Assume #14

Closed
mrxpl0it opened this issue May 25, 2019 · 2 comments

Comments

@mrxpl0it

I ran the EnableSecurityHub CFT in a member account and the master account. I spun up an EC2 instance, assigned it the EnableSecurityHub profile, ran the Python script and got the errors below.

```
./enablesecurityhub.py accounts.csv --master_account 1234567891011 --assume_role EnableSecurityHub
Enabling members in all available SecurityHub regions [u'ap-northeast-1', u'ap-northeast-2', u'ap-south-1', u'ap-southeast-1', u'ap-southeast-2', u'ca-central-1', u'eu-central-1', u'eu-west-1', u'eu-west-2', u'eu-west-3', u'sa-east-1', u'us-east-1', u'us-east-2', u'us-west-1', u'us-west-2']
Traceback (most recent call last):
  File "./enablesecurityhub.py", line 252, in <module>
    master_session = assume_role(args.master_account, args.assume_role)
  File "./enablesecurityhub.py", line 52, in assume_role
    RoleSessionName='EnableSecurityHub'
  File "/usr/lib/python2.7/site-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/lib/python2.7/site-packages/botocore/client.py", line 661, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied
```

Both accounts have the same IAM config for the role. Not sure why it appears there is an access denied issue.

@mrxpl0it
Author

mrxpl0it commented Jun 4, 2019

I wanted to provide an update on this. I believe there are issues with the instructions for this.

#1 You need to change the assume role the EC2 instance is supposed to use. I used the EnableSecurityHub.yaml, and as written, it doesn't work. The EC2 instance needs to assume the role "ManageSecurityHub", not the role "EnableSecurityHub". The way the CFT is built, you need to call the role you are assuming, not the role the instance profile has.

#2 If you intend on using this for multiple accounts across regions, you have to modify the S3 bucket profile to allow the new accounts to write to it if you want to use a centralized S3 bucket.

@ryanholland
Contributor

The CloudFormation template creates an execution role (ManageSecurityHub) and an instance profile and role. You cannot attach the ManageSecurityHub to the instance because you cannot attach a role directly to an instance but rather can only attach an instance profile. The instance profile, EnableSecurityHub, should only be used in the master account and allows the instance with that profile to assume the execution role. The issue you had is that you attempted to use the role used in the instance profile (EnableSecurityHub) rather than the execution role (ManageSecurityHub) in the command.
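The role chain described in this thread (instance profile role in the master account assumes the execution role), as an added example that is not the project's enablesecurityhub.py. The role names EnableSecurityHub and ManageSecurityHub, the trust-policy layout, and the 12-digit account id are assumptions of this example.

```python
"""AssumeRole helpers for the two-role layout discussed in the issue.

Assumed names: EnableSecurityHub is the role behind the EC2 instance profile,
ManageSecurityHub is the execution role the script must actually assume.
"""

INSTANCE_PROFILE_ROLE = "EnableSecurityHub"   # assumed: role attached to the instance profile
EXECUTION_ROLE = "ManageSecurityHub"          # assumed: role passed to sts:AssumeRole


def role_arn(account_id: str, role_name: str) -> str:
    """Build the ARN handed to sts:AssumeRole as RoleArn (AWS account ids are 12 digits)."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"account id must be 12 digits: {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def check_assume_role_target(role_name: str) -> str:
    """Catch the mistake from the issue before any API call: the name given as
    --assume_role must be the execution role, not the instance-profile role."""
    if role_name == INSTANCE_PROFILE_ROLE:
        raise ValueError(
            f"{role_name} is the instance-profile role; --assume_role must name the "
            f"execution role ({EXECUTION_ROLE}) that the instance profile is trusted to assume"
        )
    return role_name


def execution_role_trust_policy(master_account_id: str) -> dict:
    """Trust policy the execution role needs in each account so that the
    instance-profile role in the master account may assume it (assumed layout)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": role_arn(master_account_id, INSTANCE_PROFILE_ROLE)},
            "Action": "sts:AssumeRole",
        }],
    }


def assume_role(account_id: str, role_name: str, sts_client=None):
    """Call sts:AssumeRole with the instance-profile credentials and return a
    boto3 Session for the execution role. sts_client is injectable for testing."""
    import boto3  # imported here so the pure helpers above run without boto3 installed
    sts = sts_client or boto3.client("sts")
    resp = sts.assume_role(RoleArn=role_arn(account_id, check_assume_role_target(role_name)),
                           RoleSessionName="EnableSecurityHub")
    creds = resp["Credentials"]
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"])
```

If AssumeRole still returns AccessDenied with the execution role name, compare the execution role's trust policy against `execution_role_trust_policy(master_account_id)` and the instance-profile role's permissions for `sts:AssumeRole` on that ARN.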
