allow security hub disable controls to run without role (#39)

README.md

@@ -118,7 +118,7 @@ turf aws \
   --delete
 ```
 
-You can also run using the current AWS credentials (rather than assume a role):
+You can also run using the current AWS credentials (rather than assuming a role):
 
 ```sh
 turf aws \
@@ -166,6 +166,25 @@ turf aws \
   --cloud-trail-account
 ```
 
+You can also run using the current AWS credentials (rather than assuming a role):
+
+  ```sh
+  turf aws \
+    securityhub \
+    disable-global-controls \
+    --privileged \
+    --global-collector-region us-west-2
+  ```
+
+  ```sh
+  turf aws \
+    securityhub \
+    disable-global-controls \
+    --privileged \
+    --global-collector-region us-west-2 \ 
+    --cloud-trail-account
+  ```
+
 ### Deploy GuardDuty to AWS Organization
 When you use GuardDuty with an AWS Organizations organization, you can designate any account within the organization 
 to be the GuardDuty delegated administrator. Only the organization management account can designate GuardDuty 

README.yaml

@@ -96,7 +96,7 @@ examples: |-
     --delete
   ```
 
-  You can also run using the current AWS credentials (rather than assume a role):
+  You can also run using the current AWS credentials (rather than assuming a role):
 
   ```sh
   turf aws \
@@ -144,6 +144,25 @@ examples: |-
     --cloud-trail-account
   ```
 
+  You can also run using the current AWS credentials (rather than assuming a role):
+
+    ```sh
+    turf aws \
+      securityhub \
+      disable-global-controls \
+      --privileged \
+      --global-collector-region us-west-2
+    ```
+
+    ```sh
+    turf aws \
+      securityhub \
+      disable-global-controls \
+      --privileged \
+      --global-collector-region us-west-2 \ 
+      --cloud-trail-account
+    ```
+
   ### Deploy GuardDuty to AWS Organization
   When you use GuardDuty with an AWS Organizations organization, you can designate any account within the organization 
   to be the GuardDuty delegated administrator. Only the organization management account can designate GuardDuty 

aws/securityhub.go

@@ -17,6 +17,7 @@ limitations under the License.
 package aws
 
 import (
+	"errors"
 	"fmt"
 
 	"github.com/aws/aws-sdk-go/aws"
@@ -171,7 +172,14 @@ func getCIS120Controls(isGlobalCollectionRegion bool, isCloudTrailAccount bool)
 	return controls
 }
 
-func getSecurityHubClient(region string, role string) *securityhub.SecurityHub {
+func getSecurityHubClient(region string) *securityhub.SecurityHub {
+	sess := GetSession()
+	securityHubClient := securityhub.New(sess, &aws.Config{Region: &region})
+
+	return securityHubClient
+}
+
+func getSecurityHubClientWithRole(region string, role string) *securityhub.SecurityHub {
 	sess := GetSession()
 	creds := GetCreds(sess, role)
 	securityHubClient := securityhub.New(sess, &aws.Config{Credentials: creds, Region: &region})
@@ -217,8 +225,8 @@ func EnableSecurityHubAdministratorAccount(region string, administratorAccountRo
 		currentRegion := enabledRegions[r]
 		logrus.Infof("  Processing region %s", currentRegion)
 
-		managementAccountClient := getSecurityHubClient(currentRegion, rootRole)
-		adminAccountClient := getSecurityHubClient(currentRegion, administratorAccountRole)
+		managementAccountClient := getSecurityHubClientWithRole(currentRegion, rootRole)
+		adminAccountClient := getSecurityHubClientWithRole(currentRegion, administratorAccountRole)
 
 		hub := SecurityHub{
 			adminAccountClient:      adminAccountClient,
@@ -255,7 +263,11 @@ func validateRegion(enabledRegions []string, region string) bool {
 //
 // https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis-to-disable.html
 // https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-to-disable.html
-func DisableSecurityHubGlobalResourceControls(globalCollectionRegion string, role string, isCloudTrailAccount bool) error {
+func DisableSecurityHubGlobalResourceControls(globalCollectionRegion string, role string, isPrivileged bool, isCloudTrailAccount bool) error {
+	if role == "" && !isPrivileged {
+		return errors.New("Either role must be provided or the privileged flag must be set")
+	}
+
 	session := GetSession()
 	accountID := GetAccountID(session, role)
 	enabledRegions := GetEnabledRegions("us-east-1", role, false)
@@ -269,7 +281,13 @@ func DisableSecurityHubGlobalResourceControls(globalCollectionRegion string, rol
 	for r := range enabledRegions {
 		currentRegion := enabledRegions[r]
 
-		currentAccountClient := getSecurityHubClient(currentRegion, role)
+		var currentAccountClient *securityhub.SecurityHub
+
+		if isPrivileged {
+			currentAccountClient = getSecurityHubClientWithRole(currentRegion, role)
+		} else {
+			currentAccountClient = getSecurityHubClient(currentRegion)
+		}
 
 		hub := SecurityHub{
 			currentAccountClient: currentAccountClient,

cmd/aws.go

@@ -24,8 +24,9 @@ var region string
 var profile string
 var role string
 
-// These flags are used in the GuardDuty and Security Hub sub-commands
+// These flags are used in the AWS sub-commands
 const roleFlag string = "role"
+const isPrivilegedFlag string = "privileged"
 const adminAccountRoleFlag string = "administrator-account-role"
 const rootRoleFlag string = "root-role"
 

cmd/aws_delete_default_vpcs.go

@@ -26,7 +26,7 @@ var shouldDelete bool
 var isPrivileged bool
 
 const shouldDeleteFlag string = "delete"
-const isPrivilegedFlag string = "privileged"
+
 
 var deleteDefaultVPCsCmd = &cobra.Command{
 	Use:   "delete-default-vpcs",

cmd/aws_securityhub_disablecontrol.go

@@ -40,16 +40,16 @@ var securityHubDisableGlobalControlsCmd = &cobra.Command{
 	https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis-to-disable.html
 	`,
 	RunE: func(cmd *cobra.Command, args []string) error {
-		return aws.DisableSecurityHubGlobalResourceControls(globalCollectionRegion, role, isCloudTrailAccount)
+		return aws.DisableSecurityHubGlobalResourceControls(globalCollectionRegion, role, isPrivileged, isCloudTrailAccount)
 	},
 }
 
 func init() {
 	securityHubDisableGlobalControlsCmd.Flags().StringVarP(&globalCollectionRegion, globalCollectionRegionFlag, "g", region, "The AWS Region that contains the global resource collector")
 	securityHubDisableGlobalControlsCmd.Flags().StringVar(&role, roleFlag, "", "The ARN of a role to assume")
+	securityHubDisableGlobalControlsCmd.Flags().BoolVarP(&isPrivileged, isPrivilegedFlag, "", false, "Flag to indicate if the session already has rights to perform the actions in AWS")
 	securityHubDisableGlobalControlsCmd.Flags().BoolVar(&isCloudTrailAccount, cloudTrailAccountFlag, false, "A flag to indicate if this account is the central CloudTrail account")
 
-	securityHubDisableGlobalControlsCmd.MarkFlagRequired(roleFlag)
 	securityHubDisableGlobalControlsCmd.MarkFlagRequired(globalCollectionRegionFlag)
 
 	securityhubCmd.AddCommand(securityHubDisableGlobalControlsCmd)