awslabs / aws-securityhub-multiaccount-scripts Goto Github PK

This script automates the process of running the Security Hub multi-account workflow across a group of accounts that are in your control

License: MIT No Attribution

Python 100.00%

aws-securityhub-multiaccount-scripts's Introduction

AWS Security Hub multi-account scripts

Note:
Security Hub now supports central configuration for security standards and controls across accounts.

Security Hub's central configration feature addresses many of the scenarios that are covered by the scripts in this repository, reducing or eliminating the need to run these scripts. Please refer to the Security Hub central configuration documentation first before going forward with using these scripts.

This repository contains scripts and guidance for enabling and configuring Security Hub and Security Hub features across multiple accounts.

The three scenarios addressed by this repository are:

Multi-account enablement scripts - scripts focused on enabling or disabling Security Hub across many accounts. Applicable for accounts that are not managed by a delegated administrator account.
Multi-account CIS 1.4 enable scripts - scripts focused on enabling the Center for Internet Security AWS Foundational Best Practices v1.4 security standard across many accounts.
Multi-account NIST 800-53 enable scripts - scripts focused on enabling or disabling the NIST 800-53 security standard across many accounts.
Multi-region automation rules deployment - scripts focused on deploying automation rules across multiple regions in an account.

aws-securityhub-multiaccount-scripts's People

Contributors

Stargazers

Watchers

Forkers

jpoley pierreliddle ryanholland ammarion cmattoon thomcost rmorris1218 jiamaozheng chenian adclark1 chaithanya77 belislea magnologan jimy-masyer github85 cruzcloud eramvn usm-inspired-configs brandonawells evrobert polysigninc poeblu hasssammalik vaibhavpokale devopseze piyushsachan1210 mbeacom adewealthgit muhammadnaveedahmed smic-itss acdha kapi76 claytonbrown rckasa l1ahim seaflinn adityavs msmagoo87 corysaws ezoic amitsha256 gregn610 pijain longlivedt arafatheds abdulkhader86 bastiangoonewardena ssteo ks5564 kvaibhawa gabrieljaquish o2346 vlade0520 nickel-tyson-bearnson stevekim-git mi3814 brettcave nickksun isunny0416 vagira spuds51 isabellarossi stmag ralph-thissen honglu zhixueli strongjz vichiee ziqirubik confickerp sam-84 iops uk-gov-mirror iyksam20 kumarchatla math-tsai jonaskriks raji999 ashishbhadouria syllogy shellz-n-stuff jpalmergithub bigskyjj soliton2022 samkenxstream vhascoet gunasekar-0000101 alnash28-stash oodog0126 k3n-74 mcbongfen morluholder mmpkandra isimahei sshamsudheen biolababs fjsnogueira ssgupta2423 hugdora arun-cloudsec

aws-securityhub-multiaccount-scripts's Issues

Feature: Enable for all accounts in organization

I just want security hub enabled on all my accounts. I suspect a lot of people enabling it would like the same.

It is pretty easy to query the list of accounts from within the script, so add an option like "--all" to enable security hub on all accounts in the organization.

Feature:Add optional argument to command line for accepting the Standards Warning

I am trying to run this via a CodePipeline Project, at the moment the task will fail as the code requires user input to accept the deployment of the CIS Benchmarks.

Could an additional positional argument be added to accept this allowing it to run without user input? for example

$python enablesecurityhub.py -y ${enablecsv} --master_account ${AdministratorAccountId} --assume_role ${CodeBuildManageSecurityHubRole} --enable_standards arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0

I will attempt to do this myself, but someone else might be able to perform a quicker fix.

Feature Update - Centralise S3 bucket and enable AWS Config on Master Account

Hi,
Could the script be updated to cater for centralising the logs for AWS Config to the master account, rather than keeping locally.

So rather than "Choosing a bucket from your account", able to choose a "Choose a bucket from another account".

In addition enabling AWS config on the master account, as this is not enabled and AWS complains.

Thanks

Script exits on enabled accounts

If the script reads in an account that already has security hub enabled, it will automatically exit. Ideally, it should skip to the next line/account in the csv until the list is exhausted.

'arn:aws:securityhub:::pci-aws-/v/3.2.1'

Can we support the new PCI compliance?

InvalidInputException(u'An error occurred (InvalidInputException) when calling the BatchEnableStandards operation: Invalid StandardsSubscriptionRequest(s): [{"StandardsArn":"arn:aws:securityhub::pci-aws-/v/3.2.1"}]',)

Error Processing Account

Getting 'error processing account' on almost all accounts except for us-east regions. It errors out if selecting any other regions.

Should this work in GovCloud?

Someone tell me what I'm doing wrong here. Using the latest pull from today. Not sure where the hangup is..

python3 ./enablesecurityhub.py --master_account ************ --assume_role ManageSecurityHub --enable_standards arn:aws-us-gov:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0,standards/aws-foundational-security-best-practices/v/1.0.0  --enabled_regions us-gov-west-1 /home/ec2-user/aws-securityhub-multiaccount-scripts/gov-accounts.csv

Beginning ************ in us-gov-west-1
Error NoSuchBucketException("An error occurred (NoSuchBucketException) when calling the PutDeliveryChannel operation: No such s3 bucket with name 'config-bucket-*****-************'.") enabling Config on account ************
Account ************ is already a member of ************ in region us-gov-west-1
Error Processing Account ************

Error validating or enabling AWS Config for account ************ in us-gov-west-1 - requested standards not enabled

Boto3 session within Master Account is not assuming the ExecutionRole

At line 127 of enablesecurityhub.py, master_session is initiated with boto3.Session(); where it should be utilizing assume_role(args.master_account, args.assume_role). This is required for the implementation of utilizing the InstanceProfile for account setup.

