Comments (2)
I wanted to provide an update on this. I believe there are issues with the instructions for this.
#1: You need to change the assume role the EC2 instance is supposed to use. I used the EnableSecurityHub.yaml, and as written, it doesn't work. The EC2 instance needs to assume the role "ManageSecurityHub", not the role "EnableSecurityHub". The way the CFT is built, you need to call the role you are assuming, not the role the instance profile has.
#2: If you intend to use this for multiple accounts across regions, you have to modify the S3 bucket profile to allow the new accounts to write to it if you want to use a centralized S3 bucket.
from aws-securityhub-multiaccount-scripts.
The CloudFormation template creates an execution role (ManageSecurityHub) and an instance profile and role. You cannot attach the ManageSecurityHub role to the instance because you cannot attach a role directly to an instance; you can only attach an instance profile. The instance profile, EnableSecurityHub, should only be used in the master account and allows the instance with that profile to assume the execution role. The issue you had is that you attempted to use the role used in the instance profile (EnableSecurityHub) rather than the execution role (ManageSecurityHub) in the command.
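The separation the maintainer describes (the instance-profile role EnableSecurityHub in the master account assumes the execution role ManageSecurityHub in each member account), as an added Python example that is not code from the aws-securityhub-multiaccount-scripts project. Only the two role names come from the thread; the trust policy, the account IDs and the injected STS client are constructed assumptions.

```python
import json

# Constructed trust policy of the ManageSecurityHub execution role in a
# member account. Account IDs are placeholders, not real values.
MANAGE_SECURITYHUB_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::111111111111:role/EnableSecurityHub"}}],
})


def can_assume(trust_policy_json: str, caller_arn: str) -> bool:
    """True if an Allow statement grants sts:AssumeRole to caller_arn,
    i.e. the role behind the master-account instance profile."""
    statements = json.loads(trust_policy_json).get("Statement", [])
    for stmt in statements if isinstance(statements, list) else [statements]:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if (stmt.get("Effect") == "Allow" and "sts:AssumeRole" in actions
                and caller_arn in principals):
            return True
    return False


def execution_role_arn(member_account_id: str) -> str:
    """ARN to pass to sts:AssumeRole: the execution role, not the
    instance-profile role (EnableSecurityHub) the instance already holds."""
    return f"arn:aws:iam::{member_account_id}:role/ManageSecurityHub"


def member_credentials(sts_client, member_account_id: str, region: str) -> dict:
    """Assume ManageSecurityHub in a member account and return kwargs for a
    boto3 Security Hub client there. sts_client is any object exposing
    boto3's sts.assume_role(RoleArn=..., RoleSessionName=...) call."""
    resp = sts_client.assume_role(RoleArn=execution_role_arn(member_account_id),
                                  RoleSessionName="EnableSecurityHub")
    creds = resp["Credentials"]
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"],
            "region_name": region}
```

Passing a real `boto3.client("sts")` from the master-account instance as `sts_client` yields credentials for a `boto3.client("securityhub", **kwargs)` in the member account; the trust-policy check is what fails when the wrong role ARN is used.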