binbashar · juanmatias · Jun 6, 2024 · May 16, 2024 · May 30, 2024 · May 30, 2024
@@ -151,9 +151,15 @@ data "aws_iam_policy_document" "devops" {
   }
 
   statement {
-    sid = "ConfigOrganizationWide"
+    sid = "OrganizationWide"
     actions = [
-      "organizations:ListDelegatedAdministrators"
+      "organizations:ListDelegatedAdministrators",
+      "organizations:ListAccounts",
+      "organizations:DescribeOrganization",
+      "organizations:ListAWSServiceAccessForOrganization",
+      "organizations:ListRoots",
+      "organizations:ListAccountsForParent",
+      "organizations:ListOrganizationalUnitsForParent"
     ]
     effect    = "Allow"
     resources = ["*"]
@@ -243,4 +249,4 @@ data "aws_iam_policy_document" "data_scientist" {
       ]
     }
   }
-}
+}
@@ -0,0 +1,64 @@
+# AWS Security Hub
+
+Enable [AWS Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) with the security standards designated as default:
+- AWS Foundational Security Best Practices v1.0.0
+- CIS AWS Foundations Benchmark v1.2.0
+
+## For Single account
+
+If you are running a single AWS account, use this in such account:
+
+```hcl
+resource "aws_securityhub_account" "default" {
+  enable_default_standards  = true
+  auto_enable_controls      = true
+  control_finding_generator = "SECURITY_CONTROL"
+}
+```
+
+
+## For AWS Organizations
+
+When running Organizations, follow these steps:
+
+1. Delegate the Security Hub management to an account other than `management`.
+
+```hcl
+resource "aws_securityhub_organization_admin_account" "main" {
+  admin_account_id = var.accounts.security.id
+}
+```
+
+2. Then apply [this layer](../../../security/us-east-1/security-hub%20--/) to the chosen account.
+
+Note: It is recommended that the delegated account not be the `management` account. It is advised to use the `security` account as the delegated admin account.
+
+## Full Destroy
+
+If you want to disable Security Hub and you run  `leverage terraform destroy`, you might notice that Security Hub is still active and collecting findings from all accounts within your organization. To fully disable Security Hub, follow these steps:
+
+1- Add the following blocks to your Terraform configuration:
+
+```hcl
+provider "aws" {
+  alias = "security"
+  region  = var.region
+  profile = "${var.project}-security-devops"
+}
+
+resource "aws_securityhub_account" "security" {
+  provider                 = aws.security
+  enable_default_standards = false
+}
+```
+
+(Note this assumes you are using `security` account for Security Hub, change it as per your needs)
+
+2- Import the Security Hub account resource with the following command::
+
+`leverage tf import aws_securityhub_account.security  $SECURITY_ACCOUNT_ID`
+
+3- Finally, destroy the Terraform-managed infrastructure:
+`leverage tf destroy`
+
+For further reading, you can visit https://dev.to/aws-builders/how-to-manage-aws-security-hub-in-aws-organizations-using-terraform-5gl4
@@ -0,0 +1 @@
+../../../config/common-variables.tf
@@ -0,0 +1,24 @@
+#=============================#
+# AWS Provider Settings       #
+#=============================#
+provider "aws" {
+  region  = var.region
+  profile = var.profile
+}
+
+
+#=============================#
+# Backend Config (partial)    #
+#=============================#
+terraform {
+  required_version = "~> 1.2"
+
+  required_providers {
+    aws = "~> 4.10"
+  }
+
+  backend "s3" {
+    key = "root/security-hub/terraform.tfstate"
+  }
+}
+
@@ -0,0 +1,7 @@
+## Security Hub is administered via the Security Account,
+## which is designated as the administrator by the Management Account.
+## Enable the security standards that Security Hub has designated as default:
+## AWS Foundational Security Best Practices v1.0.0 and CIS AWS Foundations Benchmark v1.2.0
+resource "aws_securityhub_organization_admin_account" "main" {
+  admin_account_id = var.accounts.security.id
+}
@@ -0,0 +1,17 @@
+# AWS Security Hub
+
+Enable [AWS Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) with the security standards designated as default:
+- AWS Foundational Security Best Practices v1.0.0
+- CIS AWS Foundations Benchmark v1.2.0
+
+This layer is valid for multi-account setups within an AWS Organization.
+
+## For single AWS Account
+
+See [here](../../../management/us-east-1/security-hub%20--/README.md#for-single-account) the note on AWS Single Account.
+
+## For AWS Organizatons
+
+Apply first [this layer](../../../management/us-east-1/security-hub%20--) to delegate Security Hub management.
+
+Then, apply this layer to the delegated account.
@@ -0,0 +1 @@
+../../../config/common-variables.tf
@@ -0,0 +1,24 @@
+#=============================#
+# AWS Provider Settings       #
+#=============================#
+provider "aws" {
+  region  = var.region
+  profile = var.profile
+}
+
+#=============================#
+# Backend Config (partial)    #
+#=============================#
+terraform {
+  required_version = "~> 1.2"
+
+  required_providers {
+    aws = "~> 5.41"
+  }
+
+  backend "s3" {
+    key = "security/security-hub/terraform.tfstate"
+  }
+}
+
+data "aws_organizations_organization" "this" {}
@@ -0,0 +1,37 @@
+
+resource "aws_securityhub_finding_aggregator" "main" {
+  linking_mode = "ALL_REGIONS"
+}
+
+resource "aws_securityhub_organization_configuration" "main" {
+  auto_enable           = false
+  auto_enable_standards = "NONE"
+  organization_configuration {
+    configuration_type = "CENTRAL"
+  }
+
+  depends_on = [aws_securityhub_finding_aggregator.main]
+}
+
+resource "aws_securityhub_configuration_policy" "org_policy" {
+  name        = "org_policy"
+  description = "This is a configuration policy"
+
+  configuration_policy {
+    service_enabled = true
+    enabled_standard_arns = [
+      "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
+      "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
+    ]
+    security_controls_configuration {
+      disabled_control_identifiers = []
+    }
+  }
+
+  depends_on = [aws_securityhub_organization_configuration.main]
+}
+
+resource "aws_securityhub_configuration_policy_association" "root_policy_association" {
+  target_id = data.aws_organizations_organization.this.roots[0].id
+  policy_id = aws_securityhub_configuration_policy.org_policy.id
+}