
BrunoCarrier/aws-control-tower-securityhub-enabler


Centralize SecurityHub

Installing this customization enables Security Hub in every Control Tower managed account and region, with the Audit account acting as the Security Hub administrator ("master") account into which all member findings are aggregated.

This is done by deploying a SecurityHub Enabler Lambda function in the Control Tower management (master) account. It runs on a schedule and checks each managed account/region to ensure that Security Hub is enabled there and that the account has been invited into the Audit account's Security Hub. It is also triggered by Control Tower lifecycle events (a new account created through Account Factory), so there is minimal delay between an account being created and Security Hub being enabled in it.
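The reconcile loop described above, written out as an added example; this is not the project's code. Security Hub clients are passed in as parameters so the logic runs offline against the two fake clients at the bottom. In the real Lambda they would be boto3 `securityhub` clients: one for the Audit (administrator) account and one per member account/region, obtained by assuming a role in the member account. The MemberStatus values, the InvalidAccessException behaviour of `describe_hub`, and the shape of the CreateManagedAccount lifecycle event are taken from the AWS API and Control Tower documentation as I understand them, and should be treated as assumptions of the example. The account IDs and e-mail address are constructed.

```python
ENABLED = "Enabled"

def hub_enabled(hub):
    """True if Security Hub is on in the account/region the client points at.
    The real API raises ClientError with code InvalidAccessException when it is off."""
    try:
        hub.describe_hub()
        return True
    except Exception as exc:
        if "InvalidAccessException" in str(exc):
            return False
        raise

def member_status(admin_hub, account_id):
    """MemberStatus the administrator records for account_id, or None if unknown."""
    members = admin_hub.get_members(AccountIds=[account_id]).get("Members", [])
    return members[0]["MemberStatus"] if members else None

def ensure_member(admin_hub, member_hub, admin_account_id, account_id, email):
    """Bring one account/region to MemberStatus 'Enabled'. Idempotent, so the
    scheduled run can call it on every account. Returns the API actions taken."""
    actions = []
    # 1. Security Hub must be enabled in the member before it can accept an invitation.
    if not hub_enabled(member_hub):
        member_hub.enable_security_hub()
        actions.append("enable_security_hub")
    # 2. The administrator must know the account and have an invitation outstanding.
    status = member_status(admin_hub, account_id)
    if status is None:
        admin_hub.create_members(AccountDetails=[{"AccountId": account_id, "Email": email}])
        actions.append("create_members")
        status = "Created"
    if status in ("Created", "Removed", "Resigned"):
        admin_hub.invite_members(AccountIds=[account_id])
        actions.append("invite_members")
        status = "Invited"
    # 3. The member accepts the invitation from the Audit account, and only that one.
    if status == "Invited":
        for inv in member_hub.list_invitations().get("Invitations", []):
            if inv["AccountId"] == admin_account_id:
                member_hub.accept_administrator_invitation(
                    AdministratorId=admin_account_id, InvitationId=inv["InvitationId"])
                actions.append("accept_administrator_invitation")
                break
    return actions

def accounts_to_process(event, list_org_accounts):
    """A Control Tower CreateManagedAccount lifecycle event names one new account;
    any other trigger (the scheduled run) covers every (account_id, email) pair."""
    detail = event.get("detail", {})
    if detail.get("eventName") == "CreateManagedAccount":
        new_id = detail["serviceEventDetails"]["createManagedAccountStatus"]["account"]["accountId"]
        return [(aid, mail) for aid, mail in list_org_accounts() if aid == new_id]
    return list(list_org_accounts())

class FakeAdminHub:
    """Constructed stand-in for the Audit account's securityhub client."""
    def __init__(self, account_id):
        self.account_id, self.members, self.member_hubs = account_id, {}, {}
    def get_members(self, AccountIds):
        return {"Members": [{"AccountId": a, "MemberStatus": self.members[a]}
                            for a in AccountIds if a in self.members]}
    def create_members(self, AccountDetails):
        for d in AccountDetails:
            self.members.setdefault(d["AccountId"], "Created")
    def invite_members(self, AccountIds):
        for a in AccountIds:
            self.members[a] = "Invited"
            self.member_hubs[a].invitations.append({"AccountId": self.account_id, "InvitationId": f"inv-{a}"})

class FakeMemberHub:
    """Constructed stand-in for a member account's securityhub client in one region."""
    def __init__(self, admin, account_id, enabled=False):
        self.admin, self.account_id, self.enabled, self.invitations = admin, account_id, enabled, []
        admin.member_hubs[account_id] = self
    def describe_hub(self):
        if not self.enabled:
            raise RuntimeError("InvalidAccessException: Account is not subscribed to AWS Security Hub")
        return {"HubArn": f"arn:aws:securityhub:us-east-1:{self.account_id}:hub/default"}
    def enable_security_hub(self):
        self.enabled = True
    def list_invitations(self):
        return {"Invitations": list(self.invitations)}
    def accept_administrator_invitation(self, AdministratorId, InvitationId):
        self.admin.members[self.account_id] = ENABLED
        self.invitations = [i for i in self.invitations if i["InvitationId"] != InvitationId]

def demo():
    """Account Factory creates 222222222222: the lifecycle-event run performs all four
    API actions, the next scheduled run performs none. Returns both action lists."""
    admin = FakeAdminHub("111111111111")
    member = FakeMemberHub(admin, "222222222222")
    event = {"detail": {"eventName": "CreateManagedAccount", "serviceEventDetails": {
        "createManagedAccountStatus": {"account": {"accountId": "222222222222"}}}}}
    org = lambda: [("222222222222", "workload-a@example.com")]
    first = [ensure_member(admin, member, admin.account_id, a, m) for a, m in accounts_to_process(event, org)]
    second = [ensure_member(admin, member, admin.account_id, a, m) for a, m in accounts_to_process({}, org)]
    return first, second, member_status(admin, "222222222222")
```

The point worth carrying into any real implementation is step 3: the member filters pending invitations by the Audit account's ID before accepting, so an invitation from any other account that somehow reaches a managed account is never accepted automatically.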

Logical Flow

Attributions

The original code for automating SecurityHub enablement in AWS accounts is present here. This has been extended to work with Control Tower.

The cfnresponse module (the helper a CloudFormation custom resource uses to report success or failure back to the stack) was broken by the removal of the vendored copy of requests from botocore, so its send function has been imported directly from here.

Instructions

  1. Run src/package.sh to package the code and its dependencies.

  2. Upload the resulting src/securityhub_enabler.zip file to an S3 bucket and note the bucket name; it is needed as a stack parameter.

  3. Gather the other information needed for the deployment parameters:

    • In AWS Organizations, look on the Settings page for the Organization ID. It has the form o-xxxxxxxxxx.
    • In AWS Organizations, look on the Accounts page for the Audit account ID.

  4. In the Control Tower management (master) account, launch the CloudFormation stack using the aws-control-tower-securityhub-enabler.template file as the source, supplying the bucket name, Organization ID and Audit account ID gathered above.
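The four steps as one boto3 script, added here as an example and not part of the repository. Several things are assumptions to check against aws-control-tower-securityhub-enabler.template before running it: the template's parameter names (OrganizationId, SecurityAccountId, S3SourceBucket, S3Key), that the Audit account is literally named "Audit", that src/package.sh can be run from the repository root, and that the stack creates IAM resources and therefore needs IAM capabilities. The FakeOrganizations client and its account list are constructed so the parameter-gathering step can be exercised offline.

```python
import re
import subprocess
from pathlib import Path

ORG_ID_RE = re.compile(r"^o-[a-z0-9]{10,32}$")   # Organization IDs look like o-xxxxxxxxxx
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def list_accounts(org_client):
    """Every account in the organization; list_accounts pages with NextToken."""
    kwargs, accounts = {}, []
    while True:
        page = org_client.list_accounts(**kwargs)
        accounts.extend(page["Accounts"])
        if not page.get("NextToken"):
            return accounts
        kwargs["NextToken"] = page["NextToken"]


def gather_parameters(org_client, audit_account_name="Audit"):
    """Step 3: Organization ID and Audit account ID, validated so a typo or a second
    account with the same name fails here rather than inside the deployed Lambda."""
    org_id = org_client.describe_organization()["Organization"]["Id"]
    if not ORG_ID_RE.match(org_id):
        raise ValueError(f"unexpected organization id {org_id!r}")
    audit = [a for a in list_accounts(org_client)
             if a["Name"] == audit_account_name and a["Status"] == "ACTIVE"]
    if len(audit) != 1 or not ACCOUNT_ID_RE.match(audit[0]["Id"]):
        raise LookupError(f"expected exactly one ACTIVE account named {audit_account_name!r}, got {audit}")
    return {"OrganizationId": org_id, "SecurityAccountId": audit[0]["Id"]}


def deploy(bucket, stack_name="securityhub-enabler", region="us-east-1", repo=Path(".")):
    """Steps 1, 2 and 4. Run with credentials for the Control Tower management account.
    Parameter names are assumptions; compare them with the template before use."""
    import boto3  # imported here so gather_parameters stays importable without boto3 installed
    subprocess.run(["bash", str(repo / "src" / "package.sh")], check=True)            # step 1
    zip_path = repo / "src" / "securityhub_enabler.zip"
    boto3.client("s3", region_name=region).upload_file(str(zip_path), bucket, zip_path.name)  # step 2
    params = gather_parameters(boto3.client("organizations", region_name=region))    # step 3
    params.update({"S3SourceBucket": bucket, "S3Key": zip_path.name})
    cfn = boto3.client("cloudformation", region_name=region)
    cfn.create_stack(                                                                 # step 4
        StackName=stack_name,
        TemplateBody=(repo / "aws-control-tower-securityhub-enabler.template").read_text(),
        Parameters=[{"ParameterKey": k, "ParameterValue": v} for k, v in params.items()],
        Capabilities=["CAPABILITY_NAMED_IAM"],
    )
    cfn.get_waiter("stack_create_complete").wait(StackName=stack_name)
    return params


class FakeOrganizations:
    """Constructed stand-in for boto3's 'organizations' client: two pages of accounts."""
    def describe_organization(self):
        return {"Organization": {"Id": "o-a1b2c3d4e5"}}

    def list_accounts(self, NextToken=None):
        if NextToken is None:
            return {"Accounts": [{"Id": "111111111111", "Name": "Management", "Status": "ACTIVE"}],
                    "NextToken": "page-2"}
        return {"Accounts": [{"Id": "222222222222", "Name": "Audit", "Status": "ACTIVE"},
                             {"Id": "333333333333", "Name": "Log Archive", "Status": "ACTIVE"}]}


if __name__ == "__main__":
    print(gather_parameters(FakeOrganizations()))
    # deploy("my-artifact-bucket")  # the real run; needs AWS credentials for the management account
```

Resolving the Audit account by name rather than copying its ID by hand is the one place this differs from the manual steps; requiring exactly one ACTIVE match protects against a suspended or duplicate account silently becoming the Security Hub administrator.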

Languages

  • Python 95.2%
  • PowerShell 2.8%
  • Shell 2.0%