Error: The state/task 'UpdateMembers' returned a result with a size exceeding the maximum number of bytes service limit.

Hi,
We have an large Organizations with more than 1300 accounts overs 17+ regions and this solution was a must for our Security Hub installation. Unfortunately, in DEV Org with less accounts and regions it was working fine until we start implementing it in PROD. If failed at the last iteration #1301 for a total of 9124 events.
We received the following error in our step-function:

States.DataLimitExceeded
The state/task 'UpdateMembers' returned a result with a size exceeding the maximum number of bytes service limit.

Anything we can do to increase this limit? Or it required a change in the code to process it differently?

Fails and leaves the accounts in a broken state...

Ran the script and it failed quite often.

MaAl00350:aws-securityhub-multiaccount-scripts max [master] $ ./enablesecurityhub.py  --master_account 161606123770 --assume_role fromCore org.csv --enabled_regions eu-west-1,eu-west-2
WARNING: Executing a script that is loading libcrypto in an unsafe way. This will fail in a future version of macOS. Set the LIBRESSL_REDIRECT_STUB_ABORT=1 in the environment to force this into an error.
Enabling members in these regions: ['eu-west-1', 'eu-west-2']
Assumed session for 161606123770.
Assumed session for 177825663049.
Beginning 177825663049 in eu-west-1
Error InsufficientDeliveryPolicyException(u'An error occurred (InsufficientDeliveryPolicyException) when calling the PutDeliveryChannel operation: Insufficient delivery policy to s3 bucket: config-bucket-177825663049, unable to assume role: arn:aws:iam::177825663049:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig.',) enabling Config on account 177825663049
Added Account 177825663049 to member list in SecurityHub master account 161606123770 for region eu-west-1
Invited Account 177825663049 to SecurityHub master account 161606123770 in region eu-west-1
Accepting Account 177825663049 to SecurityHub master account 161606123770 in region eu-west-1
Finished 177825663049 in eu-west-1
Beginning 177825663049 in eu-west-2
Added Account 177825663049 to member list in SecurityHub master account 161606123770 for region eu-west-2
Invited Account 177825663049 to SecurityHub master account 161606123770 in region eu-west-2
Accepting Account 177825663049 to SecurityHub master account 161606123770 in region eu-west-2
Finished 177825663049 in eu-west-2
Assumed session for 304071828426.
Beginning 304071828426 in eu-west-1
Added Account 304071828426 to member list in SecurityHub master account 161606123770 for region eu-west-1
Invited Account 304071828426 to SecurityHub master account 161606123770 in region eu-west-1
Accepting Account 304071828426 to SecurityHub master account 161606123770 in region eu-west-1
Finished 304071828426 in eu-west-1
Beginning 304071828426 in eu-west-2
Added Account 304071828426 to member list in SecurityHub master account 161606123770 for region eu-west-2
Invited Account 304071828426 to SecurityHub master account 161606123770 in region eu-west-2
Accepting Account 304071828426 to SecurityHub master account 161606123770 in region eu-west-2
Finished 304071828426 in eu-west-2
Assumed session for 417831697585.
Beginning 417831697585 in eu-west-1
Added Account 417831697585 to member list in SecurityHub master account 161606123770 for region eu-west-1
Invited Account 417831697585 to SecurityHub master account 161606123770 in region eu-west-1
Accepting Account 417831697585 to SecurityHub master account 161606123770 in region eu-west-1
Finished 417831697585 in eu-west-1
Beginning 417831697585 in eu-west-2
Added Account 417831697585 to member list in SecurityHub master account 161606123770 for region eu-west-2
Invited Account 417831697585 to SecurityHub master account 161606123770 in region eu-west-2
Accepting Account 417831697585 to SecurityHub master account 161606123770 in region eu-west-2
Finished 417831697585 in eu-west-2
Assumed session for 086867758037.
Beginning 086867758037 in eu-west-1
Error InsufficientDeliveryPolicyException(u'An error occurred (InsufficientDeliveryPolicyException) when calling the PutDeliveryChannel operation: Insufficient delivery policy to s3 bucket: config-bucket-086867758037, unable to assume role: arn:aws:iam::086867758037:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig.',) enabling Config on account 086867758037
Added Account 086867758037 to member list in SecurityHub master account 161606123770 for region eu-west-1
Invited Account 086867758037 to SecurityHub master account 161606123770 in region eu-west-1
Accepting Account 086867758037 to SecurityHub master account 161606123770 in region eu-west-1
Finished 086867758037 in eu-west-1
Beginning 086867758037 in eu-west-2
Added Account 086867758037 to member list in SecurityHub master account 161606123770 for region eu-west-2
Invited Account 086867758037 to SecurityHub master account 161606123770 in region eu-west-2
Accepting Account 086867758037 to SecurityHub master account 161606123770 in region eu-west-2
Finished 086867758037 in eu-west-2
Assumed session for 083816131855.
Beginning 083816131855 in eu-west-1
Error InsufficientDeliveryPolicyException(u'An error occurred (InsufficientDeliveryPolicyException) when calling the PutDeliveryChannel operation: Insufficient delivery policy to s3 bucket: config-bucket-083816131855, unable to assume role: arn:aws:iam::083816131855:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig.',) enabling Config on account 083816131855
Added Account 083816131855 to member list in SecurityHub master account 161606123770 for region eu-west-1
Invited Account 083816131855 to SecurityHub master account 161606123770 in region eu-west-1
Accepting Account 083816131855 to SecurityHub master account 161606123770 in region eu-west-1
Finished 083816131855 in eu-west-1
Beginning 083816131855 in eu-west-2
Added Account 083816131855 to member list in SecurityHub master account 161606123770 for region eu-west-2
Invited Account 083816131855 to SecurityHub master account 161606123770 in region eu-west-2
Accepting Account 083816131855 to SecurityHub master account 161606123770 in region eu-west-2
Finished 083816131855 in eu-west-2
Assumed session for 401787195176.
Beginning 401787195176 in eu-west-1
Error InsufficientDeliveryPolicyException(u'An error occurred (InsufficientDeliveryPolicyException) when calling the PutDeliveryChannel operation: Insufficient delivery policy to s3 bucket: config-bucket-401787195176, unable to assume role: arn:aws:iam::401787195176:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig.',) enabling Config on account 401787195176
Added Account 401787195176 to member list in SecurityHub master account 161606123770 for region eu-west-1
Invited Account 401787195176 to SecurityHub master account 161606123770 in region eu-west-1
Accepting Account 401787195176 to SecurityHub master account 161606123770 in region eu-west-1
Finished 401787195176 in eu-west-1
Beginning 401787195176 in eu-west-2
Added Account 401787195176 to member list in SecurityHub master account 161606123770 for region eu-west-2
Invited Account 401787195176 to SecurityHub master account 161606123770 in region eu-west-2
Accepting Account 401787195176 to SecurityHub master account 161606123770 in region eu-west-2
Finished 401787195176 in eu-west-2

