awslabs / aws-securityhub-multiaccount-scripts

This script automates the process of running the Security Hub multi-account workflow across a group of accounts that are in your control
MIT No Attribution
271 stars 108 forks

--assume_role is not working #18

Closed fnifni closed 5 years ago

fnifni commented 5 years ago

Executing enablesecurityhub.py, access to the Assume Role is denied.

In the “Option 1: Launch EC2 instance” scenario, the following error is displayed:

Is this the wrong way to specify the "--assume_role" option? I specified the ARN and the role name, but the result was the same.

Error Message

$ python enablesecurityhub.py --master_account xxxxxxxxxxxx --assume_role arn:aws:iam::xxxxxxxxxxxx:role/ManageSecurityHub enable.csv
Enabling members in all available SecurityHub regions [u'ap-northeast-1', u'ap-northeast-2', u'ap-south-1', u'ap-southeast-1', u'ap-southeast-2', u'ca-central-1', u'eu-central-1', u'eu-west-1', u'eu-west-2', u'eu-west-3', u'sa-east-1', u'us-east-1', u'us-east-2', u'us-west-1', u'us-west-2']
Traceback (most recent call last):
  File "enablesecurityhub.py", line 252, in <module>
    master_session = assume_role(args.master_account, args.assume_role)
  File "enablesecurityhub.py", line 52, in assume_role
    RoleSessionName='EnableSecurityHub'
  File "/usr/lib/python2.7/site-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/lib/python2.7/site-packages/botocore/client.py", line 661, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied

Environmental information

$ aws --version
aws-cli/1.16.173 Python/2.7.14 Linux/4.14.114-105.126.amzn2.x86_64 botocore/1.12.163

$ curl http://169.254.169.254/latest/meta-data/iam/info
{
  "Code" : "Success",
  "LastUpdated" : "2019-06-07T11:54:32Z",
  "InstanceProfileArn" : "arn:aws:iam::xxxxxxxxxxxx:instance-profile/EnableSecurityHub",
  "InstanceProfileId" : "AIPAX5XYUN4PPWTZRY2JU"
}
ryanholland commented 5 years ago

The --assume_role parameter should be just the role name (ManageSecurityHub), not the ARN. So change to: python enablesecurityhub.py --master_account xxxxxxxxxxxx --assume_role ManageSecurityHub enable.csv
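The answer above explains the failure: the script expects a bare role name and composes the role ARN itself from the master account id, so a full ARN ends up embedded inside another ARN and STS rejects the call. The following added example (written for this thread, not code from the aws-securityhub-multiaccount-scripts project) shows the ARN construction, a check that rejects an ARN passed where a role name belongs, and the AssumeRole call with the credentials returned in a form boto3 can consume. The function names, the validation regexes and the FakeStsClient stand-in are assumptions made for the example; the real script's internals may differ.

```python
"""Build a role ARN from an account id plus a bare role name, then assume it.

Added example, not the project's own code. It assumes the script joins the
account id and the --assume_role value into an ARN itself, which is why a
full ARN passed as the role name produces a malformed ARN and AccessDenied.
"""
import re

# A 12-digit AWS account id (constructed check; the script uses --master_account).
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# IAM role names allow letters, digits and + = , . @ _ - up to 64 chars.
# A full ARN contains ':' and '/' and therefore never matches this pattern.
ROLE_NAME_RE = re.compile(r"^[A-Za-z0-9+=,.@_-]{1,64}$")


def naive_role_arn(account_id, role_name):
    """Unvalidated join: shows what happens when --assume_role is given an ARN."""
    return "arn:aws:iam::" + account_id + ":role/" + role_name


def build_role_arn(account_id, role_name, partition="aws"):
    """Validated join: refuse an ARN or other malformed value as the role name."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("master account must be a 12-digit account id: %r" % account_id)
    if role_name.startswith("arn:"):
        raise ValueError("pass the bare role name, not the ARN: %r" % role_name)
    if not ROLE_NAME_RE.match(role_name):
        raise ValueError("not a valid IAM role name: %r" % role_name)
    return "arn:%s:iam::%s:role/%s" % (partition, account_id, role_name)


def assume_role(account_id, role_name, session_name="EnableSecurityHub", sts_client=None):
    """Assume the role and return keyword arguments for boto3.Session(**creds).

    sts_client is injectable so the logic can run offline; when it is None a
    real boto3 STS client is created (requires boto3 and AWS credentials).
    """
    role_arn = build_role_arn(account_id, role_name)
    if sts_client is None:
        import boto3  # imported lazily so the module loads without boto3
        sts_client = boto3.client("sts")
    response = sts_client.assume_role(RoleArn=role_arn, RoleSessionName=session_name)
    creds = response["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


class FakeStsClient(object):
    """Constructed stand-in for boto3's STS client so the example runs offline."""

    def __init__(self):
        self.calls = []

    def assume_role(self, RoleArn, RoleSessionName):
        self.calls.append((RoleArn, RoleSessionName))
        return {"Credentials": {
            "AccessKeyId": "AKIAEXAMPLE",          # constructed sample value
            "SecretAccessKey": "secretEXAMPLE",    # constructed sample value
            "SessionToken": "tokenEXAMPLE",        # constructed sample value
        }}


if __name__ == "__main__":
    import argparse
    parser = argparse.ArgumentParser()
    parser.add_argument("--master_account", required=True)
    parser.add_argument("--assume_role", required=True)
    args = parser.parse_args()
    # With a full ARN the naive join yields an ARN nested inside an ARN.
    print("naive join   :", naive_role_arn(args.master_account, args.assume_role))
    # The validated join either returns a proper ARN or explains the mistake.
    try:
        print("validated ARN:", build_role_arn(args.master_account, args.assume_role))
        print(assume_role(args.master_account, args.assume_role, sts_client=FakeStsClient()))
    except ValueError as exc:
        print("rejected:", exc)
```

Run it with the two invocations from this thread (`--assume_role arn:aws:iam::123456789012:role/ManageSecurityHub` and `--assume_role ManageSecurityHub`, using a placeholder account id) to see the nested ARN the first form produces and the clean ARN the second form produces. Drop `sts_client=FakeStsClient()` to make the real STS call.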

fnifni commented 5 years ago

It works!

python enablesecurityhub.py --master_account xxxxxxxxxxxx --assume_role ManageSecurityHub enable.csv

thx!