{
  "id": 19607068,
  "url": "https://github.com/bookingcom/aws-security-connectors",
  "last_synced_at": "2025-12-15T05:37:54.984Z",
  "repository": {
    "id": 49347736,
    "uuid": "253771900",
    "full_name": "bookingcom/aws-security-connectors",
    "owner": "bookingcom",
    "description": "Tool which connects member AWS accounts security tooling to master account",
    "archived": false,
    "fork": false,
    "pushed_at": "2023-02-26T12:41:29.000Z",
    "size": 41,
    "stargazers_count": 2,
    "open_issues_count": 1,
    "forks_count": 0,
    "subscribers_count": 9,
    "default_branch": "master",
    "last_synced_at": "2025-01-02T22:56:46.386Z",
    "etag": null,
    "topics": [],
    "latest_commit_sha": null,
    "homepage": "",
    "language": "Go",
    "has_issues": true,
    "has_wiki": null,
    "has_pages": null,
    "mirror_url": null,
    "source_name": null,
    "license": "apache-2.0",
    "status": null,
    "scm": "git",
    "pull_requests_enabled": true,
    "icon_url": "https://github.com/bookingcom.png",
    "metadata": {
      "files": {
        "readme": "README.md",
        "changelog": null,
        "contributing": null,
        "funding": null,
        "license": "LICENSE",
        "code_of_conduct": null,
        "threat_model": null,
        "audit": null,
        "citation": null,
        "codeowners": null,
        "security": null,
        "support": null,
        "governance": null,
        "roadmap": null,
        "authors": null,
        "dei": null,
        "publiccode": null,
        "codemeta": null
      }
    },
    "created_at": "2020-04-07T11:22:10.000Z",
    "updated_at": "2023-02-17T19:45:48.000Z",
    "dependencies_parsed_at": "2024-06-21T01:08:08.982Z",
    "dependency_job_id": "80d7dd18-cb9a-43f7-b160-2cf28b6f1c51",
    "html_url": "https://github.com/bookingcom/aws-security-connectors",
    "commit_stats": {
      "total_commits": 12,
      "total_committers": 2,
      "mean_commits": 6.0,
      "dds": "0.16666666666666663",
      "last_synced_commit": "282e33088c9dfefcc7df31e4d9826c4341a8419e"
    },
    "previous_names": [],
    "tags_count": 3,
    "template": false,
    "template_full_name": null,
    "repository_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bookingcom%2Faws-security-connectors",
    "tags_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bookingcom%2Faws-security-connectors/tags",
    "releases_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bookingcom%2Faws-security-connectors/releases",
    "manifests_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bookingcom%2Faws-security-connectors/manifests",
    "owner_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bookingcom",
    "download_url": "https://codeload.github.com/bookingcom/aws-security-connectors/tar.gz/refs/heads/master",
    "host": {
      "name": "GitHub",
      "url": "https://github.com",
      "kind": "github",
      "repositories_count": 233164170,
      "owners_count": 18634733,
      "icon_url": "https://github.com/github.png",
      "version": null,
      "created_at": "2022-05-30T11:31:42.601Z",
      "updated_at": "2022-07-04T15:15:14.044Z",
      "host_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub",
      "repositories_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories",
      "repository_names_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names",
      "owners_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"
    }
  },
  "keywords": [],
  "created_at": "2024-11-11T10:08:39.832Z",
  "updated_at": "2025-09-15T22:31:31.443Z",
  "avatar_url": "https://github.com/bookingcom.png",
  "language": "Go",
  "funding_links": [],
  "categories": [],
  "sub_categories": [],
  "readme": "# AWS Security Connectors [![Build Status](https://github.com/bookingcom/aws-security-connectors/workflows/build/badge.svg)](https://github.com/bookingcom/aws-security-connectors/actions/workflows/ci-build.yml) [![Run Status](https://github.com/bookingcom/aws-security-connectors/workflows/run/badge.svg)](https://github.com/bookingcom/aws-security-connectors/actions/workflows/ci-run.yml) [![Go Report Card](https://goreportcard.com/badge/github.com/bookingcom/aws-security-connectors)](https://goreportcard.com/report/github.com/bookingcom/aws-security-connectors) [![Image Size](https://img.shields.io/docker/image-size/paskal/aws-security-connectors)](https://hub.docker.com/r/paskal/aws-security-connectors)\n\n## Overview\n\nSupported actions:\n\n- [Palo Alto Networks Prisma Cloud](https://www.paloaltonetworks.com/cloud-security): add a new account or\n  update an existing one with new information\n- AWS Security Hub: connect a member account to the master account; both member and master must already have the service enabled\n- AWS GuardDuty: connect a member account to the master account; both member and master must already have the service enabled\n- AWS Detective: connect a member account to the master account; both member and master must already have the service enabled\n\n## How to run\n\n```console\ngit clone https://github.com/bookingcom/aws-security-connectors.git\ncd aws-security-connectors\n# build a docker image with the application\ndocker-compose build aws-security-connectors\ndocker-compose run aws-security-connectors --help\n# or build on your machine\ngo build -o bin/aws-security-connectors main.go\n./bin/aws-security-connectors --help\n```\n\n### Parameters\n\n| Command line            | Environment           | Default                         | Description                                                                         |\n| ----------------------- | --------------------- | ------------------------------- | ----------------------------------------------------------------------------------- |\n| --aws.account_id        | AWS_ACCOUNT_ID        |                                 | ID of the AWS account to