Merge develop 1.5.13 into master

digitc1 · Jan 7, 2025 · 9c1dff7 · 9c1dff7
2 parents d7e2f5b + be57075
commit 9c1dff7
Show file tree

Hide file tree

Showing 5 changed files with 136 additions and 2 deletions.
diff --git a/CFN/EC-lz-Config-Guardduty-all-regions.yml b/CFN/EC-lz-Config-Guardduty-all-regions.yml
@@ -42,7 +42,7 @@ Parameters:
   OrganizationOuId:
     Description: 'Organizational OU Id'
     Type: String
-    Default: "/org/member/SecLogOU"
+    Default: "o-jyyw8qs5c8"
 
 Conditions:
   IsSecLogMasterAccount: !Equals

diff --git a/EC-SLZ-Version.txt b/EC-SLZ-Version.txt
@@ -1 +1 @@
-1.5.12
+1.5.13
diff --git a/SH/EC-Disable-SecurityHub-Guardduty-MEMBER.sh b/SH/EC-Disable-SecurityHub-Guardduty-MEMBER.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+# Fetch the list of all enabled AWS regions
+REGIONS=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text)
+
+# Function to disable Security Hub
+disable_securityhub() {
+    echo "Disabling Security Hub in region: $1"
+
+    # Check if Security Hub is enabled
+    STATUS=$(aws securityhub get-findings --region $1 --max-items 1 2>&1)
+    if [[ "$STATUS" == *"Security Hub is not enabled"* ]]; then
+        echo "Security Hub is already disabled in region: $1"
+        return
+    fi
+
+    # Disable Security Hub
+    aws securityhub disable-security-hub --region $1 > /dev/null 2>&1
+
+    if [ $? -eq 0 ]; then
+        echo "Successfully disabled Security Hub in region: $1"
+    else
+        echo "Failed to disable Security Hub in region: $1"
+    fi
+}
+
+# Function to disable GuardDuty
+disable_guardduty() {
+    echo "Disabling GuardDuty in region: $1"
+
+    # Retrieve the GuardDuty Detector ID
+    DETECTOR_ID=$(aws guardduty list-detectors --region $1 --query "DetectorIds[0]" --output text)
+
+    if [ -z "$DETECTOR_ID" ] || [ "$DETECTOR_ID" == "None" ]; then
+        echo "GuardDuty is already disabled in region: $1"
+        return
+    fi
+
+    # Disable GuardDuty
+    aws guardduty delete-detector --detector-id $DETECTOR_ID --region $1 > /dev/null 2>&1
+
+    if [ $? -eq 0 ]; then
+        echo "Successfully disabled GuardDuty in region: $1"
+    else
+        echo "Failed to disable GuardDuty in region: $1"
+    fi
+}
+
+# Loop through all regions and disable Security Hub and GuardDuty
+for REGION in $REGIONS; do
+    echo "Processing region: $REGION"
+
+    # Disable Security Hub
+    disable_securityhub $REGION
+
+    # Disable GuardDuty
+    disable_guardduty $REGION
+
+done
+
+echo "Decommissioning Security Hub and GuardDuty completed in all regions."
diff --git a/SH/EC-Disassociate-SecurityHub-Guardduty-MASTER.sh b/SH/EC-Disassociate-SecurityHub-Guardduty-MASTER.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+# Check if an Account ID is provided as a parameter
+if [ -z "$1" ]; then
+    echo "Usage: $0 <MEMBER_ACCOUNT_ID>"
+    exit 1
+fi
+
+# Assign the passed Account ID to a variable
+MEMBER_ACCOUNT_ID="$1"
+
+# Fetch the list of all enabled AWS regions
+REGIONS=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text)
+
+# Function to disassociate Security Hub member accounts
+disassociate_securityhub() {
+    echo "Disassociating Security Hub members in region: $1"
+
+    aws securityhub disassociate-members \
+        --account-ids $MEMBER_ACCOUNT_ID \
+        --region $1
+
+    if [ $? -eq 0 ]; then
+        echo "Successfully disassociated Security Hub member in region: $1"
+    else
+        echo "Failed to disassociate Security Hub member in region: $1"
+    fi
+}
+
+# Function to disassociate GuardDuty member accounts
+disassociate_guardduty() {
+    echo "Disassociating GuardDuty members in region: $1"
+
+    # Retrieve the GuardDuty detector ID
+    DETECTOR_ID=$(aws guardduty list-detectors --region $1 --query "DetectorIds[0]" --output text)
+
+    if [ "$DETECTOR_ID" == "None" ] || [ -z "$DETECTOR_ID" ]; then
+        echo "No GuardDuty detector found in region: $1. Skipping."
+        return
+    fi
+
+    aws guardduty disassociate-members \
+        --detector-id $DETECTOR_ID \
+        --account-ids $MEMBER_ACCOUNT_ID \
+        --region $1
+
+    if [ $? -eq 0 ]; then
+        echo "Successfully disassociated GuardDuty member in region: $1"
+    else
+        echo "Failed to disassociate GuardDuty member in region: $1"
+    fi
+}
+
+# Loop through each region and disassociate members
+for REGION in $REGIONS; do
+    echo "Processing region: $REGION"
+
+    # Disassociate Security Hub member
+    disassociate_securityhub $REGION
+
+    # Disassociate GuardDuty member
+    disassociate_guardduty $REGION
+done
+
+echo "Disassociation process for Security Hub and GuardDuty completed."
diff --git a/SH/EC-Enable-SecurityHub-Controls-All-Regions.sh b/SH/EC-Enable-SecurityHub-Controls-All-Regions.sh
@@ -61,6 +61,10 @@ configure() {
         # Disable "ControlId": "CIS1.14", "1.14 Ensure hardware MFA is enabled for the \"root\" account"
         aws --profile $PROFILE --region $region securityhub update-standards-control --standards-control-arn "arn:aws:securityhub:$region:$accountid:control/cis-aws-foundations-benchmark/v/1.2.0/1.14" --control-status "DISABLED" --disabled-reason "Managed by Cloud Broker Team"
         echo "CIS Check CIS1.14 update for cis-aws-foundations-benchmark in region $region: exit code $?"
+
+        # Turn off the check for AWS Config service-linked role
+        aws --profile $PROFILE --region $region securityhub update-security-control --security-control-id "Config.1" --parameters '{"includeConfigServiceLinkedRoleCheck": {"ValueType": "CUSTOM", "Value": {"Boolean": false}}}' --last-update-reason "The LZ does not use the AWS Config service-linked role"
+        echo "Config.1 update for cis-aws-foundations-benchmark in region $region: exit code $?"
     done
 
     # ------------------
@@ -90,6 +94,10 @@ configure() {
         aws --profile $PROFILE --region $region securityhub update-standards-control --standards-control-arn "arn:aws:securityhub:$region:$accountid:control/cis-aws-foundations-benchmark/v/1.2.0/1.14" --control-status "DISABLED" --disabled-reason "Managed by Cloud Broker Team"
         echo "CIS Check CIS1.14 update for cis-aws-foundations-benchmark in region $region: exit code $?"
 
+        # Turn off the check for AWS Config service-linked role
+        aws --profile $PROFILE --region $region securityhub update-security-control --security-control-id "Config.1" --parameters '{"includeConfigServiceLinkedRoleCheck": {"ValueType": "CUSTOM", "Value": {"Boolean": false}}}' --last-update-reason "The LZ does not use the AWS Config service-linked role"
+        echo "Config.1 update for cis-aws-foundations-benchmark in region $region: exit code $?"
+
     done
 }