Amazon Inspector integration with AWS Security Hub - Amazon Inspector

Amazon Inspector integration with AWS Security Hub

Security Hub provides a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices. Security Hub collects security data from across AWS accounts, services, and additional supported products. You can use the information it provides to analyze your security trends and identify the highest priority security issues.

Amazon Inspector integration with Security Hub allows you to send findings from Amazon Inspector to Security Hub. Security Hub can then include those findings in its analysis of your security posture.

In AWS Security Hub, security issues are tracked as findings. Some findings result from issues that are detected by other AWS services or by third-party products. Security Hub also has a set of rules that it uses to detect security issues and generate findings. Security Hub provides tools to manage findings from across all of these sources. You can view and filter lists of findings and view finding details. For more information about findings in Security Hub, see Viewing findings in the AWS Security Hub User Guide. You can also track the status of an investigation into a finding. See Taking action on findings in the AWS Security Hub User Guide.

All findings in Security Hub use a standard JSON format called the AWS Security Finding Format (ASFF). The ASFF includes details about the source of the issue, the affected resources, and the current status of the finding. See AWS Security Finding Format (ASFF) in the AWS Security Hub User Guide.

Security Hub will archive Amazon Inspector findings once those findings have been addressed and closed in Amazon Inspector.

Viewing Amazon Inspector findings in AWS Security Hub

The findings from Amazon Inspector Classic and the new Amazon Inspector are available in the same panel in Security Hub. However, you can filter findings from the new Amazon Inspector by adding a "aws/inspector/ProductVersion": "2" to the filter bar. Adding this filter excludes findings from Amazon Inspector Classic from the Security Hub dashboard.

Example finding from Amazon Inspector

{ "SchemaVersion": "2018-10-08", "Id": "arn:aws:inspector:us-east-1:123456789012:finding/FINDING_ID", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/inspector", "ProductName": "Inspector", "CompanyName": "Amazon", "Region": "us-east-1", "GeneratorId": "AWSInspector", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ], "FirstObservedAt": "2021-09-02T19:01:56.725Z", "LastObservedAt": "2021-10-13T05:43:34.982Z", "CreatedAt": "2021-09-02T19:01:56.725Z", "UpdatedAt": "2021-10-13T05:43:34.982Z", "Severity": { "Label": "HIGH", "Normalized": 70 }, "Title": "CVE-2019-19882 - passwd, login", "Description": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).", "Remediation": { "Recommendation": { "Text": "Update all packages in the vulnerable packages section to their latest versions." } }, "ProductFields": { "aws/inspector/score": "7.8", "aws/inspector/FindingStatus": "ACTIVE", "aws/inspector/ProductVersion": "2", "aws/inspector/scoreDetails/scoringVector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "aws/inspector/scoreDetails/version": "3.1", "aws/inspector/packageVulnerabilityDetails/vulnerablePackages/1/sourceLayerHash": "sha256:EXAMPLE_HASH", "aws/inspector/scoreDetails/score": "7.8", "aws/inspector/scoreDetails/scoreSource": "NVD", "aws/inspector/packageVulnerabilityDetails/vulnerablePackages/2/sourceLayerHash": "sha256:EXAMPLE_HASH", "aws/inspector/resources/1/resourceDetails/awsEcrContainerImageDetails/platform": "DEBIAN_10", "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/inspector/arn:aws:inspector:us-east-1:123456789012:finding/FINDING_ID", "aws/securityhub/ProductName": "Inspector", "aws/securityhub/CompanyName": "Amazon" }, "Resources": [ { "Type": "AwsEcrContainerImage", "Id": "123456789012/account-test/sha256:EXAMPLE_HASH", "Partition": "aws", "Region": "us-east-1", "Details": { "AwsEcrContainerImage": { "RegistryId": "123456789012", "RepositoryName": "account-test", "Architecture": "amd64", "ImageDigest": "sha256:EXAMPLE_HASH", "ImageTags": [ "latest" ], "ImagePublishedAt": "2021-09-02T19:01:48Z" } } } ], "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "Vulnerabilities": [ { "Id": "CVE-2019-19882", "VulnerablePackages": [ { "Name": "passwd", "Version": "4.5", "Epoch": "1", "Release": "1.1", "Architecture": "AMD64" }, { "Name": "login", "Version": "4.5", "Epoch": "1", "Release": "1.1", "Architecture": "AMD64" } ], "Cvss": [ { "Version": "2.0", "BaseScore": 6.9, "BaseVector": "AV:L/AC:M/Au:N/C:C/I:C/A:C" }, { "Version": "3.1", "BaseScore": 7.8, "BaseVector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "Vendor": { "Name": "NVD", "Url": "", "VendorSeverity": "HIGH", "VendorCreatedAt": "2019-12-18T16:15:00Z", "VendorUpdatedAt": "2020-08-25T15:15:00Z" }, "ReferenceUrls": [ "", "", "" ] } ], "FindingProviderFields": { "Severity": { "Label": "HIGH" }, "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ] } }

Activating and configuring the integration

To use the Amazon Inspector integration with AWS Security Hub, you must activate Security Hub. For information on how to activate Security Hub, see Setting up Security Hub in the AWS Security Hub User Guide.

When you activate both Amazon Inspector and Security Hub, the integration is activated automatically, and Amazon Inspector begins to send findings to Security Hub. Amazon Inspector sends all of the findings it generates to Security Hub using the AWS Security Finding Format (ASFF).

Stopping the publication of findings to AWS Security Hub

How to stop sending findings

To stop sending findings to Security Hub, you can use either the Security Hub console or the API.

See Deactivating and activating the flow of findings from an integration (console) or Deactivating the flow of findings from an integration (Security Hub API, AWS CLI) in the AWS Security Hub User Guide.