feat(aws): add securityhub + config org-wide delegated admin checks#11259
Open
ernestprovo23 wants to merge 1 commit into
Closes prowler-cloud#8710 (remaining 2 of 3 checks; guardduty check shipped via prowler-cloud#9867)

Adds:
- securityhub_delegated_admin_enabled_all_regions: verifies Security Hub has a delegated administrator configured org-wide, the hub is ACTIVE in all opted-in regions, and AutoEnable is on for new organization members.
- config_delegated_admin_and_org_aggregator_all_regions: verifies AWS Config has a registered delegated administrator (via organizations:ListDelegatedAdministrators with ServicePrincipal=config.amazonaws.com) and at least one Configuration Aggregator with OrganizationAggregationSource.AllAwsRegions=true.

Service extensions:
- securityhub_service.py: new OrganizationAdminAccount model, paginated _list_organization_admin_accounts, per-hub _describe_organization_configuration, organization auto-enable fields on SecurityHubHub.
- config_service.py: new Aggregator + ConfigDelegatedAdministrator models, per-region _describe_configuration_aggregators, global Organizations call to enumerate Config-service delegated admins with explicit AccessDenied surfacing.

Mirrors the pattern established by prowler-cloud#9867 (guardduty_delegated_admin_enabled_all_regions).

Tests: 9 new tests (4 securityhub + 5 config) using moto + targeted botocore monkey-patches for org APIs not in moto. Full regression across securityhub/config/organizations/guardduty: 108/108 passing.
✅ Conflict Markers Resolved: All conflict markers have been successfully resolved in this pull request.
Context
Fixes #8710 (remaining 2 of the 3 checks proposed there; the GuardDuty check shipped via #9867)
In AWS Organizations, delegated administrators for core security services (GuardDuty, Security Hub, AWS Config) should be configured consistently across all opted-in regions. #9867 added guardduty_delegated_admin_enabled_all_regions; this PR adds the remaining two checks @danibarranqueroo flagged as still open for contribution.

Description

New check: securityhub_delegated_admin_enabled_all_regions, which verifies:
- a delegated administrator is configured org-wide (securityhub:ListOrganizationAdminAccounts)
- the hub is ACTIVE in all opted-in regions (existing service state)
- AutoEnable is on for new organization members (securityhub:DescribeOrganizationConfiguration → AutoEnable)

New check: config_delegated_admin_and_org_aggregator_all_regions, which verifies:
- a delegated administrator is registered for config.amazonaws.com (organizations:ListDelegatedAdministrators with ServicePrincipal filter)
- at least one Configuration Aggregator has OrganizationAggregationSource.AllAwsRegions=true (config:DescribeConfigurationAggregators)

Changes

- prowler/providers/aws/services/securityhub/securityhub_service.py: added OrganizationAdminAccount model, paginated _list_organization_admin_accounts, per-hub _describe_organization_configuration, and organization_auto_enable / auto_enable_standards / organization_config_available fields on SecurityHubHub. Both new fetchers tolerate the InvalidAccessException / AccessDeniedException / BadRequestException triad that Security Hub raises when not running from the management or delegated admin account.
- prowler/providers/aws/services/config/config_service.py: added Aggregator and ConfigDelegatedAdministrator models, per-region _describe_configuration_aggregators, and a single _list_config_delegated_administrators call against the Organizations API (uses a freshly built self.session.client("organizations") since the call is global). AccessDenied is surfaced via a delegated_administrators_lookup_failed flag the check inspects.
- New check directories mirror the layout of guardduty_delegated_admin_enabled_all_regions/.
- prowler/CHANGELOG.md: two ### 🚀 Added entries under 5.28.0.

Tests

- securityhub/, config/, organizations/, guardduty/: 108/108 passing
- teardown_method evicts securityhub_client from sys.modules so the legacy mock.patch-based securityhub_enabled_test.py (which assumes a fresh module import) keeps working in the same pytest session. Tested across 3 random seeds with pytest-randomly to confirm no order-dependent failures.

Steps to review

- securityhub_service.py: two new methods, one new model, three new fields on SecurityHubHub
- config_service.py: two new models, two new methods (one regional, one global)
- .py files: check logic + mute_non_default_regions support
- metadata.json files: Risk length (352, 340; both ≤ 400), RelatedUrl="", severity, and resource-group selection

To run the new tests:
Notes on the Config check name
The original issue proposed config_delegated_admin_and_org_aggregator_all_regions. I used that exact name (per @danibarranqueroo's 2026-03-10 comment) since the Config check is structurally different from the SecurityHub/GuardDuty siblings: Config has no per-service delegated-admin API, so we go through Organizations and verify aggregator coverage rather than per-region enablement.

License
This contribution is submitted under the Apache 2.0 license, consistent with the project license.
Checklist
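The two evaluation rules described in this PR (per-region Security Hub delegated admin + ACTIVE hub + AutoEnable, and the global Config delegated admin + all-regions organization aggregator), as an added stand-alone example. This is not the PR's code and not Prowler's own check implementation: the response dicts are constructed stand-ins shaped like the boto3 responses the description names (securityhub:ListOrganizationAdminAccounts, securityhub:DescribeOrganizationConfiguration, organizations:ListDelegatedAdministrators, config:DescribeConfigurationAggregators), the Finding dataclass is a simplified substitute for Prowler's report object, the account IDs, regions and aggregator name are made up, and reporting a denied Organizations lookup as FAIL is this example's assumption, not necessarily what the PR's delegated_administrators_lookup_failed flag does.

```python
"""Added example, not code from the PR or from Prowler: evaluate the two
org-wide delegated-admin conditions over constructed, API-shaped responses
instead of live boto3 calls."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    """Simplified stand-in for Prowler's Check_Report_AWS (assumption)."""
    check_id: str
    region: str
    status: str            # "PASS" or "FAIL"
    status_extended: str


SH_CHECK = "securityhub_delegated_admin_enabled_all_regions"
CFG_CHECK = "config_delegated_admin_and_org_aggregator_all_regions"


def securityhub_findings(
    opted_in_regions: List[str],
    admin_accounts: dict,                             # ListOrganizationAdminAccounts response
    hub_status_by_region: Dict[str, Optional[str]],   # "ACTIVE", or None when no hub exists
    org_config_by_region: Dict[str, Optional[dict]],  # DescribeOrganizationConfiguration, None if denied
) -> List[Finding]:
    """One finding per opted-in region; PASS only when all three conditions hold."""
    enabled_admins = [
        a["AccountId"] for a in admin_accounts.get("AdminAccounts", [])
        if a.get("Status") == "ENABLED"
    ]
    findings = []
    for region in opted_in_regions:
        problems = []
        if not enabled_admins:
            problems.append("no ENABLED delegated administrator")
        if hub_status_by_region.get(region) != "ACTIVE":
            problems.append("hub is not ACTIVE")
        org_cfg = org_config_by_region.get(region)
        if org_cfg is None:
            # The call fails outside the management / delegated admin account.
            problems.append("organization configuration unavailable")
        elif not org_cfg.get("AutoEnable", False):
            problems.append("AutoEnable is off for new member accounts")
        if problems:
            findings.append(Finding(SH_CHECK, region, "FAIL", "; ".join(problems)))
        else:
            findings.append(Finding(SH_CHECK, region, "PASS",
                                    f"delegated admin {enabled_admins[0]}, hub ACTIVE, AutoEnable on"))
    return findings


def config_finding(
    delegated_admins: Optional[dict],        # ListDelegatedAdministrators(ServicePrincipal="config.amazonaws.com"), None if AccessDenied
    aggregators_by_region: Dict[str, dict],  # per-region DescribeConfigurationAggregators responses
) -> Finding:
    """Single global finding: Config has no per-region delegated-admin API, so the rule is
    an ACTIVE Organizations delegation plus an aggregator with AllAwsRegions=true."""
    if delegated_admins is None:
        # Assumption for this example: a denied lookup fails closed rather than passing silently.
        return Finding(CFG_CHECK, "global", "FAIL",
                       "organizations:ListDelegatedAdministrators was denied; cannot confirm a Config delegated administrator")
    active_admins = [
        d["Id"] for d in delegated_admins.get("DelegatedAdministrators", [])
        if d.get("Status") == "ACTIVE"
    ]
    org_wide = [
        f"{agg['ConfigurationAggregatorName']} ({region})"
        for region, resp in aggregators_by_region.items()
        for agg in resp.get("ConfigurationAggregators", [])
        if agg.get("OrganizationAggregationSource", {}).get("AllAwsRegions") is True
    ]
    problems = []
    if not active_admins:
        problems.append("no ACTIVE delegated administrator for config.amazonaws.com")
    if not org_wide:
        problems.append("no organization aggregator with AllAwsRegions=true")
    if problems:
        return Finding(CFG_CHECK, "global", "FAIL", "; ".join(problems))
    return Finding(CFG_CHECK, "global", "PASS",
                   f"delegated admin {active_admins[0]}, org-wide aggregator {org_wide[0]}")


# Constructed sample responses (account IDs, names and regions are made up).
SAMPLE_REGIONS = ["us-east-1", "eu-west-1", "ap-south-1"]
SAMPLE_SH_ADMINS = {"AdminAccounts": [{"AccountId": "111111111111", "Status": "ENABLED"}]}
SAMPLE_SH_HUBS = {"us-east-1": "ACTIVE", "eu-west-1": "ACTIVE", "ap-south-1": None}
SAMPLE_SH_ORG_CFG = {
    "us-east-1": {"AutoEnable": True, "AutoEnableStandards": "DEFAULT"},
    "eu-west-1": {"AutoEnable": False, "AutoEnableStandards": "NONE"},
    "ap-south-1": None,
}
SAMPLE_CFG_ADMINS = {"DelegatedAdministrators": [{"Id": "222222222222", "Status": "ACTIVE"}]}
SAMPLE_CFG_AGGREGATORS = {
    "us-east-1": {"ConfigurationAggregators": [{
        "ConfigurationAggregatorName": "org-aggregator",
        "OrganizationAggregationSource": {"RoleArn": "arn:aws:iam::222222222222:role/cfg", "AllAwsRegions": True},
    }]},
    "eu-west-1": {"ConfigurationAggregators": []},
}


def run_example():
    sh = securityhub_findings(SAMPLE_REGIONS, SAMPLE_SH_ADMINS, SAMPLE_SH_HUBS, SAMPLE_SH_ORG_CFG)
    return sh, config_finding(SAMPLE_CFG_ADMINS, SAMPLE_CFG_AGGREGATORS)


if __name__ == "__main__":
    sh_findings, cfg_finding = run_example()
    for f in sh_findings + [cfg_finding]:
        print(f"{f.check_id} [{f.region}] {f.status}: {f.status_extended}")
```

With the constructed input, us-east-1 passes, eu-west-1 fails only on AutoEnable, and ap-south-1 fails on both the missing hub and the unreadable organization configuration; the Config check passes because one region carries an AllAwsRegions aggregator even though the other has none. Swapping the Organizations response for None shows the fail-closed path a reviewer would want to confirm the real check takes.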