From eddf81ee1d3de96c253b1fd3052110f3e3a3aa92 Mon Sep 17 00:00:00 2001
From: Chris Farris
Date: Tue, 8 Aug 2023 09:18:34 -0400
Subject: [PATCH] Moved to https://github.com/primeharbor/pht-securityhub-management

---
.../configure_securityhub_admin_account.sh | 28 ---------------
scripts/disable_security_hub.sh | 13 -------
scripts/disable_security_hub_standards.sh | 35 -------------------
scripts/enable_securityhub_delegation.sh | 18 ----------
4 files changed, 94 deletions(-)
delete mode 100755 scripts/configure_securityhub_admin_account.sh
delete mode 100755 scripts/disable_security_hub.sh
delete mode 100755 scripts/disable_security_hub_standards.sh
delete mode 100755 scripts/enable_securityhub_delegation.sh

diff --git a/scripts/configure_securityhub_admin_account.sh b/scripts/configure_securityhub_admin_account.sh
deleted file mode 100755
index 6ece93a..0000000
--- a/scripts/configure_securityhub_admin_account.sh
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/bash
-
-# Script to enable SecurityHub in each region in the Delegated Admin Account
-
-# We need to get a list of the accounts to then add as members. This actually comes from the Organizations API which we now have access to as a Delegated Admin Child
-aws organizations list-accounts | jq '[ .Accounts[] | { AccountId: .Id, Email: .Email } ]' > ACCOUNT_INFO.txt
-
-REGIONS=`aws ec2 describe-regions --query 'Regions[].[RegionName]' --output text`
-for r in $REGIONS ; do
- echo "Enabling SecurityHub Delegated Admin in $r"
-
- # Enable Security Hub in this delegated Admin account
- aws securityhub enable-security-hub --no-enable-default-standards --output text --region $r
-
- sleep 10
-
- # Update the org config to auto-enable new accounts
- aws securityhub update-organization-configuration --auto-enable --region $r
-
- # Add all of the existing accounts
- aws securityhub create-members --account-details file://ACCOUNT_INFO.txt --region $r
-
- # Configure the Consolidated controls and enable all the controls for the enabled frameworks
- aws securityhub update-security-hub-configuration --auto-enable-controls --control-finding-generator SECURITY_CONTROL --region $r
-done
-
-# cleanup
-rm ACCOUNT_INFO.txt
\ No newline at end of file
diff --git a/scripts/disable_security_hub.sh b/scripts/disable_security_hub.sh
deleted file mode 100755
index 7ed4530..0000000
--- a/scripts/disable_security_hub.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash
-
-PROFILE=""
-
-if [ ! -z "$1" ] ; then
- PROFILE="--profile $1"
-fi
-
-REGIONS=`aws ec2 describe-regions --query 'Regions[].[RegionName]' --output text $PROFILE`
-for r in $REGIONS ; do
- echo "Disabling Security Hub in ${r}"
- aws securityhub disable-security-hub --region $r $PROFILE
-done
\ No newline at end of file
diff --git a/scripts/disable_security_hub_standards.sh b/scripts/disable_security_hub_standards.sh
deleted file mode 100755
index e1fecd8..0000000
--- a/scripts/disable_security_hub_standards.sh
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/bin/bash
-
-ROLENAME=$1
-
-if [ -z $ROLENAME ] ; then
- echo "usage $0 "
- exit 1
-fi
-
-while read line ; do
-
- # extract the values we need
- ACCOUNT_ID=`echo $line | awk '{print $1}'`
-
- aws sts assume-role --role-arn arn:aws:iam::$ACCOUNT_ID:role/$ROLENAME --role-session-name Disable-Security-Hub-Standards --query Credentials > ${ACCOUNT_ID}_creds.json
-
- export AWS_SECRET_ACCESS_KEY=`cat ${ACCOUNT_ID}_creds.json | jq .SecretAccessKey -r`
- export AWS_ACCESS_KEY_ID=`cat ${ACCOUNT_ID}_creds.json | jq .AccessKeyId -r `
- export AWS_SESSION_TOKEN=`cat ${ACCOUNT_ID}_creds.json | jq .SessionToken -r `
- rm ${ACCOUNT_ID}_creds.json
-
- REGIONS=`aws ec2 describe-regions --query 'Regions[].[RegionName]' --output text`
- for r in $REGIONS ; do
- echo "Disabling all Security Hub standards in $ACCOUNT_ID ${r}"
- STANDARDS=`aws securityhub get-enabled-standards --query StandardsSubscriptions[].StandardsSubscriptionArn --output text --region $r`
- if [[ ! -z "$STANDARDS" ]] ; then
- aws securityhub batch-disable-standards --standards-subscription-arns $STANDARDS --region $r --output text
- else
- echo "No enabled standards in $ACCOUNT_ID ${r}"
- fi
- done
- unset AWS_SECRET_ACCESS_KEY AWS_ACCESS_KEY_ID AWS_SESSION_TOKEN
-
-done < <(aws organizations list-accounts --query Accounts[].[Id,Status] --output text | grep ACTIVE )
-
diff --git a/scripts/enable_securityhub_delegation.sh b/scripts/enable_securityhub_delegation.sh
deleted file mode 100755
index ff2d8ea..0000000
--- a/scripts/enable_securityhub_delegation.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-
-# Script to enable Delegated Admin in a payer account for all Regions
-
-SECURITY_ACCOUNT=$1
-
-if [ -z $SECURITY_ACCOUNT ] ; then
- echo "Usage: $0 "
- exit 1
-fi
-
-REGIONS=`aws ec2 describe-regions --query 'Regions[].[RegionName]' --output text`
-for r in $REGIONS ; do
- echo "Enabling SecurityHub Delegated Admin in $r"
- aws securityhub enable-organization-admin-account --admin-account-id $SECURITY_ACCOUNT --region $r
- aws securityhub enable-security-hub --no-enable-default-standards --output text --region $r
-
-done
\ No newline at end of file