Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AWS: Redefine delegated administrators #4824

Merged
merged 1 commit into from
Feb 22, 2023
Merged

AWS: Redefine delegated administrators #4824

merged 1 commit into from
Feb 22, 2023

Conversation

ameukam
Copy link
Member

@ameukam ameukam commented Feb 22, 2023

Redefine the delegate administrators for some services. According the AWS
SRA we should have:

  • GuardDuty, CloudTrail, Config and Security Hub in the security eng account
  • Identity Center is the infra-shared services account.
  • Storage lens S3 and Access Analyzer in the Audit account.

@ameukam
AWS: Redefine delegate administrators
90d0740 
Redefine the delegate administrators for some services.
According the [AWS
SRA](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/security-tooling.html),
we should GuardDuty, CloudTrail, Config and Security Hub in the same
account.
Identity Center is the infra-shared services account.
Storage lens S3 and Access Analyzer in the Audit account.

Signed-off-by: Arnaud Meukam <ameukam@gmail.com>
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. area/infra Infrastructure management, infrastructure design, code in infra/ area/infra/aws Issues or PRs related to Kubernetes AWS infrastructure sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. labels Feb 22, 2023
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ameukam

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 22, 2023
@ameukam
Copy link
Member Author

ameukam commented Feb 22, 2023

cc @deobieta @sftim

@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Feb 22, 2023
@sftim
Copy link
Contributor

sftim commented Feb 22, 2023

/retitle AWS: Redefine delegated administrators

@k8s-ci-robot k8s-ci-robot changed the title AWS: Redefine delegate administrators AWS: Redefine delegated administrators Feb 22, 2023
sftim
sftim reviewed Feb 22, 2023
View reviewed changes
Copy link
Contributor

@sftim sftim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, makes sense.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 22, 2023
sftim
sftim reviewed Feb 22, 2023
View reviewed changes
infra/aws/terraform/management-account/delegated-admins.tf
Comment on lines 53 to 56
resource "aws_organizations_delegated_administrator" "securityhub" {
account_id = module.security_audit.account_id
account_id = module.security_engineering.account_id
service_principal = "securityhub.amazonaws.com"
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When we want to actually use this, it might be easiest to enable it via the AWS web console, once per region, and then have Security Hub take the responsibility for managing hubs within the organization.

We'd only need to access Security Engineering to do this, and the role we assume only need a few specific permissions.

Copy link
Contributor

@deobieta deobieta Feb 22, 2023
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you are enrolled in AWS Organizations, the organization management account can designate a Security Hub administrator account in each Region. securityhub-restrictons-recommendations

So if we want to set this through Terraform we'll have to create an AWS provider for each region and repeat "aws_organizations_delegated_administrator" " securityhub" resource for each provider. Correct?

I was looking at this other Terraform resource but I think it also has to be enabled for each region. aws_securityhub_organization_admin_account

Do we know which regions we want to use?

Copy link
Member Author

@ameukam ameukam Feb 22, 2023
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sftim Do you mind open an issue about Security Hub ?

Do we know which regions we want to use?

I would say all the regions enabled by default.

@k8s-ci-robot k8s-ci-robot merged commit fdf3bbc into kubernetes:main Feb 22, 2023
@k8s-ci-robot k8s-ci-robot added this to the v1.27 milestone Feb 22, 2023
@ameukam
Copy link
Member Author

ameukam commented Feb 22, 2023

Ref: #4654

@sftim sftim mentioned this pull request Nov 17, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@deobieta deobieta deobieta left review comments

@sftim sftim sftim left review comments

@dims dims Awaiting requested review from dims

@thockin thockin Awaiting requested review from thockin

Assignees

@sftim sftim

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/infra/aws Issues or PRs related to Kubernetes AWS infrastructure area/infra Infrastructure management, infrastructure design, code in infra/ cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
v1.27
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@ameukam @k8s-ci-robot @sftim @deobieta