......
---------------------------------------------------------------
Failed Accounts
---------------------------------------------------------------
177825663049: 
	Error validating or enabling AWS Config for account 177825663049 in eu-west-1 - requested standards not enabled
086867758037: 
	Error validating or enabling AWS Config for account 086867758037 in eu-west-1 - requested standards not enabled
083816131855: 
	Error validating or enabling AWS Config for account 083816131855 in eu-west-1 - requested standards not enabled
401787195176: 
	Error validating or enabling AWS Config for account 401787195176 in eu-west-1 - requested standards not enabled
486105608128: 
	Error validating or enabling AWS Config for account 486105608128 in eu-west-1 - requested standards not enabled

My role has the built in AWS "AdministratorAccess" policy in the 083816131855 account.

When I try to enable Config by hand in eu-west-1 in the console, I get an error :

AWS Config cannot start recording because the delivery channel was not found.

In eu-west-2 it has created a delivery channel but not in eu-west-1 :

MaAl:aws-securityhub-multiaccount-scripts max [master] $ aws configservice describe-delivery-channels --region eu-west-2
{
    "DeliveryChannels": [
        {
            "name": "config-s3-delivery",
            "s3BucketName": "config-bucket-083816131855",
            "configSnapshotDeliveryProperties": {
                "deliveryFrequency": "TwentyFour_Hours"
            }
        }
    ]
}
MaAl:aws-securityhub-multiaccount-scripts max [master] $ aws configservice describe-delivery-channels --region eu-west-1
{
    "DeliveryChannels": []
}

If I take the DeliveryChannel json from eu-west-2, I can apply it to eu-west-1 with a put-delivery-channel CLI command.

And then enable config from the console.

I believe the cause of the problem is that you are not waiting for the AWSServiceRoleForConfig to be fully created before using it. IAM is a global service and it takes time for changes to replicate around the globe.

https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html

We recommend that you do not include such IAM changes in the critical, high-availability code paths of your application. Instead, make IAM changes in a separate initialization or setup routine that you run less frequently. Also, be sure to verify that the changes have been propagated before production workflows depend on them.

A loop through all accounts creating the role first and then doing the work would be a more reliable design.

Rerunning the script seems to be fixing it.

Option - Lambda Function

Hi,
Will it be possible to migrate the code into a lambda function, rather than having a ec2?. Thanks

CSV example needed

Hi,

Please create a sample CSV file with member "AccountID,root email" and upload to project.

I keep getting "Invalid account number "MyAcct###, skipping .. for a response from a local test csv file. My account number is valid, a formatting issue it appears.

Thank you,

Disable Security Hub on a particular region

For a managed Org, how can I remove a region from the enabled regions? Do we have to completely disable Security Hub? Also, when running the disable script, how do you disable Security Hub for only that one account? not for all the invited account.

AWS Config not enabled and SNS topics creation

Hi,

My master member (control tower account landscape) did not get AWS Config enabled after running the EnableSecurityHub python script.

Another issue I see is that one member account got 3 SNS (SecurityNotify*+2 others) Topics and the other member got 1 SNS (SecurityNotifiy) Topic, again, after runningthe above python script. Wondering why?

Thank you.
Spuds51

Getting timeout error after assuming role in check_config() part

Hi, I'm running the script on AWS Lambda. I get timeout error under " # Processing accounts to be linked" part after:

sh_client = session.client('securityhub', region_name=aws_region)

Output:

Beginning $accountid in eu-west-1

END RequestId: 107f2b3c-8b34-4da7-a1a5-1c913e71c75c
REPORT RequestId: 107f2b3c-8b34-4da7-a1a5-1c913e71c75c	Duration: 3003.47 ms	Billed Duration: 3000 ms	Memory Size: 128 MB	Max Memory Used: 87 MB	Init Duration: 264.31 ms	
2021-02-02T11:30:25.371Z 107f2b3c-8b34-4da7-a1a5-1c913e71c75c Task timed out after 3.00 seconds

Any help would be appreciated.

Will script support setting up master accounts only for now?

Will the python script work if I only want to enable the master account for now, and no members yet, but I want to take advantage of all the other setup it does? If so, will I be able to easily add a member with the script later on?

