AWS Security Hub provides a comprehensive view of your security posture in Amazon Web Services (AWS) and helps you check your environment against security standards and best practices. In this post, I show you a solution that exports Security Hub findings to a .csv file weekly and sends an email notification with a link to download the file from Amazon Simple Storage Service (Amazon S3). By using this solution, you can share the report with others without granting them access to your AWS account. You can also use it to generate assessment reports and to prioritize and build a remediation roadmap.
When you enable Security Hub, it collects and consolidates findings from the AWS security services that you're using, such as threat detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, S3 bucket policy findings from Amazon Macie, publicly accessible and cross-account resources from AWS Identity and Access Management (IAM) Access Analyzer, and resources missing AWS WAF coverage from AWS Firewall Manager. Security Hub also consolidates findings from integrated AWS Partner Network (APN) security solutions.
Cloud security processes can differ from traditional on-premises security in that security is often decentralized in the cloud. With traditional on-premises security operations, security alerts are typically routed to centralized security teams operating out of security operations centers (SOCs). With cloud security operations, it is often the application developers or DevOps engineers who are best placed to triage, investigate, and remediate security alerts.
This solution uses the Security Hub API, AWS Lambda, Amazon S3, and Amazon Simple Notification Service (Amazon SNS). Findings are aggregated into a .csv file to help identify common security issues that may require remediation.
This solution assumes that Security Hub is enabled in your AWS account. If it isn't enabled, set up the service so that you can start seeing a comprehensive view of security findings across your AWS accounts.
How the solution works
An Amazon EventBridge time-based (scheduled) event invokes a Lambda function for processing.
The Lambda function gets finding results from the Security Hub API and writes them into a .csv file.
The Lambda function uploads the file to Amazon S3 and generates a presigned URL that is valid for 24 hours or for the lifetime of the temporary credentials used by the Lambda function, whichever ends first. The presigned URL is a bearer link: anyone who obtains the email can download the file until the link expires, so the SNS subscriber list is the access-control boundary for the report.
Amazon SNS sends an email notification to the address provided during deployment. This email address can be updated afterwards through the Amazon SNS console.
The email includes a link to download the file.
Fields included in the report:
Note: You can extend the report by modifying the Lambda function to add fields as needed.
The solution provided with this blog post includes an AWS CloudFormation template named security-hub-full-report-email.json that deploys the following resources:
An Amazon SNS topic named SecurityHubRecurringFullReport and an email subscription to the topic.
The email address that subscribes to the topic is captured by a CloudFormation template input parameter. The subscriber is notified by email to confirm the subscription. After confirmation, the subscription to the SNS topic is created. Additional subscriptions can be added as needed to include other email addresses or distribution lists.
The SendSecurityHubFullReportEmail Lambda function queries the Security Hub API, writes the findings into a .csv file, and stores the file in Amazon S3. It then generates a presigned link to the file and publishes the email message to the SNS topic described above.
An IAM role for the Lambda function that allows it to create logs in CloudWatch, get findings from Security Hub, publish messages to SNS, and put objects into an S3 bucket.
An EventBridge rule named SecurityHubFullReportEmailSchedule that runs on a schedule and invokes the Lambda function that generates the findings report. The default schedule is every Monday at 8:00 AM UTC. This schedule can be overridden by using a CloudFormation input parameter. Learn more about creating cron expressions.
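The following is an added example, not the Lambda code shipped with the blog post's template, of a handler that carries out the five steps listed under "How the solution works" and matches the role permissions described above. It uses boto3; the environment variable names, the S3 key layout, the chosen CSV columns, and the sample finding in the test are assumptions of this example. It also adds one check the post does not mention: finding titles and resource identifiers can carry attacker-chosen text (tag values, object names), so every cell that starts with a formula character is neutralized before it lands in a .csv that someone will open in a spreadsheet.

```python
"""Export active Security Hub findings to CSV, upload to S3, presign, notify via SNS.

Added example (not the post's own code). Env var names, S3 key layout and the
CSV column set below are assumptions of this example.
"""
import csv
import datetime
import io
import os

# Columns written to the .csv. The set is an assumption of this example;
# extend it with any other ASFF field you need.
FIELDS = [
    "Id", "AwsAccountId", "Region", "ProductName", "Title", "SeverityLabel",
    "WorkflowStatus", "RecordState", "ComplianceStatus",
    "ResourceType", "ResourceId", "UpdatedAt",
]

# Security Hub filter (ASFF filter syntax): only findings that are still
# active and have not been resolved or suppressed. Adjust to widen the report.
ACTIVE_FINDINGS_FILTER = {
    "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
    "WorkflowStatus": [
        {"Value": "NEW", "Comparison": "EQUALS"},
        {"Value": "NOTIFIED", "Comparison": "EQUALS"},
    ],
}

# Characters a spreadsheet interprets as the start of a formula.
_FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Prefix cells that a spreadsheet would parse as a formula (CSV injection).

    Every cell is treated as untrusted; legitimate negative numbers pay the
    price of a leading apostrophe, which is the usual trade-off.
    """
    text = "" if value is None else str(value)
    return "'" + text if text.startswith(_FORMULA_PREFIXES) else text


def flatten_finding(finding):
    """Map one ASFF finding dict onto a flat row keyed by FIELDS."""
    primary = (finding.get("Resources") or [{}])[0]
    row = {
        "Id": finding.get("Id"),
        "AwsAccountId": finding.get("AwsAccountId"),
        "Region": finding.get("Region"),
        "ProductName": finding.get("ProductName"),
        "Title": finding.get("Title"),
        "SeverityLabel": finding.get("Severity", {}).get("Label"),
        "WorkflowStatus": finding.get("Workflow", {}).get("Status"),
        "RecordState": finding.get("RecordState"),
        "ComplianceStatus": finding.get("Compliance", {}).get("Status"),
        "ResourceType": primary.get("Type"),
        "ResourceId": primary.get("Id"),
        "UpdatedAt": finding.get("UpdatedAt"),
    }
    return {key: neutralize_cell(val) for key, val in row.items()}


def findings_to_csv(findings):
    """Render findings as CSV text with a header row."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for finding in findings:
        writer.writerow(flatten_finding(finding))
    return buf.getvalue()


def get_all_findings(securityhub, filters=ACTIVE_FINDINGS_FILTER):
    """Page through GetFindings (at most 100 per call) and return every finding."""
    paginator = securityhub.get_paginator("get_findings")
    findings = []
    for page in paginator.paginate(Filters=filters, PaginationConfig={"PageSize": 100}):
        findings.extend(page["Findings"])
    return findings


def lambda_handler(event, context):
    import boto3  # imported here so the CSV logic above is testable without the SDK

    region = os.environ["SECURITY_HUB_REGION"]   # assumed env var names
    bucket = os.environ["REPORT_BUCKET"]
    topic_arn = os.environ["REPORT_TOPIC_ARN"]

    findings = get_all_findings(boto3.client("securityhub", region_name=region))
    body = findings_to_csv(findings)

    stamp = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H%M%SZ")
    key = f"security-hub-findings-{stamp}.csv"
    s3 = boto3.client("s3")
    s3.put_object(Bucket=bucket, Key=key, Body=body.encode("utf-8"),
                  ContentType="text/csv", ServerSideEncryption="AES256")
    # Signed with the function's temporary role credentials: the URL stops
    # working when those expire, even if 24 hours have not elapsed. It is a
    # bearer link, so whoever holds the email can fetch the file until then.
    url = s3.generate_presigned_url(
        "get_object", Params={"Bucket": bucket, "Key": key}, ExpiresIn=24 * 3600)

    boto3.client("sns").publish(
        TopicArn=topic_arn,
        Subject="Weekly Security Hub findings report",
        Message=f"{len(findings)} active findings exported.\nDownload (expires in 24h): {url}\n",
    )
    return {"findings": len(findings), "key": key}
```

One check worth making against the role described above: a presigned URL is authorized with the signer's permissions at download time, not at signing time, so the execution role needs s3:GetObject on the report key in addition to s3:PutObject, or the link in the email will return AccessDenied. Generating the URL itself requires no API call and no extra permission.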
Deploy the solution
Use the following steps to deploy this solution in a single AWS account. If you deploy it in a Security Hub administrator account, or are using Security Hub cross-Region aggregation, the report includes the findings from the linked AWS accounts and Regions.
To deploy the solution
Download the CloudFormation template security-hub-full-report-email.json from our GitHub repository.
Copy the template to an S3 bucket in your target AWS account and Region. Copy the object URL of the CloudFormation template .json file.
In the AWS Management Console, go to the CloudFormation console. Choose Create stack and select With new resources.
Under Specify template, in the Amazon S3 URL box, enter the S3 object URL of the .json file that you uploaded in step 2.
Choose Next. On the next page, do the following:
Stack name: Enter a name for the stack.
Email address: Enter the email address of the subscriber to the Security Hub findings email.
RecurringScheduleCron: Enter the cron expression for scheduling the Security Hub findings email. The default is every Monday at 8:00 AM UTC, which in EventBridge syntax is cron(0 8 ? * MON *). Learn more about creating cron expressions.
SecurityHubRegion: Enter the Region where Security Hub is aggregating the findings.
Keep all defaults in the screens that follow and choose Next.
Select the check box I acknowledge that AWS CloudFormation might create IAM resources, and then choose Create stack.
Test the solution
You can send a test email after the deployment is complete. To do this, open the Lambda console and locate the SendSecurityHubFullReportEmail Lambda function. Invoke it manually with a test event payload; you should receive an email within a few minutes. You can repeat this procedure as many times as you want.
In this post I've shown you an approach for rapidly building a solution that sends a weekly report of the security posture of your AWS account as evaluated by Security Hub. This solution helps you review outstanding findings regularly and remediate them in a timely way based on their severity. You can extend the solution in many ways, including:
Send the file to an email-enabled ticketing service such as ServiceNow, or to the security information and event management (SIEM) system that you use.
Add links to internal wikis for workflows such as organizational exceptions to vulnerabilities or other internal processes.
Extend the solution by modifying the filters, the email content, and the delivery frequency.
To learn more about how to set up and customize Security Hub, see these additional blog posts.