Generating Custom AWS Security Hub Findings With Notification

Generating custom AWS Security Hub findings with its notifications
Yogita Surve
Feb 01, 2022 | 3 min read

AWS Security Hub is a service that gives a consolidated, security-focused view of the other AWS services you use. It shows which AWS resources are compliant and non-compliant with AWS security best practices, and it ships with predefined security standards and controls that cover most cases. Depending on your organizational needs, however, you might want to generate and manage some custom findings in Security Hub.

This blog demonstrates ways of generating and managing custom security findings in AWS Security Hub. Along with this, we will also set up notifications so that such findings raise alerts.

Generating A Custom Finding In Security Hub For Single AWS Account

This section will give you a brief overview of how to generate a custom Security Hub finding in a single AWS account.

(Figure: approach for a single account)

Step 1: Create An AWS EventBridge Rule

Create an AWS EventBridge rule that triggers the Lambda function which imports the custom Security Hub finding. As the rule's event pattern, specify the event source and the fields to match. In the following example, the pattern matches the event emitted when an EC2 instance enters the running state.

{
  "source": [ "aws.ec2" ],
  "detail-type": [ "EC2 Instance State-change Notification" ],
  "detail": {
    "state": [ "running" ]
  }
}

Step 2: Create An AWS Lambda Function

To import a custom Security Hub finding, create a Lambda function that sends the finding to Security Hub.

The Findings parameter takes a list of findings in AWS Security Finding Format (ASFF), which the function builds from the incoming event; it does not accept the raw EventBridge event, and it takes at most 100 findings per call. To import custom Security Hub findings, we can use the code below:

import boto3
boto3.client('securityhub').batch_import_findings(Findings=[<Your_ASFF_finding>])

Once the import succeeds, the custom finding appears in the Security Hub findings dashboard. Check the response as well: rejected findings are reported in its FailedCount and FailedFindings fields rather than as an exception.
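The two steps above as one complete Lambda handler. This is an added example, not the original post's or the linked repository's code: the function names, the GeneratorId, the LOW severity and the finding Id scheme are my choices, and SAMPLE_EVENT is a constructed copy of the EC2 state-change event the rule matches. It maps the event to an ASFF finding, imports it under the account's default product ARN, and treats a non-zero FailedCount as an error, since BatchImportFindings reports rejected findings in its response instead of raising.

```python
"""Lambda that turns the EC2 'running' state-change event into an ASFF finding
and imports it with BatchImportFindings.
Added example (not the original post's code); build_finding/handler names,
the GeneratorId and the LOW severity are illustrative choices."""
from datetime import datetime, timezone

SCHEMA_VERSION = "2018-10-08"  # ASFF schema version Security Hub accepts

# Constructed sample of the EventBridge event matched by the rule in Step 1.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.ec2",
    "detail-type": "EC2 Instance State-change Notification",
    "account": "123456789012",
    "region": "us-east-1",
    "time": "2022-02-01T10:00:00Z",
    "resources": ["arn:aws:ec2:us-east-1:123456789012:instance/i-0abcd1234"],
    "detail": {"instance-id": "i-0abcd1234", "state": "running"},
}


def build_finding(event, now=None):
    """Map one EC2 state-change event to one ASFF finding dict."""
    account, region = event["account"], event["region"]
    instance_id, state = event["detail"]["instance-id"], event["detail"]["state"]
    # ASFF timestamps are ISO 8601 in UTC; 'now' is injectable for tests.
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "SchemaVersion": SCHEMA_VERSION,
        # Deterministic Id: re-importing for the same instance updates the
        # existing finding instead of creating a duplicate.
        "Id": f"{region}/{account}/custom-ec2-running/{instance_id}",
        # Default product ARN: a custom finding is imported by the account
        # that owns it, so the account id appears twice in the ARN.
        "ProductArn": f"arn:aws:securityhub:{region}:{account}:product/{account}/default",
        "GeneratorId": "custom/ec2-instance-running",  # assumed generator name
        "AwsAccountId": account,
        "Types": ["Software and Configuration Checks/AWS Security Best Practices"],
        "CreatedAt": stamp,
        "UpdatedAt": stamp,
        "Severity": {"Label": "LOW"},
        "Title": f"EC2 instance {instance_id} entered state '{state}'",
        "Description": "Custom finding: an EC2 instance transitioned to the running state.",
        "Resources": [{
            "Type": "AwsEc2Instance",
            "Id": f"arn:aws:ec2:{region}:{account}:instance/{instance_id}",
            "Partition": "aws",
            "Region": region,
        }],
        "RecordState": "ACTIVE",
        "Workflow": {"Status": "NEW"},
    }


def import_findings(findings, client):
    """Import ASFF findings and fail loudly on rejections, which
    BatchImportFindings reports in FailedCount/FailedFindings, not as an exception."""
    resp = client.batch_import_findings(Findings=findings)
    if resp.get("FailedCount", 0):
        raise RuntimeError(f"Security Hub rejected findings: {resp.get('FailedFindings')}")
    return resp.get("SuccessCount", 0)


def handler(event, context=None, client=None):
    """Lambda entry point; 'client' is injectable so the mapping can be tested offline."""
    if client is None:
        import boto3  # only needed inside Lambda; the role needs securityhub:BatchImportFindings
        client = boto3.client("securityhub", region_name=event["region"])
    return import_findings([build_finding(event)], client)


class StubSecurityHubClient:
    """Offline stand-in for the boto3 securityhub client, used to exercise the handler."""
    def __init__(self, reject=False):
        self.reject, self.imported = reject, []

    def batch_import_findings(self, Findings):
        if self.reject:  # mimic Security Hub rejecting every finding
            return {"FailedCount": len(Findings), "SuccessCount": 0,
                    "FailedFindings": [{"Id": f["Id"], "ErrorCode": "InvalidInput",
                                        "ErrorMessage": "stubbed rejection"} for f in Findings]}
        self.imported.extend(Findings)
        return {"FailedCount": 0, "SuccessCount": len(Findings), "FailedFindings": []}


if __name__ == "__main__":
    stub = StubSecurityHubClient()
    print(handler(SAMPLE_EVENT, client=stub), "finding(s) imported")
    print(stub.imported[0]["Title"])
```

Run it as a script to exercise the mapping offline through the stub client. In Lambda, the execution role needs securityhub:BatchImportFindings, and Security Hub must be enabled in the account and region, otherwise the import is rejected.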

Generating A Custom Finding In Security Hub For Multi-Account Environment

This section gives a brief overview of how to generate custom Security Hub findings across multiple AWS accounts, i.e. an AWS Organization. Under AWS Organizations you can have separate AWS accounts for various workloads. Set one of the accounts as the delegated administrator for Security Hub in your organization; Security Hub then aggregates the findings from all member accounts into the delegated administrator account, which makes them easier to analyze and remediate.

The execution steps are the same as above and must be repeated in every account of the multi-account environment: a finding imported under the default product ARN belongs to the account that imports it, so the rule and the Lambda function (with an execution role allowed to call securityhub:BatchImportFindings) have to run in each account and region where Security Hub is enabled.

Note: You can deploy the event rule and Lambda function to multiple accounts and regions, sequentially or in parallel, with a CloudFormation StackSet.

(Figure: approach for a multi-account environment)

Setting Notifications For The Findings In AWS Security Hub (Optional)

(Figure: notification setup)

Step 1: Create an AWS EventBridge rule that fires whenever a new finding is generated. Security Hub publishes every new or updated finding to EventBridge as an event with source aws.securityhub and detail-type "Security Hub Findings - Imported"; in the rule's event pattern, match the fields of the custom finding generated above (for example its GeneratorId or ProductArn under detail.findings), otherwise the rule fires for every finding from the built-in standards as well.

Step 2: Set the target of the EventBridge rule to an AWS messaging service such as SNS or SQS. SES is not a direct EventBridge target; to deliver email, either subscribe an email endpoint to the SNS topic or target a Lambda function that calls SES.
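A concrete rule pattern for Step 1, with a small matcher to dry-run it against sample events before deploying. This is an added example, not the original post's code: the GeneratorId value is an assumed name for the custom finding, the findings and events are constructed samples, and the matcher implements only EventBridge's exact-value matching (sibling keys ANDed, a list of values ORed, a nested pattern applied to an event array matching if any element matches), not prefix, numeric or anything-but filters. The same matcher also checks the EC2 pattern from Step 1 of the single-account section.

```python
"""EventBridge pattern for notifying on the custom Security Hub finding, with a
minimal matcher to dry-run it against sample events.
Added example (not the original post's code); the GeneratorId is an assumed
name for the custom finding and the events below are constructed samples."""

NOTIFY_PATTERN = {
    "source": ["aws.securityhub"],
    # Security Hub publishes every new or updated finding under this detail-type.
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
        # detail.findings is an array; EventBridge matches if any element matches.
        "findings": {
            "GeneratorId": ["custom/ec2-instance-running"],  # assumed generator id
            "RecordState": ["ACTIVE"],  # stay quiet for archived findings
        }
    },
}


def matches(pattern, event):
    """EventBridge exact-match semantics: sibling keys are ANDed, a list of
    allowed values is ORed, and a nested pattern applied to an event array
    matches if any element matches. Content filters (prefix, numeric,
    anything-but) are not implemented here."""
    if isinstance(pattern, dict):
        if isinstance(event, list):
            return any(matches(pattern, item) for item in event)
        if not isinstance(event, dict):
            return False
        return all(key in event and matches(sub, event[key])
                   for key, sub in pattern.items())
    # Leaf: 'pattern' is the list of allowed values.
    if isinstance(event, list):
        return any(item in pattern for item in event)
    return event in pattern


def imported_event(*findings):
    """Constructed 'Security Hub Findings - Imported' event wrapping the findings."""
    return {
        "version": "0",
        "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Imported",
        "account": "123456789012",
        "region": "us-east-1",
        "detail": {"findings": list(findings)},
    }


# Constructed sample findings (only the fields the pattern and message use).
CUSTOM_FINDING = {
    "GeneratorId": "custom/ec2-instance-running",
    "AwsAccountId": "123456789012",
    "RecordState": "ACTIVE",
    "Severity": {"Label": "LOW"},
    "Title": "EC2 instance i-0abcd1234 entered state 'running'",
    "Resources": [{"Type": "AwsEc2Instance",
                   "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0abcd1234"}],
}
FSBP_FINDING = {  # a built-in standard's finding that must not trigger the rule
    "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/EC2.8",
    "AwsAccountId": "123456789012",
    "RecordState": "ACTIVE",
    "Severity": {"Label": "HIGH"},
    "Title": "EC2 instances should use IMDSv2",
    "Resources": [{"Type": "AwsEc2Instance",
                   "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0abcd1234"}],
}


def notification_text(event):
    """One line per finding in the event, as you would publish it to the SNS topic."""
    lines = []
    for f in event["detail"]["findings"]:
        resources = ", ".join(r["Id"] for r in f.get("Resources", []))
        lines.append(f"[{f['Severity']['Label']}] {f['Title']} "
                     f"(account {f['AwsAccountId']}; {resources})")
    return lines


if __name__ == "__main__":
    for name, ev in [("custom", imported_event(CUSTOM_FINDING)),
                     ("fsbp", imported_event(FSBP_FINDING))]:
        print(name, "->", "notify" if matches(NOTIFY_PATTERN, ev) else "ignore")
    print(notification_text(imported_event(CUSTOM_FINDING))[0])
```

Security Hub emits this event type for updates as well as new findings, so the rule fires again each time the Lambda re-imports the finding with a new UpdatedAt; the RecordState filter only suppresses archived findings. The lines produced by notification_text are the kind of message you would hand to the SNS target (an EventBridge input transformer on the rule can do the same reshaping without code).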

Concluding Thoughts

In this blog, we explored a way to generate custom AWS Security Hub findings for single-account as well as multi-account environments. For sample code, you can refer to this GitHub repository. I hope this helps you maintain the security posture of your AWS infrastructure. Thank you for reading and have a great day ahead!