{"id":19569626,"url":"https://github.com/skroutz/aws-securityhub-configuration","last_synced_at":"2026-05-15T04:32:02.621Z","repository":{"id":145025231,"uuid":"557249839","full_name":"skroutz/aws-securityhub-configuration","owner":"skroutz","description":"Configure AWS SecurityHub Subscriptions and Exceptions using GitOps","archived":false,"fork":false,"pushed_at":"2022-10-25T15:31:10.000Z","size":17,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-01-09T02:06:23.343Z","etag":null,"topics":["aws","security","securityhub","terraform","terragrunt"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/skroutz.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"securityhub-configuration.yaml","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-10-25T10:53:04.000Z","updated_at":"2023-04-13T19:15:45.000Z","dependencies_parsed_at":null,"dependency_job_id":"da9e09aa-48bb-438b-aa9c-bdcf526e2072","html_url":"https://github.com/skroutz/aws-securityhub-configuration","commit_stats":null,"previous_names":[],"tags_count":1,"template":true,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/skroutz%2Faws-securityhub-configuration","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/skroutz%2Faws-securityhub-configuration/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/skroutz%2Faws-securityhub-configuration/releases","manifests_url":"https://repos.ecosyste.ms/api/v1
/hosts/GitHub/repositories/skroutz%2Faws-securityhub-configuration/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/skroutz","download_url":"https://codeload.github.com/skroutz/aws-securityhub-configuration/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240832851,"owners_count":19865002,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","security","securityhub","terraform","terragrunt"],"created_at":"2024-11-11T06:11:27.474Z","updated_at":"2026-05-15T04:31:57.598Z","avatar_url":"https://github.com/skroutz.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"AWS SecurityHub Configuration\n----\n\nThis repository contains all needed Terraform/Terragrunt code and Workflows to configure AWS SecurityHub for multiple AWS Accounts.\n\n## How to set up the repository\n\n1) Run the `bootstrap/` directory instructions under the AWS Account that manages the SecurityHub service in your AWS Organization\n(e.g. account alias: `sechub-admin-account-alias`, account id: `012345678912`)\n2) Populate `aws_accounts/root.hcl` using the values provided by the `bootstrap/` output \n3) Remove the `aws_accounts/aws-account-alias` directory along with its reference in `aws_accounts/root.hcl` and `securityhub-configuration.yaml` (as they are code samples)\n\n\n## How to enroll a new AWS Account\n\n1) Set an AWS Account Alias for the AWS Account to be managed (e.g. account alias: `aws-account-alias`, account id: `123456789012`)\n2) Create a `SecurityHubManageRole` by calling 
the [Terraform module](https://github.com/skroutz/aws-securityhub-configuration/tree/master/modules/terraform-aws-securityhub-manage-cross-account-iam-role) for the target AWS Account\n3) Add the AWS Account ID in [`bootstrap/locals.tf`](https://github.com/skroutz/aws-securityhub-configuration/blob/master/bootstrap/locals.tf#L18) and run `terraform apply` in `bootstrap/` to update the Deployer IAM Role (provide cross-account access to the Role created in `2)`)\n4) Add the Terraform code for the new AWS Account by running:\n```bash\ncp -r templates/_aws_account /aws_accounts/\u003cAWS Account Alias\u003e\n```\nThe `\u003cAWS Account Alias\u003e` needs to be the AWS Account Alias created in `1)`\n\n5) Add the YAML schema for the new AWS Account to `securityhub-configuration.yaml` [following this template](https://github.com/skroutz/aws-securityhub-configuration/blob/master/templates/account-configuration.yaml), and changing the `\u003cAWS-ACCOUNT-ALIAS\u003e` to the AWS Account Alias created in `1)`\n\n6) Update the `aws_accounts/root.hcl` `accounts_ids` local parameter with an entry as follows:\n```\n  accounts_ids = {\n    [...]\n    \"aws-account-alias\"  = {\"id\" = \"123456789012\", \"role_name\" = \"SecurityHubManageRole\"},\n  }\n``` \n\n7) Update the last section of this `README.md` file (optional - for housekeeping).\n\n## How to use\n\nThe only moving part in this repository after setup is the [`securityhub-configuration.yaml`](https://github.com/skroutz/aws-securityhub-configuration/blob/master/securityhub-configuration.yaml) file.\nThis file contains a YAML schema for each AWS Account set up with this repository. The schema looks as below and is explained in comments:\n\n```yaml\n# The Alias for the AWS Account - can be set/shown in console through IAM \u003e Dashboard\naws-account-alias:\n  # Enables/Disables Standards. 
