Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.iru.com/llms.txt

Use this file to discover all available pages before exploring further.

About AWS Security Hub

AWS Security Hub aggregates findings and compliance posture across enabled Regions. Security Hub must be turned on where you expect evidence. Iru assumes a cross-account IAM role and reads securityhub: metadata APIs.

How it works

Attach AWSSecurityHubReadOnlyAccess or use: 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "securityhub:Get*",
        "securityhub:List*",
        "securityhub:BatchGet*",
        "securityhub:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
DetailValue
CategorySecurity posture
AuthenticationCross-account IAM role

Prerequisites

  • IAM admin rights.
  • Security Hub enabled per Region under review.

Connect AWS Security Hub to Iru

Copy the trust policy from Iru

1

Open Sources

In Iru Compliance, on the left navigation bar, expand Compliance and select Sources.
Left navigation: Compliance expanded, Sources selected
2

Turn on AWS Security Hub

Find AWS Security Hub (use Category or Search by name or description). On that card, turn on the toggle. Leave the wizard tab open.
3

Copy the trust policy JSON

Copy the trust policy exactly as shown in the wizard. The shape below matches what IAM expects for the role Trust policy editor (full document with Version and Statement). Always use the principal and external ID from your live wizard if they differ:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::753695775620:role/IruConnect"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Create the IAM role in AWS

1

Start Create role

Open IAMRolesCreate role.
2

Configure trusted entity

Choose AWS accountAnother AWS account. Enter 753695775620 (or the ID Iru shows). Enable Require external ID and paste the value from Iru.
3

Attach Security Hub permissions

Attach AWSSecurityHubReadOnlyAccess, or attach an inline policy matching the JSON under How it works above.
4

Name the role and copy the ARN

Name the role, create it, and copy the Role ARN.
5

Verify the trust relationship

Confirm Trust relationships matches the wizard JSON.

Submit the role ARN in Iru

1

Paste the IAM Role ARN

Return to Iru. Paste the Role ARN into the connector where the wizard prompts for it.
2

Confirm the source is Active

Submit until AWS Security Hub shows Active.

Troubleshooting

Check pop-up blocker settings for the Iru site and try again.
Enable Security Hub there first.
External ID mismatch.

See also