Also will this work in Govcloud in the same way?

script exists abruptly - looks like permission issue

Hi,
I am trying to run the code to setup SecurityGuard for our environment. I ran it locally as well as via EC2 instance it failed with the access issue both times.
below is the error message that I received after adding a print statement in exception block:
"An error occurred (UnrecognizedClientException) when calling the EnableSecurityHub operation: The security token included in the request is invalid
Error: Unable to enable Security Hub on Master account in region ap-east-1"

The script exits at this point. i am using the provided scripts as is for the most part. And also used the yaml provided for the role configuration.

I tested from aws cli to confirm my credentials, they are fine. I have also assigned the Instance Profile to the EC2 instance.

Doesn't notice failures due to not waiting for config to enable

After running the script I was find a lot of Critical findings in status "Warning".
Attempting to view the rule related to the finding in the console took me to an empty rule definition page and/or errors in Config. Further investigation shows the rules don't even exist in Config.

I suspect this is because the script does not wait for Config to be enabled before enabling Security Hub. So SH thinks it has created the rule for the finding but the rule does not exist.
The only way to fix this is to disable/enable the standards.
eg :

MaAl00350:~ max $ aws configservice describe-config-rules --query ConfigRules[].ConfigRuleName
[
    "securityhub-cloud-trail-encryption-enabled-b61f8eaf",
    "securityhub-codebuild-project-source-repo-url-check-bc429527",
    "securityhub-dms-replication-not-public-fd0e6f54",
    "securityhub-efs-encrypted-check-e5244c06",
    "securityhub-vpc-default-security-group-closed-2a891050",
    "securityhub-vpc-flow-logs-enabled-3042d788"
]
MaAl00350:~ max $ aws securityhub get-enabled-standards
{
    "StandardsSubscriptions": [
        {
            "StandardsSubscriptionArn": "arn:aws:securityhub:eu-west-1:034563818582:subscription/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsArn": "arn:aws:securityhub:eu-west-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsInput": {},
            "StandardsStatus": "READY"
        }
    ]
}

AWS foundation should have a lot more rules than that!
So, lets disable and wait for it ....

MaAl00350:~ max $ aws securityhub batch-disable-standards  --standards-subscription-arns  "arn:aws:securityhub:eu-west-1:034563818582:subscription/aws-foundational-security-best-practices/v/1.0.0"
{
    "StandardsSubscriptions": [
        {
            "StandardsSubscriptionArn": "arn:aws:securityhub:eu-west-1:034563818582:subscription/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsArn": "arn:aws:securityhub:eu-west-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsInput": {},
            "StandardsStatus": "DELETING"
        }
    ]
}
MaAl00350:~ max $ aws securityhub get-enabled-standards
{
    "StandardsSubscriptions": []
}

Wait a few minutes and then another minute :

MaAl00350:~ max $ aws configservice describe-config-rules --query ConfigRules[].ConfigRuleName
[
    "securityhub-vpc-default-security-group-closed-2a891050",
    "securityhub-vpc-flow-logs-enabled-3042d788"
]
MaAl00350:~ max $ aws configservice describe-config-rules --query ConfigRules[].ConfigRuleName
[]

Finally all the rules are gone. Re-enable the standard :

MaAl00350:~ max $ aws securityhub batch-enable-standards --standards-subscription-requests '{"StandardsArn":"arn:aws:securityhub:eu-west-1::standards/aws-foundational-security-best-practices/v/1.0.0"}'
{
    "StandardsSubscriptions": [
        {
            "StandardsSubscriptionArn": "arn:aws:securityhub:eu-west-1:034563818582:subscription/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsArn": "arn:aws:securityhub:eu-west-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsInput": {},
            "StandardsStatus": "PENDING"
        }
    ]
}
MaAl00350:~ max $ aws securityhub get-enabled-standards
{
    "StandardsSubscriptions": [
        {
            "StandardsSubscriptionArn": "arn:aws:securityhub:eu-west-1:034563818582:subscription/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsArn": "arn:aws:securityhub:eu-west-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsInput": {},
            "StandardsStatus": "READY"
        }
    ]
}
MaAl00350:~ max $ aws configservice describe-config-rules --query ConfigRules[].ConfigRuleName
[
    "securityhub-access-keys-rotated-4338bdd1",
    "securityhub-acm-certificate-expiration-check-a9c4abea",
    "securityhub-alb-http-to-https-redirection-check-48339d98",
    "securityhub-autoscaling-group-elb-healthcheck-required-a8d0729f",
    "securityhub-cloud-trail-encryption-enabled-348ac493",
    "securityhub-codebuild-project-envvar-awscred-check-bd1bccda",
    "securityhub-codebuild-project-source-repo-url-check-55df4d3f",
    "securityhub-dms-replication-not-public-9aba3179",
    "securityhub-ebs-snapshot-public-restorable-check-6169ceb8",
    "securityhub-ec2-instance-managed-by-ssm-599c6972",
    "securityhub-ec2-managedinstance-association-compliance-status-check-b69a86ef",
    "securityhub-ec2-managedinstance-patch-compliance-00bf694d",
    "securityhub-ec2-stopped-instance-38153549",
    "securityhub-efs-encrypted-check-82f1aaa9",
    "securityhub-elasticsearch-encrypted-at-rest-58658303",
    "securityhub-encrypted-volumes-fc3a8ba4",
    "securityhub-guardduty-enabled-centralized-b514c146",
    "securityhub-iam-password-policy-recommended-defaults-64365480",
    "securityhub-iam-policy-no-statements-with-admin-access-bce4701f",
    "securityhub-iam-root-access-key-check-a7c95be2",
    "securityhub-iam-user-no-policies-check-34076ae3",
    "securityhub-lambda-function-public-access-prohibited-ad1f8609",
    "securityhub-lambda-function-settings-check-a569e4c9",
    "securityhub-mfa-enabled-for-iam-console-access-e80a849c",
    "securityhub-multi-region-cloud-trail-enabled-049fa6e6",
    "securityhub-rds-instance-public-access-check-1c0f0f3e",
    "securityhub-rds-snapshots-public-prohibited-6c85734e",
    "securityhub-rds-storage-encrypted-ccdb6b6e",
    "securityhub-root-account-hardware-mfa-enabled-7751db16",
    "securityhub-s3-account-level-public-access-blocks-c9fe23a1",
    "securityhub-s3-bucket-public-read-prohibited-66251a8f",
    "securityhub-s3-bucket-public-write-prohibited-71d10c81",
    "securityhub-s3-bucket-server-side-encryption-enabled-93f8c50f",
    "securityhub-s3-bucket-ssl-requests-only-0feab26a",
    "securityhub-sagemaker-notebook-no-direct-internet-access-21638603",
    "securityhub-vpc-default-security-group-closed-10798b7d",
    "securityhub-vpc-flow-logs-enabled-ff14d6e9"
]

