awslabs / aws-securityhub-multiaccount-scripts

This script automates the process of running the Security Hub multi-account workflow across a group of accounts that are in your control.
MIT No Attribution

sts:AssumeRole fails for sso user and iam account user #52

Open andrewhoplife opened 4 years ago

andrewhoplife commented 4 years ago

I am running the command with:

python enablesecurityhub.py --master_account snip --assume_role arn:aws:iam::snip:role/enableSecHub --enabled_regions us-east-1,us-east-2 --enable_standards arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0 accounts.csv

Invalid account number Account ID, skipping
Enabling members in these regions: ['us-east-1', 'us-east-2']
Enabling the following Security Hub Standards for enabled account(s) and region(s): ['arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0']
Traceback (most recent call last):
  File "enablesecurityhub.py", line 254, in <module>
    master_session = assume_role(args.master_account, args.assume_role)
  File "enablesecurityhub.py", line 53, in assume_role
    RoleSessionName='EnableSecurityHub'
  File "/Users/a/Library/Python/2.7/lib/python/site-packages/botocore/client.py", line 316, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/Users/a/Library/Python/2.7/lib/python/site-packages/botocore/client.py", line 635, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::snipped is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::snip:role/arn:aws:iam::snip:role/enableSecHub

I have tried creating roles and policies to explicitly allow either user, and neither has worked. I have also tried running this locally and from within an EC2 instance inside the master account with associated IAM resources.

The expected result is for the script to complete successfully, with the various AWS accounts reporting in to the master account.

ryanholland commented 4 years ago

You should not have headers on the file. It looks like you have 'Account ID' in the CSV, where it should just start with the account number,email of the first account, without any headers.

andrewhoplife commented 4 years ago

Thanks for the reply and yes I removed that. The issue remains:

botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::snip:user/andrew_temp is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::snip:role/arn:aws:iam::snip:role/enableSecHub

Assume role policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GiveAndrewPermissionToBe",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "*"
    }
  ]
}

Trust Relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::snip:user/andrew_temp" },
      "Action": "sts:AssumeRole"
    }
  ]
}

Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": [
            "securityhub.amazonaws.com",
            "config.amazonaws.com"
          ]
        }
      },
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "securityhub:*",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "config:DescribeConfigurationRecorders",
        "config:DescribeDeliveryChannels",
        "config:DescribeConfigurationRecorderStatus",
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:PutConfigurationRecorder",
        "config:PutDeliveryChannel",
        "config:StartConfigurationRecorder"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:CreateBucket",
        "s3:PutBucketPolicy",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::config-bucket-*",
      "Effect": "Allow"
    }
  ]
}
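Two things are visible in the thread: the AccessDenied message names the resource as arn:aws:iam::snip:role/arn:aws:iam::snip:role/enableSecHub, that is, a role prefix applied to a value that was already a full ARN, and the first reply points at a header row in the members CSV. The Python 3 helpers below are an added illustration, not code from the aws-securityhub-multiaccount-scripts project: they show how a wrapper can validate the role argument so the prefix is applied at most once, report a header row instead of silently skipping it, recognise the doubled-prefix pattern in a denial message, and check a role trust policy for the calling principal before any STS call is made. The function names, the sample CSV, the sample trust policy, the account ids and the user name are all constructed for this example; nothing here calls boto3.

```python
import csv
import io
import json
import re

# All account ids, e-mails and names below are constructed placeholders.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ROLE_NAME_RE = re.compile(r"^[\w+=,.@-]{1,64}$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(?:[\w+=,.@-]+/)*([\w+=,.@-]+)$")


def build_role_arn(account_id, role):
    """Return the ARN to hand to sts:AssumeRole for `role` in `account_id`.

    `role` may be a bare role name or a full ARN.  A full ARN is checked
    against account_id and returned unchanged, so the prefix is never
    applied twice; a bare name is validated and prefixed exactly once.
    """
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("account id must be 12 digits, got %r" % account_id)
    if role.startswith("arn:"):
        m = ROLE_ARN_RE.match(role)
        if not m:
            raise ValueError("malformed role ARN: %r" % role)
        if m.group(1) != account_id:
            raise ValueError("role ARN is for account %s, expected %s" % (m.group(1), account_id))
        return role
    if not ROLE_NAME_RE.match(role):
        raise ValueError("invalid role name: %r" % role)
    return "arn:aws:iam::%s:role/%s" % (account_id, role)


def doubled_role_prefix(resource):
    """True when the 'resource' in an AccessDenied message shows a role
    prefix applied to something that was already an ARN."""
    return ":role/arn:aws:iam::" in resource


def parse_members(csv_text):
    """Parse 'account_id,email' rows with no header.

    Returns (members, rejected); rejected holds (line_no, row, reason) for
    every unusable row, so a header line is reported rather than skipped.
    """
    members, rejected = [], []
    for line_no, row in enumerate(csv.reader(io.StringIO(csv_text)), 1):
        if not row or not any(f.strip() for f in row):
            continue  # blank line
        fields = [f.strip() for f in row]
        if len(fields) < 2:
            rejected.append((line_no, row, "expected two fields: account id, email"))
            continue
        account_id, email = fields[0], fields[1]
        if not ACCOUNT_ID_RE.match(account_id):
            reason = "not a 12-digit account id"
            if line_no == 1 and not any(c.isdigit() for c in account_id):
                reason += " (looks like a header row; remove it)"
            rejected.append((line_no, row, reason))
            continue
        if "@" not in email:
            rejected.append((line_no, row, "email missing '@'"))
            continue
        members.append((account_id, email))
    return members, rejected


def trust_policy_allows(policy_json, principal_arn):
    """Return True if the trust policy has an Allow statement whose AWS
    principal names principal_arn or its account root for sts:AssumeRole.
    Conditions and wildcard principals are not evaluated, so True is
    necessary for the assume to succeed but not sufficient on its own."""
    account_id = principal_arn.split(":")[4]
    root_arn = "arn:aws:iam::%s:root" % account_id
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        if principal_arn in aws or root_arn in aws or account_id in aws:
            return True
    return False


# Constructed sample trust policy, mirroring the shape posted in the thread.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:user/ops_user"},
         "Action": "sts:AssumeRole"},
    ],
})
```

Running the wrapper's checks first gives a clear local error ("looks like a header row", "role ARN is for account ...") instead of an STS denial whose meaning has to be reverse-engineered from the resource string; the trust-policy check is deliberately conservative, since a matching principal still needs the caller-side sts:AssumeRole permission and any conditions on the statement to be satisfied.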