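---
# Creates the cross-account execution role that a Security Hub administrator
# account assumes in order to enable and manage Security Hub (and the AWS
# Config recorder it depends on). Optionally also creates an EC2 instance
# role/profile so an instance in the administrator account can assume the
# execution role instead of running the enablement script locally.
#
# Date-looking scalars (template version, policy Version) are quoted so that
# generic YAML 1.1 parsers do not turn them into date objects; CloudFormation
# accepts either form.
AWSTemplateFormatVersion: "2010-09-09"
Description: Creates a new role to allow an administrator account to enable and manage SecurityHub.

Parameters:
  AdministratorAccountId:
    Type: String
    Description: AWS Account Id of the administrator account (the account in which will receive SecurityHub findings from member accounts).
    MaxLength: 12
    MinLength: 12
    # Length alone still accepts 12 arbitrary characters; the pattern makes a
    # malformed account ID fail at stack creation rather than produce a trust
    # policy that references a non-existent principal.
    AllowedPattern: "^[0-9]{12}$"
    ConstraintDescription: Must be a 12-digit AWS account ID.
  CreateInstanceRole:
    Type: String
    Description: Select Yes to create an EC2 instance role that can be attached to an instance in the Master account which will allow the instance to assume the execution role. Select No if you plan to run the script locally or are creating the stack in a member account.
    # Quoted on purpose: bare Yes/No would be read as booleans by YAML 1.1 parsers.
    AllowedValues: ["Yes", "No"]

Conditions:
  # Condition and parameter share a name; CloudFormation keeps them in
  # separate namespaces, so this is legal, if slightly confusing.
  CreateInstanceRole: !Equals [!Ref CreateInstanceRole, "Yes"]

Resources:
  # Role assumed from the administrator account. The fixed RoleName is what
  # lets the administrator address the same role in every member account.
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ManageSecurityHub
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          # A bare account ID as principal means the account root, i.e. any
          # IAM principal in the administrator account that is itself allowed
          # sts:AssumeRole on this role. Narrow it to a specific role ARN, or
          # add an sts:ExternalId / aws:MultiFactorAuthPresent condition, if
          # the administrator account is shared with unrelated workloads.
          - Effect: Allow
            Principal:
              AWS:
                - !Ref AdministratorAccountId
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: ManageSecurityHub
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Service-linked role creation is restricted to the two services
              # Security Hub enablement actually needs.
              - Effect: Allow
                Action: "iam:CreateServiceLinkedRole"
                Resource: "*"
                Condition:
                  StringLike:
                    "iam:AWSServiceName":
                      - "securityhub.amazonaws.com"
                      - "config.amazonaws.com"
              # Full Security Hub control is the purpose of this role; it also
              # covers disabling the service and changing findings, so treat
              # assumption of this role as privileged.
              - Effect: Allow
                Action: "securityhub:*"
                Resource: "*"
              # Enough Config permissions to create/replace a recorder and
              # delivery channel, which Security Hub standards require.
              - Effect: Allow
                Action:
                  - config:DescribeConfigurationRecorders
                  - config:DescribeDeliveryChannels
                  - config:DescribeConfigurationRecorderStatus
                  - config:DeleteConfigurationRecorder
                  - config:DeleteDeliveryChannel
                  - config:PutConfigurationRecorder
                  - config:PutDeliveryChannel
                  - config:StartConfigurationRecorder
                Resource: "*"
              # PassRole is pinned to the Config service-linked role only, so
              # this role cannot hand arbitrary roles to other services.
              - Effect: Allow
                Action: "iam:PassRole"
                Resource: "arn:aws:iam::*:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
              # Bucket permissions are limited to the Config delivery bucket
              # naming prefix used by the enablement script.
              - Effect: Allow
                Action:
                  - "s3:CreateBucket"
                  - "s3:PutBucketPolicy"
                  - "s3:ListBucket"
                Resource: "arn:aws:s3:::config-bucket-*"

  # Optional: EC2 role for an instance in the administrator account that runs
  # the enablement script and hops into ExecutionRole in each member account.
  InstanceRole:
    Type: AWS::IAM::Role
    Condition: CreateInstanceRole
    Properties:
      RoleName: ManageSecurityHubInstanceRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - "ec2.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: ManageSecurityHubPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # !Ref on an AWS::IAM::Role yields the role name, so this resolves
              # to arn:aws:iam::*:role/ManageSecurityHub — the same-named role in
              # any account. Assumption still requires that account's trust
              # policy to list this administrator account.
              - Effect: Allow
                Action: "sts:AssumeRole"
                Resource: !Join ["", ["arn:aws:iam::*:role/", !Ref ExecutionRole]]

  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Condition: CreateInstanceRole
    Properties:
      Path: /
      Roles:
        - !Ref InstanceRole
      InstanceProfileName: EnableSecurityHub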