Security Hub Alerts using EventBridge, Security Hub Remediations using CloudFormation

Hari Kiran Vusirikala
Sep 7, 2022


Overview:

  1. Set up to automatically get alerts on new findings in Security Hub using EventBridge.
  2. Set up to manually trigger an alert on an available finding to a specific User/Team using EventBridge.
  3. Set up to remediate CIS AWS Foundations Benchmark 1.1, 3.1 to 3.14 using CloudFormation.
  4. Set up to automatically address security threats with predefined response and remediation actions in AWS Security Hub.

1. Set up to automatically get alerts on new findings in Security Hub using EventBridge

Architecture:

Architecture to automatically alert on every new finding in Security Hub using EventBridge Rule

Steps:

  • Go to EventBridge -> Create Rule -> Event Pattern -> fill in AWS Service: Security Hub, Event Type: Security Hub Findings - Imported
  • Click Edit Pattern and paste the following pattern (it narrows the rule to failed, active findings of HIGH or CRITICAL severity whose workflow status is still NEW or NOTIFIED, so suppressed and resolved findings do not alert)
{
  "source": ["aws.securityhub"],
  "detail-type": ["Security Hub Findings - Imported"],
  "detail": {
    "findings": {
      "Compliance": {
        "Status": ["FAILED"]
      },
      "RecordState": ["ACTIVE"],
      "Severity": {
        "Label": ["HIGH", "CRITICAL"]
      },
      "Workflow": {
        "Status": ["NEW", "NOTIFIED"]
      }
    }
  }
}
  • Set the target to an SNS topic
  • Additional settings -> Configure target input -> Input transformer -> Configure input transformer
  • Paste in the Input path (each name maps to a JSONPath into the event; the finding ARN is taken from the top-level resources array, everything else from the first finding in detail.findings)
{
  "resourceARN": "$.detail.findings[0].Resources[0].Id",
  "region": "$.detail.findings[0].Resources[0].Region",
  "account": "$.detail.findings[0].AwsAccountId",
  "findingTime": "$.detail.findings[0].UpdatedAt",
  "finding": "$.detail.findings[0].Types[0]",
  "findingDescription": "$.detail.findings[0].Description",
  "remediationURL": "$.detail.findings[0].Remediation.Recommendation.Url",
  "findingTitle": "$.detail.findings[0].Title",
  "findingId": "$.resources[0]"
}
  • Paste in the Input template (the names from the input path are referenced as <name> placeholders)
"AWS SecurityHub finding on <resourceARN> in <region> for Account: <account> at <findingTime>. The finding is \"<finding>\" and the description of the finding is \"<findingDescription>\". For remediation steps go through <remediationURL>. Finding ID: <findingId>."

2. Set up to manually trigger an alert on an available finding to a specific User/Team using EventBridge

Architecture:

Architecture to send an alert of an available Security Hub finding on a manual trigger with EventBridge Rule

Steps:

  • Go to EventBridge -> Create Rule -> Event Pattern -> fill in AWS Service: Security Hub, Event Type: Security Hub Findings - Custom Action -> select Specific custom action ARN(s) and paste the ARN of the custom action created in Security Hub
  • Set the target to an SNS topic
  • Additional settings -> Configure target input -> Input transformer -> Configure input transformer
  • Paste in the Input path (the same mapping as in section 1, without the finding ID)
{
  "resourceARN": "$.detail.findings[0].Resources[0].Id",
  "region": "$.detail.findings[0].Resources[0].Region",
  "account": "$.detail.findings[0].AwsAccountId",
  "findingTime": "$.detail.findings[0].UpdatedAt",
  "finding": "$.detail.findings[0].Types[0]",
  "findingDescription": "$.detail.findings[0].Description",
  "remediationURL": "$.detail.findings[0].Remediation.Recommendation.Url",
  "findingTitle": "$.detail.findings[0].Title"
}
  • Paste in the Input template
"AWS SecurityHub finding on <resourceARN> in <region> for Account: <account> at <findingTime>. The finding is \"<finding>\" and the description of the finding is \"<findingDescription>\". For remediation steps go through <remediationURL>."
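The rules in sections 1 and 2 can be checked offline before they are created in the console. The following is an added example, not code from the post: it models the event-pattern filter from section 1 and the input transformer shared by both sections, then runs constructed Security Hub events through them. The matcher implements only the EventBridge pattern features these rules use (exact-value lists under nested keys, with each field matched independently across array elements, which is how EventBridge treats `detail.findings`); the custom action ARN, account ID, finding ARN and remediation URL are placeholders.

```python
"""Offline model of the section 1 and section 2 EventBridge rules (added example)."""
import json
import re
from typing import Any, Optional

# --- Rule definitions exactly as pasted into the console above ---------------
IMPORTED_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {
        "Compliance": {"Status": ["FAILED"]},
        "RecordState": ["ACTIVE"],
        "Severity": {"Label": ["HIGH", "CRITICAL"]},
        "Workflow": {"Status": ["NEW", "NOTIFIED"]},
    }},
}
# Placeholder custom action ARN (region, account and action name are assumed).
CUSTOM_ACTION_ARN = "arn:aws:securityhub:us-east-1:111122223333:action/custom/NotifyTeam"
# This is the pattern the console generates for "Specific custom action ARN(s)".
CUSTOM_ACTION_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Custom Action"],
    "resources": [CUSTOM_ACTION_ARN],
}
INPUT_PATH = {
    "resourceARN": "$.detail.findings[0].Resources[0].Id",
    "region": "$.detail.findings[0].Resources[0].Region",
    "account": "$.detail.findings[0].AwsAccountId",
    "findingTime": "$.detail.findings[0].UpdatedAt",
    "finding": "$.detail.findings[0].Types[0]",
    "findingDescription": "$.detail.findings[0].Description",
    "remediationURL": "$.detail.findings[0].Remediation.Recommendation.Url",
    "findingTitle": "$.detail.findings[0].Title",
    "findingId": "$.resources[0]",
}
# The template is pasted as a JSON string literal; decode it to get the message text.
INPUT_TEMPLATE = json.loads(
    r'"AWS SecurityHub finding on <resourceARN> in <region> for Account: <account> at '
    r'<findingTime>. The finding is \"<finding>\" and the description of the finding is '
    r'\"<findingDescription>\". For remediation steps go through <remediationURL>. '
    r'Finding ID: <findingId>."'
)

# --- Pattern matching (subset of EventBridge semantics) ----------------------
def _leaves(node: Any, path: str, out: dict) -> dict:
    """Flatten an event into path -> [values]; arrays contribute values, not path parts."""
    if isinstance(node, dict):
        for k, v in node.items():
            _leaves(v, f"{path}.{k}" if path else k, out)
    elif isinstance(node, list):
        for item in node:
            _leaves(item, path, out)
    else:
        out.setdefault(path, []).append(node)
    return out

def _pattern_leaves(pattern: dict, path: str = "") -> dict:
    """Flatten a pattern into path -> allowed values (a list is a leaf)."""
    out: dict = {}
    for k, v in pattern.items():
        p = f"{path}.{k}" if path else k
        out.update(_pattern_leaves(v, p) if isinstance(v, dict) else {p: v})
    return out

def matches(pattern: dict, event: dict) -> bool:
    """Every pattern field needs at least one event value from its allowed list."""
    values = _leaves(event, "", {})
    return all(any(v in allowed for v in values.get(p, []))
               for p, allowed in _pattern_leaves(pattern).items())

# --- Input transformer -------------------------------------------------------
_STEP = re.compile(r"\.([^.\[\]]+)|\[(\d+)\]")

def resolve(event: dict, jsonpath: str) -> Any:
    """Resolve the dotted/indexed JSONPath subset the input path uses; None if absent."""
    node: Any = event
    try:
        for key, idx in _STEP.findall(jsonpath[1:] if jsonpath.startswith("$") else jsonpath):
            node = node[key] if key else node[int(idx)]
    except (KeyError, IndexError, TypeError):
        return None  # model choice: a missing field (e.g. no remediation URL) renders as empty text
    return node

def render(template: str, paths: dict, event: dict) -> str:
    out = template
    for name, jp in paths.items():
        value = resolve(event, jp)
        out = out.replace(f"<{name}>", "" if value is None else str(value))
    return out

def imported_alert(event: dict) -> Optional[str]:
    """Section 1 rule: the SNS message, or None when the rule would not fire."""
    if not matches(IMPORTED_PATTERN, event):
        return None
    return render(INPUT_TEMPLATE, INPUT_PATH, event)

def custom_action_alert(event: dict) -> Optional[str]:
    """Section 2 rule: fires only for the chosen custom action; template has no Finding ID."""
    if not matches(CUSTOM_ACTION_PATTERN, event):
        return None
    paths = {k: v for k, v in INPUT_PATH.items() if k != "findingId"}
    return render(INPUT_TEMPLATE.replace(" Finding ID: <findingId>.", ""), paths, event)

# --- Constructed sample events (shape mirrors Security Hub, values are made up) -
FINDING_ARN = ("arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:"
               "us-east-1:111122223333:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.1/finding/EXAMPLE-ID")

def sample_event(detail_type: str, severity: str = "HIGH", workflow: str = "NEW",
                 resources: Optional[list] = None) -> dict:
    return {
        "source": "aws.securityhub", "detail-type": detail_type,
        "account": "111122223333", "region": "us-east-1",
        "resources": resources or [FINDING_ARN],
        "detail": {"findings": [{
            "AwsAccountId": "111122223333",
            "Title": "3.1 Ensure a log metric filter and alarm exist for unauthorized API calls",
            "Description": "No metric filter for unauthorized API calls.",
            "Types": ["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],
            "UpdatedAt": "2022-09-07T10:00:00.000Z",
            "Severity": {"Label": severity}, "Compliance": {"Status": "FAILED"},
            "RecordState": "ACTIVE", "Workflow": {"Status": workflow},
            "Remediation": {"Recommendation": {"Url": "https://example.com/remediation/cis-3.1"}},
            "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111122223333", "Region": "us-east-1"}],
        }]},
    }

if __name__ == "__main__":
    print(imported_alert(sample_event("Security Hub Findings - Imported")))
    print(imported_alert(sample_event("Security Hub Findings - Imported", severity="MEDIUM")))
    print(custom_action_alert(sample_event("Security Hub Findings - Custom Action", resources=[CUSTOM_ACTION_ARN])))
```

Running it prints the section 1 message for a HIGH/NEW finding, `None` for the MEDIUM variant (the rule does not fire), and the section 2 message for an event carrying the custom action ARN. The `resolve` fallback is worth noting: findings from some integrated products carry no `Remediation.Recommendation.Url`, so the message template should be read with that placeholder possibly empty.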

3. Set up to remediate CIS AWS Foundations Benchmark 1.1, 3.1 to 3.14 using CloudFormation.

Architecture:

Architecture to remediate CIS AWS Foundations Benchmarks 1.1, 3.1 to 3.14 in Security Hub

Steps:

  • Deploy the following CloudFormation template to remediate CIS AWS Foundations Benchmarks 1.1, 3.1 to 3.14 in Security Hub.
  • Set the parameters: the SNS topic ARN, the name of the CloudWatch Logs log group that CloudTrail writes to, and the metric namespace.
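The author's template is not reproduced in the post. As an added example (not the post's template), the following builds a CloudFormation stack of the same shape in Python: the three parameters named above and, for a subset of the controls, the metric filter plus alarm pair that Security Hub's CIS checks look for. The filter patterns are the CIS AWS Foundations Benchmark v1.2.0 ones for 3.1, 3.2 and 3.3 (3.3 also covers 1.1, root account usage); controls 3.4 to 3.14 follow the same shape with different patterns. Logical resource names and the alarm thresholds are assumptions. The `validate` helper is a local sanity check, not an AWS API.

```python
"""CloudFormation stack shape for the CIS 3.x log metric controls (added example)."""
import json

# Control -> (logical name, CloudTrail metric filter pattern, alarm description).
# Patterns are the CIS v1.2.0 ones; 3.3 also satisfies CIS 1.1; 3.4-3.14 have the same shape.
CIS_LOG_METRIC_CONTROLS = {
    "3.1": ("UnauthorizedAPICalls",
            '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
            "CIS 3.1 unauthorized API calls"),
    "3.2": ("ConsoleSigninWithoutMFA",
            '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
            "CIS 3.2 console sign-in without MFA"),
    "3.3": ("RootAccountUsage",
            '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
            '&& $.eventType != "AwsServiceEvent" }',
            "CIS 3.3 (and 1.1) root account usage"),
}

def build_template(controls: dict = CIS_LOG_METRIC_CONTROLS) -> dict:
    """Return a CloudFormation template (as a dict) with one filter+alarm pair per control."""
    template = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "CIS log metric filters and alarms (added example)",
        "Parameters": {
            "SnsTopicArn": {"Type": "String", "Description": "Topic notified by the alarms"},
            "CloudTrailLogGroupName": {"Type": "String",
                                       "Description": "Log group the multi-region trail writes to"},
            "MetricNamespace": {"Type": "String", "Default": "CISBenchmark"},
        },
        "Resources": {},
    }
    for control, (name, pattern, description) in controls.items():
        # Metric filter on the CloudTrail log group, emitting 1 per matching event.
        template["Resources"][f"{name}Filter"] = {
            "Type": "AWS::Logs::MetricFilter",
            "Properties": {
                "LogGroupName": {"Ref": "CloudTrailLogGroupName"},
                "FilterPattern": pattern,
                "MetricTransformations": [{
                    "MetricName": name,
                    "MetricNamespace": {"Ref": "MetricNamespace"},
                    "MetricValue": "1",
                }],
            },
        }
        # Alarm on that metric: any occurrence in a 5-minute period notifies the SNS topic.
        template["Resources"][f"{name}Alarm"] = {
            "Type": "AWS::CloudWatch::Alarm",
            "Properties": {
                "AlarmName": f"CIS-{control}-{name}",
                "AlarmDescription": description,
                "MetricName": name,
                "Namespace": {"Ref": "MetricNamespace"},
                "Statistic": "Sum",
                "Period": 300,
                "EvaluationPeriods": 1,
                "Threshold": 1,
                "ComparisonOperator": "GreaterThanOrEqualToThreshold",
                "TreatMissingData": "notBreaching",
                "AlarmActions": [{"Ref": "SnsTopicArn"}],
            },
        }
    return template

def validate(template: dict) -> list:
    """Local check: list alarms whose metric has no filter or that have no SNS action."""
    resources = template["Resources"]
    filtered_metrics = {
        t["MetricName"]
        for r in resources.values() if r["Type"] == "AWS::Logs::MetricFilter"
        for t in r["Properties"]["MetricTransformations"]
    }
    problems = []
    for logical, r in resources.items():
        if r["Type"] != "AWS::CloudWatch::Alarm":
            continue
        props = r["Properties"]
        if props["MetricName"] not in filtered_metrics or not props["AlarmActions"]:
            problems.append(logical)
    return problems

if __name__ == "__main__":
    tpl = build_template()
    assert validate(tpl) == []
    print(json.dumps(tpl, indent=2))  # paste or pipe into `aws cloudformation deploy`
```

Two things the stack alone does not guarantee: Security Hub evaluates these controls against the log group of a multi-region CloudTrail trail that records management events, and it expects the SNS topic referenced by the alarms to have at least one subscription. Check both before expecting the findings to flip to PASSED.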

4. Set up to automatically address security threats with predefined response and remediation actions in AWS Security Hub.

Architecture:

Architecture to Set up AWS Security Hub Automated Response and Remediation

Steps:

  1. aws-sharr-deploy.template (download and deploy this CloudFormation template in the Security Hub admin account)
    • Enter parameters: LoadAFSBPAdminStack = yes, LoadCIS120AdminStack = yes, LoadPCI321AdminStack = no, ReuseOrchestratorLogGroup = no
    • What it does: creates a Security Hub custom action and an EventBridge rule for each security threat; the rule triggers a Step Functions state machine.
  2. aws-sharr-member.template (after the above, download and deploy this CloudFormation template in all accounts, including the Security Hub admin account)
    • Enter parameters: CreateS3BucketForRedshiftAuditLogging = no, LoadAFSBPMemberStack = yes, LoadCIS120MemberStack = yes, LoadPCI321MemberStack = no, LogGroupName = the log group name in the respective member account, SecHubAdminAccount = the Security Hub admin account ID (12 digits)
    • What it does: creates SSM documents in the member account that remediate security threats.
  3. aws-sharr-member-roles.template (after the first stack (in the Security Hub admin account) is done, download and deploy this CloudFormation template in all accounts, including the Security Hub admin account)
    • Enter parameter: SecHubAdminAccount = the Security Hub admin account ID (12 digits)
    • What it does: creates roles in the member account that a role in the Security Hub admin account can assume to execute the SSM documents created by the previous stack.

Written by Hari Kiran Vusirikala

Full Stack Developer at Infosys | 4x AWS Certified
