Feature: Enable for all accounts in organization #51

max-allan-surevine opened this issue Aug 19, 2020 · 5 comments

@max-allan-surevine

I just want security hub enabled on all my accounts. I suspect a lot of people enabling it would like the same.

It is pretty easy to query the list of accounts from within the script, so add an option like "--all" to enable security hub on all accounts in the organization.

@ryanholland (Contributor)

Max,
The organization APIs are protected, and calls can only be made from within the Organization Administrator account or a delegated administrator account, so it is not something we will add to this script. That said, we are aware of the need to have support for Organizations within Security Hub similar to other services.

@rdkls

rdkls commented Aug 23, 2020

But @ryanholland I think normally the user enabling/configuring Security Hub is going to be quite privileged yeah? And no prob with giving the user read perms on the org ..

@max-allan-surevine (Author)

max-allan-surevine commented Aug 24, 2020

The AWS built-in "SecurityAudit" policy (likely the sort of policy applied to a role that will be using Security Hub) has the permissions "organizations:List*" and "organizations:Describe*", so I don't really see a big issue with enabling useful features because of a fear of protected APIs.
If I'm trying to enable SH across multiple accounts, I am probably already in the master account for the organization, have delegated permissions, or know how to set it up so that I do.
It is simply a shorthand for having to write a separate script to extract all the email addresses and account IDs. The person running the script would have to do that anyway, so they already have the permission required. The exact point of applications and helper scripts is so people don't have to do all their tasks individually, one at a time. You've gone halfway, why not finish the journey?

@ryanholland (Contributor)

It's not a matter of having those permissions; you can assign them to any user, but they won't actually work unless you are making the call from a user/role within the Organization Root account.

@max-allan-surevine (Author)

I can't imagine a scenario where the Security Auditor wouldn't be able to audit the Org Root account as well as the sub-accounts when you're wanting to enable Security Hub on ALL accounts in the organisation...
Maybe really big orgs would have a master org account and not want to enable Security Hub everywhere, but then they wouldn't be using the "--all" option.
I can only repeat myself: The exact point of applications and helper scripts is so people don't have to do all their tasks individually, one at a time. You've gone halfway, why not finish the journey?
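The enumeration step the thread argues over, as an added example that is not part of this issue or the project's script: walk the paginated Organizations ListAccounts API, keep only ACTIVE accounts, and collect the account ID and email pairs a Security Hub member invitation needs, while turning the access-denied error that ryanholland describes (calling from an account that is neither the management account nor a delegated administrator) into an actionable message. The client is duck-typed so the block runs offline against a constructed fake; `FakeOrganizationsClient`, `AccessDeniedException`, the sample account records and the helper names are all assumptions of this example. With boto3 you would pass `boto3.client("organizations")` and catch `client.exceptions.AccessDeniedException` instead.

```python
"""Added example: enumerate every ACTIVE account in an AWS Organization through
the paginated ListAccounts API. The client object is duck-typed; the fake below
is constructed for offline use and mimics boto3's NextToken pagination."""
from dataclasses import dataclass


class AccessDeniedException(Exception):
    """Constructed stand-in for the error Organizations returns when ListAccounts
    is called from an account that is neither the management account nor a
    delegated administrator. boto3 exposes it as
    client.exceptions.AccessDeniedException."""


@dataclass
class FakeOrganizationsClient:
    """Constructed offline stand-in for boto3's Organizations client."""
    accounts: list
    caller_is_management: bool = True
    page_size: int = 2

    def list_accounts(self, NextToken=None):
        # Mirror the real API: the call fails outside the management / delegated
        # administrator account regardless of the IAM permissions attached.
        if not self.caller_is_management:
            raise AccessDeniedException(
                "ListAccounts must be called from the management or delegated admin account")
        start = int(NextToken) if NextToken else 0
        page = self.accounts[start:start + self.page_size]
        resp = {"Accounts": page}
        if start + self.page_size < len(self.accounts):
            resp["NextToken"] = str(start + self.page_size)
        return resp


# Constructed sample organization: one management account, one suspended account.
SAMPLE_ACCOUNTS = [
    {"Id": "111111111111", "Email": "mgmt@example.com", "Status": "ACTIVE"},
    {"Id": "222222222222", "Email": "dev@example.com", "Status": "ACTIVE"},
    {"Id": "333333333333", "Email": "old@example.com", "Status": "SUSPENDED"},
    {"Id": "444444444444", "Email": "prod@example.com", "Status": "ACTIVE"},
    {"Id": "555555555555", "Email": "audit@example.com", "Status": "ACTIVE"},
]


def list_org_accounts(client, skip_account_id=None):
    """Walk every page of ListAccounts and return [{"AccountId", "Email"}] for
    ACTIVE accounts, optionally skipping the caller's own (administrator) account,
    which should not be invited as a member of itself."""
    members = []
    token = None
    while True:
        kwargs = {"NextToken": token} if token else {}
        resp = client.list_accounts(**kwargs)
        for acct in resp["Accounts"]:
            if acct["Status"] != "ACTIVE" or acct["Id"] == skip_account_id:
                continue
            members.append({"AccountId": acct["Id"], "Email": acct["Email"]})
        token = resp.get("NextToken")
        if not token:
            return members


def try_list_org_accounts(client, skip_account_id=None):
    """Return (members, error). On access denial, explain where the call must
    originate from instead of surfacing a raw traceback."""
    try:
        return list_org_accounts(client, skip_account_id), None
    except AccessDeniedException as exc:
        return [], ("organizations:ListAccounts was denied; run this from the "
                    "organization's management account or a delegated "
                    "administrator (%s)" % exc)


if __name__ == "__main__":
    ok_client = FakeOrganizationsClient(accounts=SAMPLE_ACCOUNTS)
    print(try_list_org_accounts(ok_client, skip_account_id="111111111111"))
    member_client = FakeOrganizationsClient(accounts=SAMPLE_ACCOUNTS, caller_is_management=False)
    print(try_list_org_accounts(member_client))
```

The page size of the fake is deliberately smaller than the account count so the loop exercises more than one page; a real organization of a few hundred accounts would hit the same NextToken path, which is the part most hand-written "list all accounts" scripts get wrong.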
