sraverify 0.1.0__py3-none-any.whl

sraverify/services/securityhub/checks/sra_securityhub_02.py

@@ -0,0 +1,114 @@
+"""
+SRA-SECURITYHUB-02: Security Hub check.
+"""
+from typing import List, Dict, Any
+from sraverify.services.securityhub.base import SecurityHubCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYHUB_02(SecurityHubCheck):
+    """Check if Security Hub is configured to auto-enable new security controls."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-SECURITYHUB-02"
+        self.check_name = "Security Hub auto-enable new standards is enabled"
+        self.account_type = "audit"  # This check is for the audit account
+        self.severity = "MEDIUM"
+        self.description = (
+            "This check verifies whether Security Hub is configured to auto-enable new security standards "
+            "as they are added to existing standards. This will ensure that as existing standards are updated "
+            "with new controls, the AWS account gets evaluated on those new controls."
+        )
+        self.check_logic = (
+            "Check evaluates if Security Hub describe organization configuration has AutoEnableStandards set to true."
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        # Check each region separately
+        for region in self.regions:
+            # Get organization configuration for this region
+            org_config = self.get_organization_configuration(region)
+            
+            # Check if Security Hub organization configuration is available
+            if not org_config:
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"securityhub:configuration/{self.account_id}",
+                        checked_value="Security Hub organization configuration available",
+                        actual_value=f"Unable to retrieve Security Hub organization configuration in region {region}",
+                        remediation="Ensure Security Hub is enabled and this account has organization admin permissions"
+                    )
+                )
+                continue
+            
+            # Check if using central configuration
+            org_configuration = org_config.get('OrganizationConfiguration', {})
+            config_type = org_configuration.get('ConfigurationType')
+            
+            resource_id = f"securityhub:configuration/{self.account_id}"
+            
+            if config_type == 'CENTRAL':
+                # In central configuration, AutoEnableStandards is always NONE
+                # This is expected behavior, so it should PASS with appropriate messaging
+                findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value="Central configuration enabled for auto-enable standards management",
+                        actual_value=f"Security Hub uses central configuration [ConfigurationType: CENTRAL] in region {region}",
+                        remediation="No remediation needed - central configuration manages standards automatically through configuration policies"
+                    )
+                )
+            else:
+                # For local configuration, check AutoEnable and AutoEnableStandards
+                auto_enable = org_config.get('AutoEnable', False)
+                auto_enable_standards = org_config.get('AutoEnableStandards', 'NONE')
+                
+                # AutoEnableStandards can be "NONE", "DEFAULT", or "NEW_CONTROLS"
+                # Both "DEFAULT" and "NEW_CONTROLS" indicate auto-enable is working
+                # "DEFAULT" means new controls in existing standards are auto-enabled
+                # "NEW_CONTROLS" means new controls are auto-enabled (newer API version)
+                auto_enable_new_controls = auto_enable_standards in ['DEFAULT', 'NEW_CONTROLS']
+                
+                if not auto_enable or not auto_enable_new_controls:
+                    findings.append(
+                        self.create_finding(
+                            status="FAIL",
+                            region=region,
+                            resource_id=resource_id,
+                            checked_value="AutoEnable: true, AutoEnableStandards: DEFAULT or NEW_CONTROLS",
+                            actual_value=f"Security Hub auto-enable configuration [AutoEnable: {auto_enable}, AutoEnableStandards: {auto_enable_standards}] in region {region}",
+                            remediation=(
+                                "Enable auto-enable new controls in Security Hub. In the Security Hub console, "
+                                "navigate to Settings > General > Configuration > Auto-enable new controls, and enable this setting. "
+                                "Alternatively, use the AWS CLI command: "
+                                f"aws securityhub update-organization-configuration --auto-enable --auto-enable-standards DEFAULT --region {region}"
+                            )
+                        )
+                    )
+                else:
+                    findings.append(
+                        self.create_finding(
+                            status="PASS",
+                            region=region,
+                            resource_id=resource_id,
+                            checked_value="AutoEnable: true, AutoEnableStandards: DEFAULT or NEW_CONTROLS",
+                            actual_value=f"Security Hub auto-enable is properly configured [AutoEnable: {auto_enable}, AutoEnableStandards: {auto_enable_standards}] in region {region}",
+                            remediation="No remediation needed"
+                        )
+                    )
+        
+        return findings

