awslabs / aws-securityhub-multiaccount-scripts

This script automates the process of running the Security Hub multi-account workflow across a group of accounts that are in your control
MIT No Attribution

InvalidInputException #34

Closed martinklie closed 4 years ago

martinklie commented 4 years ago

While using the latest script

/home/ssm-user/aws-securityhub-multiaccount-scripts/enablesecurityhub.py --master_account 999999999999 --assume_role tw_guardduty_sechub --enabled_regions us-east-1 --enable_standards arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0,arn:aws:securityhub:us-east-1::standards/pci-dss/v/3.2.1 /home/ssm-user/input.csv

We are getting the below error

Enabling members in these regions: ['us-east-1']
Enabling the following Security Hub Standards for enabled account(s) and region(s): ['arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0', 'arn:aws:securityhub:us-east-1::standards/pci-dss/v/3.2.1']
Assumed session for 999999999999.
Assumed session for 333333333333.
Beginning 333333333333 in us-east-1
Error Processing Account 333333333333

Failed Accounts

333333333333: InvalidInputException(u'An error occurred (InvalidInputException) when calling the BatchEnableStandards operation: Invalid StandardsSubscriptionRequest(s): [{"StandardsArn":"arn:aws:securityhub:us-east-1::arn:aws:securityhub:us-east-1::standards/pci-dss/v/3.2.1"}]',)

ryanholland commented 4 years ago

Hi, the reason for the error is that for the PCI package the format is different from CIS, in that the ARN is built at runtime. The command line should be:

/home/ssm-user/aws-securityhub-multiaccount-scripts/enablesecurityhub.py --master_account 999999999999 --assume_role tw_guardduty_sechub --enabled_regions us-east-1 --enable_standards arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0,standards/pci-dss/v/3.2.1 /home/ssm-user/input.csv
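As an added illustration (not part of the thread and not the project's enablesecurityhub.py), the snippet below shows why the doubled prefix appears and how a small normalisation step before BatchEnableStandards avoids it: the region-less CIS ruleset ARN is used verbatim, a bare standards/... path gets the target region prefixed, and an input that already repeats arn:aws:securityhub: is rejected instead of being sent to the API. The assumption that a full regional standards ARN should be rebuilt for the region being enabled is mine, not the script's.

```python
import re

# Matches a Security Hub standards ARN: the region field is empty for the
# region-less CIS ruleset and populated for regional standards such as PCI DSS.
_ARN_RE = re.compile(
    r"^arn:aws:securityhub:(?P<region>[a-z0-9-]*)::(?P<path>(?:ruleset|standards)/[^:]+)$"
)


def build_standards_arn(value, region):
    """Return (arn, None) on success, or (None, reason) when `value` is unusable."""
    value = value.strip()
    if value.count("arn:aws:securityhub:") > 1:
        # The exact shape from the issue: a full ARN was passed where the script prepends the prefix itself.
        return None, "prefix repeated"
    if value.startswith("standards/"):
        # Run-time form from the maintainer's reply: prefix with the target region.
        return "arn:aws:securityhub:%s::%s" % (region, value), None
    m = _ARN_RE.match(value)
    if m is None:
        return None, "not a standards ARN or a 'standards/...' path"
    if m.group("path").startswith("ruleset/"):
        return value, None  # region-less CIS ruleset ARN is used verbatim
    # Assumption (mine): a regional standard must carry the region being enabled,
    # so a full ARN for some other region is rebuilt rather than sent as-is.
    return "arn:aws:securityhub:%s::%s" % (region, m.group("path")), None


def standards_subscription_requests(values, region):
    """Build the StandardsSubscriptionRequests list and a list of rejected inputs."""
    requests, rejected = [], []
    for v in values:
        arn, reason = build_standards_arn(v, region)
        if arn is None:
            rejected.append((v, reason))
        else:
            requests.append({"StandardsArn": arn})
    return requests, rejected


if __name__ == "__main__":
    # Constructed input mirroring the corrected --enable_standards value from the reply.
    cli = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0,standards/pci-dss/v/3.2.1"
    reqs, bad = standards_subscription_requests(cli.split(","), "us-east-1")
    print(reqs, bad)
    # With boto3 this list is what goes into:
    # boto3.client("securityhub", region_name="us-east-1").batch_enable_standards(StandardsSubscriptionRequests=reqs)
```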

martinklie commented 4 years ago

ty