add, *required*                                            |\n| --aws.account_email     | AWS_ACCOUNT_EMAIL     |                                 | Member account email used when sending the invitation                               |\n| --aws.role_name         | AWS_ROLE_NAME         |                                 | Name of the AWS role in the member account to assume when accepting the invitation  |\n| --aws.region_exceptions | AWS_REGION_EXCEPTIONS | `ap-east-1,me-south-1`          | Regions to skip                                                                     |\n| --aws.detective         | AWS_DETECTIVE         |                                 | Connect Detective                                                                   |\n| --aws.guardduty         | AWS_GUARDDUTY         |                                 | Connect GuardDuty                                                                   |\n| --aws.security_hub      | AWS_SECURITY_HUB      |                                 | Connect Security Hub                                                                |\n| --prisma.account_name   | PRISMA_ACCOUNT_NAME   | aws_account_id                  | Name for the AWS connection                                                         |\n| --prisma.external_id    | PRISMA_EXTERNAL_ID    |                                 | A UUID used to enable the trust relationship in the role's trust policy             |\n| --prisma.role_name      | PRISMA_ROLE_NAME      |                                 | Name of the AWS role created for Prisma                                             |\n| --prisma.api_url        | PRISMA_API_URL        | `https://api.eu.prismacloud.io` | Prisma API URL                                                                      |\n| --prisma.api_key        | PRISMA_API_KEY        |                                 | Prisma API key                                                                      |\n| --prisma.api_password   | PRISMA_API_PASSWORD   |                                 | Prisma API password                                                                 |\n| --dbg                   | DEBUG                 |                                 | Debug mode                                                                          |\n\n## Instructions\n\n### Palo Alto Prisma Cloud\n\nBefore proceeding, you need to do the\n[initial AWS setup](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/connect-your-cloud-platform-to-prisma-cloud/onboard-your-aws-account/add-aws-cloud-account-to-prisma-cloud.html)\n(with Terraform, for example), as this program only connects the specified account to Prisma through the Prisma API.\n\nThen generate a Prisma Cloud API [Access Key](https://app.eu.prismacloud.io/settings/access_keys)\nwith System Admin permissions and note the Access Key ID and Secret Key: pass them to the program as the API key and API password.\n\nThe last step is to run the program itself with the right environment variables:\n\n```sh\nAWS_ACCOUNT_ID=112233445566 \\\nPRISMA_API_KEY=00aaa000aa000a00aaaa000a0a00aaa00000 \\\nPRISMA_API_PASSWORD=aaa+0aaaaaaaaaaaaaaaa00a0aa= \\\nPRISMA_EXTERNAL_ID=0000aaa000a0000a0a00000000a0000a \\\nPRISMA_ROLE_NAME=PrismaReadOnlyRole \\\nPRISMA_ACCOUNT_NAME=\"AWS child account 1\" \\\n./bin/aws-security-connectors\n```\n\n### AWS Detective / Security Hub / GuardDuty\n\nBefore starting, you should have:\n\n- appropriate role credentials on the host running the program,\n    usable in the [standard AWS way](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).\n    Required permissions:\n    ```yaml\n    # for Detective\n    - \"detective:GetMembers\"\n    - \"detective:ListMembers\"\n    - \"detective:CreateMembers\"\n    - \"detective:ListGraphs\"\n    # for Security Hub\n    - \"securityhub:GetMembers\"\n    - \"securityhub:ListMembers\"\n    - \"securityhub:CreateMembers\"\n    - \"securityhub:InviteMembers\"\n    # for GuardDuty\n    - \"guardduty:GetMembers\"\n    - \"guardduty:ListMembers\"\n    - \"guardduty:CreateMembers\"\n    - \"guardduty:InviteMembers\"\n    - \"guardduty:ListDetectors\"\n    ```\n- a role in the member account that your current role can assume (`SecurityInviter` in the example below),\n    with these permissions:\n    ```yaml\n    # for Detective\n    - \"detective:AcceptInvitation\"\n    - \"detective:ListInvitations\"\n    # for Security Hub\n    - \"securityhub:AcceptInvitation\"\n    - \"securityhub:ListInvitations\"\n    # for GuardDuty\n    - \"guardduty:AcceptInvitation\"\n    - \"guardduty:ListInvitations\"\n    - \"guardduty:ListDetectors\"\n    ```\n- for any service, that service enabled in both the master and member accounts\n- for GuardDuty, a detector enabled in both the master and member accounts\n- for Detective, a graph created in the master account\n\nIf the prerequisites are in place, run the following command to create the\nmember in the master account, send the invitation from the master and accept it\nin the member account:\n\n```sh\n# enable any combination of the following services, from one to all:\n#AWS_DETECTIVE=true \\\n#AWS_SECURITY_HUB=true \\\nAWS_GUARDDUTY=true \\\nAWS_ACCOUNT_ID=112233445566 \\\nAWS_ROLE_NAME=\"SecurityInviter\" \\\nAWS_ACCOUNT_EMAIL=\"test@example.org\" \\\n./bin/aws-security-connectors\n```\n\n## Acknowledgment\n\nThis software was originally developed at [Booking.com](http://www.booking.com).\nWith approval from [Booking.com](http://www.booking.com), this software was released\nas Open Source, for which the authors would like to express their gratitude.\n",
  "project_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbookingcom%2Faws-security-connectors",
  "html_url": "https://awesome.ecosyste.ms/projects/github.com%2Fbookingcom%2Faws-security-connectors",
  "lists_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbookingcom%2Faws-security-connectors/lists"
}