awslabs / aws-securityhub-multiaccount-scripts

This script automates the process of running the Security Hub multi-account workflow across a group of accounts that are in your control
MIT No Attribution

script exits abruptly - looks like permission issue #23

Closed prachiarora closed 4 years ago

prachiarora commented 4 years ago

Hi, I am trying to run the code to set up SecurityGuard for our environment. I ran it locally as well as via an EC2 instance and it failed with the access issue both times. Below is the error message that I received after adding a print statement in the exception block: "An error occurred (UnrecognizedClientException) when calling the EnableSecurityHub operation: The security token included in the request is invalid Error: Unable to enable Security Hub on Master account in region ap-east-1"

The script exits at this point. I am using the provided scripts as is for the most part, and I also used the YAML provided for the role configuration.

I tested from the AWS CLI to confirm my credentials; they are fine. I have also assigned the instance profile to the EC2 instance.

ryanholland commented 4 years ago

Can you include the command line you are using? Ensure that you have the correct role name (ManageSecurityHub) in the command.

prachiarora commented 4 years ago

Hi, yes, I am running with the correct role name. Below is the command: ./enablesecurityhub.py --master_account --assume_role ManageSecurityHub input.csv

prachiarora commented 4 years ago

Complete message: Enabling members in all available SecurityHub regions [u'ap-east-1', u'ap-northeast-1', u'ap-northeast-2', u'ap-south-1', u'ap-southeast-1', u'ap-southeast-2', u'ca-central-1', u'eu-central-1', u'eu-north-1', u'eu-west-1', u'eu-west-2', u'eu-west-3', u'sa-east-1', u'us-east-1', u'us-east-2', u'us-west-1', u'us-west-2'] Assumed session for <_ID_>. An error occurred (UnrecognizedClientException) when calling the EnableSecurityHub operation: The security token included in the request is invalid Error: Unable to enable Security Hub on Master account in region ap-east-1

ryanholland commented 4 years ago

Actually, sorry, I now see the problem: it's not your permissions but rather the inclusion of ap-east-1 (HKG), where, if the region is not enabled, the STS credentials are not valid. I will put together a fix for this, but in the meantime you can use --enabled_regions [list out the regions above, minus ap-east-1] to get around this condition.

prachiarora commented 4 years ago

That's weird. Now I'm getting the error below:

./enablesecurityhub.py --master_account <_ID_> --assume_role ManageSecurityHub --enabled_regions ['ap-northeast-1','ap-northeast-2','ap-south-1','ap-southeast-1','ap-southeast-2','ca-central-1','eu-central-1','eu-north-1','eu-west-1','eu-west-2','eu-west-3','sa-east-1','us-east-1','us-east-2','us-west-1','us-west-2'] input.csv

Enabling members in these regions: ['[ap-northeast-1', 'ap-northeast-2', 'ap-south-1', 'ap-southeast-1', 'ap-southeast-2', 'ca-central-1', 'eu-central-1', 'eu-north-1', 'eu-west-1', 'eu-west-2', 'eu-west-3', 'sa-east-1', 'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2]']
Assumed session for <_ID_>.
Traceback (most recent call last):
  File "./enablesecurityhub.py", line 257, in
    master_clients[aws_region] = master_session.client('securityhub', region_name=aws_region)
  File "/usr/lib/python2.7/site-packages/boto3/session.py", line 263, in client
    aws_session_token=aws_session_token, config=config)
  File "/usr/lib/python2.7/site-packages/botocore/session.py", line 839, in create_client
    client_config=config, api_version=api_version)
  File "/usr/lib/python2.7/site-packages/botocore/client.py", line 86, in create_client
    verify, credentials, scoped_config, client_config, endpoint_bridge)
  File "/usr/lib/python2.7/site-packages/botocore/client.py", line 328, in _get_client_args
    verify, credentials, scoped_config, client_config, endpoint_bridge)
  File "/usr/lib/python2.7/site-packages/botocore/args.py", line 85, in get_client_args
    client_cert=new_config.client_cert)
  File "/usr/lib/python2.7/site-packages/botocore/endpoint.py", line 259, in create_endpoint
    if not is_valid_endpoint_url(endpoint_url):
  File "/usr/lib/python2.7/site-packages/botocore/utils.py", line 842, in is_valid_endpoint_url
    parts = urlsplit(endpoint_url)
  File "/usr/lib64/python2.7/urlparse.py", line 233, in urlsplit
    raise ValueError("Invalid IPv6 URL")
ValueError: Invalid IPv6 URL

ryanholland commented 4 years ago

enabled_regions takes a comma-separated string of regions, i.e. us-east-1,us-east-2,us-west-1... so remove the 's and [] from your command line.
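The two failure modes in this thread (an opt-in region such as ap-east-1 where the assumed-role STS token is rejected, and a bracketed/quoted `--enabled_regions` value that produces bogus region names) can both be caught before any Security Hub call is made. The following is an added example, not code from the aws-securityhub-multiaccount-scripts project; it uses only the standard library, and the `describe-regions` response it filters against is a constructed sample rather than live output.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of what `ec2 describe-regions --all-regions` returns for an
# account that has NOT opted into ap-east-1 (not live output from any account).
SAMPLE_DESCRIBE_REGIONS = {
    "Regions": [
        {"RegionName": "ap-east-1", "OptInStatus": "not-opted-in"},
        {"RegionName": "us-east-1", "OptInStatus": "opt-in-not-required"},
        {"RegionName": "eu-west-1", "OptInStatus": "opt-in-not-required"},
        {"RegionName": "me-south-1", "OptInStatus": "opted-in"},
    ]
}

# AWS region names look like us-east-1, eu-north-1, us-gov-west-1.
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")


def parse_enabled_regions(arg: str) -> List[str]:
    """Parse --enabled_regions as a plain comma-separated string.

    Python-list syntax such as ['us-east-1','us-west-2'] is rejected up front
    instead of silently yielding names like "['us-east-1'" that later surface
    as an unrelated "Invalid IPv6 URL" error deep inside botocore.
    """
    regions = []
    for raw in arg.split(","):
        name = raw.strip()
        if not name:
            continue
        if not REGION_RE.match(name):
            raise ValueError(
                f"invalid region token {name!r}; pass regions as "
                "us-east-1,us-east-2 with no quotes or brackets"
            )
        regions.append(name)
    if not regions:
        raise ValueError("--enabled_regions must name at least one region")
    return regions


def usable_regions(requested: List[str], describe_regions: Dict) -> Tuple[List[str], List[str]]:
    """Split requested regions into (usable, skipped).

    A region the account has not opted into is skipped: STS credentials for the
    assumed role are not valid there, so EnableSecurityHub would fail with
    UnrecognizedClientException exactly as seen in this thread.
    """
    status = {r["RegionName"]: r["OptInStatus"] for r in describe_regions["Regions"]}
    usable = [r for r in requested if status.get(r) in ("opt-in-not-required", "opted-in")]
    skipped = [r for r in requested if r not in usable]
    return usable, skipped
```

In the real script the `describe_regions` argument would come from a single `ec2.describe_regions(AllRegions=True)` call in the master account, made once before the per-region loop.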

prachiarora commented 4 years ago

That was my bad! It worked!! :) Thank you for all your help and the awesome script! I will keep an eye out for new updates to it.