Monday, June 8, 2020

Inviting AWS SecurityHub Members

Terraform Notes

Security Hub Members

Want to automate inviting member accounts to join the Security Hub master account? You can simplify this with AWS Organizations.
Because the "aws_organizations_organization" data source returns non_master_accounts as a list of maps, it must first be converted to a map of maps (keyed by account ID) before it can be used with for_each.

List of Map (as returned by non_master_accounts):
[
  {
    "arn"   = ""
    "email" = ""
    "id"    = ""
  }
]

Map of Map (keyed by account ID, as for_each expects):
{
  "id" = {
    "arn"   = ""
    "email" = ""
    "id"    = ""
  }
}

# Default AWS provider: credentials come from the "master" named profile in
# the shared AWS credentials file, pinned to the 2.x provider series.
provider "aws" {
  profile = "master"
  region  = "us-east-1"
  version = "~> 2.0"
}

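# Aliased provider for the "master" profile in us-east-1. Nothing in this
# snippet references aws.master_east, so it can be dropped if unused.
#
# `insecure = "true"` was removed: it disables TLS certificate verification for
# every AWS API call made through this provider, which exposes credentials and
# API traffic to a man-in-the-middle. If a TLS-intercepting proxy sits in the
# path, trust that proxy's CA certificate on the host instead of turning
# verification off.
provider "aws" {
  alias   = "master_east"
  region  = "us-east-1"
  profile = "master"
}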

# Read the Organization that the default ("master") provider belongs to; its
# non_master_accounts list feeds the member map below.
data "aws_organizations_organization" "current" {
}
locals {
  # for_each needs a map, so key every non-master account object by its ID.
  all_accounts = { for acct in data.aws_organizations_organization.current.non_master_accounts : acct.id => acct }
}
  
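# Invite every non-master account in the Organization into this Security Hub
# master account. local.all_accounts is keyed by account ID, so each.value is
# the account object (arn, email, id). Sending the invitation does not finish
# enrolment: each member account still has to accept it.
resource "aws_securityhub_member" "this" {
  for_each   = local.all_accounts
  account_id = each.value["id"]
  email      = each.value["email"]
  invite     = true
}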
Want another account (not the Organization master) to be the master account of the Security Hub collection?


# Default AWS provider, used for the Organization-wide lookup below:
# credentials from the "master" named profile, 2.x provider series.
provider "aws" {
  profile = "master"
  region  = "us-east-1"
  version = "~> 2.0"
}

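# Aliased provider for the "master" profile in us-east-1. No block in this
# snippet references aws.master_east, so it can be dropped if unused.
#
# `insecure = "true"` was removed: it disables TLS certificate verification for
# every AWS API call made through this provider. If a TLS-intercepting proxy is
# in the path, trust its CA certificate on the host rather than disabling
# verification.
provider "aws" {
  alias   = "master_east"
  region  = "us-east-1"
  profile = "master"
}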

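# Provider for the security-audit account that will act as the Security Hub
# master; referenced as aws.secaudit by the data source and resource below.
#
# `insecure = "true"` was removed: it disables TLS certificate verification for
# every AWS API call made with the "secaudit" credentials. If a TLS-intercepting
# proxy is in the path, trust its CA certificate on the host instead.
provider "aws" {
  alias   = "secaudit"
  region  = "us-east-1"
  profile = "secaudit"
}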

# Use the default (Organization master) provider so the lookup returns every
# account in the Organization.
data "aws_organizations_organization" "master" {
}

# Resolve the account ID behind the "secaudit" credentials so that account can
# be excluded from its own invitation list.
data "aws_caller_identity" "secaudit" {
  provider = aws.secaudit
}

# Re-key the non-master account list by account ID so it can drive for_each.
locals {
  all_accounts = { for acct in data.aws_organizations_organization.master.non_master_accounts : acct.id => acct }
}

# From the secaudit account, invite every other non-master account in the
# Organization into Security Hub. The secaudit account is filtered out of the
# map so it does not invite itself. Each invited account still has to accept
# the invitation before it becomes a member.
resource "aws_securityhub_member" "this" {
  provider = aws.secaudit

  for_each = {
    for id, acct in local.all_accounts : id => acct
    if id != data.aws_caller_identity.secaudit.account_id
  }

  account_id = each.value.id
  email      = each.value.email
  invite     = true
}