If you don't do this, some of your findings will be forever in the broken state and you will never get a pass/fail.

I think the script needs to handle enabling config better by waiting for it.

Perhaps at the end of check_config a loop checking config.describe_configuration_recorder_status()['ConfigurationRecordersStatus'][0]['recording'] before exiting the function.

AccessDenied when calling the AssumeRole operation

python enablesecurityhub.py --master_account MASTERACCOUNTID --assume_role ManageSecurityHub --enabled_regions ap-south-1 enable.csv
Enabling members in these regions: ['ap-south-1']
Assumed session for MASTERACCOUNT ID.
Error Processing Account MEMBERACCOUNTID

Failed Accounts

XXXXXXXXX:
ClientError(u'An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::MASTERACCOUNTID:assumed-role/ManageSecurityHubInstanceRole/i-0a8a33c4f573xxxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::MEMBERACCOUNTID:role/ManageSecurityHub',)

Option 1 selected. [EC2 instance with enablesecurityhub]

Could see the same IAM roles in master account and member account. Ran CFT to create the roles and instance profile,policy. Not sure what am i missing here. Any assistance here please.

Assume

I ran the EnableSecurityHub CFT in a member account and the master account. I spun up and EC2 and assigned it the EnableSecurityHub Profile and ran the python script and got the below errors.

./enablesecurityhub.py accounts.csv --master_account 1234567891011 --assume_role EnableSecurityHub
Enabling members in all available SecurityHub regions [u'ap-northeast-1', u'ap-northeast-2', u'ap-south-1', u'ap-southeast-1', u'ap-southeast-2', u'ca-central-1', u'eu-central-1', u'eu-west-1', u'eu-west-2', u'eu-west-3', u'sa-east-1', u'us-east-1', u'us-east-2', u'us-west-1', u'us-west-2']
Traceback (most recent call last):
File "./enablesecurityhub.py", line 252, in
master_session = assume_role(args.master_account, args.assume_role)
File "./enablesecurityhub.py", line 52, in assume_role
RoleSessionName='EnableSecurityHub'
File "/usr/lib/python2.7/site-packages/botocore/client.py", line 357, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/lib/python2.7/site-packages/botocore/client.py", line 661, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied

both accounts have the same IAM config for the role. Not sure why it appears there is an access denied issue.

It fails with incorrect error for each region not already enabled

I run the script, with the list of regions and arns for standards and it enables securityhub for the first region in the list and then exits the script with the error:
Error: Unable to enable Security Hub on Master account in region us-west-1

But when i go to AWS console, that region's SecurityHub was enabled

If i disable securityhub for that region and run the script again, it'll display the same thing, but enable it again

If I leave the region enabled and run the script again, it'll enable the next region in the list, but exit with the same error for that region:

[ec2-user@<host> aws-securityhub-multiaccount-scripts]$ ./enablesecurityhub.py --master_account <account-id> --enable_standards arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0,arn:aws:securityhub:us-west-2::standards/aws-foundational-security-best-practices/v/1.0.0 --assume_role ManageSecurityHub --enabled_regions us-west-1,us-west-2,us-east-1,us-east-2,eu-west-1,eu-west-2,eu-west-3,eu-central-1,eu-north-1,ap-south-1,ap-northeast-1,ap-northeast-2,ap-northeast-3,ap-southeast-1,ap-southeast-2,ca-central-1,sa-east-1 members.csv

        *****************************************************************************************************************************************************************************************
        *      By turning on this Standards you will enable security evaluations to run. For current pricing and example scenarios please refer to the current AWS Security Hub pricing.        *
        *      Important: You must enable AWS Config for all resources in each AWS Region where you will be running a Standard. If Config is not already enabled it will be enabled and         *
        *      configured in each region.                                                                                                                                                       *
        *                                                                                                                                                                                       *
        *      In addition to AWS Security Hub charges, you will also incur charges for the Configuration Items recorded by AWS Config, as per the AWS Config pricing. These charges are        *
        *      separate from (and not included in) AWS Security Hub pricing.                                                                                                                    *
        *****************************************************************************************************************************************************************************************

        Continue?(yes/no):

yes
Enabling members in these regions: ['us-west-1', 'us-west-2', 'us-east-1', 'us-east-2', 'eu-west-1', 'eu-west-2', 'eu-west-3', 'eu-central-1', 'eu-north-1', 'ap-south-1', 'ap-northeast-1', 'ap-northeast-2', 'ap-northeast-3', 'ap-southeast-1', 'ap-southeast-2', 'ca-central-1', 'sa-east-1']
Enabling the following Security Hub Standards for enabled account(s) and region(s): ['arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0', 'arn:aws:securityhub:us-west-2::standards/aws-foundational-security-best-practices/v/1.0.0']
Assumed session for <account-id>.
Error: Unable to enable Security Hub on Master account in region us-west-1

AWS Foundational Security Best Practices controls

Any updates needed to enable https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html

As well can we please share the syntax to enable. Thanks in advanced.

