Closed jamesarosen closed 5 months ago
Hello @jamesarosen
Thank you for your feedback. I appreciate you taking the time to write your feedback and suggestions :-).
Using this script, it is assumed you have met the prerequisites in the Amazon Inspector2 official documentation.
How much of that document do I need to follow? I clicked on "multi-account environment" in that document and the first step takes me to this repo. I seem to be caught in a loop.
Please read in the document the section Before you begin on that page.
2.1.1. [RECOMMENDED] Using AWS CloudShell
Why is this recommended? Is it because it has all the dependencies installed?
Yes, most of the dependencies are already installed, such as jq and bash. But since there is no guarantee which one will still be there tomorrow, the dependencies are listed.
WARNING: When using AWS CLI, you must set a default region in your ~/.aws/config.
I was unable to modify ~/.aws/config in AWS CloudShell. I'm guessing that CloudShell automatically sets the region based on where it was launched, but I'm not certain.
Good point. I have corrected the text.
jq is used in the script, so please install jq. CloudShell users can skip this step.
Yes, they can. But since there is no guarantee about the future packages in CloudShell, users can just check whether jq is installed or not.
AWS Organizations is mandatory
Does this mean that the AWS organization must have sub-organizations? Or that this is a required parameter to the script?
I am afraid I don't know what you mean by sub-organizations. One AWS Organization can have multiple accounts, but one account can belong to only one organization. To organize the AWS accounts, Organizational Units (OUs) can be used, but they are just a logical structure. All the parameters required by the script are listed.
From the Organization management account, designate a Delegated Admininistrator for Amazon Inspector2.
"Admininistrator" should be "Administrator."
Thank you, it is corrected. :-)
inspector2_da.id: AWS Account id you want to designate as Delegated Admin for Amazon Inspector2
Assuming I don't have a reason to pick one or another, what should I pick? Should I create a sub-organization just for this purpose? Or should I use one that has the services I want to scan?
The best practice is to use the security account, assuming that you have one specific AWS account that is dedicated to security activities. If you have already deployed other AWS security services such as Amazon GuardDuty or Amazon Security Hub, the recommendation is to use one AWS account as delegated administrator for all those AWS security services.
Or should I use one that has the services I want to scan?
This script is for enabling Amazon Inspector across an AWS Organization for multiple accounts and multiple regions. If you want to enable Amazon Inspector on only one or two accounts in a single region, you might not need this script.
Management Organization Account
This is title-cased, but it doesn't appear in the AWS docs anywhere. Is it the same as the root organization? Or is it a user account or service account within that organization?
Yes, it is the AWS account at the root of the AWS Organization. I have made a correction to present it as in the documentation: organization management account.
$ ./inspector2_enablement_with_awscli.sh -a activate -t members [-s all]
Unknown parameter passed: [-s
Any idea why?
Hello @velvetpixel
Please remove the [] and try again.
[-s all] indicates that it is optional to add the "-s" option. The scan type is specified by -s ec2|ecr|lambda|lambdaCode|all. This is optional; when not specified, all scan types will be enabled.
You want to run ./inspector2_enablement_with_awscli.sh -a activate -t members -s all
Regards
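To make the option semantics concrete, here is an added POSIX sh example (not the repository's script) with a small parser modelled on the interface discussed above: -a action, -t target, and an optional -s scan type that defaults to all. It also maps the scan type to the ResourceScanType names the Inspector2 API uses (EC2, ECR, LAMBDA, LAMBDA_CODE), and it reproduces the "Unknown parameter passed" failure when the README's square brackets are typed literally.

```shell
#!/bin/sh
# Added example, not the repository's script: a minimal option parser for
# "-a <action> -t <target> [-s ec2|ecr|lambda|lambdaCode|all]".

# Map the -s value to the Inspector2 ResourceScanType names; prints the
# names on success, returns 1 for an unknown scan type.
scan_types_for() {
  case "$1" in
    ec2)        echo "EC2" ;;
    ecr)        echo "ECR" ;;
    lambda)     echo "LAMBDA" ;;
    lambdaCode) echo "LAMBDA_CODE" ;;
    all)        echo "EC2 ECR LAMBDA LAMBDA_CODE" ;;
    *)          return 1 ;;
  esac
}

# Fail when an option is given without its value (e.g. trailing "-s").
need_value() {
  [ $# -ge 2 ] || { echo "Missing value for $1" >&2; return 1; }
}

# Parse "$@"; on success print "<action> <target> <resource types>".
# The brackets in the README mean "-s is optional"; they are not part of
# the command, so a literal "[-s" is rejected as an unknown parameter.
parse_args() {
  action="" target="" scan="all"
  while [ $# -gt 0 ]; do
    case "$1" in
      -a) need_value "$@" || return 1; action="$2"; shift 2 ;;
      -t) need_value "$@" || return 1; target="$2"; shift 2 ;;
      -s) need_value "$@" || return 1; scan="$2";   shift 2 ;;
      *)  echo "Unknown parameter passed: $1" >&2;  return 1 ;;
    esac
  done
  [ -n "$action" ] && [ -n "$target" ] || {
    echo "usage: -a <action> -t <target> [-s ec2|ecr|lambda|lambdaCode|all]" >&2
    return 1
  }
  types=$(scan_types_for "$scan") || { echo "Unknown scan type: $scan" >&2; return 1; }
  echo "$action $target $types"
}
```

Running `parse_args -a activate -t members` yields all four resource types, while `parse_args -a activate -t members [-s all]` prints "Unknown parameter passed: [-s" and fails, which is the error reported above.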
I'm trying to follow the README and I've gotten stuck at a few places. I have a few questions and suggestions.
How much of that document do I need to follow? I clicked on "multi-account environment" in that document and the first step takes me to this repo. I seem to be caught in a loop.
Why is this recommended? Is it because it has all the dependencies installed?
I was unable to modify ~/.aws/config in AWS CloudShell. I'm guessing that CloudShell automatically sets the region based on where it was launched, but I'm not certain.
CloudShell users can skip this step.
Does this mean that the AWS organization must have sub-organizations? Or that this is a required parameter to the script?
"Admininistrator" should be "Administrator."
Assuming I don't have a reason to pick one or another, what should I pick? Should I create a sub-organization just for this purpose? Or should I use one that has the services I want to scan?
This is title-cased, but it doesn't appear in the AWS docs anywhere. Is it the same as the root organization? Or is it a user account or service account within that organization?