Comments (5)
Max,
The organization APIs are protected and can only be made within the Organization Administrator account or a delegated administrator account so it is not something we will add to this script. That said we are aware of the need to have support for Organizations within Security Hub similar to other services.
from aws-securityhub-multiaccount-scripts.
But @ryanholland I think normally the user enabling/configuring Security Hub is going to be quite privileged, yeah? And no prob with giving the user read perms on the org...
The AWS built-in "SecurityAudit" policy (likely the sort of policy applied to a role that will be using Security Hub) has permissions "organizations:List*" and "organizations:Describe*", so I don't really see a big issue enabling useful features because of a fear of protected APIs.
If I'm trying to enable SH across multiple accounts, I probably already am in the master account for the organization, have delegated permissions or know how to set it up so that I do.
It is simply a shorthand to having to write a separate script to extract all the email addresses and account IDs. The person running the script would have to do that anyway, so already has the permission required. The exact point of applications and helper scripts is so people don't have to do all their tasks individually one at a time. You've gone half way, why not finish the journey?
It's not a matter of having those permissions, you can assign them to any user, but they won't actually work unless you are making the call from a user/role within the Organization Root account.
I can't imagine a scenario where the Security Auditor wouldn't be able to audit the Org Root account as well as the sub accounts when you're wanting to enable Security Hub on ALL accounts in the organisation...
Maybe really big orgs would have a master org account and not want to enable security hub everywhere, but then they wouldn't be using the "--all" option.
I can only repeat myself: The exact point of applications and helper scripts is so people don't have to do all their tasks individually one at a time. You've gone half way, why not finish the journey?
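The "separate script to extract all the email addresses and account IDs" argued over in this thread, as an added example that is neither the project's code nor any commenter's. It assumes boto3's Organizations client interface (a `list_accounts` paginator) and substitutes a constructed fake client with constructed sample data so it runs offline; the access-denied path models the case ryanholland describes, where the call is made from a member account rather than the management or delegated-administrator account.

```python
# Added example, not from the aws-securityhub-multiaccount-scripts project: pull
# each account's ID and e-mail from AWS Organizations, reporting clearly when the
# call is rejected because it was not made from the management/delegated account.
from typing import Any, Dict, List, Tuple


class OrganizationsAccessError(RuntimeError):
    """Organizations rejected the caller (not the management/delegated account)."""


def list_org_accounts(org_client: Any, only_active: bool = True) -> List[Tuple[str, str]]:
    """Return sorted [(account_id, email), ...] via the paginated ListAccounts API."""
    accounts: List[Tuple[str, str]] = []
    try:
        for page in org_client.get_paginator("list_accounts").paginate():
            for acct in page.get("Accounts", []):
                if only_active and acct.get("Status") != "ACTIVE":
                    continue  # skip SUSPENDED / PENDING_CLOSURE accounts
                accounts.append((acct["Id"], acct["Email"]))
    except Exception as exc:
        # botocore's ClientError keeps the service error code in exc.response;
        # read it defensively so the constructed fake client below matches.
        code = str(getattr(exc, "response", {}).get("Error", {}).get("Code", ""))
        if code in ("AccessDeniedException", "AWSOrganizationsNotInUseException"):
            raise OrganizationsAccessError(
                f"{code}: call ListAccounts from the Organization's management "
                "account or a delegated administrator"
            ) from exc
        raise
    return sorted(accounts)


class FakeOrganizationsClient:
    """Constructed stand-in for boto3.client('organizations') so this runs offline."""
    def __init__(self, pages: List[Dict[str, Any]], deny: bool = False) -> None:
        self._pages, self._deny = pages, deny

    def get_paginator(self, name: str) -> Any:
        if self._deny:  # mimic the call being made from an ordinary member account
            exc = Exception("AccessDeniedException")
            exc.response = {"Error": {"Code": "AccessDeniedException"}}  # type: ignore[attr-defined]
            raise exc
        return type("Paginator", (), {"paginate": lambda _self: iter(self._pages)})()


SAMPLE_PAGES = [  # constructed sample pages, shaped like real ListAccounts responses
    {"Accounts": [{"Id": "111111111111", "Email": "sec@example.com", "Status": "ACTIVE"},
                  {"Id": "222222222222", "Email": "old@example.com", "Status": "SUSPENDED"}]},
    {"Accounts": [{"Id": "333333333333", "Email": "app@example.com", "Status": "ACTIVE"}]},
]

if __name__ == "__main__":  # for real use, pass boto3.client("organizations") instead
    for acct_id, email in list_org_accounts(FakeOrganizationsClient(SAMPLE_PAGES)):
        print(f"{acct_id},{email}")
```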