--assume_role is not work

Execute enablesecurityhub.py to deny access to the Assume Role.

In the “Option 1: Launch EC2 instance” scenario, the following error is displayed:

Is the wrong way to specify the "--assume_role" option?
I specified ARN and role name, but the result was the same.

Error Message

$ python enablesecurityhub.py --master_account xxxxxxxxxxxx --assume_role arn:aws:iam::xxxxxxxxxxxx:role/ManageSecurityHub enable.csv
Enabling members in all available SecurityHub regions [u'ap-northeast-1', u'ap-northeast-2', u'ap-south-1', u'ap-southeast-1', u'ap-southeast-2', u'ca-central-1', u'eu-central-1', u'eu-west-1', u'eu-west-2', u'eu-west-3', u'sa-east-1', u'us-east-1', u'us-east-2', u'us-west-1', u'us-west-2']
Traceback (most recent call last):
  File "enablesecurityhub.py", line 252, in <module>
    master_session = assume_role(args.master_account, args.assume_role)
  File "enablesecurityhub.py", line 52, in assume_role
    RoleSessionName='EnableSecurityHub'
  File "/usr/lib/python2.7/site-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/lib/python2.7/site-packages/botocore/client.py", line 661, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied

Environmental information

$ aws --version
aws-cli/1.16.173 Python/2.7.14 Linux/4.14.114-105.126.amzn2.x86_64 botocore/1.12.163

$ curl http://169.254.169.254/latest/meta-data/iam/info
{
  "Code" : "Success",
  "LastUpdated" : "2019-06-07T11:54:32Z",
  "InstanceProfileArn" : "arn:aws:iam::xxxxxxxxxxxx:instance-profile/EnableSecurityHub",
  "InstanceProfileId" : "AIPAX5XYUN4PPWTZRY2JU"
}

Invalid account number ·53832227****, skipping

I am getting the following error when using enablesecurityhub.py

Invalid account number ·53832227****, skipping

I have checked the account number is accurate in the csv file. I have noticed that it has a small dot in front of the account number in the error message. This is not there in the csv, is this related?

Need a way to get the security hub details by aws account ID and region

Current;y, we do not have any way to check if the security hub is enabled for particular aws account in a particular region (or list of regions.) There are multiple such use cases when we need to get the AWS Security hub by these fields.

InvalidInputException

While using the latest script

/home/ssm-user/aws-securityhub-multiaccount-scripts/enablesecurityhub.py --master_account 999999999999 --assume_role tw_guardduty_sechub --enabled_regions us-east-1 --enable_standards arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0,arn:aws:securityhub:us-east-1::standards/pci-dss/v/3.2.1 /home/ssm-user/input.csv

We are getting the below error

Enabling members in these regions: ['us-east-1']
Enabling the following Security Hub Standards for enabled account(s) and region(s): ['arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0', 'arn:aws:securityhub:us-east-1::standards/pci-dss/v/3.2.1']
Assumed session for 999999999999.
Assumed session for 333333333333.
Beginning 333333333333 in us-east-1
Error Processing Account 333333333333

Failed Accounts

333333333333:
InvalidInputException(u'An error occurred (InvalidInputException) when calling the BatchEnableStandards operation: Invalid StandardsSubscriptionRequest(s): [{"StandardsArn":"arn:aws:securityhub:us-east-1::arn:aws:securityhub:us-east-1::standards/pci-dss/v/3.2.1"}]',)

Combine AWS Control Tower and AWS Security Hu

Hi,

Thanks for uploading the script.

I am trying to implement you scripts into our AWS Control Tower setup, which has the following accounts - Master, Audit and Log. I was wondering if it is possible to get the script to work with having the Audit account as being the primary account, rather than Master Account.
I am trying to combine AWS Control Tower & AWS Security Hub and use the Audit account as the Security account for AWS Cloutrail, Config, GuardDuty etc...

Thanks

Invalid length for parameter StandardsSubscriptionRequests

Getting the following error when executing the codebuild job to enable multiple accounts:

Full Output:
Traceback (most recent call last):
File "enablesecurityhub.py", line 351, in
sh_client.batch_enable_standards(StandardsSubscriptionRequests=batch_enable_standards_input)
File "/usr/local/lib/python2.7/dist-packages/botocore/client.py", line 316, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/local/lib/python2.7/dist-packages/botocore/client.py", line 599, in _make_api_call
api_params, operation_model, context=request_context)
File "/usr/local/lib/python2.7/dist-packages/botocore/client.py", line 647, in _convert_to_request_dict
api_params, operation_model)
File "/usr/local/lib/python2.7/dist-packages/botocore/validate.py", line 297, in serialize_to_request
raise ParamValidationError(report=report.generate_report())
botocore.exceptions.ParamValidationError: Parameter validation failed:
Invalid length for parameter StandardsSubscriptionRequests, value: 0, valid range: 1-inf

