Leen supports three different ways to authenticate with AWS SecurityHub. Here is a quick overview of each:

  1. AWS Direct Access: This is the simplest way to authenticate with AWS SecurityHub. It requires the AWS Access Key ID and AWS Secret Access Key.

  2. Leen Role Creation: Your end-user will have to create a new IAM role that Leen can assume. This role will only require the minimum permissions to read from SecurityHub.

  3. Role Chaining: This method involves creating a new IAM role in your account which has permissions to assume roles in your end-user’s account. Leen will then set up a role and trust relationship to use this role with permissions to the end-user’s SecurityHub.

AWS Direct Access

For Leen to authenticate with AWS SecurityHub using AWS Direct Access, we require the following:

  1. AWS Access Key ID: A unique identifier used to authenticate requests to AWS services.
  2. AWS Secret Access Key: A confidential string used in conjunction with the Access Key ID to securely sign API requests to AWS services.
  3. AWS Region (Optional): The AWS region to pull SecurityHub data from.

If you don’t already have an Access Key and Secret Access Key which you can use for this integration, you can follow these steps to create a new user with the minimum required permissions:

Step 1: Create a new IAM User

In the AWS console, navigate to the IAM page and click on Users. From there, select the Create User button.

We recommend that you do not check the “AWS Management Console access” option.

Step 2: Attach Policy to User

The next step is to attach the AWSSecurityHubReadOnlyAccess policy to the user. This policy allows the user to read from SecurityHub.

Step 3: Create Access Key

Once you have created the user, an admin user can create a new access key for that user. Use these credentials to create a new SecurityHub connection in Leen.

Leen Role Creation

For Leen to authenticate with AWS SecurityHub using Leen Role Creation, we require the following:

  1. AWS Role ARN: The Amazon Resource Name (ARN) of the IAM role that grants Leen access to your AWS SecurityHub resources.
  2. External ID (Optional): A unique identifier set when creating the Leen Role.
  3. AWS Region (Optional): The AWS region to pull SecurityHub data from.

Step 1: Create a new IAM Role

In the AWS console, navigate to the IAM page and click on “Roles.” From there, select the “Create Role” button.

For the Trusted entity type, choose the AWS Account option. Next, select Another AWS Account and enter the Leen AWS Account ID.

You can optionally enable “Require External ID” and provide a unique identifier, which serves as an additional security measure to ensure that only Leen can assume the role.

Please reach out to the Leen team to get the Leen AWS Account ID.

Step 2: Add Permissions to the Role

To create the role with the minimum required permissions, we need to attach only the AWSSecurityHubReadOnlyAccess permissions to the role.

Step 3: Review and create the role

Now, give the role a name and description and review the permissions and the trust policy being created for the role.

This trust policy allows the Leen AWS account to assume the role with the given AWSSecurityHubReadOnlyAccess permissions.

Step 4: Get the Role ARN and External ID

Once you have created the role, you can copy the Role ARN and External ID from the role details page.

Use these credentials to create a new SecurityHub connection in Leen.
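The trust policy that Steps 1 to 3 produce can be reviewed before the role is handed over. The following Python is an added example, not Leen's own code: it builds the trust policy the “Another AWS account” wizard generates (with the optional “Require External ID” condition) and checks it the way a reviewer would, confirming that only sts:AssumeRole is granted, that only the expected account is trusted (no wildcard or foreign principals), and that the sts:ExternalId condition is present. LEEN_ACCOUNT_ID and EXTERNAL_ID are constructed placeholders; the real Leen AWS Account ID comes from the Leen team.

```python
"""Build and check the IAM trust policy created in Steps 1-3 above.

Added example, not Leen's code. LEEN_ACCOUNT_ID and EXTERNAL_ID are
constructed placeholders: get the real account ID from the Leen team and
choose your own external ID.
"""
import json
from typing import Dict, List, Optional

LEEN_ACCOUNT_ID = "111111111111"                     # placeholder, NOT Leen's real account ID
EXTERNAL_ID = "replace-with-your-own-external-id"    # placeholder

# Managed policy named on this page; it is what Step 2 attaches to the role.
READ_ONLY_POLICY_ARN = "arn:aws:iam::aws:policy/AWSSecurityHubReadOnlyAccess"


def build_trust_policy(trusted_account_id: str, external_id: Optional[str] = None) -> Dict:
    """Trust policy equivalent to 'AWS account' -> 'Another AWS account' in the
    Create Role wizard, plus the 'Require External ID' condition when given."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def principal_account(principal: str) -> Optional[str]:
    """Account ID behind an AWS principal: a bare 12-digit ID or an IAM ARN."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] == "iam":
        return parts[4]
    return None


def check_trust_policy(policy: Dict, expected_account_id: str,
                       require_external_id: bool = True) -> List[str]:
    """Review a trust policy; returns a list of findings, empty when it is OK.

    Every Allow statement must grant only sts:AssumeRole, name only the expected
    account (no '*' and no other account) and, when required, carry the
    sts:ExternalId StringEquals condition from Step 1.
    """
    findings: List[str] = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        extra = set(actions) - {"sts:AssumeRole"}
        if extra:
            findings.append(f"statement {i}: allows actions beyond sts:AssumeRole: {sorted(extra)}")
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        for p in aws:
            if p == "*" or principal_account(p) != expected_account_id:
                findings.append(f"statement {i}: principal {p!r} is not account {expected_account_id}")
        condition = st.get("Condition", {}).get("StringEquals", {})
        if require_external_id and "sts:ExternalId" not in condition:
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(LEEN_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", check_trust_policy(policy, LEEN_ACCOUNT_ID))
```

Run the checker against the trust policy shown on the role details page (paste it as JSON) with the account ID the Leen team gave you; a non-empty list means the role can be assumed by more than the intended Leen principal or without the external ID and should be corrected before the ARN is entered in Leen.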

Role Chaining

Role Chaining is a method that allows one AWS role to assume another role, across different AWS accounts. In this setup, Leen will assume a role in your AWS account, which in turn has permissions to assume roles in your end-users’ accounts. This creates a chain of trust, granting Leen secure access to your end-user’s SecurityHub.

This method will require you to create a common role in your account with permissions to assume roles in your end-user’s account. If you already have a similar role set up in your AWS account that allows you to assume roles in your end-user’s account, you can update its trust relationship to allow Leen to assume that role.

Leen Role Chaining requires a one-time, account-level setup. This is to allow Leen to set up a role and trust relationship in your account. Please reach out to the Leen team to help you set up this role.

After Role Chaining is set up at the account level, different organizations within your account can create connections by providing the following:

  1. AWS Role ARN: The Amazon Resource Name (ARN) of the IAM role of the end-user which grants access to the common role in your account.
  2. External ID (Optional): Unique identifier between the end-user and the common role in your account.
  3. AWS Region (Optional): The AWS region to pull SecurityHub data from.
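The chain of trust described above is two successive sts:AssumeRole calls, each made with the temporary credentials returned by the previous one. The Python below is an added example, not Leen's code: assume_role_chain walks the hops generically, boto3_sts_factory shows the real wiring, and FakeSts is a constructed offline stand-in that enforces the two rules the trust policies express (a role is only assumable by the caller its trust policy names, and a role requiring an External ID rejects a missing or mismatched one). The ARNs and external ID are placeholders.

```python
"""Two-hop AssumeRole chain matching the Role Chaining description above.

Added example, not Leen's code. COMMON_ROLE_ARN, END_USER_ROLE_ARN,
END_USER_EXTERNAL_ID and FakeSts are constructed so the demo runs offline;
boto3_sts_factory is the real wiring for the same chain.
"""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

COMMON_ROLE_ARN = "arn:aws:iam::222222222222:role/LeenCommonRole"          # placeholder: role in your account
END_USER_ROLE_ARN = "arn:aws:iam::333333333333:role/SecurityHubReadOnly"   # placeholder: role in end-user account
END_USER_EXTERNAL_ID = "end-user-external-id-placeholder"                   # placeholder

Credentials = Dict[str, object]


def assume_role_chain(sts_factory: Callable[[Optional[Credentials]], object],
                      hops: List[Tuple[str, Optional[str]]],
                      session_name: str = "leen-securityhub") -> Credentials:
    """Assume each role in turn, using the previous hop's temporary credentials.

    sts_factory(creds) returns an object with assume_role(**kwargs) like boto3's
    STS client; creds is None for the first hop. The final credentials belong to
    the last role, i.e. the end-user's read-only SecurityHub role.
    """
    creds: Optional[Credentials] = None
    for role_arn, external_id in hops:
        kwargs = {"RoleArn": role_arn, "RoleSessionName": session_name}
        if external_id:
            kwargs["ExternalId"] = external_id
        creds = sts_factory(creds).assume_role(**kwargs)["Credentials"]
    return creds


def boto3_sts_factory(creds: Optional[Credentials]):
    """Real factory: default credential chain for hop 1, previous hop's creds afterwards."""
    import boto3  # imported lazily so the offline demo runs without boto3 installed
    if creds is None:
        return boto3.client("sts")
    return boto3.client("sts", aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


# --- constructed offline stand-in for STS ------------------------------------
_FAKE_SESSIONS: Dict[str, str] = {}   # fake AccessKeyId -> role ARN the session represents


class FakeSts:
    """Enforces what the trust policies on this page express: a role is only
    assumable by the caller its trust policy names, and a role that requires an
    External ID rejects calls that omit or mismatch it."""
    TRUST = {   # constructed: role -> (caller allowed to assume it, required ExternalId)
        COMMON_ROLE_ARN: (None, None),                        # hop 1: Leen's identity (None in this toy)
        END_USER_ROLE_ARN: (COMMON_ROLE_ARN, END_USER_EXTERNAL_ID),
    }

    def __init__(self, caller_role_arn: Optional[str]):
        self.caller = caller_role_arn

    def assume_role(self, RoleArn: str, RoleSessionName: str, ExternalId: Optional[str] = None, **_):
        trusted_caller, required_ext = self.TRUST[RoleArn]
        if trusted_caller != self.caller:
            raise PermissionError(f"{self.caller!r} is not trusted to assume {RoleArn}")
        if required_ext and ExternalId != required_ext:
            raise PermissionError(f"ExternalId mismatch for {RoleArn}")
        key = f"ASIAFAKE{len(_FAKE_SESSIONS):04d}"
        _FAKE_SESSIONS[key] = RoleArn
        return {"Credentials": {"AccessKeyId": key, "SecretAccessKey": "fake", "SessionToken": "fake",
                                "Expiration": datetime.now(timezone.utc) + timedelta(hours=1)},
                "AssumedRoleUser": {"Arn": RoleArn}}


def fake_sts_factory(creds: Optional[Credentials]) -> FakeSts:
    return FakeSts(_FAKE_SESSIONS[creds["AccessKeyId"]] if creds else None)


def demo_chain() -> str:
    """Full chain; returns the ARN of the role the final credentials belong to."""
    creds = assume_role_chain(fake_sts_factory,
                              [(COMMON_ROLE_ARN, None), (END_USER_ROLE_ARN, END_USER_EXTERNAL_ID)])
    return _FAKE_SESSIONS[creds["AccessKeyId"]]


def demo_failures() -> Dict[str, str]:
    """The two misuses the trust setup blocks: skipping the common role, wrong External ID."""
    failures: Dict[str, str] = {}
    for label, hops in [("skipped_common_role", [(END_USER_ROLE_ARN, END_USER_EXTERNAL_ID)]),
                        ("wrong_external_id", [(COMMON_ROLE_ARN, None), (END_USER_ROLE_ARN, "wrong-id")])]:
        try:
            assume_role_chain(fake_sts_factory, hops)
        except PermissionError as exc:
            failures[label] = str(exc)
    return failures


if __name__ == "__main__":
    print("final session role:", demo_chain())
    for label, why in demo_failures().items():
        print(f"{label}: {why}")
```

With boto3_sts_factory in place of fake_sts_factory, the returned credentials are what a `boto3.client("securityhub", region_name=...)` call would use for the optional AWS Region above. One caveat worth planning for: AWS limits a role-chained session to a maximum of one hour regardless of the role's configured maximum session duration, so long-running pulls have to re-run the chain rather than request a longer session.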