awslabs / aws-securityhub-multiaccount-scripts

This script automates the process of running the Security Hub multi-account workflow across a group of accounts that are in your control
MIT No Attribution

Assume #14

Closed mrxpl0it closed 5 years ago

mrxpl0it commented 5 years ago

I ran the EnableSecurityHub CFT in a member account and the master account. I spun up an EC2 instance, assigned it the EnableSecurityHub profile, ran the Python script and got the errors below.

```
./enablesecurityhub.py accounts.csv --master_account 1234567891011 --assume_role EnableSecurityHub
Enabling members in all available SecurityHub regions
[u'ap-northeast-1', u'ap-northeast-2', u'ap-south-1', u'ap-southeast-1', u'ap-southeast-2', u'ca-central-1', u'eu-central-1', u'eu-west-1', u'eu-west-2', u'eu-west-3', u'sa-east-1', u'us-east-1', u'us-east-2', u'us-west-1', u'us-west-2']
Traceback (most recent call last):
  File "./enablesecurityhub.py", line 252, in <module>
    master_session = assume_role(args.master_account, args.assume_role)
  File "./enablesecurityhub.py", line 52, in assume_role
    RoleSessionName='EnableSecurityHub'
  File "/usr/lib/python2.7/site-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/lib/python2.7/site-packages/botocore/client.py", line 661, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied
```

Both accounts have the same IAM config for the role. Not sure why it appears there is an access denied issue.

mrxpl0it commented 5 years ago

I wanted to provide an update on this. I believe there are issues with the instructions for this.

1. You need to change the assume role the EC2 instance is supposed to use. I used the EnableSecurityHub.yaml, and as written, it doesn't work. The EC2 instance needs to assume the role "ManageSecurityHub", not the role "EnableSecurityHub". The way the CFT is built, you need to call the role you are assuming, not the role the instance profile has.

2. If you intend to use this for multiple accounts across regions, you have to modify the S3 bucket profile to allow the new accounts to write to it if you want to use a centralized S3 bucket.

ryanholland commented 5 years ago

The CloudFormation template creates an execution role (ManageSecurityHub) and an instance profile and role. You cannot attach the ManageSecurityHub role to the instance, because you cannot attach a role directly to an instance; you can only attach an instance profile. The instance profile, EnableSecurityHub, should only be used in the master account and allows the instance with that profile to assume the execution role. The issue you had is that you attempted to use the role used in the instance profile (EnableSecurityHub) rather than the execution role (ManageSecurityHub) in the command.
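A pre-flight check for the hop described in this thread, added here as an example and not part of the awslabs script: it reads the instance's own identity from STS, refuses to call AssumeRole when `--assume_role` names the instance profile role the instance is already running as (the mistake in the original report), and otherwise builds the execution role ARN. The role names are the two from this issue; the STS client is injected (a boto3 STS client in real use) so the logic runs offline, and the caller ARN format is the standard `assumed-role` form GetCallerIdentity returns.

```python
"""Pre-flight check for the EnableSecurityHub -> ManageSecurityHub hop.
Added example, not part of the awslabs script; role names are the two
from this issue, and the instance role may only assume the execution role."""
import re
from typing import List, Optional

INSTANCE_PROFILE_ROLE = "EnableSecurityHub"  # attached to the EC2 instance
EXECUTION_ROLE = "ManageSecurityHub"         # what --assume_role must name
ACCOUNT_ID_RE = re.compile(r"\d{12}")
# GetCallerIdentity for instance-profile credentials returns
# arn:aws:sts::<account>:assumed-role/<RoleName>/<session-name>
ASSUMED_ROLE_RE = re.compile(r"arn:aws:sts::\d{12}:assumed-role/([^/]+)/")

def role_arn(account_id: str, role_name: str) -> str:
    """Build the RoleArn passed to STS AssumeRole; reject malformed ids early."""
    if not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError("account id must be exactly 12 digits: %r" % account_id)
    return "arn:aws:iam::%s:role/%s" % (account_id, role_name)

def caller_role_name(caller_arn: str) -> Optional[str]:
    """Role name behind the current credentials, or None if not an assumed role."""
    match = ASSUMED_ROLE_RE.match(caller_arn)
    return match.group(1) if match else None

def check_assume_role_args(caller_arn: str, requested_role: str) -> List[str]:
    """Problems to report before calling STS; an empty list means go ahead."""
    problems = []
    current = caller_role_name(caller_arn)
    if current is not None and current == requested_role:
        # A role whose trust policy does not trust itself is denied by STS,
        # which matches the AccessDenied reported in this issue.
        problems.append("--assume_role %s is the role this instance already runs "
                        "as; pass the execution role (%s) instead"
                        % (requested_role, EXECUTION_ROLE))
    elif requested_role != EXECUTION_ROLE:
        problems.append("--assume_role %s is not the execution role the template "
                        "creates (%s)" % (requested_role, EXECUTION_ROLE))
    return problems

def assume_execution_role(account_id: str, role_name: str, sts_client) -> dict:
    """Check arguments against the caller identity, then call AssumeRole.
    sts_client is a boto3 STS client in real use; injected so the logic can
    be exercised offline with a stand-in object."""
    caller_arn = sts_client.get_caller_identity()["Arn"]
    problems = check_assume_role_args(caller_arn, role_name)
    if problems:
        raise SystemExit("\n".join(problems))
    resp = sts_client.assume_role(RoleArn=role_arn(account_id, role_name),
                                  RoleSessionName="EnableSecurityHub")
    return resp["Credentials"]
```

With real credentials, pass `boto3.client("sts")` as `sts_client`; the returned `Credentials` dict is what the script feeds into a new session for the master account.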