script exists abruptly - looks like permission issue about aws-securityhub-multiaccount-scripts HOT 7 CLOSED

enabled_regions takes a comma separated string of regions, ie: us-east-1,us-east-2,us-west-1... so remove the 's and [] from your command line

from aws-securityhub-multiaccount-scripts.

Can you include the command line you are using? Ensure that you have the correct role name (ManageSecurityHub) in the command

from aws-securityhub-multiaccount-scripts.

Hi, Yes I am running with the correct rolename , Below is the command :
./enablesecurityhub.py --master_account --assume_role ManageSecurityHub input.csv

from aws-securityhub-multiaccount-scripts.

Complete message :
Enabling members in all available SecurityHub regions [u'ap-east-1', u'ap-northeast-1', u'ap-northeast-2', u'ap-south-1', u'ap-southeast-1', u'ap-southeast-2', u'ca-central-1', u'eu-central-1', u'eu-north-1', u'eu-west-1', u'eu-west-2', u'eu-west-3', u'sa-east-1', u'us-east-1', u'us-east-2', u'us-west-1', u'us-west-2']
Assumed session for <ID>.
An error occurred (UnrecognizedClientException) when calling the EnableSecurityHub operation: The security token included in the request is invalid
Error: Unable to enable Security Hub on Master account in region ap-east-1

from aws-securityhub-multiaccount-scripts.

Actually sorry, I now see the problem - its not your permissions but rather the inclusion of ap-east-1 (HKG) where if the region is not enabled the STS credentials are not valid. I will put together a fix for this but in the meantime you can use the --enabled_regions [list out the regions above, minus ap-east-1] to get around this condition

from aws-securityhub-multiaccount-scripts.

Thats weird. Now, I'm getting below error:

#./enablesecurityhub.py --master_account <ID>--assume_role ManageSecurityHub --enabled_regions
['ap-northeast-1','ap-northeast-2','ap-south-1','ap-southeast-1','ap-southeast-2','ca-central-1','eu-central-1','eu-north-1','eu-west-1','eu-west-2','eu-west-3','s
a-east-1','us-east-1','us-east-2','us-west-1','us-west-2'] input.csv
Enabling members in these regions: ['[ap-northeast-1', 'ap-northeast-2', 'ap-south-1', 'ap-southeast-1', 'ap-southeast-2', 'ca-central-1', 'eu-central-1', 'eu-north-1', 'eu-west-1', 'eu-west-2', 'eu-west-3', 'sa-east-1', 'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2]']
Assumed session for <ID>.
Traceback (most recent call last):
File "./enablesecurityhub.py", line 257, in
master_clients[aws_region] = master_session.client('securityhub', region_name=aws_region)
File "/usr/lib/python2.7/site-packages/boto3/session.py", line 263, in client
aws_session_token=aws_session_token, config=config)
File "/usr/lib/python2.7/site-packages/botocore/session.py", line 839, in create_client
client_config=config, api_version=api_version)
File "/usr/lib/python2.7/site-packages/botocore/client.py", line 86, in create_client
verify, credentials, scoped_config, client_config, endpoint_bridge)
File "/usr/lib/python2.7/site-packages/botocore/client.py", line 328, in _get_client_args
verify, credentials, scoped_config, client_config, endpoint_bridge)
File "/usr/lib/python2.7/site-packages/botocore/args.py", line 85, in get_client_args
client_cert=new_config.client_cert)
File "/usr/lib/python2.7/site-packages/botocore/endpoint.py", line 259, in create_endpoint
if not is_valid_endpoint_url(endpoint_url):
File "/usr/lib/python2.7/site-packages/botocore/utils.py", line 842, in is_valid_endpoint_url
parts = urlsplit(endpoint_url)
File "/usr/lib64/python2.7/urlparse.py", line 233, in urlsplit
raise ValueError("Invalid IPv6 URL")
ValueError: Invalid IPv6 URL

from aws-securityhub-multiaccount-scripts.

That was my bad! It worked !! :) Thank you for all your help and awesome script! I will keep an eye for new updates to it.

from aws-securityhub-multiaccount-scripts.