Documentation: argument for --enabled_regions is not shown

In the documentation for enable the flag for --enabled_regions is not shown. It is shown in the disable.py

sts:AssumeRole fails for sso user and iam account user

I am running the command with:

python enablesecurityhub.py --master_account snip --assume_role arn:aws:iam::snip:role/enableSecHub --enabled_regions us-east-1,us-east-2 --enable_standards arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0 accounts.csv

Invalid account number Account ID, skipping Enabling members in these regions: ['us-east-1', 'us-east-2'] Enabling the following Security Hub Standards for enabled account(s) and region(s): ['arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0'] Traceback (most recent call last): File "enablesecurityhub.py", line 254, in <module> master_session = assume_role(args.master_account, args.assume_role) File "enablesecurityhub.py", line 53, in assume_role RoleSessionName='EnableSecurityHub' File "/Users/a/Library/Python/2.7/lib/python/site-packages/botocore/client.py", line 316, in _api_call return self._make_api_call(operation_name, kwargs) File "/Users/a/Library/Python/2.7/lib/python/site-packages/botocore/client.py", line 635, in _make_api_call raise error_class(parsed_response, operation_name)botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::snipped is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::snip:role/arn:aws:iam::snip:role/enableSecHub

I have tried creating roles and policies to explicitly allow either user and neither have worked. I have also tried running this locally and from within a ec2 instance inside the master account with associated iam resources.

Expected result is the script to complete successfully with various aws accounts reporting in to the master account.

Unable to run locally

I'm unable to run this locally, as suggested by the readme file in "Ensure you have credentials setup on your local machine for your master account that have permission to call AssumeRole." That sentence is not sufficiently clear.

Typically running locally you use a profile, in our case integrated with AWS SSO, but this tool doesn't seem to support that.

Here's the error I get:

Enabling members in these regions: ['ap-southeast-2']
Traceback (most recent call last):
  File "C:\Documents\code\cps-aws-platform2\tools\aws-securityhub-multiaccount-scripts\enablesecurityhub.py", line 254, in <module>
    master_session = assume_role(args.master_account, args.assume_role)
  File "C:\Documents\code\cps-aws-platform2\tools\aws-securityhub-multiaccount-scripts\enablesecurityhub.py", line 45, in assume_role
    partition = sts_client.get_caller_identity()['Arn'].split(":")[1]
  File "C:\Users\username\AppData\Roaming\Python\Python38\site-packages\botocore\client.py", line 316, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "C:\Users\username\AppData\Roaming\Python\Python38\site-packages\botocore\client.py", line 621, in _make_api_call
    http, parsed_response = self._make_request(
  File "C:\Users\username\AppData\Roaming\Python\Python38\site-packages\botocore\client.py", line 641, in _make_request
    return self._endpoint.make_request(operation_model, request_dict)
  File "C:\Users\username\AppData\Roaming\Python\Python38\site-packages\botocore\endpoint.py", line 102, in make_request
    return self._send_request(request_dict, operation_model)
  File "C:\Users\username\AppData\Roaming\Python\Python38\site-packages\botocore\endpoint.py", line 132, in _send_request
    request = self.create_request(request_dict, operation_model)
  File "C:\Users\username\AppData\Roaming\Python\Python38\site-packages\botocore\endpoint.py", line 115, in create_request
    self._event_emitter.emit(event_name, request=request,
  File "C:\Users\username\AppData\Roaming\Python\Python38\site-packages\botocore\hooks.py", line 356, in emit
    return self._emitter.emit(aliased_event_name, **kwargs)
  File "C:\Users\username\AppData\Roaming\Python\Python38\site-packages\botocore\hooks.py", line 228, in emit
    return self._emit(event_name, kwargs)
  File "C:\Users\username\AppData\Roaming\Python\Python38\site-packages\botocore\hooks.py", line 211, in _emit
    response = handler(**kwargs)
  File "C:\Users\username\AppData\Roaming\Python\Python38\site-packages\botocore\signers.py", line 90, in handler
    return self.sign(operation_name, request)
  File "C:\Users\username\AppData\Roaming\Python\Python38\site-packages\botocore\signers.py", line 160, in sign
    auth.add_auth(request)
  File "C:\Users\username\AppData\Roaming\Python\Python38\site-packages\botocore\auth.py", line 357, in add_auth
    raise NoCredentialsError
botocore.exceptions.NoCredentialsError: Unable to locate credentials

Error with not-opted-in regions with unspecified --enabled_regions

Hi team

Following errors show up when --enabled_regions was not specified.
It is likely because when target account ships not-opted-in regions but the result of session.get_available_regions('securityhub') includes such ones. (in my case ap-east-1,me-south-1)


        *****************************************************************************************************************************************************************************************
        *      By turning on this Standards you will enable security evaluations to run. For current pricing and example scenarios please refer to the current AWS Security Hub pricing.        *
        *      Important: You must enable AWS Config for all resources in each AWS Region where you will be running a Standard. If Config is not already enabled it will be enabled and         *
        *      configured in each region.                                                                                                                                                       *
        *                                                                                                                                                                                       *
        *      In addition to AWS Security Hub charges, you will also incur charges for the Configuration Items recorded by AWS Config, as per the AWS Config pricing. These charges are        *
        *      separate from (and not included in) AWS Security Hub pricing.                                                                                                                    *
        *****************************************************************************************************************************************************************************************

        Continue?(yes/no):

