En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

Managing SecurityHub across multiple accounts in AWS organization

0

Hi,

In AWS organization using control tower, we are trying to utilize the Security hub, couple of observations is even though we designate a member as Delegated admin account, we are observing limitations like we can't enable/disable a given security standard/control across all member accounts, and can enable/disable the security hub across multiple regions. This could have been very useful feature for customer as they scale in number of aws accounts get created via AFT.

I am looking for guidance if this can be achieved via Infrastructure as code through terraform so that we can automate and scale instead of depending on manual update via scripts each time across n number of accounts and managing the state .

Thanks.

Sujets
Sécurité, identité et conformitéInfrastructure as Code
Balises
Hub de sécurité AWSInfrastructure as Code
Langue
English
mmpkandra
demandé il y a un an1560 vues
4 réponses
3

Here is a blog showing you how to automate enabling a Security Hub standard across your org using CloudFormation StackSets. https://aws.amazon.com/blogs/security/enable-security-hub-pci-dss-standard-across-your-organization-and-disable-specific-controls/

You can create the StackSet with Terraform. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set

profile pictureAWS
Jeremy_S
répondu il y a un an
profile picture
EXPERT
Antonio_Lagrotteria
vérifié il y a un mois
1

This blog will show you how to use CloudFormation StackSets to automate the deployment of a Security Hub standard across your organization. https://aws.amazon.com/blogs/security/enable-security-hub-pci-dss-standard-across-your-organization-and-disable-specific-controls/

profile pictureAWS
Ankit Agrawal
répondu il y a 8 mois
profile picture
EXPERT
Antonio_Lagrotteria
vérifié il y a un mois
  • Yogesh
    il y a 8 mois

    Thanks this is very useful.

0

I don't know about Terraform but you can use CloudFormation StackSets applied to the Organization so stacks are created automatically as accounts are added. You'd still need to take action to add new Regions though.

EXPERT
skinsman
répondu il y a un an
0

We are using this solution https://github.com/aws-samples/aws-security-hub-cross-account-controls-disabler for disabling and enabling the controls for members' accounts. It is working really well

itagsurya
répondu il y a un an

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents