aws-secure-environment-accelerator
[ENHANCEMENT] Add AWS Security Hub integration with AWS Organizations
- Accelerator Version: (eg. v1.2.3)
- Install Type: (Upgrade)
- Install Branch: (Standalone)
- Upgraded from version: (v1.2.2)
This feature is to simplify the ASEA's codebase and reduce technical complexity by integrating Security Hub with the organization (just announced, more info at https://aws.amazon.com/about-aws/whats-new/2020/11/aws-security-hub-integrates-with-aws-organizations-for-simplified-security-posture-management/).
Implementation:
- Designate a Security Hub administrator account (this API call is done in the organization root account across all regions): AWS CLI: aws securityhub enable-organization-admin-account --admin-account-id <security account ID>
- Automatically enable new organization accounts for Security Hub (this API call is done in the security account across all regions): AWS CLI: aws securityhub update-organization-configuration --auto-enable
- Ensure that ALL accounts in the organization are enabled as Security Hub member accounts (this API call is done in the security account across all regions): AWS CLI: aws securityhub create-members --account-details '[{"AccountId": "123456789111"}, {"AccountId": "123456789222"}]'
Verification: The "describe-organization-configuration" AWS CLI command can be performed in the security account to confirm that AutoEnable is set to "True". Also, the "aws securityhub list-members --no-only-associated" AWS CLI command can be performed in the security account to confirm that all of the organization's accounts have MemberStatus set to "Enabled".
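The three implementation steps and the verification above, scripted across a set of regions as an added example (this is not ASEA project code). It assumes AWS CLI v2, a profile MGMT_PROFILE with credentials for the organization root account, a profile SEC_PROFILE for the security account, and placeholder values for ADMIN_ACCOUNT_ID and REGIONS.

```shell
#!/bin/sh
# Added helper (not ASEA code) for the Security Hub + Organizations steps above.
# Assumptions: AWS CLI v2; MGMT_PROFILE = organization root account credentials,
# SEC_PROFILE = security account credentials; ADMIN_ACCOUNT_ID and REGIONS are placeholders.
set -eu

MGMT_PROFILE="${MGMT_PROFILE:-org-root}"              # assumed profile name
SEC_PROFILE="${SEC_PROFILE:-security}"                # assumed profile name
ADMIN_ACCOUNT_ID="${ADMIN_ACCOUNT_ID:-111111111111}"  # placeholder security account ID
REGIONS="${REGIONS:-ca-central-1 us-east-1}"          # assumed list of regions in use

# Build the --account-details JSON for create-members from account IDs given as arguments.
account_details_json() {
  out=""
  for id in "$@"; do
    out="${out:+$out, }{\"AccountId\": \"$id\"}"
  done
  printf '[%s]' "$out"
}

# Pure verification check: $1 is AutoEnable as printed by --output text ("True"/"False"),
# $2 is the whitespace-separated list of member IDs whose MemberStatus is not "Enabled".
verify_output() {
  [ "$1" = "True" ] || { echo "AutoEnable is not True" >&2; return 1; }
  [ -z "$2" ] || { echo "members not Enabled: $2" >&2; return 1; }
  return 0
}

enable_org_integration() {
  # Every ACTIVE account in the organization, tab-separated (input to step 3).
  ids=$(aws organizations list-accounts --profile "$MGMT_PROFILE" \
        --query 'Accounts[?Status==`ACTIVE`].Id' --output text)
  for region in $REGIONS; do
    # Step 1 (organization root account): designate the Security Hub administrator.
    aws securityhub enable-organization-admin-account --profile "$MGMT_PROFILE" \
      --region "$region" --admin-account-id "$ADMIN_ACCOUNT_ID"
    # Step 2 (security account): auto-enable accounts that join the organization later.
    aws securityhub update-organization-configuration --profile "$SEC_PROFILE" \
      --region "$region" --auto-enable
    # Step 3 (security account): make sure every existing account is a member ($ids split on tabs).
    aws securityhub create-members --profile "$SEC_PROFILE" --region "$region" \
      --account-details "$(account_details_json $ids)"
    # Verification (security account): AutoEnable must be True and no member left un-Enabled.
    auto=$(aws securityhub describe-organization-configuration --profile "$SEC_PROFILE" \
           --region "$region" --query AutoEnable --output text)
    bad=$(aws securityhub list-members --no-only-associated --profile "$SEC_PROFILE" \
          --region "$region" --query "Members[?MemberStatus!='Enabled'].AccountId" --output text)
    verify_output "$auto" "$bad" || return 1
  done
}

if [ "${1:-}" = "run" ]; then enable_org_integration; fi
```

Run it with the argument "run" once the profiles and placeholders are set; the script stops at the first region whose verification fails.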
While possible today, making this enhancement will prevent #497 from being implemented. Will need to do a more detailed requirements analysis before making this enhancement. In fact, believe this is against what customers want/need based on today's security hub featureset.
As Security Hub has a robust roadmap - suggest NOT altering this codebase in the next 6 months and waiting to see how Security Hub team enhancements improve functionality in this area.
Hello, is this feature being considered for a release?
Whether Org enabled or ASEA enabled - we are still enabling SH in all accounts in the Org. We've had numerous requests to allow control customization per OU, which can only be implemented if we stay with individually enabled accounts, so we are not planning on this feature at this time.
ASEA is not working on new features; see README.