#!/bin/bash
# When "true", assume_role first runs `aws sts get-caller-identity`, which prints the
# caller's account id / ARN to stdout (so into CI logs). Set to anything else to skip it.
DEBUG=true
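abort(){
  # Print a message and terminate the whole script with exit status 1.
  # $1 - message to print. It goes to stderr so a diagnostic can never be mixed
  #      into stdout that a caller is capturing (JSON, CSV, ...).
  printf '%s\n' "$1" >&2
  exit 1
}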
check_exec(){
  # Report whether $1 is resolvable as a command; announces the check on stdout.
  # $1 - command name. Returns command -v's status (0 = found).
  local tool="$1"
  echo "Checking ${tool}..."
  command -v "$tool" >/dev/null 2>&1
}
check_env(){
  # Abort unless every tool this script shells out to (aws CLI and jq) is on PATH.
  # Sets the global CHECK_EXECS to the space-separated tool list, as before.
  echo "Checking environment"
  CHECK_EXECS="aws jq"
  local tool
  for tool in $CHECK_EXECS; do
    if ! check_exec "$tool"; then
      abort "Unable to find $tool"
    fi
  done
}
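write_aws_credentials() {
  # Render /credentials.template into ~/.aws/credentials, replacing the literal
  # placeholders AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY with the values of the
  # environment variables of the same name (exported by the caller beforehand).
  # Requires ~/.aws to exist already.
  local dest=~/.aws/credentials
  # Create the file with mode 0600 *before* the secret is written into it, so it is
  # never briefly readable under a permissive umask.
  ( umask 077 && : > "$dest" ) || abort "Unable to create ${dest} :("
  chmod 600 "$dest"
  # The sed script is supplied via a process substitution (printf is a bash builtin)
  # rather than -e arguments, so the secret key does not show up on sed's command
  # line in `ps`. '#' is the delimiter because AWS keys may contain '/'; a '#', '&'
  # or '\' inside a key would still corrupt the output (not expected for AWS keys).
  sed -f <(printf 's#AWS_ACCESS_KEY_ID#%s#g\ns#AWS_SECRET_ACCESS_KEY#%s#g\n' \
                  "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY") \
      /credentials.template > "$dest" || abort "Unable to write ${dest} :("
}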
write_aws_main_config() {
  # Render /config.template into ~/.aws/config, substituting the two role ARN placeholders.
  # $1 - ARN of the cross-account (security account) role, replaces CROSSACCOUNT_ROLE
  # $2 - ARN of the list-accounts role, replaces LIST_ACCOUNTS_ROLE
  # Requires ~/.aws to exist already.
  local cross_role="$1"
  local list_role="$2"
  # '#' is the sed delimiter because ARNs contain ':' and '/'. The values are
  # interpolated into the sed expression, so a '#', '&' or '\' in them would
  # corrupt the output (none of these are valid in an ARN).
  sed -e "s#CROSSACCOUNT_ROLE#${cross_role}#g" \
      -e "s#LIST_ACCOUNTS_ROLE#${list_role}#g" \
      /config.template > ~/.aws/config
}
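assume_role(){
  # Replace the AWS credential environment variables with temporary STS
  # credentials for the role in $1 (session name "EnableSecurityHub").
  # $1 - role ARN to assume; aborts when empty.
  # Globals: reads DEBUG; exports AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY,
  #          AWS_SESSION_TOKEN. Aborts if the role cannot be assumed or the
  #          response carries no credentials.
  local STS_ROLE="$1"
  local JSON_STS=""
  local access_key secret_key session_token
  if [ -z "$STS_ROLE" ]; then
    abort "You must provide a role arn :("
  fi
  if [ "$DEBUG" == "true" ]; then
    # Prints the caller's UserId/Account/Arn to stdout - useful for debugging,
    # but it lands in CI logs, so keep DEBUG off in production runs.
    aws sts get-caller-identity || abort "Unable to determine caller identity :("
  fi
  JSON_STS=$(aws sts assume-role --role-arn "$STS_ROLE" --role-session-name "EnableSecurityHub") || JSON_STS=""
  if [ -z "$JSON_STS" ]; then
    abort "Unable to assume role :("
  fi
  # `// empty` turns a missing/null field into an empty string instead of the
  # literal "null", so a malformed response is caught here rather than failing
  # later with an opaque signature error.
  access_key=$(jq -r '.Credentials.AccessKeyId // empty' <<< "$JSON_STS")
  secret_key=$(jq -r '.Credentials.SecretAccessKey // empty' <<< "$JSON_STS")
  session_token=$(jq -r '.Credentials.SessionToken // empty' <<< "$JSON_STS")
  if [ -z "$access_key" ] || [ -z "$secret_key" ] || [ -z "$session_token" ]; then
    abort "Assume-role response did not contain credentials :("
  fi
  # Drop the caller's long-lived keys before exporting the session credentials.
  # NOTE(review): these are temporary credentials - a run longer than the role's
  # session duration will start failing mid-way.
  unset AWS_ACCESS_KEY_ID
  unset AWS_SECRET_ACCESS_KEY
  unset AWS_SESSION_TOKEN
  export AWS_ACCESS_KEY_ID="$access_key"
  export AWS_SECRET_ACCESS_KEY="$secret_key"
  export AWS_SESSION_TOKEN="$session_token"
  unset STS_ROLE
  unset JSON_STS
}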
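organizations_list_accounts_to_csv(){
  # Write an "AccountId,EmailAddress" CSV of every organization account except $2 to $1.
  # $1 - output path (overwritten).
  # $2 - account id to leave out (the security account itself); must be non-empty.
  # Uses the `listaccounts` profile from ~/.aws/config. Aborts on any failure.
  local OUTPUT="$1"
  local EXCLUDE_ACCOUNT="$2"
  local ACCOUNTS
  if [ -z "$OUTPUT" ] || [ -z "$EXCLUDE_ACCOUNT" ]; then
    # An unanchored `grep -v` with an empty pattern would silently drop every
    # account and leave a header-only CSV; fail loudly instead.
    abort "Output path and account id to exclude are both required :("
  fi
  ACCOUNTS=$(aws --profile listaccounts organizations list-accounts) || ACCOUNTS=""
  if [ -z "$ACCOUNTS" ]; then
    abort "Unable to list accounts :("
  fi
  echo "AccountId,EmailAddress" > "${OUTPUT}"
  # Exclude by exact Id inside jq rather than grepping the whole line, which also
  # dropped rows whose id or e-mail merely *contained* the excluded value.
  # Quotes are stripped to keep the unquoted CSV format; an e-mail containing a
  # comma would break that format (as before).
  jq -r --arg exclude "$EXCLUDE_ACCOUNT" \
     '.Accounts[] | select(.Id != $exclude) | [ .Id, .Email ] | @csv' <<< "${ACCOUNTS}" \
     | tr -d \" >> "${OUTPUT}"
}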
check_input(){
  # Abort on the first missing mandatory parameter ($1..$5); $6 (regions) is optional
  # and only triggers an informational message when empty.
  # $1 IAM user id, $2 IAM user secret, $3 SecurityHub role ARN, $4 list-accounts
  # role ARN, $5 execution role *name*, $6 comma-separated regions.
  local -a errors=(
    "You must provide the IAM USER ID :("
    "You must provide the IAM USER CREDENTIALS :("
    "You must provide the SecurityHubRoleName ARN (From the security account)"
    "You must provide the AWSLandingZoneReadOnlyListAccountsRole ARN (From the primary/master account)"
    "You must provide the AWSLandingZoneSecurityHubExecutionRole name (!! NOT ARN) for target accounts"
  )
  local pos
  for pos in 1 2 3 4 5; do
    if [ -z "${!pos}" ]; then
      abort "${errors[pos-1]}"
    fi
  done
  if [ -z "$6" ]; then
    echo "As you did not provide a comma separated list of regions to enable SecurityHub it will be enabled in all available regions"
  fi
}
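#Validate input parameters
if [ "$#" -lt 5 ]; then
  abort "Invalid number of parameters :("
fi
# NOTE(review): $1/$2 are long-lived IAM user keys passed on argv, so they are
# visible in `ps` on the host and in any `set -x` / CI command echo. The argv
# interface is kept for compatibility; callers should prefer a secrets store or
# environment injection over literal arguments.
SECURITYHUB_USER_ID="$1"
SECURITYHUB_ACCESS_KEY="$2"
SECURITYHUB_CROSSACCOUNT_ROLE="$3"
SECURITYHUB_LISTACCOUNTS_ROLE="$4"
SECURITYHUB_EXECUTION_ROLE="$5"
SECURITYHUB_REGIONS="$INPUT_SECURITYHUB_REGIONS"
echo "Found regions ${SECURITYHUB_REGIONS}"
# SECURITYHUB_REGIONS="eu-west-1,eu-west-2,eu-west-3,eu-central-1,us-east-1"
check_input "$SECURITYHUB_USER_ID" "$SECURITYHUB_ACCESS_KEY" "$SECURITYHUB_CROSSACCOUNT_ROLE" "$SECURITYHUB_LISTACCOUNTS_ROLE" "$SECURITYHUB_EXECUTION_ROLE" "$SECURITYHUB_REGIONS"
if [[ "$SECURITYHUB_EXECUTION_ROLE" == arn:* ]]; then
  echo "WARNING: the execution role is expected to be a role name, not an ARN: ${SECURITYHUB_EXECUTION_ROLE}" >&2
fi
# Fail fast on missing tools before any credential file is written.
check_env
#Set internal variables from the parameters (which are also environment variables)
export AWS_ACCESS_KEY_ID="$SECURITYHUB_USER_ID"
export AWS_SECRET_ACCESS_KEY="$SECURITYHUB_ACCESS_KEY"
# Make sure a stale session token from the caller's environment is not paired
# with the user keys (the CLI treats unset and empty the same way).
unset AWS_SESSION_TOKEN
CROSS_ACCOUNT_ROLE="$SECURITYHUB_CROSSACCOUNT_ROLE"
DEPLOY_ROLE="$SECURITYHUB_EXECUTION_ROLE"
LIST_ACCOUNTS_ROLE="$SECURITYHUB_LISTACCOUNTS_ROLE"
# arn:partition:iam::ACCOUNT_ID:role/Name -> colon-separated field 5 is the account id.
SECURITY_ACCOUNT_ID=$(cut -f5 -d: <<< "$CROSS_ACCOUNT_ROLE")
# Without this check a malformed ARN yields an empty id, which used to exclude
# every account from the CSV and pass an empty --master_account downstream.
if ! [[ "$SECURITY_ACCOUNT_ID" =~ ^[0-9]{12}$ ]]; then
  abort "Unable to extract a 12-digit account id from role ARN '${CROSS_ACCOUNT_ROLE}' :("
fi
# Everything created from here on (credentials, config, account list) is private
# to this user.
umask 077
mkdir -p ~/.aws
write_aws_credentials
write_aws_main_config "$CROSS_ACCOUNT_ROLE" "$LIST_ACCOUNTS_ROLE"
# Build the argument list as an array so values are never re-split by the shell.
CMD_ARGS=(--master_account "$SECURITY_ACCOUNT_ID" --assume_role "$DEPLOY_ROLE")
# An empty region list must be treated like "noregions": otherwise a bare
# --enabled_regions would be emitted and the CSV path parsed as the region.
if [ -z "$SECURITYHUB_REGIONS" ] || [ "$SECURITYHUB_REGIONS" = "noregions" ]; then
  echo "No region configured, not adding to the command"
else
  CMD_ARGS+=(--enabled_regions "$SECURITYHUB_REGIONS")
fi
# List accounts retrieving the ID and store them in a CSV file.
# Unpredictable temp name (no /tmp symlink/clobber games) and removed on exit,
# since it holds every member account id and e-mail.
ORG_CSV=$(mktemp /tmp/organization.XXXXXX) || abort "Unable to create temporary file :("
trap 'rm -f -- "$ORG_CSV"' EXIT
organizations_list_accounts_to_csv "$ORG_CSV" "$SECURITY_ACCOUNT_ID"
# Execute the script on CSV file as the security user
assume_role "$CROSS_ACCOUNT_ROLE"
/securityhub/enablesecurityhub.py "${CMD_ARGS[@]}" "$ORG_CSV"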