awslabs / aws-securityhub-multiaccount-scripts

This script automates the process of running the Security Hub multi-account workflow across a group of accounts that are in your control
MIT No Attribution

Combine AWS Control Tower and AWS Security Hub #25

Closed JunaidGH closed 4 years ago

JunaidGH commented 4 years ago

Hi,

Thanks for uploading the script.

I am trying to implement your scripts into our AWS Control Tower setup, which has the following accounts - Master, Audit and Log. I was wondering if it is possible to get the script to work with the Audit account as the primary account, rather than the Master account.
I am trying to combine AWS Control Tower & AWS Security Hub and use the Audit account as the Security account for AWS CloudTrail, Config, GuardDuty etc.

Thanks

ryanholland commented 4 years ago

The Security Hub Master can be any account within the organization and does not have to be the Organization Master; the Security Hub Master/Member relationship only pertains to the Security Hub service. So on the command line, provide the account number of your Audit account as the master to have it be your Security Hub Master.

JunaidGH commented 4 years ago

Thanks Ryan, I tried that, but originally this was not working and I assumed I was doing something wrong in the script/CLI. It transpired that it was Control Tower guardrails which were blocking the permission to create the resources.

Thanks

phancox commented 4 years ago

@JunaidGH would you mind sharing which of the guardrails was causing the problem?
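The thread ends without saying which guardrail blocked the Security Hub calls. Control Tower's preventive guardrails are service control policies, so the practical way to answer phancox's question is to evaluate the SCPs attached to the member account's OU against the actions the script needs (enabling Security Hub, creating and inviting members) for the principal the script runs as. The following is an added example, not part of this issue or of the aws-securityhub-multiaccount-scripts project: a small SCP evaluator in pure Python. The policy embedded in it is constructed to look like a guardrail (a Deny on Security Hub configuration actions with an exception for the `AWSControlTowerExecution` role) and is not a real Control Tower policy; the role name `ManageSecurityHub` and the account id `111111111111` are placeholders. It handles the condition operators guardrail-style SCPs commonly use (String/Arn Equals, Like and their Not variants) and refuses unknown operators rather than guessing.

```python
"""Report which SCP Deny statements would block an action for a principal.

Added example; the policy below is CONSTRUCTED to resemble a preventive
guardrail and is not an actual Control Tower SCP. Action matching is
case-insensitive glob matching, as IAM does it; condition matching for
StringLike/ArnLike is case-sensitive glob matching.
"""
import fnmatch

SAMPLE_SCP = {  # constructed sample policy
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenySecurityHubChanges",
            "Effect": "Deny",
            "Action": ["securityhub:Enable*", "securityhub:Create*",
                       "securityhub:InviteMembers", "securityhub:AcceptInvitation",
                       "securityhub:Disable*", "securityhub:Delete*"],
            "Resource": "*",
            # Exception for the Control Tower execution role only.
            "Condition": {"ArnNotLike": {
                "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"}},
        },
        {
            "Sid": "DenyConfigChanges",
            "Effect": "Deny",
            "Action": ["config:Delete*", "config:Stop*"],
            "Resource": "*",
        },
        {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}

# Operators this evaluator understands; anything else raises so a real
# policy with, say, a Bool or IpAddress condition is never silently misread.
_SUPPORTED_OPERATORS = {"StringEquals", "StringNotEquals", "StringLike",
                        "StringNotLike", "ArnEquals", "ArnNotEquals",
                        "ArnLike", "ArnNotLike"}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob_any(patterns, value, ignore_case):
    """True if value matches at least one IAM-style wildcard pattern."""
    if ignore_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _action_applies(stmt, action):
    if "Action" in stmt:
        return _glob_any(_as_list(stmt["Action"]), action, ignore_case=True)
    if "NotAction" in stmt:
        return not _glob_any(_as_list(stmt["NotAction"]), action, ignore_case=True)
    return False


def _condition_satisfied(condition, context):
    """All operator blocks must hold. For Not* operators a missing context
    key counts as satisfied, matching IAM's evaluation rules."""
    for operator, pairs in condition.items():
        if operator not in _SUPPORTED_OPERATORS:
            raise NotImplementedError(f"condition operator {operator} not handled")
        negate = "Not" in operator
        exact = operator.startswith("String") and operator.endswith("Equals")
        for key, allowed in pairs.items():
            actual = context.get(key)
            if actual is None:
                matched = False
            elif exact:
                matched = actual in _as_list(allowed)
            else:  # ArnEquals/ArnLike/StringLike: wildcard match
                matched = _glob_any(_as_list(allowed), actual, ignore_case=False)
            if matched == negate:
                return False
    return True


def find_denying_statements(policy, action, context, resource="*"):
    """Return the Sids (or indexes) of Deny statements that block `action`
    for the principal described by `context` (e.g. {"aws:PrincipalARN": ...})."""
    hits = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        if not _action_applies(stmt, action):
            continue
        if not _glob_any(_as_list(stmt.get("Resource", "*")), resource, ignore_case=False):
            continue
        if not _condition_satisfied(stmt.get("Condition", {}), context):
            continue
        hits.append(stmt.get("Sid", f"statement[{index}]"))
    return hits


if __name__ == "__main__":
    principal = {"aws:PrincipalARN": "arn:aws:iam::111111111111:role/ManageSecurityHub"}
    for act in ("securityhub:EnableSecurityHub", "securityhub:CreateMembers",
                "securityhub:GetFindings"):
        print(act, "->", find_denying_statements(SAMPLE_SCP, act, principal) or "allowed by SCP")
```

Run this against each SCP exported from the OU that holds the Audit and member accounts (for example via `aws organizations describe-policy`) with the ARN of the role the script assumes; any Sid it returns is a guardrail to exempt or a role to switch to before re-running the multi-account script. It only evaluates SCPs, so a detective guardrail (Config rule) that merely reports a resource would not show up here.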