awslabs / aws-securityhub-multiaccount-scripts

This script automates the process of running the Security Hub multi-account workflow across a group of accounts that are in your control
MIT No Attribution

Error with not-opted-in regions with unspecified --enabled_regions #42

Open o2346 opened 4 years ago

o2346 commented 4 years ago

Hi team

The following errors show up when --enabled_regions is not specified. It is likely because the target account has not-opted-in regions, but the result of session.get_available_regions('securityhub') includes them (in my case ap-east-1, me-south-1).


        *****************************************************************************************************************************************************************************************
        *      By turning on this Standards you will enable security evaluations to run. For current pricing and example scenarios please refer to the current AWS Security Hub pricing.        *
        *      Important: You must enable AWS Config for all resources in each AWS Region where you will be running a Standard. If Config is not already enabled it will be enabled and         *
        *      configured in each region.                                                                                                                                                       *
        *                                                                                                                                                                                       *
        *      In addition to AWS Security Hub charges, you will also incur charges for the Configuration Items recorded by AWS Config, as per the AWS Config pricing. These charges are        *
        *      separate from (and not included in) AWS Security Hub pricing.                                                                                                                    *
        *****************************************************************************************************************************************************************************************

        Continue?(yes/no):

Enabling members in all available SecurityHub regions ['ap-east-1', 'ap-northeast-1', 'ap-northeast-2', 'ap-south-1', 'ap-southeast-1', 'ap-southeast-2', 'ca-central-1', 'eu-central-1', 'eu-north-1', 'eu-west-1', 'eu-west-2', 'eu-west-3', 'me-south-1', 'sa-east-1', 'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2']
Enabling the following Security Hub Standards for enabled account(s) and region(s): ['arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0']
Assumed session for 111111111111.
Error: Unable to enable Security Hub on Master account in region {}
Traceback (most recent call last):
  File "./enablesecurityhub.py", line 262, in <module>
    master_clients[aws_region].enable_security_hub()
  File "/usr/local/lib/python3.5/dist-packages/botocore/client.py", line 316, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.5/dist-packages/botocore/client.py", line 626, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (UnrecognizedClientException) when calling the EnableSecurityHub operation: The security token included in the request is invalid

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "./enablesecurityhub.py", line 292, in <module>
    print("Error: Unable to enable Security Hub on Master account in region {}").format(aws_region)
AttributeError: 'NoneType' object has no attribute 'format'

Then it exits: https://github.com/awslabs/aws-securityhub-multiaccount-scripts/blob/master/enablesecurityhub.py#L292

The same error occurs through the CLI:

% aws securityhub enable-security-hub --region ap-east-1

An error occurred (UnrecognizedClientException) when calling the EnableSecurityHub operation: The security token included in the request is invalid

Environment:

% aws --version
aws-cli/1.16.206 Python/3.5.2 Linux/4.10.0-38-generic botocore/1.15.44
% uname -a
Linux xxxx-desktop 4.10.0-38-generic #42~16.04.1-Ubuntu SMP Tue Oct 10 16:32:20 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

In order to avoid such an error, just exclude the not-opted-in regions and it's fine. But it means I'm being forced to consider which region has which opt-in status and then enumerate the appropriate ones myself on every execution. It's kind of challenging.

I expected 'available regions' not to contain not-opted-in regions on my account. On the other hand, your implementation means 'available regions' differently. It seems to lack any consideration of the opt-in status of individual accounts. https://github.com/awslabs/aws-securityhub-multiaccount-scripts/blob/master/enablesecurityhub.py#L243

But there is no point in trying to enable Security Hub in regions that have not even been opted in, perhaps for many users. Therefore, it would be really helpful if your implementation handled that consideration by default.

In the meantime, I wrote a small script, shown below, to enumerate exactly the regions I want: https://gist.github.com/o2346/e0fa3eeb8c67ff51660c354ee3cabdba#file-get_securityhub_regions_optedin-py Is it possible to implement a feature like this on your side? (Or to update the script to continue with the following regions in the for-loop, even if a not-opted-in region was given, instead of aborting.)

Thanks
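The two remedies the issue asks for, as an added example that is neither the project's code nor the poster's gist: filter `get_available_regions('securityhub')` by the account's own opt-in status (EC2 `DescribeRegions` with `AllRegions=True` reports an `OptInStatus` of `opt-in-not-required`, `opted-in` or `not-opted-in` per region), and keep going when one region fails instead of aborting the whole run. The traceback also shows the `print(...).format(...)` bug that hid the real error message; the corrected form is included. The `FakeSession`, sample region data and `enable_with_skip` helper are constructed for this example so it runs offline; with a real `boto3.Session` the same `securityhub_regions()` call works unchanged.

```python
"""Opt-in-aware region selection for the Security Hub enablement script (added example)."""
from typing import Callable, Dict, Iterable, List, Tuple

# OptInStatus values returned by EC2 DescribeRegions(AllRegions=True).
# "not-opted-in" regions reject every API call with UnrecognizedClientException,
# which is exactly the failure seen in the issue.
USABLE_OPT_IN_STATUSES = {"opt-in-not-required", "opted-in"}


def usable_regions(available: Iterable[str], describe_regions_response: dict) -> List[str]:
    """Keep only regions that Security Hub supports AND this account can use.

    A region that Security Hub lists but DescribeRegions does not report is
    dropped too: treating unknown status as usable is what caused the abort.
    """
    status = {
        r["RegionName"]: r.get("OptInStatus", "opt-in-not-required")
        for r in describe_regions_response.get("Regions", [])
    }
    return sorted(r for r in available if status.get(r) in USABLE_OPT_IN_STATUSES)


def securityhub_regions(session, ec2_region: str = "us-east-1") -> List[str]:
    """Drop-in replacement for session.get_available_regions('securityhub').

    `session` is a boto3.Session (or anything with the same two methods);
    `ec2_region` is where the DescribeRegions call itself is sent.
    """
    ec2 = session.client("ec2", region_name=ec2_region)
    return usable_regions(
        session.get_available_regions("securityhub"),
        ec2.describe_regions(AllRegions=True),
    )


def format_region_error(aws_region: str) -> str:
    """Corrected message: .format() belongs on the string, not on print()'s None."""
    return "Error: Unable to enable Security Hub on Master account in region {}".format(aws_region)


def enable_with_skip(enable_fn: Callable[[str], None], regions: Iterable[str]) -> Tuple[List[str], Dict[str, str]]:
    """Call enable_fn(region) for each region; record failures and continue.

    In the real script enable_fn wraps client.enable_security_hub() and the
    exception is botocore's ClientError; Exception is caught here so the
    example does not depend on botocore being installed.
    """
    enabled: List[str] = []
    failed: Dict[str, str] = {}
    for region in regions:
        try:
            enable_fn(region)
            enabled.append(region)
        except Exception as exc:  # noqa: BLE001 - deliberate: one bad region must not abort the run
            print(format_region_error(region), "-", exc)
            failed[region] = str(exc)
    return enabled, failed


# --- Constructed sample data standing in for the AWS responses -------------
SAMPLE_AVAILABLE = ["ap-east-1", "ap-northeast-1", "me-south-1", "us-east-1"]
SAMPLE_DESCRIBE = {
    "Regions": [
        {"RegionName": "ap-east-1", "OptInStatus": "not-opted-in"},
        {"RegionName": "ap-northeast-1", "OptInStatus": "opt-in-not-required"},
        {"RegionName": "me-south-1", "OptInStatus": "not-opted-in"},
        {"RegionName": "us-east-1", "OptInStatus": "opt-in-not-required"},
        # opted-in, but not in the Security Hub list above, so it must not appear
        {"RegionName": "eu-south-1", "OptInStatus": "opted-in"},
    ]
}


class _FakeEc2:
    def describe_regions(self, AllRegions: bool = False) -> dict:
        return SAMPLE_DESCRIBE


class FakeSession:
    """Minimal stand-in for boto3.Session exposing the two methods used above."""

    def get_available_regions(self, service_name: str) -> List[str]:
        return list(SAMPLE_AVAILABLE)

    def client(self, service_name: str, region_name: str = None) -> _FakeEc2:
        return _FakeEc2()


def _fake_enable(region: str) -> None:
    """Mimics the observed behaviour: not-opted-in regions reject the call."""
    if region in ("ap-east-1", "me-south-1"):
        raise RuntimeError("UnrecognizedClientException: The security token included in the request is invalid")


if __name__ == "__main__":
    regions = securityhub_regions(FakeSession())
    print("Enabling members in usable SecurityHub regions", regions)
    print(enable_with_skip(_fake_enable, SAMPLE_AVAILABLE))
```

Filtering first is the cleaner fix, because it also avoids sending the member-invitation calls to regions the administrator account cannot reach; `enable_with_skip` is the fallback that keeps a partially opted-in fleet from stopping the whole run on the first region that refuses the call.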