sraverify/services/securityhub/checks/sra_securityhub_03.py

@@ -0,0 +1,136 @@
+"""
+SRA-SECURITYHUB-03: Security Hub check.
+"""
+from typing import List, Dict, Any
+from sraverify.services.securityhub.base import SecurityHubCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYHUB_03(SecurityHubCheck):
+    """Check if Security Hub administration for the account matches delegated administrator."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-SECURITYHUB-03"
+        self.check_name = "Security Hub administration for the account matches delegated administrator"
+        self.account_type = "management"  # This check is for the management account
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether Security Hub service administration for the AWS account is set to "
+            "AWS Organization delegated admin account for Security Hub."
+        )
+        self.check_logic = (
+            "Check evaluates securityhub list-organization-admin-accounts and organizations list-delegated-administrators "
+            "--service-principal securityhub.amazonaws.com. Check PASS if AccountID and ID returned are the same."
+        )
+        self._audit_accounts = []  # Will be populated from command line args
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        # We only need to check one region for this
+        region = self.regions[0]
+        
+        # Get delegated administrators for Security Hub
+        delegated_admins = self.get_delegated_administrators(region)
+        
+        # Get organization admin accounts
+        org_admin_accounts = self.get_organization_admin_accounts(region)
+        
+        resource_id = f"delegated-admin/{self.account_id}"
+        
+        # Check if there are any delegated administrators
+        if not delegated_admins:
+            # Format the actual value properly
+            actual_value = 'aws organizations list-delegated-administrators --service-principal securityhub.amazonaws.com - No delegated administrators found'
+            
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",
+                    resource_id=resource_id,
+                    checked_value="Security Hub delegated administrator matches organization admin account",
+                    actual_value=actual_value,
+                    remediation=(
+                        "Register a delegated administrator for Security Hub. In the AWS Console, navigate to "
+                        "Organizations, go to Services, find Security Hub, and register a delegated administrator. "
+                        "Alternatively, use the AWS CLI command: "
+                        "aws organizations register-delegated-administrator --account-id [AUDIT_ACCOUNT_ID] "
+                        "--service-principal securityhub.amazonaws.com"
+                    )
+                )
+            )
+            return findings
+        
+        # Check if there are any organization admin accounts
+        if not org_admin_accounts:
+            # Format the actual value properly
+            actual_value = 'aws securityhub list-organization-admin-accounts - No Security Hub admin account found'
+            
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",
+                    resource_id=resource_id,
+                    checked_value="Security Hub delegated administrator matches organization admin account",
+                    actual_value=actual_value,
+                    remediation=(
+                        "Enable a Security Hub administrator account. In the AWS Console, navigate to Security Hub "
+                        "in the management account, go to Settings > General, and set the administrator account. "
+                        "Alternatively, use the AWS CLI command: "
+                        "aws securityhub enable-organization-admin-account --admin-account-id [ADMIN_ID]"
+                    )
+                )
+            )
+            return findings
+        
+        # Get the delegated admin ID and organization admin ID
+        delegated_admin_id = delegated_admins[0].get('Id') if delegated_admins else None
+        org_admin_id = org_admin_accounts[0].get('AccountId') if org_admin_accounts else None
+        
+        # Format the actual values properly
+        delegated_admin_value = f'aws organizations list-delegated-administrators --service-principal securityhub.amazonaws.com - "DelegatedAdministrators": "Id": "{delegated_admin_id}"'
+        org_admin_value = f'aws securityhub list-organization-admin-accounts - "AdminAccounts": "AccountId": "{org_admin_id}"'
+        
+        # Check if they match
+        if delegated_admin_id and org_admin_id and delegated_admin_id == org_admin_id:
+            findings.append(
+                self.create_finding(
+                    status="PASS",
+                    region="global",
+                    resource_id=resource_id,
+                    checked_value="Security Hub delegated administrator matches organization admin account",
+                    actual_value=f"{delegated_admin_value} matches {org_admin_value}",
+                    remediation="No remediation needed"
+                )
+            )
+        else:
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",
+                    resource_id=resource_id,
+                    checked_value="Security Hub delegated administrator matches organization admin account",
+                    actual_value=f"{delegated_admin_value} does not match {org_admin_value}",
+                    remediation=(
+                        "Update the Security Hub delegated administrator and organization admin account to match. "
+                        "First, deregister the current delegated administrator using: "
+                        f"aws organizations deregister-delegated-administrator --account-id {delegated_admin_id} "
+                        "--service-principal securityhub.amazonaws.com\n"
+                        "Then, register the correct account as the delegated administrator using: "
+                        "aws organizations register-delegated-administrator --account-id [CORRECT_ACCOUNT_ID] "
+                        "--service-principal securityhub.amazonaws.com\n"
+                        "Finally, enable the same account as the Security Hub administrator using: "
+                        "aws securityhub enable-organization-admin-account --admin-account-id [CORRECT_ACCOUNT_ID]"
+                    )
+                )
+            )
+        
+        return findings

sraverify/services/securityhub/checks/sra_securityhub_04.py

@@ -0,0 +1,75 @@
+"""
+SRA-SECURITYHUB-04: Security Hub check.
+"""
+from typing import List, Dict, Any
+from sraverify.services.securityhub.base import SecurityHubCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYHUB_04(SecurityHubCheck):
+    """Check if Security Hub central configuration is enabled."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-SECURITYHUB-04"
+        self.check_name = "Security Hub central configuration is enabled"
+        self.account_type = "audit"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether Security Hub is configured for central configuration. "
+            "Central configuration allows the delegated administrator to manage Security Hub, "
+            "standards, and controls across all organization accounts from a single location."
+        )
+        self.check_logic = (
+            "Check evaluates if Security Hub organization configuration has ConfigurationType "
+            "set to CENTRAL and Status set to ENABLED in the delegated administrator account in all regions."
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        for region in self.regions:
+            org_config = self.get_organization_configuration(region)
+            
+            org_configuration = org_config.get('OrganizationConfiguration', {})
+            config_type = org_configuration.get('ConfigurationType')
+            status = org_configuration.get('Status')
+            
+            resource_id = f"securityhub:hub/{self.account_id}"
+            
+            if config_type != 'CENTRAL' or status != 'ENABLED':
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value="OrganizationConfiguration Configuration Type is Central and Status Enabled",
+                        actual_value=f"Security Hub delegated admin {self.account_id} is not setup properly to view findings for associated member accounts via ConfigurationType:{config_type} and Status:{status} in region {region}",
+                        remediation=(
+                            "Configure Security Hub with central configuration. In the Security Hub delegated admin account, "
+                            "navigate to Settings > General > Configuration and select 'Centrally manage Security Hub across all accounts in your organization'. "
+                            "Alternatively, use the AWS CLI command: "
+                            f"aws securityhub update-organization-configuration --organization-configuration ConfigurationType=CENTRAL --region {region}"
+                        )
+                    )
+                )
+            else:
+                findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value="OrganizationConfiguration Configuration Type is Central and Status Enabled",
+                        actual_value=f"Security Hub delegated admin {self.account_id} is setup properly to view findings for associated member accounts via ConfigurationType:{config_type} and Status:{status} in region {region}",
+                        remediation="No remediation needed"
+                    )
+                )
+        
+        return findings

sraverify/services/securityhub/checks/sra_securityhub_05.py

@@ -0,0 +1,102 @@
+"""
+SRA-SECURITYHUB-05: Security Hub check.
+"""
+from typing import List, Dict, Any
+from sraverify.services.securityhub.base import SecurityHubCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYHUB_05(SecurityHubCheck):
+    """Check if Security Hub has integrations with findings generating products."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-SECURITYHUB-05"
+        self.check_name = "Security Hub integration with findings generating products"
+        self.account_type = "audit"  # This check is for the audit account
+        self.severity = "MEDIUM"
+        self.description = (
+            "This check verifies whether Security Hub has expected integration with AWS services "
+            "and third party products to ingest security findings."
+        )
+        self.check_logic = (
+            "Check looks in audit account to evaluate see what types of findings are being ingested. "
+            "PASS if there are any products listed."
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        # Check each region separately
+        for region in self.regions:
+            # Get enabled products for import in this specific region
+            enabled_products = self.get_enabled_products_for_import(region)
+            
+            resource_id = f"securityhub:integrations/{self.account_id}"
+            
+            # Check if Security Hub is not enabled (None response)
+            if enabled_products is None:
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value="Security Hub enabled with product integrations",
+                        actual_value=f"Security Hub is not enabled in region {region}",
+                        remediation=(
+                            f"Enable Security Hub in region {region} first. "
+                            "Use the AWS CLI command: "
+                            f"aws securityhub enable-security-hub --region {region}, "
+                            "then configure product integrations."
+                        )
+                    )
+                )
+            elif not enabled_products:
+                # Security Hub is enabled but no products configured
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value="List of products that are enabled in Security Hub",
+                        actual_value=f"Security Hub has no enabled security integrations in region {region}",
+                        remediation=(
+                            "Enable integrations with security findings generating products. In the Security Hub console, "
+                            "navigate to Integrations and enable relevant AWS services like GuardDuty, Inspector, Macie, etc. "
+                            "Alternatively, use the AWS CLI command: "
+                            f"aws securityhub enable-import-findings-for-product --product-arn [PRODUCT_ARN] --region {region}"
+                        )
+                    )
+                )
+            else:
+                # Security Hub is enabled with products
+                product_names = []
+                for product_arn in enabled_products:
+                    # Extract the product name from the ARN
+                    if '/product-subscription/' in product_arn:
+                        product_name = product_arn.split('/product-subscription/')[1]
+                        product_names.append(product_name)
+                    else:
+                        product_names.append(product_arn)
+                
+                products_list = ', '.join(product_names) if product_names else "None"
+                
+                findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value="List of products that are enabled in Security Hub",
+                        actual_value=f"Security Hub has enabled security integrations in region {region}: {products_list}",
+                        remediation="No remediation needed"
+                    )
+                )
+        
+        return findings

sraverify/services/securityhub/checks/sra_securityhub_06.py

@@ -0,0 +1,113 @@
+"""
+SRA-SECURITYHUB-06: Security Hub check.
+"""
+from typing import List, Dict, Any
+from sraverify.services.securityhub.base import SecurityHubCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYHUB_06(SecurityHubCheck):
+    """Check if Security Hub administration for the AWS Organization has a delegated administrator."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-SECURITYHUB-06"
+        self.check_name = "Security Hub administration for the AWS Organization has a delegated administrator"
+        self.account_type = "management"  # This check is for the management account
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether Security Hub service administration for the AWS Organization "
+            "is set to AWS Organization delegated admin account for Security Hub."
+        )
+        self.check_logic = (
+            "Check evaluates securityhub list-organization-admin-accounts and organizations list-delegated-administrators "
+            "--service-principal securityhub.amazonaws.com. Check PASS if AccountID and ID returned are the same."
+        )
+        self.resource_type = "AWS::Organizations::Account"
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        # This check only needs to run in one region since it's an organization-wide setting
+        region = self.regions[0] if self.regions else "us-east-1"
+        
+        # Get organization admin accounts
+        admin_accounts = self.get_organization_admin_accounts(region)
+        
+        # Get delegated administrators
+        delegated_admins = self.get_delegated_administrators(region)
+        
+        # Check if there's a match between Security Hub admin and Organizations delegated admin
+        sh_admin_id = None
+        for admin in admin_accounts:
+            if admin.get('Status') == 'ENABLED':
+                sh_admin_id = admin.get('AccountId')
+                break
+        
+        org_admin_id = None
+        for admin in delegated_admins:
+            org_admin_id = admin.get('Id')
+            break
+        
+        resource_id = f"delegated-admin/{self.account_id}"
+        
+        if not sh_admin_id or not org_admin_id:
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=resource_id,
+                    checked_value=(
+                        "aws organizations list-delegated-administrators --service-principal securityhub.amazonaws.com - "
+                        "\"DelegatedAdministrators\": \"Id\": \"[ADMIN_ID]\""
+                        "aws securityhub list-organization-admin-accounts - \"AdminAccounts\": \"AccountId\": \"[ADMIN_ID]\""
+                    ),
+                    actual_value=f"No Security Hub admin account or Organizations delegated admin found",
+                    remediation=(
+                        "Configure a Security Hub delegated administrator account. In the management account, "
+                        "use the AWS CLI command: "
+                        f"aws securityhub enable-organization-admin-account --admin-account-id [AUDIT_ACCOUNT_ID] --region {region}"
+                    )
+                )
+            )
+        elif sh_admin_id != org_admin_id:
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=resource_id,
+                    checked_value=(
+                        "aws organizations list-delegated-administrators --service-principal securityhub.amazonaws.com - "
+                        "\"DelegatedAdministrators\": \"Id\": \"[ADMIN_ID]\""
+                        "aws securityhub list-organization-admin-accounts - \"AdminAccounts\": \"AccountId\": \"[ADMIN_ID]\""
+                    ),
+                    actual_value=f"Organizations delegated admin for securityhub {org_admin_id} is different than the Security Hub Admin account {sh_admin_id}",
+                    remediation=(
+                        "Ensure the same account is used as both the Security Hub admin and the Organizations delegated admin. "
+                        "First, remove the current delegated admin using: "
+                        f"aws organizations deregister-delegated-administrator --account-id {org_admin_id} --service-principal securityhub.amazonaws.com"
+                        "Then, set the Security Hub admin account as the delegated admin: "
+                        f"aws organizations register-delegated-administrator --account-id {sh_admin_id} --service-principal securityhub.amazonaws.com"
+                    )
+                )
+            )
+        else:
+            findings.append(
+                self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id=resource_id,
+                    checked_value="Security Hub delegated administrator matches organization admin account",
+                    actual_value=f"Delegated admin account {org_admin_id} matches Security Hub admin account {sh_admin_id}",
+                    remediation="No remediation needed"
+                )
+            )
+        
+        return findings

sraverify/services/securityhub/checks/sra_securityhub_07.py

@@ -0,0 +1,121 @@
+"""
+SRA-SECURITYHUB-07: Security Hub check.
+"""
+from typing import List, Dict, Any
+from sraverify.services.securityhub.base import SecurityHubCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYHUB_07(SecurityHubCheck):
+    """Check if Security Hub delegated admin account is the audit account."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-SECURITYHUB-07"
+        self.check_name = "Security Hub delegated admin account is the audit account"
+        self.account_type = "management"  # This check is for the management account
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether Security Hub delegated admin account is the audit account of your AWS organization. "
+            "Audit account is dedicated to operating security services, monitoring AWS accounts, and automating security alerting and response. "
+            "AWS Security Hub provides a comprehensive view of the security state in AWS and helps assess AWS environment against "
+            "security industry standards and best practices."
+        )
+        self.check_logic = (
+            "Check evaluates value from organizations list-delegated-administrators --service-principal securityhub.amazonaws.com "
+            "to ensure DelegatedAdministrators ID matches audit account ID passed via flag."
+        )
+        self._audit_accounts = []  # Will be populated from command line args
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        # Check each region separately
+        for region in self.regions:
+            # Get delegated administrators for Security Hub
+            delegated_admins = self.get_delegated_administrators(region)
+            
+            resource_id = f"delegated-admin/{self.account_id}"
+            
+            # If no audit accounts are provided, we can't perform the check
+            if not self._audit_accounts:
+                findings.append(
+                    self.create_finding(
+                        status="ERROR",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value="Delegated administrator is audit account",
+                        actual_value="No audit account ID provided for comparison",
+                        remediation="Provide an audit account ID using the --audit-account flag"
+                    )
+                )
+                continue
+            
+            # Use the first audit account in the list
+            audit_account_id = self._audit_accounts[0]
+            
+            # Check if there are any delegated administrators
+            if not delegated_admins:
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value=f"Delegated administrator is audit account {audit_account_id}",
+                        actual_value=f"No Security Hub delegated administrator found in region {region}",
+                        remediation=(
+                            f"Register the audit account {audit_account_id} as the Security Hub delegated administrator. "
+                            f"In the AWS Console, navigate to Security Hub in the management account, go to Settings > General, "
+                            f"and set the delegated administrator. Alternatively, use the AWS CLI command: "
+                            f"aws organizations register-delegated-administrator --account-id {audit_account_id} "
+                            f"--service-principal securityhub.amazonaws.com --region {region}"
+                        )
+                    )
+                )
+                continue
+            
+            # Check if the delegated administrator is the audit account
+            delegated_admin_id = None
+            for admin in delegated_admins:
+                delegated_admin_id = admin.get('Id')
+                if delegated_admin_id == audit_account_id:
+                    findings.append(
+                        self.create_finding(
+                            status="PASS",
+                            region=region,
+                            resource_id=resource_id,
+                            checked_value=f"Delegated administrator is audit account {audit_account_id}",
+                            actual_value=f"Security Hub delegated administrator is the audit account {audit_account_id}",
+                            remediation="No remediation needed"
+                        )
+                    )
+                    break
+            else:
+                # If we didn't break out of the loop, the delegated admin is not the audit account
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value=f"Delegated administrator is audit account {audit_account_id}",
+                        actual_value=f"Security Hub delegated administrator {delegated_admin_id} is not the audit account {audit_account_id}",
+                        remediation=(
+                            f"Update the Security Hub delegated administrator to be the audit account {audit_account_id}. "
+                            f"First, deregister the current delegated administrator using: "
+                            f"aws organizations deregister-delegated-administrator --account-id {delegated_admin_id} "
+                            f"--service-principal securityhub.amazonaws.com --region {region}\n"
+                            f"Then, register the audit account as the delegated administrator using: "
+                            f"aws organizations register-delegated-administrator --account-id {audit_account_id} "
+                            f"--service-principal securityhub.amazonaws.com --region {region}"
+                        )
+                    )
+                )
+        
+        return findings