Feature: Enable for all accounts in organization

[max-allan-surevine]

I just want security hub enabled on all my accounts. I suspect a lot of people enabling it would like the same.

It is pretty easy to query the list of accounts from within the script, so add an option like "--all" to enable security hub on all accounts in the organization.

[ryanholland]

Max, The organization APIs are protected and can only be made within the Organization Administrator account or a delegated administrator account so it is not something we will add to this script. That said we are aware of the need to have support for Organizations within Security Hub similar to other services.

[rdkls]

But @ryanholland I think normally the user enabling/configuring Security Hub is going to be quite privileged yeah? And no prob with giving the user read perms on the org ..

[max-allan-surevine]

The AWS built in "SecurityAudit" policy (likely the sort of policy applied to a role that will be using Security Hub) has permission "organizations:List*", "organizations:Describe*", so I don't really see a big issue enabling useful features because of a fear of protected APIs. If I'm trying to enable SH across multiple accounts, I probably already am in the master account for the organization, have delegated permissions or know how to set it up so that I do. It is simply a shorthand to having to write a separate script to extract all the email addresses and account IDs. The person running the script would have to do that anyway, so already has the permission required. The exact point of applications and helper scripts is so people don't have to do all their tasks individually one at a time. You've gone half way, why not finish the journey?

[ryanholland]

Its not a matter of having those permissions, you can assign them to any user, but they won't actually work unless you are making the call from a user/role within Organization Root account.

[max-allan-surevine]

I can't imagine a scenario where the Security Auditor wouldn't be able to audit the Org Root account as well as the sub accounts when you're wanting to enable Security Hub on ALL accounts in the organisation... Maybe really big orgs would have a master org account and not want to enable security hub everywhere, but then they wouldn't be using the "--all" option. I can only repeat myself : The exact point of applications and helper scripts is so people don't have to do all their tasks individually one at a time. You've gone half way, why not finish the journey?