AWS Security Hub


Security Hub is an AWS service that aggregates security alerts and findings across your AWS accounts. cloudtamer.io supports both sending findings to and receiving findings from AWS Security Hub: in cloudtamer.io you create compliance checks from native Cloud Custodian policies, and those policies interact with Security Hub in each of your AWS accounts.

There are a few ways to integrate cloudtamer.io with Security Hub:

  • Post and update findings on any resource type to Security Hub (action: post-finding).
  • Query with filtering of resources based on findings (filter: finding).
  • Create a lambda (lambda execution mode) that triggers on ingestion of Security Hub findings (mode: hub-finding).
  • Create a lambda (lambda execution mode) that can be triggered manually by a Custom Action that it creates in the Security Hub UI. These Custom Actions work with both findings and insights (mode: hub-action).

Follow the "Initial Setup" and "Implementation" steps below to implement any of these methods. Use the policy text from the method that best fits your needs.


Initial Setup

To post findings, you will need to enable AWS Security Hub and two Security Hub integrations (called cloudtamer.io/cloudtamer.io and Cloud Custodian/Cloud Custodian) in each of your AWS accounts in the regions you want to use. If you previously used only the Cloud Custodian/Cloud Custodian integration, you will now need to enable the cloudtamer.io/cloudtamer.io option when using cloudtamer.io v2.2X or higher.


Implementation

To implement any of the methods below, perform the following actions in cloudtamer.io:

  1. Copy the policy text from the method below that best fits your needs. Paste it into the Compliance Check Policy field when adding a new compliance check in cloudtamer.io.
  2. Attach the compliance check by adding it to a compliance standard.
  3. Attach the compliance standard by adding it to a cloud rule.
  4. Attach the cloud rule to a project or an OU by managing the cloud rules on a project or on an OU.

The policy then runs on cloudtamer.io's compliance-check schedule; what each method does when it runs is described below.


Method: post-finding

This policy posts a finding to AWS Security Hub for each account that fails the shield-enabled check and, through the webhook action, reports the same accounts back to cloudtamer.io. Subsequent runs update the finding rather than posting a duplicate.

Here is the policy that can be added as a compliance check in cloudtamer.io:

---
policies:
  - name: account-shield-enabled
    resource: account
    filters:
      - shield-enabled
    actions:
      - type: post-finding
        description: |
          Shield Advanced should be enabled on the account for DDoS protection (3,000 USD per month with a one-year commitment).
        severity_normalized: 6
        types:
          - "Software and Configuration Checks/Industry and Regulatory Standards/NIST CSF Controls (USA)"
        recommendation: "Enable shield"
        recommendation_url: "https://www.example.com/policies/AntiDDoS.html"
        confidence: 100
        compliance_status: FAILED
      - type: webhook
        url: '{{CT::CallbackURL}}'
        method: POST
        batch: true
        headers:
          Authorization: '`{{CT::Authorization}}`'
        body: |-
          {
              "compliance_check_id": `{{CT::CheckId}}`,
              "account_number": account_id,
              "region": region,
              "scan_started_at": execution_start,
              "findings": resources[].{resource_name: account_id, resource_type: `account`}
          }
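The post-finding action above is declarative, so it is easy to lose sight of what actually reaches Security Hub. The following is an added example, not cloudtamer.io or Cloud Custodian code: it assembles the AWS Security Finding Format (ASFF) record that the action's parameters correspond to, validates it against the fields Security Hub requires, and assembles the body that the companion webhook action's JMESPath expression evaluates to. The finding Id scheme, the Title, the AwsAccount resource encoding and the partner product ARN layout (`product/cloud-custodian/cloud-custodian` with an empty account field) are this example's own assumptions, not documented behaviour of either product.

```python
"""Added example (not cloudtamer.io or Cloud Custodian code): build and validate the
ASFF record behind the post-finding action, and the webhook callback body."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Fields ASFF marks as required; Security Hub rejects a finding that lacks any of them.
ASFF_REQUIRED = (
    "SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId", "Types",
    "CreatedAt", "UpdatedAt", "Severity", "Title", "Description", "Resources",
)

# The post-finding parameters from the policy above (description abbreviated).
POST_FINDING = {
    "description": "Shield Advanced should be enabled on the account for DDoS protection.",
    "severity_normalized": 6,
    "types": ["Software and Configuration Checks/Industry and Regulatory Standards/NIST CSF Controls (USA)"],
    "recommendation": "Enable shield",
    "recommendation_url": "https://www.example.com/policies/AntiDDoS.html",
    "confidence": 100,
    "compliance_status": "FAILED",
}


def build_finding(policy_name: str, action: dict, resource: dict,
                  now: Optional[datetime] = None) -> dict:
    """Map one matched account resource to an ASFF finding dict."""
    now = now or datetime.now(timezone.utc)
    ts = now.strftime("%Y-%m-%dT%H:%M:%S.%fZ")  # ASFF wants ISO 8601 with a Z suffix
    account_id, region = resource["account_id"], resource["region"]
    # Assumption: a stable Id per (policy, resource) so re-posting updates rather than duplicates.
    finding_id = hashlib.sha256(f"{policy_name}/{account_id}/{region}".encode()).hexdigest()
    return {
        "SchemaVersion": "2018-10-08",
        "Id": finding_id,
        # Assumption: partner-product ARN layout for the Cloud Custodian integration.
        "ProductArn": f"arn:aws:securityhub:{region}::product/cloud-custodian/cloud-custodian",
        "GeneratorId": policy_name,
        "AwsAccountId": account_id,
        "Types": list(action["types"]),
        "CreatedAt": ts,
        "UpdatedAt": ts,
        "Severity": {"Normalized": int(action["severity_normalized"])},
        "Confidence": int(action["confidence"]),
        "Title": policy_name,  # assumption: reuse the policy name as the title
        "Description": action["description"].strip(),
        "Remediation": {"Recommendation": {"Text": action["recommendation"],
                                            "Url": action["recommendation_url"]}},
        "Compliance": {"Status": action["compliance_status"]},
        # Assumption: how an account resource is encoded in Resources.
        "Resources": [{"Type": "AwsAccount", "Id": f"AWS::::Account:{account_id}", "Region": region}],
        "RecordState": "ACTIVE",
    }


def validate_finding(finding: dict) -> list:
    """Return a list of problems; an empty list means the record passes these checks."""
    problems = [f"missing {k}" for k in ASFF_REQUIRED if k not in finding]
    sev = finding.get("Severity", {})
    if "Label" not in sev and not (0 <= sev.get("Normalized", -1) <= 100):
        problems.append("Severity needs Normalized in 0..100 or a Label")
    if not finding.get("Types"):
        problems.append("Types must be non-empty")
    status = finding.get("Compliance", {}).get("Status")
    if status not in (None, "PASSED", "WARNING", "FAILED", "NOT_AVAILABLE"):
        problems.append(f"invalid Compliance.Status {status!r}")
    return problems


def build_callback_body(check_id: int, account_id: str, region: str,
                        execution_start: str, resources: list) -> dict:
    """The structure the webhook action's JMESPath body above evaluates to."""
    return {
        "compliance_check_id": check_id,
        "account_number": account_id,
        "region": region,
        "scan_started_at": execution_start,
        # resources[].{resource_name: account_id, resource_type: `account`}
        "findings": [{"resource_name": r["account_id"], "resource_type": "account"} for r in resources],
    }


if __name__ == "__main__":
    # Constructed sample: one account resource that failed the shield-enabled check.
    sample = {"account_id": "123456789012", "region": "us-east-1"}
    finding = build_finding("account-shield-enabled", POST_FINDING, sample)
    print(json.dumps(finding, indent=2))
    print("problems:", validate_finding(finding))
```

Running `validate_finding` before posting is the check worth keeping: a finding with an out-of-range `Severity.Normalized` or an empty `Types` list is rejected by BatchImportFindings, and a policy that silently fails to post looks identical to a policy with nothing to report.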


Method: finding

This policy uses the finding filter, which queries AWS Security Hub for findings attached to each resource (here, the account) instead of inspecting the resource itself. Only resources with at least one finding matching the query (active findings, queried in us-east-1) are kept and passed to the action.

Here is the policy that can be added as a compliance check in cloudtamer.io:

---
policies:
  - name: account-get-finding
    resource: account
    filters:
      - type: finding
        query:
          RecordState:
            - Comparison: EQUALS
              Value: ACTIVE
        region: "us-east-1"
    actions:
      - type: webhook
        url: '{{CT::CallbackURL}}'
        method: POST
        batch: true
        headers:
          Authorization: "`{{CT::Authorization}}`"
        body: >
          {
              "compliance_check_id": `{{CT::CheckId}}`,
              "account_number": account_id,
              "region": region,
              "scan_started_at": execution_start,
              "findings": resources[].{resource_name: account_id, resource_type: `account`, data_json: {description: 'This is a test.'}}
          }


Method: hub-finding

This policy sets up a Lambda function that is invoked by an EventBridge rule whenever a new finding is imported into Security Hub. The policy creates the EventBridge rule and the Lambda, but not the Lambda's execution role. The CloudFormation template below creates that role; add it to cloudtamer.io and associate it with the same cloud rule so the role exists in every account where the policy is deployed.

When this policy runs, it will set up a Lambda with an EventBridge rule for detail-type:

  • Security Hub Findings - Imported

Here is the policy that can be added as a compliance check in cloudtamer.io:

---
policies:
  - name: hubfind
    resource: aws.security-group
    mode:
      type: hub-finding
      role: cloudcustodian-lambda-role
    filters:
      - type: finding
        query:
          RecordState:
            - Comparison: EQUALS
              Value: ACTIVE
        region: us-east-1
    actions:
      - type: tag
        key: ComplianceCheck
        value: needs-remove

This is the CloudFormation template you can modify to create the Lambda role. Two caveats before using it as-is: AmazonEC2FullAccess grants far more than the policies on this page call (they need only ec2:DescribeSecurityGroups, ec2:CreateTags and ec2:RevokeSecurityGroupIngress, plus the CloudWatch Logs permissions in AWSLambdaBasicExecutionRole), so scope the role down to those actions in production; and the finding filter used in the hub-finding policy calls securityhub:GetFindings, which neither managed policy grants, so add that permission to the role for that policy to work.

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Creates an IAM role for Cloud Custodian Lambda execution.",
    "Resources": {
        "LambdaRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "cloudcustodian-lambda-role",
                "Path": "/",
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
                    "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
                ],
                "Policies": [],
                "AssumeRolePolicyDocument": {
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": [
                                    "lambda.amazonaws.com"
                                ]
                            },
                            "Action": [
                                "sts:AssumeRole"
                            ]
                        }
                    ]
                }
            }
        }
    }
}
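What the deployed Lambda receives is not shown on this page, and it determines which resources the policy's filters and actions run against. The following is an added example, not Cloud Custodian's own Lambda code: it takes an EventBridge event of the "Security Hub Findings - Imported" detail-type (and the "Security Hub Findings - Custom Action" detail-type used by the hub-action method below, which carries the same `detail.findings` list of ASFF records), applies the same RecordState test as the policy's finding filter, and derives the security-group IDs that would then be described, filtered and tagged. The event payload is constructed for this example; the assumption that a Custom Action's `actionName` equals the policy name is this example's, and the "Security Hub Insight Results" event, which has a different shape, is not handled.

```python
"""Added example (not Cloud Custodian's Lambda code): resolve resource IDs from the
Security Hub EventBridge events that hub-finding and hub-action Lambdas receive."""
import json

SUPPORTED_DETAIL_TYPES = ("Security Hub Findings - Imported",
                          "Security Hub Findings - Custom Action")


def _finding(fid, state, rtype, rid):
    """Build a minimal ASFF record for the constructed sample event."""
    return {"Id": fid, "RecordState": state,
            "Resources": [{"Type": rtype, "Id": rid, "Region": "us-east-1"}]}


# Constructed sample: an active and an archived finding on security groups, plus one on a bucket.
SAMPLE_EVENT = {
    "version": "0",
    "id": "0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b",
    "detail-type": "Security Hub Findings - Imported",
    "source": "aws.securityhub",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {"findings": [
        _finding("f-1", "ACTIVE", "AwsEc2SecurityGroup",
                 "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0123456789abcdef0"),
        _finding("f-2", "ARCHIVED", "AwsEc2SecurityGroup",
                 "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0fedcba9876543210"),
        _finding("f-3", "ACTIVE", "AwsS3Bucket", "arn:aws:s3:::example-bucket"),
    ]},
}

# The same findings delivered through a Custom Action (assumed to be named after the policy).
CUSTOM_ACTION_EVENT = {
    **SAMPLE_EVENT,
    "detail-type": "Security Hub Findings - Custom Action",
    "detail": {"actionName": "sgtag",
               "actionDescription": "Close security groups open to the world",
               "findings": SAMPLE_EVENT["detail"]["findings"]},
}


def _short_id(arn: str) -> str:
    """Security-group ARNs end in '/sg-...'; bucket ARNs end in ':bucket-name'."""
    return arn.rsplit("/", 1)[-1] if "/" in arn else arn.rsplit(":", 1)[-1]


def resource_ids_from_event(event: dict, resource_type: str, record_state: str = "ACTIVE") -> list:
    """Identifiers of resources of `resource_type` whose finding has the given RecordState,
    de-duplicated and in event order. The RecordState test mirrors the policy's finding filter."""
    if event.get("detail-type") not in SUPPORTED_DETAIL_TYPES:
        raise ValueError(f"unsupported detail-type: {event.get('detail-type')!r}")
    seen, ids = set(), []
    for finding in event["detail"].get("findings", []):
        if finding.get("RecordState") != record_state:
            continue
        for res in finding.get("Resources", []):
            if res.get("Type") != resource_type:
                continue
            rid = _short_id(res["Id"])
            if rid not in seen:
                seen.add(rid)
                ids.append(rid)
    return ids


def handler(event: dict, context=None, expected_action=None) -> dict:
    """Lambda-style entry point. For Custom Action events, act only when the action is the
    one this policy registered, so a function reachable from several actions does not
    touch groups it was not asked about. A real deployment would pass the IDs to
    ec2.describe_security_groups and on through the policy's filters and actions."""
    detail = event.get("detail", {})
    if (event.get("detail-type") == "Security Hub Findings - Custom Action"
            and expected_action is not None
            and detail.get("actionName") != expected_action):
        return {"security_groups": [], "skipped": detail.get("actionName")}
    return {"security_groups": resource_ids_from_event(event, "AwsEc2SecurityGroup")}


if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
    print(json.dumps(handler(CUSTOM_ACTION_EVENT, expected_action="sgtag"), indent=2))
```

The archived finding is dropped before any EC2 call is made, which is what keeps a remediation Lambda from re-tagging or re-closing a group whose finding Security Hub has already resolved.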


Method: hub-action 

This policy sets up a Lambda that a user triggers manually from the Security Hub console: the policy registers a Custom Action, which appears in the Actions drop-down on the Findings and Insights pages, and choosing it sends the selected findings or insight results to the Lambda. When this policy runs, it creates the Lambda with an EventBridge rule for the detail-types:

  • Security Hub Findings - Custom Action
  • Security Hub Insight Results

Here is the policy that can be added as a compliance check in cloudtamer.io:

---
policies:
  - name: sgtag
    resource: aws.security-group
    mode:
      type: hub-action
      role: cloudcustodian-lambda-role
    description: |
      Close security groups open to the world
    filters:
      - or:
          - type: ingress
            Cidr:
              value: 0.0.0.0/0
          - type: ingress
            CidrV6:
              value: ::/0
    actions:
      - type: remove-permissions
        ingress: matched
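The `ingress: matched` setting is what makes this policy safe to run against a real group: it revokes only the world-open ranges, not every range sharing the rule. The following is an added example, not Cloud Custodian's filter or action code: it applies the same check the sgtag policy expresses (an ingress rule whose IPv4 range is 0.0.0.0/0 or whose IPv6 range is ::/0) to security-group descriptions in the shape `ec2.describe_security_groups` returns, and builds the `IpPermissions` payload that revoking only the matched ranges would pass to `ec2.revoke_security_group_ingress`. The sample groups are constructed for this example.

```python
"""Added example (not Cloud Custodian code): the open-to-world ingress check and the
matched-only revoke payload behind the sgtag policy."""
from copy import deepcopy
import json

OPEN_V4, OPEN_V6 = "0.0.0.0/0", "::/0"

# Constructed input: one group with port 22 open to the world (v4 and v6) alongside an
# internal range, one group open only to a private CIDR. The first group's egress rule is
# open to the world too, which the ingress filter deliberately ignores.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": OPEN_V4}, {"CidrIp": "10.0.0.0/8"}],
          "Ipv6Ranges": [{"CidrIpv6": OPEN_V6}], "UserIdGroupPairs": [], "PrefixListIds": []},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [],
          "UserIdGroupPairs": [], "PrefixListIds": []},
     ],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": OPEN_V4}], "Ipv6Ranges": [],
          "UserIdGroupPairs": [], "PrefixListIds": []},
     ]},
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "internal",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [],
          "UserIdGroupPairs": [], "PrefixListIds": []},
     ],
     "IpPermissionsEgress": []},
]


def matched_ingress(group: dict) -> list:
    """Ingress permissions of `group` reduced to only their world-open ranges.

    Each entry keeps the protocol and ports of the original rule and just the ranges
    that matched, so passing it to revoke_security_group_ingress removes the open
    ranges while leaving the legitimate ranges that share the rule untouched."""
    matched = []
    for perm in group.get("IpPermissions", []):
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == OPEN_V4]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == OPEN_V6]
        if not v4 and not v6:
            continue
        entry = {"IpProtocol": perm["IpProtocol"]}
        for key in ("FromPort", "ToPort"):  # absent when IpProtocol is "-1" (all traffic)
            if key in perm:
                entry[key] = perm[key]
        if v4:
            entry["IpRanges"] = deepcopy(v4)
        if v6:
            entry["Ipv6Ranges"] = deepcopy(v6)
        matched.append(entry)
    return matched


def open_to_world(groups: list) -> list:
    """The filter half of the policy: groups with at least one matched ingress rule."""
    return [g for g in groups if matched_ingress(g)]


def revoke_requests(groups: list) -> list:
    """The action half (remove-permissions with ingress: matched): one revoke call per group."""
    return [{"GroupId": g["GroupId"], "IpPermissions": matched_ingress(g)}
            for g in open_to_world(groups)]


if __name__ == "__main__":
    print(json.dumps(revoke_requests(SAMPLE_GROUPS), indent=2))
```

Note that the check is an exact match on the CIDR string, as the policy's `Cidr: value: 0.0.0.0/0` is; a rule open to 0.0.0.0/1 and 128.0.0.0/1 would pass it, so treat this filter as a baseline rather than a complete audit of public exposure.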

You will also need the Lambda execution role; the CloudFormation template under the hub-finding method creates it, and the role name there (cloudcustodian-lambda-role) must match the role named in this policy's mode block.


Reference

You can read more about the Security Hub event types here:

The Cloud Custodian documentation is available here:
