Enable AWS Security Hub with CloudFormation Templates - amazon-web-services

The CloudFormation documentation for Security Hub is very limited.
I wonder if it is possible to do the following in CloudFormation:
Enable Security Hub in specified accounts or all accounts for an organization.
There’s a sample script to automate enabling Security Hub for multiple accounts but no CloudFormation implementation can be found:
https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-enable.html#securityhub-enable-multiaccount-script
Enable finding aggregation
It seems you can enable finding aggregation using console, CLI or API:
https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation-enable.html
Specify Delegated Administrator by account id

Yes, you can do all these things through a custom resource in CloudFormation in the form of a lambda function.
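An added example, not from the answer, of the custom-resource Lambda it describes, in Python with boto3: it enables Security Hub, designates the delegated administrator by account id, creates a finding aggregator, and returns the response body CloudFormation expects. The account ids, regions, stack name and response URL are constructed; it assumes the stack is deployed in the organization's management account, in the region that should become the aggregation region.

```python
import json
import re
import urllib.request

# Constructed custom-resource event (hypothetical account ids, stack name, regions).
SAMPLE_EVENT = {
    "RequestType": "Create", "RequestId": "req-1", "LogicalResourceId": "SecurityHubSetup",
    "ResponseURL": "https://example.invalid/presigned-response-url",
    "StackId": "arn:aws:cloudformation:us-east-1:111122223333:stack/sechub/guid",
    "ResourceProperties": {"DelegatedAdminAccountId": "444455556666",
                           "AggregatorRegions": ["us-west-2", "eu-west-1"]},
}

def setup_security_hub(props, hub):
    """Enable Security Hub, delegate org administration and aggregate findings.
    `hub` is a boto3 securityhub client or a stand-in with the same methods. Assumes
    the management account of the organization, in the intended aggregation region."""
    admin = str(props.get("DelegatedAdminAccountId", ""))
    if not re.fullmatch(r"\d{12}", admin):  # template input is untrusted: validate it
        raise ValueError("DelegatedAdminAccountId must be a 12-digit account id")
    try:
        hub.enable_security_hub(EnableDefaultStandards=True)
    except Exception as exc:  # already enabled (e.g. on a stack Update) is fine
        if type(exc).__name__ != "ResourceConflictException":
            raise
    hub.enable_organization_admin_account(AdminAccountId=admin)
    regions = list(props.get("AggregatorRegions") or [])
    agg = (hub.create_finding_aggregator(RegionLinkingMode="SPECIFIED_REGIONS", Regions=regions)
           if regions else hub.create_finding_aggregator(RegionLinkingMode="ALL_REGIONS"))
    return {"AdminAccountId": admin, "FindingAggregatorArn": agg["FindingAggregatorArn"]}

def handle(event, hub):
    """Dispatch on RequestType and build the response body CloudFormation expects."""
    resp = {"Status": "SUCCESS", "Reason": "", "PhysicalResourceId": "securityhub-setup",
            "StackId": event["StackId"], "RequestId": event["RequestId"],
            "LogicalResourceId": event["LogicalResourceId"], "Data": {}}
    try:
        if event["RequestType"] in ("Create", "Update"):
            resp["Data"] = setup_security_hub(event["ResourceProperties"], hub)
        # Delete is a deliberate no-op: removing the stack must not switch off Security Hub.
    except Exception as exc:  # a FAILED response lets CloudFormation roll back
        resp["Status"], resp["Reason"] = "FAILED", str(exc)
    return resp

def lambda_handler(event, context):
    import boto3  # imported lazily so the module also loads where boto3 is absent
    body = json.dumps(handle(event, boto3.client("securityhub"))).encode()
    urllib.request.urlopen(urllib.request.Request(
        event["ResponseURL"], data=body, method="PUT", headers={"Content-Type": ""}))
```

The Lambda's execution role needs securityhub:EnableSecurityHub, securityhub:EnableOrganizationAdminAccount and securityhub:CreateFindingAggregator, and EnableOrganizationAdminAccount only succeeds when called from the management account.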

Related

AWS application composer - is there any way to specify additional IAM POLICY

I am using AWS application composer to create my serverless stack.
Specifically on Lambdas, I need to add additional IAM policies that have been included in my Lambda code logic. For example, access for some of the AWS service IAM policies. I know I can add the additional access after deployment on the AWS IAM page; however, this is not ideal, especially as we might forget, or it would be difficult to pass the setup code and templates to other teams.
Any insights? Thanks.
I have searched the reference or documentation but could not find any workaround.
If you are referring to policies attached to the Lambda service role, you can add them.
Since Application Composer uses SAM AWS::Serverless::Function templating, you should be able to add them under the Policies field; it is in the Application Composer console under Details as well (you need to scroll down to the bottom).
https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-policies
As stated in the documentation -
This property accepts a single string or a list of strings, and can be the name of AWS managed policies or AWS SAM policy templates, or inline IAM policy documents formatted in YAML.
You can try to add that in. For example:

AWS: How to find out minimum required IAM permissions for GitHub Actions integration

I need to create a CloudFormation SAM template that creates multiple resources. I also need to integrate GitHub Actions so code gets auto deployed on push. The problem is this requires that I give GitHub a lot of IAM permissions to do the necessary work. Note that I'm using an Open ID identity provider for GitHub as opposed to api keys.
How do I find out which IAM permissions are needed at minimum so I don't give GitHub more than what is necessary? Is there an AWS tool that can parse the deployment template and tell me which permissions are needed for both deployments and rollbacks?
No, there's no such tool. You can however look at the CloudTrail logs to see which actions are being invoked by CloudFormation, and based on that you could put together the list of required policies.
Alternatively, you could replicate what the CloudFormation template is doing by using the AWS CLI. That way, you could use iamlive to generate the IAM policies required for those CLI commands.
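An added example, not from the answer, of turning the CloudTrail approach into a least-privilege policy skeleton in Python: it keeps only the records CloudFormation issued on the deploy role's behalf (userIdentity.invokedBy), maps each to an IAM action and groups the actions by the ARNs that were touched. The records, account id and ARNs are constructed, and the service-prefix override table is a deliberately partial assumption.

```python
import re

# Constructed CloudTrail records (not real log data), reduced to the fields used.
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
     "userIdentity": {"invokedBy": "cloudformation.amazonaws.com"},
     "resources": [{"ARN": "arn:aws:iam::111122223333:role/sam-app-FnRole"}]},
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331",
     "userIdentity": {"invokedBy": "cloudformation.amazonaws.com"},
     "resources": [{"ARN": "arn:aws:lambda:us-east-1:111122223333:function:sam-app-Fn"}]},
    {"eventSource": "lambda.amazonaws.com", "eventName": "DeleteFunction20150331",
     "userIdentity": {"invokedBy": "cloudformation.amazonaws.com"}},  # rollback path
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"invokedBy": "cloudformation.amazonaws.com"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "AssumedRole"}},  # the deploy role itself, not CloudFormation
]

# eventSource hosts whose IAM service prefix is not simply the first DNS label.
# Assumption: this map is partial; extend it as new services show up in your trail.
PREFIX_OVERRIDES = {"monitoring": "cloudwatch", "tagging": "tag"}

def iam_action(record):
    """Map one record to 'service:Action', dropping API-version suffixes such as
    the '20150331' (or '20150331v2') that Lambda appends to its event names."""
    host = record["eventSource"].split(".")[0]
    service = PREFIX_OVERRIDES.get(host, host)
    name = re.sub(r"\d{8}(v\d+)?$", "", record["eventName"])
    return f"{service}:{name}"

def policy_from_cloudtrail(records):
    """Build a policy skeleton from the calls CloudFormation made on the role's
    behalf; records the role made directly (no invokedBy) are ignored."""
    grouped = {}  # (service, resource ARN tuple) -> set of actions
    for rec in records:
        if rec.get("userIdentity", {}).get("invokedBy") != "cloudformation.amazonaws.com":
            continue
        action = iam_action(rec)
        arns = tuple(sorted(r["ARN"] for r in rec.get("resources", []) if "ARN" in r))
        grouped.setdefault((action.split(":")[0], arns or ("*",)), set()).add(action)
    statements = []
    for (_service, arns), actions in sorted(grouped.items()):
        statements.append({"Effect": "Allow", "Action": sorted(actions),
                           # '*' is only a placeholder: scope it to real ARNs by hand
                           "Resource": "*" if arns == ("*",) else list(arns)})
    return {"Version": "2012-10-17", "Statement": statements}

if __name__ == "__main__":
    import json
    print(json.dumps(policy_from_cloudtrail(SAMPLE_RECORDS), indent=2))
```

Feed it the records of both a deployment and a rollback, since the question needs both covered, and treat the output as a starting point: resource-level scoping and any data events CloudTrail is not configured to log still need review.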

Automate create same policy to all AWS Accounts

Looking for suggestions on an AWS use case.
I have a lot of accounts in my AWS.
I am looking to create the same policy in all of my accounts. Now I want to automate it.
1) Can I create a Lambda function or CloudFormation template, or use any other way, to automate the creation of the same policy in all of my accounts, even if a new account is created? It needs to be added to all existing accounts if it's not there.
2) If possible, then how can I get access for the Lambda function to create policies?
Thanks
If you have multiple AWS accounts, you may want to consider using AWS Organizations and Service Control Policies (SCP). The policies are applied at a root level and affect all accounts under that root.
By using organizations, you can get events when account creation is completed and apply any additional changes to the account that you would like by using a Lambda function that receives a CloudWatch event. The event would contain information about the newly created account.
The two options provided seem to require a lot of manual administrative overhead, but I would be happy to answer your concerns. Creating a Lambda function which creates policies is done using the SDK. There is an IAM method called "CreatePolicy" which provides this functionality.
If I'm understanding your needs here (and assuming they're still the same after almost 3 years), you might consider using CloudFormation StackSets instead. They allow you to define common resources, including policies, as a CloudFormation template and have that template deployed to every one of the accounts in your organization.
You'll need to enable trusted access for CloudFormation StackSets in your organization AWS account, which will allow it to deploy the stacks to the rest of your organization's accounts.
To create the stack you'll need to:
Define a CloudFormation template, either using CloudFormation directly or by capturing the synthesized stack from an AWS CDK application.
Upload the produced template to a location in S3 that's accessible by your top-level organization account.
Create the StackSet in the CloudFormation console (or the CLI, CDK, etc). You can either deploy the stack to all accounts or filter by specific accounts or organizational units (OUs).
Once created, the stacks will be automatically deployed to the desired accounts, and kept up to date when the stack is updated. This will require you to define significantly less infrastructure.
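An added example, not part of the answer, of the StackSet steps above using boto3's CloudFormation client: a constructed template carrying a hypothetical managed policy, the two API requests with SERVICE_MANAGED permissions and auto-deployment (so accounts that later join the target OUs receive the policy), and a check that derives the Capabilities the template actually needs instead of granting both blindly. It assumes trusted access is already enabled and the calls are made from the management account.

```python
import json

# Constructed StackSet template (hypothetical policy name and statement): the one
# customer-managed policy every account should carry.
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {"BaselineAuditPolicy": {
        "Type": "AWS::IAM::ManagedPolicy",
        "Properties": {
            "ManagedPolicyName": "org-baseline-audit-read",
            "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": ["cloudtrail:LookupEvents"], "Resource": "*"}]},
        },
    }},
}

# Properties that pin an IAM resource's name and therefore require CAPABILITY_NAMED_IAM.
NAMED_IAM_PROPS = {"RoleName", "ManagedPolicyName", "UserName", "GroupName", "InstanceProfileName"}

def required_capabilities(template):
    """Derive the Capabilities a template needs rather than blanket-granting both."""
    caps = set()
    for res in template["Resources"].values():
        if res["Type"].startswith("AWS::IAM::"):
            caps.add("CAPABILITY_IAM")
            if NAMED_IAM_PROPS & set(res.get("Properties", {})):
                caps.add("CAPABILITY_NAMED_IAM")
    return sorted(caps)

def stack_set_requests(name, template, ou_ids, regions):
    """Build the CreateStackSet and CreateStackInstances requests.
    SERVICE_MANAGED avoids per-account execution roles; AutoDeployment makes
    accounts that later join the target OUs receive the stack automatically."""
    create = {"StackSetName": name, "TemplateBody": json.dumps(template),
              "PermissionModel": "SERVICE_MANAGED",
              "AutoDeployment": {"Enabled": True, "RetainStacksOnAccountRemoval": False},
              "Capabilities": required_capabilities(template)}
    instances = {"StackSetName": name, "Regions": list(regions),  # IAM is global: one region
                 "DeploymentTargets": {"OrganizationalUnitIds": list(ou_ids)}}
    return create, instances

def deploy(cfn, name, template, ou_ids, regions):
    """Run both calls with a boto3 cloudformation client from the management account."""
    create, instances = stack_set_requests(name, template, ou_ids, regions)
    cfn.create_stack_set(**create)
    return cfn.create_stack_instances(**instances)["OperationId"]
```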

AWS Lambda: Find Resources that are not Tagged

I am creating a config rule which uses a custom lambda function that checks if a configuration item has tags in it. I want the rule to run for all resources but I am finding that some resources such as IAM groups, roles, users, etc. cannot be tagged. Nevertheless, the configuration items for these resources have a tags attribute which makes it difficult to distinguish between resources that can be tagged but are not and resources that cannot be tagged at all.
Does anyone have any ideas on how I can filter out the resources which cannot be tagged?
I realize I could just identify what resources currently do not support tags by looking at the documentation and statically ignoring these types in the lambda but I would like a more dynamic solution which doesn't require me to update my lambda every time a new resource is discovered/released which does not support tags.
A little late to the party perhaps - better late than never! ;-)
Resources you can use with AWS Resource Groups and Tag Editor
You can use the AWS Management Console or the AWS CLI to create resource groups and then interact with the member resources through those groups. You can add tags to many AWS resources and then use those tags to manage group membership. This topic describes the AWS resources that you can include in resource groups by using AWS Resource Groups, and the AWS resources that you can tag by using Tag Editor...
Note: Adding tags to an AWS CloudFormation stack causes an update of the stack.
https://docs.aws.amazon.com/ARG/latest/userguide/supported-resources.html
AWS Resource Groups Tagging API Reference
AWS supports tagging on all core infrastructure resources that incur charges. Most other AWS resources also support tagging. Some resources support tagging only through that service's native tagging operations, and don't yet support this API. See the documentation for an individual service for information about that service's native tagging operations…
You can use the Resource Groups Tagging API operations to complete the following tasks:
Tag and untag supported resources located in the specified Region for the AWS account.
Use tag-based filters to search for resources located in the specified Region for the AWS account.
List all existing tag keys in the specified Region for the AWS account.
List all existing values for the specified key in the specified Region for the AWS account.
To use Resource Groups Tagging API operations, you must add the following permissions to your IAM policy:
tag:GetResources
tag:TagResources
tag:UntagResources
tag:GetTagKeys
tag:GetTagValues
You'll also need permissions to access the resources of individual services so that you can tag and untag those resources.
https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/overview.html
Services that support the Resource Groups Tagging API
You can use the Resource Groups Tagging API to tag resources for the AWS services listed at the URL linked below.
Note: The list includes only those AWS services that work with the Resource Groups Tagging API.
If an AWS service isn't listed, you might still be able to tag that service's resources by using the service's native tagging operations instead of using the Resource Groups Tagging API operations. See the documentation for an individual service for information about that service's native tagging operations.
This lets you tag resources by using the AWS CLI version of the service's operation. For example, you could tag an IAM user by using a command similar to the following example:
$ aws iam tag-user --user-name kristy --tags Key=CostCenter,Value=1234
https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/supported-services.html
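An added example, not from the post, of the Config custom-rule Lambda in Python: the set of taggable resource types and the required tag keys arrive as rule parameters, so a type that cannot be tagged yields NOT_APPLICABLE and the list can be changed by editing the rule rather than redeploying the function. The event, resource id and parameter values are constructed.

```python
import json

# Constructed Config custom-rule event (not real data); Config passes the item and rule parameters as JSON strings.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance", "resourceId": "i-0123456789abcdef0",
            "configurationItemStatus": "OK", "tags": {"Name": "web-1"},
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        },
    }),
    "ruleParameters": json.dumps({"requiredTagKeys": "Owner,CostCenter",
                                  "taggableTypes": "AWS::EC2::Instance,AWS::S3::Bucket,AWS::Lambda::Function"}),
    "resultToken": "constructed-token",
}

def _csv(value):
    return [v.strip() for v in (value or "").split(",") if v.strip()]

def evaluate(item, required_keys, taggable_types):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "resource deleted"
    if item["resourceType"] not in taggable_types:
        # Every item has a `tags` attribute, so the parameter's type list decides taggability.
        return "NOT_APPLICABLE", "resource type does not support tags"
    tags = item.get("tags") or {}
    missing = [k for k in required_keys if not tags.get(k)]
    if missing:
        return "NON_COMPLIANT", "missing required tag(s): " + ", ".join(missing)
    return "COMPLIANT", "all required tags present"

def build_evaluation(event):
    """Parse the Config event and produce one PutEvaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    ctype, note = evaluate(item, _csv(params.get("requiredTagKeys")),
                           set(_csv(params.get("taggableTypes"))))
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": ctype, "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def lambda_handler(event, context):
    import boto3  # lazy import: the evaluation logic above runs without boto3
    boto3.client("config").put_evaluations(
        Evaluations=[build_evaluation(event)], ResultToken=event["resultToken"])
```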

Is there a way to create AWS Dashboard using cloudformation or AWS CLI

I wanted to create an AWS Dashboard using CloudFormation but did not find a way.
I guess AWS has not yet added support for that.
As an alternative, is it possible to create it using the AWS CLI?
AWS just announced support for this.
https://aws.amazon.com/blogs/aws/new-api-cloudformation-support-for-amazon-cloudwatch-dashboards/
CloudFormation documentation is also available: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cw-dashboard.html
If I'm correct, your question concerns Resource Groups. It is not possible at this time to create a Resource Group in CloudFormation templates or via the awscli.
Resource Groups are tied to a User, not an account - so it's not possible to define them at an account level and allow Users to access them.
It's possible for a User to 'Share' a Resource Group they've created by passing a URL to another User.