Toggling to 'false' results in not showing issues from specific Ruleset\n  subscriptions:\n    CIS: true\n    AWS: true\n    PCI: true\n  # Independent management of specific rules - per Ruleset.\n  controls:\n    AWS:\n      disabled:     # List that accepts {\"id\":\"...\", \"reason\":\"...\"} maps\n      - id: \"EC2.19\"        # 'Security groups should not allow unrestricted access to ports with high risk'\n        reason: \"Test AWS\"  # Mandatory reason to disable this check for this AWS Account. Empty or no 'reason' key will fail\n    CIS:\n      disabled: []\t# Exactly as above. IDs look like `1.7`\n    PCI:\n      disabled: []\t# Exactly as above. IDs look like `PCI.Lambda.1`\n```\n\nChanging and committing this file will trigger a [`terragrunt run-all plan`](https://github.com/skroutz/aws-securityhub-configuration/blob/master/.github/workflows/plan-on-push.yml) on PR and [`terragrunt run-all apply`](https://github.com/skroutz/aws-securityhub-configuration/blob/master/.github/workflows/apply-on-merge.yaml) on merge with `main`, keeping the state locked and consistent.\n\n### *No changes to other files are needed to manage SecurityHub*\n\n---\n\n## How it works\n\nThe IAM Role assumed by the CI/CD Workflow (IAM Policy defined [here](https://github.com/skroutz/aws-securityhub-configuration/blob/master/bootstrap/iam-deployer-policy-securityhub.tf)) can assume cross-account IAM Roles that can access SecurityHub components for their respective AWS Accounts.\n\nSpecifically, it can assume out-of-the-box IAM Roles with ARNs like `arn:aws:iam::\u003cAWS Account ID\u003e:role/SecurityHubManageRole` for all AWS Account IDs [listed in `bootstrap/locals.tf`](https://github.com/skroutz/aws-securityhub-configuration/blob/master/bootstrap/locals.tf#L18).\n\nSuch IAM Roles are created using [this Terraform module](https://github.com/skroutz/aws-securityhub-configuration/tree/master/modules/terraform-aws-securityhub-manage-cross-account-iam-role), tailored for this use-case, 
as follows:\n\n```hcl\nmodule \"role\"{\n  source = \"../../modules/terraform-aws-securityhub-manage-cross-account-iam-role\"\n\n  admin_account_id = \"012345678912\"                  //  \u003c-- AWS 'sechub-admin-account-alias' account's ID       - not to be changed\n  admin_iam_role   = \"SecurityHubConfigDeployerRole\" //  \u003c-- Repository's deployer IAM Role defined in bootstrap - not to be changed\n\n  tags = {\n      DeployedFrom = \"https://github.com/skroutz/aws-securityhub-configuration\"\n      ManagedBy    = \"Terraform\"\n  }\n}\n```\n\nThis module can be used in AFT repositories to provision the appropriate IAM Role to all globally provisioned accounts (https://docs.aws.amazon.com/controltower/latest/userguide/aft-account-customization-options.html).\n\n\n## Managed AWS Accounts\n\n* `aws-account-alias` - `123456789012`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fskroutz%2Faws-securityhub-configuration","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fskroutz%2Faws-securityhub-configuration","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fskroutz%2Faws-securityhub-configuration/lists"}