Closed mrxpl0it closed 5 years ago
I wanted to provide an update on this. I believe there are issues with the instructions for this.
The CloudFormation template creates an execution role (ManageSecurityHub) and an instance profile and role. You cannot attach the ManageSecurityHub role to the instance, because you cannot attach a role directly to an instance; you can only attach an instance profile. The instance profile, EnableSecurityHub, should only be used in the master account and allows the instance with that profile to assume the execution role. The issue you had is that you attempted to use the role used in the instance profile (EnableSecurityHub) rather than the execution role (ManageSecurityHub) in the command.
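The role confusion described in the comment above can be caught before calling STS at all. The following is an added example (not code from the enablesecurityhub repository or from either participant): an offline pre-flight that builds the role ARN the script's assume_role() would target from --master_account and --assume_role, then checks it against that role's trust policy using the caller identity an EC2 instance profile actually presents. The account ID, instance ID, and both trust-policy documents are constructed for the example; they assume the usual shape (the instance-profile role trusts ec2.amazonaws.com, the execution role trusts the instance-profile role's ARN), which the original template may express differently. Conditions and the caller's own identity policy are not evaluated.

```python
"""Pre-flight for the cross-account AssumeRole step of enablesecurityhub.py.

Constructed example: which role name must be passed as --assume_role?
"""
import re
from typing import Dict, List, Tuple


def role_arn(account_id: str, role_name: str) -> str:
    """ARN that assume_role(master_account, assume_role) targets."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def caller_role_arn(caller_arn: str) -> str:
    """Map an STS assumed-role session ARN to the IAM role ARN a trust policy names.

    An EC2 instance with an instance profile calls STS as
    arn:aws:sts::<acct>:assumed-role/<RoleName>/<instance-id>; IAM matches that
    against arn:aws:iam::<acct>:role/<RoleName> in the Principal block.
    """
    m = re.fullmatch(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/.+", caller_arn)
    return role_arn(m.group(1), m.group(2)) if m else caller_arn


def _as_list(value) -> List:
    """IAM policy fields may be a scalar, a dict, or a list; normalise to a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def trust_policy_allows(trust_policy: Dict, caller_arn: str) -> bool:
    """Approximate the trust-policy half of the AssumeRole check offline.

    True if some Allow statement for sts:AssumeRole names the caller's role ARN,
    the caller's account root, or a wildcard principal. Service principals
    (e.g. ec2.amazonaws.com) never match an IAM role caller.
    """
    caller = caller_role_arn(caller_arn)
    caller_account = caller.split(":")[4]
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            return True
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        for p in aws_principals:
            if p in (caller, f"arn:aws:iam::{caller_account}:root", caller_account, "*"):
                return True
    return False


def preflight_assume_role(master_account: str, assume_role_name: str,
                          caller_arn: str, trust_policies: Dict[str, Dict]) -> Tuple[str, bool]:
    """Return (target role ARN, whether the caller's role is trusted by it)."""
    target = role_arn(master_account, assume_role_name)
    policy = trust_policies.get(target)
    return target, policy is not None and trust_policy_allows(policy, caller_arn)


# --- constructed sample data (hypothetical account and instance IDs) ---
MASTER = "111111111111"
CALLER_ARN = f"arn:aws:sts::{MASTER}:assumed-role/EnableSecurityHub/i-0abc123def456789"
TRUST_POLICIES = {
    # instance-profile role: only EC2 may assume it, so no IAM role caller matches
    role_arn(MASTER, "EnableSecurityHub"): {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    },
    # execution role: trusts the instance-profile role of the master account
    role_arn(MASTER, "ManageSecurityHub"): {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"AWS": role_arn(MASTER, "EnableSecurityHub")},
                       "Action": "sts:AssumeRole"}],
    },
}

if __name__ == "__main__":
    for name in ("EnableSecurityHub", "ManageSecurityHub"):
        target, ok = preflight_assume_role(MASTER, name, CALLER_ARN, TRUST_POLICIES)
        print(f"--assume_role {name}: target {target}: {'trusted' if ok else 'AccessDenied expected'}")
```

Running the script shows the instance-profile role name failing the trust check (only the EC2 service principal may assume it) and the execution role name passing it, which is the distinction the comment draws. With real credentials the same check can be done authoritatively by calling sts:GetCallerIdentity on the instance and iam:GetRole on the target role, then comparing the Arn and AssumeRolePolicyDocument the way the functions above do.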
I ran the EnableSecurityHub CFT in a member account and in the master account. I spun up an EC2 instance, assigned it the EnableSecurityHub profile, ran the Python script and got the errors below.
./enablesecurityhub.py accounts.csv --master_account 1234567891011 --assume_role EnableSecurityHub
Enabling members in all available SecurityHub regions [u'ap-northeast-1', u'ap-northeast-2', u'ap-south-1', u'ap-southeast-1', u'ap-southeast-2', u'ca-central-1', u'eu-central-1', u'eu-west-1', u'eu-west-2', u'eu-west-3', u'sa-east-1', u'us-east-1', u'us-east-2', u'us-west-1', u'us-west-2']
Traceback (most recent call last):
File "./enablesecurityhub.py", line 252, in <module>
master_session = assume_role(args.master_account, args.assume_role)
File "./enablesecurityhub.py", line 52, in assume_role
RoleSessionName='EnableSecurityHub'
File "/usr/lib/python2.7/site-packages/botocore/client.py", line 357, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/lib/python2.7/site-packages/botocore/client.py", line 661, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied
Both accounts have the same IAM config for the role. Not sure why there appears to be an access denied issue.