matches the policy attachment as prescribed above. However, when I visit the AWS Config service in the console I get the following error for each of my config rules:

Unable to perform config:PutEvaluations due to the lack of permissions on the role.

I haven't found any good resources on this issue. I've been scouring around, but nothing has turned up. I only came across this article: https://aws.amazon.com/premiumsupport/knowledge-center/config-error-security-hub/. Any help with this issue would be greatly appreciated. For reference I am attaching the policy to the IAM role like so:

resource "aws_iam_role_policy_attachment" "test-attach" {
  role       = aws_iam_role.config.name
  policy_arn = aws_iam_policy.policy.arn
}

resource "aws_iam_role" "config" {
  name = "myconfig"

  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
POLICY
}
ydaetskcoR
Evan Gertis
    `config:PutEvaluations` can't be restricted by a resource unfortunately. See https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconfig.html for more information. You will need to split your statement in two with one unrestricted by resource statement with at least that action and then the other actions in a statement that can be restricted appropriately. – ydaetskcoR Nov 23 '20 at 16:08
  • Can you provide an example? – Evan Gertis Nov 23 '20 at 16:38

2 Answers

config:PutEvaluations can't be restricted by a resource unfortunately. See the AWS user guide on IAM permissions for more information. The guide mentions the following:

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

But the PutEvaluations action, at the time of writing, doesn't have an entry in the Resource types column.

As mentioned in the quote above, you will need to split your statement in two: one statement, unrestricted by resource, containing at least that action, and the other actions in a statement that can be restricted appropriately.

The following should work:

resource "aws_iam_policy" "policy" {
    name = "test-policy"
    policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "config:PutEvaluations"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    },
    {
      "Action": [
        "config:PutConfigRule",
        "config:DeleteConfigRule",
        "config:GetComplianceDetailsByConfigRule",
        "config:DescribeConfigRuleEvaluationStatus"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:config:*:*:config-rule/aws-service-rule/*securityhub*"
      ]
    }
  ]
}
POLICY
}
ydaetskcoR
  • I've answered the question. Please remove this response as it does not answer the question. – Evan Gertis Nov 23 '20 at 16:51
  • Are you saying you still get the same error with the above policy? I'd expect that specific error to go away but potentially have other IAM issues later. Your self answer uses a much wider IAM policy which is generally fine when you have an AWS service using it rather than something user specified but isn't suitable for all users. – ydaetskcoR Nov 23 '20 at 16:52
  • Yes the error is: Unable to perform config:PutEvaluations due to the lack of permissions on the role. – Evan Gertis Nov 23 '20 at 16:52
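The failure mode in this thread (an action that supports no resource type being granted only against an ARN, so the statement never matches) can be caught before `terraform apply`. The following linter is an added example, not code from the question or either answer; the `RESOURCE_SCOPABLE` table is a hand-maintained assumption covering only the five actions on this page, and the sample policy is the question's original document reconstructed inline.

```python
import json
# Which AWS Config actions accept a resource-level ARN, per the Service
# Authorization Reference for AWS Config (list_awsconfig.html): an action with
# no "Resource types" entry must use Resource "*". Hand-maintained subset for
# the actions on this page; verify others against the reference (assumption).
RESOURCE_SCOPABLE = {
    "config:PutEvaluations": False,
    "config:PutConfigRule": True,
    "config:DeleteConfigRule": True,
    "config:GetComplianceDetailsByConfigRule": True,
    "config:DescribeConfigRuleEvaluationStatus": True,
}

# Constructed sample: the question's original, mis-scoped policy document.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": list(RESOURCE_SCOPABLE),
    "Resource": ["arn:aws:config:*:*:config-rule/aws-service-rule/*securityhub*"],
}]})

def _as_list(value):
    # IAM accepts a string or a list for Action/Resource; normalise to a list.
    return value if isinstance(value, list) else [value]

def _unscopable(stmt):
    # Actions in an Allow statement that pair a non-'*' Resource with an action
    # supporting no resource type. Such a statement never matches, so the grant
    # fails silently (the "lack of permissions" error in the question).
    if stmt.get("Effect") != "Allow" or "*" in _as_list(stmt.get("Resource", [])):
        return []
    return [a for a in _as_list(stmt.get("Action", [])) if RESOURCE_SCOPABLE.get(a) is False]

def find_misscoped_actions(policy_json):
    """Return every action the policy grants only against an ARN it cannot use."""
    return [a for s in _as_list(json.loads(policy_json)["Statement"]) for a in _unscopable(s)]

def split_policy(policy_json):
    """Move unscopable actions into one Allow statement on Resource '*', leaving
    the scopable actions on their original ARNs (the split the answer above suggests)."""
    doc = json.loads(policy_json)
    kept, unscoped = [], []
    for stmt in _as_list(doc["Statement"]):
        bad = _unscopable(stmt)
        good = [a for a in _as_list(stmt.get("Action", [])) if a not in bad]
        unscoped += bad
        if good or not bad:  # drop a statement only if every action moved out
            kept.append({**stmt, "Action": good} if bad else stmt)
    if unscoped:
        kept.insert(0, {"Effect": "Allow", "Action": unscoped, "Resource": "*"})
    doc["Statement"] = kept
    return json.dumps(doc, indent=2)
```

Running `find_misscoped_actions` on the rendered `policy` attribute (for example in a pre-commit hook) reports `config:PutEvaluations` for the original document and nothing for the split version.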
I was able to solve my own problem:

resource "aws_iam_role_policy_attachment" "test-attach" {
  role       = aws_iam_role.config.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRole"
}

I used the policy listed under "IAM Role Policy for Getting Configuration Details" in this document: https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html

Evan Gertis