AWS Security Hub - Central configuration

aws_sra_examples/solutions/securityhub/securityhub_org/lambda/src/app.py

@@ -217,6 +217,7 @@ def process_add_update_event(params: dict) -> str:
         params["REGION_LINKING_MODE"],
         params["HOME_REGION"],
         params["AWS_PARTITION"],
+        params["ROOT_ID"],
         get_standards_dictionary(params),
     )
     # Configure Security Hub in the Delegated Admin Account
@@ -318,6 +319,9 @@ def get_validated_parameters(event: Dict[str, Any]) -> dict:
     params.update(
         parameter_pattern_validator("SECURITY_BEST_PRACTICES_VERSION", os.environ.get("SECURITY_BEST_PRACTICES_VERSION"), pattern=version_pattern)
     )
+    params.update(
+        parameter_pattern_validator("ROOT_ID", os.environ.get("ROOT_ID"), pattern=r"^r-[a-z0-9]{0,32}$")
+    )
 
     # Optional Parameters
     params.update(parameter_pattern_validator("ENABLED_REGIONS", os.environ.get("ENABLED_REGIONS"), pattern=r"^$|[a-z0-9-, ]+$", is_optional=True))

aws_sra_examples/solutions/securityhub/securityhub_org/lambda/src/securityhub.py

@@ -285,6 +285,7 @@ def configure_delegated_admin_securityhub(
     region_linking_mode: str,
     home_region: str,
     aws_partition: str,
+    root_id: str,
     standards_user_input: dict,
 ) -> None:
     """Configure delegated admin security hub.
@@ -333,13 +334,6 @@ def configure_delegated_admin_securityhub(
         LOGGER.info(api_call_details)
         LOGGER.info(f"SecurityHub default standards disabled in {region}")
 
-        update_organization_configuration_response = securityhub_delegated_admin_region_client.update_organization_configuration(
-            AutoEnable=True, AutoEnableStandards="NONE"
-        )
-        api_call_details = {"API_Call": "securityhub:UpdateOrganizationConfiguration", "API_Response": update_organization_configuration_response}
-        LOGGER.info(api_call_details)
-        LOGGER.info(f"SecurityHub organization configuration updated in {region}")
-
         update_security_hub_configuration_response = securityhub_delegated_admin_region_client.update_security_hub_configuration(
             AutoEnableControls=True
         )
@@ -352,6 +346,35 @@ def configure_delegated_admin_securityhub(
     securityhub_delegated_admin_client: SecurityHubClient = delegated_admin_session.client("securityhub", config=BOTO3_CONFIG)
     create_finding_aggregator(securityhub_delegated_admin_client, region_linking_mode, regions, home_region)
 
+    update_organization_configuration_response = securityhub_delegated_admin_client.update_organization_configuration(
+        AutoEnable=False, OrganizationConfiguration={"ConfigurationType": "CENTRAL"},
+    )
+    api_call_details = {"API_Call": "securityhub:UpdateOrganizationConfiguration", "API_Response": update_organization_configuration_response}
+    LOGGER.info(api_call_details)
+    LOGGER.info("SecurityHub organization configuration updated")
+
+    create_configuration_policy_response = securityhub_delegated_admin_client.create_configuration_policy(
+        Name="OrgWideSecurityHubPolicy", Description="Organization wide SecurityHub Configuration Policy", ConfigurationPolicy={"SecurityHub": {"ServiceEnabled": True, "EnabledStandardIdentifiers": [f"arn:aws:securityhub:{home_region}::standards/aws-foundational-security-best-practices/v/1.0.0"], "SecurityControlsConfiguration":{"DisabledSecurityControlIdentifiers": []}}}
+    )
+
+    api_call_details = {
+        "API_Call": "securityhub:CreateConfigurationPolicy",
+        "API_Response": create_configuration_policy_response,
+    }
+    LOGGER.info(api_call_details)
+    LOGGER.info("SecurityHub organization configuration policy association started")
+
+    start_configuration_policy_association_response = securityhub_delegated_admin_client.start_configuration_policy_association(
+        ConfigurationPolicyIdentifier=create_configuration_policy_response["Id"], Target={"RootId": root_id}
+    )
+
+    api_call_details = {
+        "API_Call": "securityhub:StartConfigurationPolicyAssociation",
+        "API_Response": start_configuration_policy_association_response,
+    }
+    LOGGER.info(api_call_details)
+    LOGGER.info("SecurityHub organization configuration policy association started")
+
 
 def configure_member_account(account_id: str, configuration_role_name: str, regions: list, standards_user_input: dict, aws_partition: str) -> None:
     """Configure Member Account.

aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-configuration-role.yaml

@@ -67,9 +67,6 @@ Parameters:
     Description: The SRA solution name. The default value is the folder name of the solution
     Type: String
 
-Conditions:
-  cDelegatedAdminAccount: !Equals [!Ref pDelegatedAdminAccountId, !Ref 'AWS::AccountId']
-
 Resources:
   rConfigurationRole:
     Type: AWS::IAM::Role
@@ -95,6 +92,8 @@ Resources:
               AWS:
                 - !Sub arn:${AWS::Partition}:iam::${pManagementAccountId}:root
       Path: '/'
+      ManagedPolicyArns:
+        - !Sub arn:${AWS::Partition}:iam::aws:policy/AWSSecurityHubOrganizationsAccess
       Policies:
         - PolicyName: sra-securityhub-org-policy-organizations
           PolicyDocument:
@@ -160,20 +159,21 @@ Resources:
                   - !Sub arn:${AWS::Partition}:securityhub:*:${AWS::AccountId}:finding-aggregator/*
                   - !Sub arn:${AWS::Partition}:securityhub:*:${AWS::AccountId}:/findingAggregator/*
 
-              - !If
-                - cDelegatedAdminAccount
-                - Sid: SecurityHubDelegatedAdminActions
-                  Effect: Allow
-                  Action:
-                    - securityhub:CreateMembers
-                    - securityhub:DeleteMembers
-                    - securityhub:GetMembers
-                    - securityhub:UpdateOrganizationConfiguration
-                    - securityhub:BatchDisableStandards
-                  Resource:
-                    - !Sub arn:${AWS::Partition}:securityhub:*:${AWS::AccountId}:hub/default
-                    - !Sub arn:${AWS::Partition}:securityhub:*:${AWS::AccountId}:/accounts
-                - !Ref AWS::NoValue
+              - Sid: SecurityHubDelegatedAdminActions
+                Effect: Allow
+                Action:
+                  - securityhub:CreateMembers
+                  - securityhub:DeleteMembers
+                  - securityhub:GetMembers
+                  - securityhub:UpdateOrganizationConfiguration
+                  - securityhub:DescribeOrganizationConfiguration
+                  - securityhub:CreateConfigurationPolicy
+                  - securityhub:StartConfigurationPolicyAssociation
+                  - securityhub:BatchDisableStandards
+                Resource:
+                  - !Sub arn:${AWS::Partition}:securityhub:*:${AWS::AccountId}:hub/default
+                  - !Sub arn:${AWS::Partition}:securityhub:*:${AWS::AccountId}:/accounts
+
 
         - PolicyName: sra-securityhub-org-policy-iam
           PolicyDocument:

aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-configuration.yaml

@@ -541,6 +541,7 @@ Resources:
           REGION_LINKING_MODE: !Ref pRegionLinkingMode
           SECURITY_BEST_PRACTICES_VERSION: !Ref pSecurityBestPracticesStandardVersion
           SNS_TOPIC_ARN: !Ref rSecurityHubOrgTopic
+          ROOT_ID: !Ref pRootOrganizationalUnitId
       Tags:
         - Key: sra-solution
           Value: !Ref pSRASolutionName

aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-main-ssm.yaml

@@ -342,6 +342,7 @@ Resources:
         pRegionLinkingMode: !Ref pRegionLinkingMode
         pSRAAlarmEmail: !Ref pSRAAlarmEmail
         pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName
+        pRootOrganizationalUnitId: !Ref pRootOrganizationalUnitId
       Tags:
         - Key: sra-solution
           Value: !Ref pSRASolutionName