Setting Up AWS SecurityHub With Terraform in a Minute

Written by mantux | Published 2022/01/14


I’m going to show you how to create a SecurityHub multi-account setup using Terraform.

AWS Organizations

If you are using AWS Organizations, you have something similar to the setup below. For configuring SecurityHub at the Organization level, you need to add securityhub.amazonaws.com to the service access principals. In this way, you’re telling Organizations that you want to use SecurityHub.
A best practice recommended by AWS is to delegate all security-related systems to a separate account, like a security or audit account. It’s a bad practice to mix the Organizations management account with security services. If you do that, you will end up granting access to users who are not necessarily security staff, like finance people who need access to the Organizations management account to see the bills.
In the last part of the code you can see the delegation resource and the admin_account_id, which in this case is the ID of the security account.
Cheers! You have configured Organizations and delegated administration of SecurityHub to the security account, well done.

SecurityHub

It’s time to go to the security account.
Depending on how your Terraform projects are organized, you may have both accounts in the same Terraform project, or in different projects separated by directories, so you need to figure out the best place to put your code for your setup.
The first section of the code enables SecurityHub automatically for all new accounts in the Organization. This lets us keep our environment fully compliant and centralize all findings in the security account.
The second resource enables the CIS benchmark. This is very useful since it’ll give you a lot of checks that you can use to gauge the compliance level of the resources in your accounts.
Finally, we add two existing accounts to SecurityHub as members. The first time you enable it, you need to add existing accounts in this way. For new accounts, you are covered with the auto_enable flag.
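As an added example (not the post's own code, which is not reproduced here), this is one way to express the Organizations and SecurityHub steps above in Terraform. It assumes the default aws provider carries management-account credentials; the aws.security provider alias, the assumed role name, and every account ID are placeholders to replace with your own.

```hcl
provider "aws" {
  alias  = "security"
  region = "us-east-1"
  assume_role {
    # Placeholder role in the security account; adjust to your setup.
    role_arn = "arn:aws:iam::222222222222:role/OrganizationAccountAccessRole"
  }
}

# 1. Management account: tell Organizations that SecurityHub is in use.
resource "aws_organizations_organization" "org" {
  aws_service_access_principals = ["securityhub.amazonaws.com"]
}

# 2. Management account: delegate SecurityHub administration to the security account.
resource "aws_securityhub_organization_admin_account" "delegated" {
  admin_account_id = "222222222222" # placeholder: security account ID
  depends_on       = [aws_organizations_organization.org]
}

# 3. Security account: enable SecurityHub itself.
resource "aws_securityhub_account" "this" {
  provider = aws.security
}

# 4. Security account: auto-enable SecurityHub for every new member account.
resource "aws_securityhub_organization_configuration" "this" {
  provider    = aws.security
  auto_enable = true
  depends_on  = [aws_securityhub_account.this, aws_securityhub_organization_admin_account.delegated]
}

# 5. Security account: subscribe to the CIS AWS Foundations Benchmark standard.
resource "aws_securityhub_standards_subscription" "cis" {
  provider      = aws.security
  standards_arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
  depends_on    = [aws_securityhub_account.this]
}

# 6. Security account: add pre-existing accounts as members (new ones are covered by auto_enable).
resource "aws_securityhub_member" "existing" {
  for_each   = toset(["333333333333", "444444444444"]) # placeholder account IDs
  provider   = aws.security
  account_id = each.value
  depends_on = [aws_securityhub_organization_configuration.this]
}
```

Step 2 runs in the management account and steps 3 to 6 in the delegated security account, which is why the SecurityHub resources carry the aws.security provider.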

That’s Not All, Folks!

I hope that you’ve learned something new with my post, and if this is your case, I encourage you to become one of my followers. You’ll be notified when I upload more useful content like this one.

Written by mantux | Cloud Security Engineer | Researcher | Blogger | Soccer player
Published by HackerNoon on 2022/01/14