Enabling members in all available SecurityHub regions ['ap-east-1', 'ap-northeast-1', 'ap-northeast-2', 'ap-south-1', 'ap-southeast-1', 'ap-southeast-2', 'ca-central-1', 'eu-central-1', 'eu-north-1', 'eu-west-1', 'eu-west-2', 'eu-west-3', 'me-south-1', 'sa-east-1', 'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2']
Enabling the following Security Hub Standards for enabled account(s) and region(s): ['arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0']
Assumed session for 111111111111.
Error: Unable to enable Security Hub on Master account in region {}
Traceback (most recent call last):
  File "./enablesecurityhub.py", line 262, in <module>
    master_clients[aws_region].enable_security_hub()
  File "/usr/local/lib/python3.5/dist-packages/botocore/client.py", line 316, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.5/dist-packages/botocore/client.py", line 626, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (UnrecognizedClientException) when calling the EnableSecurityHub operation: The security token included in the request is invalid

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "./enablesecurityhub.py", line 292, in <module>
    print("Error: Unable to enable Security Hub on Master account in region {}").format(aws_region)
AttributeError: 'NoneType' object has no attribute 'format'

Then it exits
https://github.com/awslabs/aws-securityhub-multiaccount-scripts/blob/master/enablesecurityhub.py#L292

same error through cli

% aws securityhub enable-security-hub --region ap-east-1

An error occurred (UnrecognizedClientException) when calling the EnableSecurityHub operation: The security token included in the request is invalid

env

% aws --version
aws-cli/1.16.206 Python/3.5.2 Linux/4.10.0-38-generic botocore/1.15.44
% uname -a
Linux xxxx-desktop 4.10.0-38-generic #42~16.04.1-Ubuntu SMP Tue Oct 10 16:32:20 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

In order to avoid such error, just exclude not-opted-in regions then it's fine. But it means, I'm being forced to consider which region was which opt-in status and then enumerate approperate ones by myself, on every executions. It's kind of challenging.

I expected 'available regions' does not contain no-opted-in regions on my account.
On the other hand, your implementation means 'available regions' differently. It seems to be absent from consideration about opt-in-status on individual accounts.
https://github.com/awslabs/aws-securityhub-multiaccount-scripts/blob/master/enablesecurityhub.py#L243

But there is no point to try to enable Security Hub on the regions those have not even been opted in, perhaps for many users.
Therefore, It would be really helpful if your implementation was responsible to handle that consideration by default.

In the meantime, I wrote small script shown below to enumerate the regions exactly I want.
https://gist.github.com/o2346/e0fa3eeb8c67ff51660c354ee3cabdba#file-get_securityhub_regions_optedin-py
Is it possible to implement feature like this on your side?
(Or to update to coninue for following regions in the for-loop to be processed, even if not-opted-in region was given, instead of aborting.)

Thanks

`get_available_regions()` returns empty list

aws-securityhub-multiaccount-scripts/enablesecurityhub.py

Line 134 in c493168

securityhub_regions = session.get_available_regions('securityhub')

Python 2.7.15rc1 (default, Nov 12 2018, 14:31:15)
[GCC 7.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import boto3
>>> boto3.session.Session().get_available_regions("securityhub")
[]
>>>

I would expect this to return a list of available regions, as it does for guardduty or ec2.

>>> boto3.session.Session().get_available_regions("guardduty")
[u'ap-northeast-1', u'ap-northeast-2', u'ap-south-1', u'ap-southeast-1', u'ap-southeast-2', u'ca-central-1', u'eu-central-1', u'eu-west-1', u'eu-west-2', u'eu-west-3', u'sa-east-1', u'us-east-1', u'us-east-2', u'us-west-1', u'us-west-2']
>>>

AWS Foundational Security Best Practices v1.0.0 getting enabled by default

When I run a command like below against only cis benchmarks enablement, AWS Foundational Security Best Practices v1.0.0 also getting enabled by default. Is it possible not to enable AWS Foundational Security Best Practices v1.0.0 by default.

enablesecurityhub.py --master_account *** --assume_role ManageSecurityHub1 --enabled_regions us-west-2 --enable_standards arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0 accounts.csv

awslabs / aws-securityhub-multiaccount-scripts Goto Github PK

aws-securityhub-multiaccount-scripts's Introduction

AWS Security Hub multi-account scripts

aws-securityhub-multiaccount-scripts's People

Contributors

Stargazers

Watchers

Forkers

aws-securityhub-multiaccount-scripts's Issues

python enablesecurityhub.py --master_account MASTERACCOUNTID --assume_role ManageSecurityHub --enabled_regions ap-south-1 enable.csv Enabling members in these regions: ['ap-south-1'] Assumed session for MASTERACCOUNT ID. Error Processing Account MEMBERACCOUNTID

Failed Accounts

Error Message

Environmental information

Failed Accounts

333333333333: InvalidInputException(u'An error occurred (InvalidInputException) when calling the BatchEnableStandards operation: Invalid StandardsSubscriptionRequest(s): [{"StandardsArn":"arn:aws:securityhub:us-east-1::arn:aws:securityhub:us-east-1::standards/pci-dss/v/3.2.1"}]',)

Recommend Projects

Recommend Topics

Recommend Org

python enablesecurityhub.py --master_account MASTERACCOUNTID --assume_role ManageSecurityHub --enabled_regions ap-south-1 enable.csv
Enabling members in these regions: ['ap-south-1']
Assumed session for MASTERACCOUNT ID.
Error Processing Account MEMBERACCOUNTID

333333333333:
InvalidInputException(u'An error occurred (InvalidInputException) when calling the BatchEnableStandards operation: Invalid StandardsSubscriptionRequest(s): [{"StandardsArn":"arn:aws:securityhub:us-east-1::arn:aws:securityhub:us-east-1::standards/pci-dss/v/3.2.1"}]',)