AWS Multi-Account Setup
You can also use the script below, provided by AWS Labs, to enable Security Hub across multiple accounts. Follow these steps:
- Install Python (if not already installed)
sudo apt-get install python3.9 python3-pip
- Install boto3 and the AWS CLI (if not already installed)
python3 -m pip install boto3 awscli
- Clone the repo. This command clones the AWS Security Hub Multi-Account Scripts from GitHub.
git clone https://github.com/awslabs/aws-securityhub-multiaccount-scripts.git
- Change the current directory to the script directory
cd aws-securityhub-multiaccount-scripts/multiaccount-enable
- Run the script with the command below
python3 enablesecurityhub.py --master_account <Account Id> --assume_role <Service role name> input_file
- master_account: the account ID of the management account from which you will manage the security findings of all the accounts.
- assume_role: the name of the role that the script assumes in the management account and in each account listed in input_file in order to call the required APIs.
- The role must be created in all accounts, including the management account, with the policy and trust policy shown below.
Role Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": [
            "securityhub.amazonaws.com",
            "config.amazonaws.com"
          ]
        }
      },
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "securityhub:*",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "config:DescribeConfigurationRecorders",
        "config:DescribeDeliveryChannels",
        "config:DescribeConfigurationRecorderStatus",
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:PutConfigurationRecorder",
        "config:PutDeliveryChannel",
        "config:StartConfigurationRecorder"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:CreateBucket",
        "s3:PutBucketPolicy",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::config-bucket-*",
      "Effect": "Allow"
    }
  ]
}
Trust Policy (the IAM policy language version must be exactly "2012-10-17"):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<MasterAccountId>"
      },
      "Action": [
        "sts:AssumeRole"
      ]
    }
  ]
}
- input_file: the path to a CSV file listing the accounts to enable, one per line, in the format Account Id, email Address.
You can automate all of the above with the CloudFormation template in the EnableSecurityHub.yaml file. After configuring the role and the input file and running the script, Security Hub is enabled in your accounts to track security issues and report them in the console dashboard.
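As an added check (my own code, not part of the AWS Labs scripts), the helper below validates the rows of input_file before anything is called, then, using the management account's credentials, assumes the role in each listed account and calls Security Hub DescribeHub to confirm the hub is actually enabled there. The function names, the regex checks and the `securityhub-check` session name are assumptions; boto3 and management-account credentials are only needed for the API part.

```python
# Pre-flight / post-run check for the multi-account Security Hub script.
import csv
import re
import sys

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")           # AWS account ids are 12 digits
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # coarse sanity check only

def parse_input_file(text):
    """Parse 'AccountId,EmailAddress' rows; a malformed row raises ValueError."""
    accounts = []
    for lineno, row in enumerate(csv.reader(text.splitlines()), start=1):
        if not "".join(row).strip():
            continue  # blank line
        if len(row) != 2:
            raise ValueError(f"line {lineno}: expected AccountId,EmailAddress")
        account_id, email = (f.strip() for f in row)
        if not ACCOUNT_ID_RE.match(account_id):
            raise ValueError(f"line {lineno}: bad account id {account_id!r}")
        if not EMAIL_RE.match(email):
            raise ValueError(f"line {lineno}: bad email {email!r}")
        accounts.append((account_id, email))
    return accounts

def securityhub_status(account_id, role_name, region):
    """Assume the role in the member account and call DescribeHub there.
    Returns 'ENABLED', 'NOT_ENABLED' or 'ASSUME_ROLE_FAILED: <error code>'."""
    import boto3  # imported lazily: the parser above needs no AWS SDK
    from botocore.exceptions import ClientError
    try:
        creds = boto3.client("sts").assume_role(
            RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
            RoleSessionName="securityhub-check")["Credentials"]
    except ClientError as exc:  # wrong role name or trust policy in that account
        return f"ASSUME_ROLE_FAILED: {exc.response['Error']['Code']}"
    hub = boto3.client("securityhub", region_name=region,
                       aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"],
                       aws_session_token=creds["SessionToken"])
    try:
        hub.describe_hub()  # InvalidAccessException if the hub is not enabled
        return "ENABLED"
    except ClientError as exc:
        code = exc.response["Error"]["Code"]
        return "NOT_ENABLED" if code == "InvalidAccessException" else code

if __name__ == "__main__":  # usage: check.py input_file <role name> <region>
    with open(sys.argv[1]) as fh:
        for acct, _ in parse_input_file(fh.read()):
            print(acct, securityhub_status(acct, sys.argv[2], sys.argv[3]))
```

Run it once before enablesecurityhub.py to catch role or input-file mistakes, and once after to confirm every account reports ENABLED.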
How To Set up AWS Security Hub?
AWS Security Hub is a service that collects data from various AWS services, identifies security issues, and provides a comprehensive view of all the issues together with their cause and remediation.
It helps keep AWS services and applications deployed on AWS more secure and in line with industry-standard security practices.