AWS Security Hub
User Guide

Automating AWS Security Hub with CloudWatch Events

Important

Currently, Security Hub is in Preview release.

Amazon CloudWatch Events enables you to automate your AWS services and respond automatically to system events such as application availability issues or resource changes. Events from AWS services are delivered to CloudWatch Events in near real time. You can write simple rules to indicate which events are of interest to you, and what automated actions to take when an event matches a rule. The actions that can be automatically triggered include the following:

  • Invoking an AWS Lambda function

  • Invoking Amazon EC2 Run Command

  • Relaying the event to Amazon Kinesis Data Streams

  • Activating an AWS Step Functions state machine

  • Notifying an Amazon SNS topic or an Amazon SQS queue

For more information, see the Amazon CloudWatch Events User Guide.

In the current release, you can configure Security Hub to send selected Security Hub findings and insight results to CloudWatch Events for further processing. You can do this by creating custom actions in Security Hub that you can then apply to selected findings and insights, instructing Security Hub to send this data to ticketing, chat, email, and/or remediation systems that you have in place. You then create CloudWatch Events rules that align to the IDs of the custom actions that you create in Security Hub.

Note

For specific examples of sending Security Hub findings to CloudWatch Events for further processing, see How to Integrate AWS Security Hub Custom Actions with PagerDuty and How to Enable Custom Actions in AWS Security Hub.

Creating Security Hub Custom Actions and CloudWatch Events Rules

To configure Security Hub and CloudWatch Events to send Security Hub-aggregated findings to CloudWatch Events, complete the following procedure:

  1. In the Security Hub console, on the Settings/Custom actions page, choose Create custom action. Then, in the Create custom action pop-up window, specify the custom action name, description, and ID. The custom action ID must be unique per AWS account.

  2. Navigate to the CloudWatch Events console and create a rule that aligns with the ID of the custom action you created in the previous step. For Event source, choose Event pattern/Custom event pattern. You can then paste the following into the Custom event pattern field:

    {
      "source": [
        "aws.securityhub"
      ],
      "resources": [
        "SECURITY_HUB_CUSTOM_ACTION_ARN"
      ]
    }

    Note

    Substitute SECURITY_HUB_CUSTOM_ACTION_ARN with a valid ARN of the Security Hub custom action that you created in the previous step and that you want to align with this rule.

    You can use any of the following as the target for this rule: Amazon EC2 instances, AWS Lambda functions, Kinesis streams, Amazon ECS tasks, Step Functions state machines, Amazon SNS topics, Amazon SQS queues, and built-in targets.

CloudWatch Events Formats for Security Hub

Security Hub aggregates findings from the enabled AWS services (Amazon GuardDuty, Amazon Inspector, and Amazon Macie), and from the supported AWS partner products. Security Hub also consolidates findings into insights that identify security areas that require attention or intervention. Security Hub also conducts automated and continuous compliance checks using AWS best practices and supported industry standards (like CIS Foundations Benchmarks).

In the current release, you can send Security Hub-aggregated findings and insight results to CloudWatch Events for further management and processing.

  • The CloudWatch event for Security Hub-aggregated findings has the following format:

    {
      "version": "0",
      "id": "CWE-event-id",
      "detail-type": "Security Hub Finding Notification",
      "source": "aws.securityhub",
      "account": "111122223333",
      "time": "2017-12-22T18:43:48Z",
      "region": "us-west-1",
      "resources": [
        "action arn"
      ],
      "detail": {
        "action name": "action name",
        "action description": "action description",
        "action id": "action id",
        "findings": [
          AMAZON_FINDING_JSON for each specified finding
        ]
      }
    }

    Note

    For a complete list of parameters included in AMAZON_FINDING_JSON, see AWS Security Finding Format.

  • The CloudWatch event for Security Hub insight results has the following format:

    {
      "version": "0",
      "id": "CWE-event-id",
      "detail-type": "Security Hub Insight Results Notification",
      "source": "aws.securityhub",
      "account": "111122223333",
      "time": "2017-12-22T18:43:48Z",
      "region": "us-west-1",
      "resources": [
        "action arn"
      ],
      "detail": {
        "action name": "action name",
        "action description": "action description",
        "action id": "action id",
        "insight arn": "insight arn",
        "insight name": "insight name",
        "result type": "GroupBy aggregation field",
        "number of results": "number of results, max of 100",
        "results": [
          {
            "result 1": "finding count",
            "result 2": "finding count"
          }
        ]
      }
    }
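The following added example (not part of this guide or of Security Hub itself) ties the rule pattern from step 2 to the finding-notification format above: a small model of how the pattern selects the event, and a Lambda-style target that reduces each forwarded finding to the fields a ticketing or chat system would record. The event, the custom action ARN, the account ID and the finding contents are constructed placeholders.

```python
# Constructed sample event in the "Security Hub Finding Notification" format
# above. Account, ARN and finding fields are made-up placeholders.
ACTION_ARN = "arn:aws:securityhub:us-west-1:111122223333:action/custom/SendToTicketing"
SAMPLE_EVENT = {
    "detail-type": "Security Hub Finding Notification",
    "source": "aws.securityhub",
    "account": "111122223333",
    "time": "2017-12-22T18:43:48Z",
    "region": "us-west-1",
    "resources": [ACTION_ARN],
    "detail": {
        "action name": "SendToTicketing",
        "action description": "Open a ticket for the selected findings",
        "action id": "SendToTicketing",
        "findings": [  # ASFF records, trimmed to the fields used below
            {"Id": "finding-1", "Title": "Unrestricted SSH", "Severity": {"Normalized": 70},
             "Resources": [{"Type": "AwsEc2SecurityGroup", "Id": "sg-0123456789abcdef0"}]},
            {"Id": "finding-2", "Title": "Root account key exists", "Severity": {"Normalized": 30},
             "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111122223333"}]},
        ],
    },
}
# The rule pattern from step 2 with the placeholder ARN filled in.
RULE_PATTERN = {"source": ["aws.securityhub"], "resources": [ACTION_ARN]}


def matches_pattern(event, pattern):
    """Model of the top-level CloudWatch Events matching this rule relies on: every
    pattern key must be present, and the event value (or, for a list, at least one
    element) must be one of the allowed values."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        values = event[key] if isinstance(event[key], list) else [event[key]]
        if not any(v in allowed for v in values):
            return False
    return True


def handler(event, context=None):
    """Lambda-style target: reduce each forwarded finding to the ASFF fields a
    ticketing or chat integration needs, highest severity first."""
    if event.get("detail-type") != "Security Hub Finding Notification":
        return {"action": None, "findings": []}  # e.g. an insight-results event
    detail = event["detail"]
    summary = [{"id": f["Id"], "title": f["Title"],
                "severity": f.get("Severity", {}).get("Normalized", 0),
                "resources": [r["Id"] for r in f.get("Resources", [])]}
               for f in detail.get("findings", [])]
    summary.sort(key=lambda s: s["severity"], reverse=True)
    return {"action": detail["action id"], "findings": summary}
```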

Sending Security Hub Data to CloudWatch Events

Once you've created one or more Security Hub custom actions and CloudWatch Events rules, you can send findings and insight results to CloudWatch Events for further management and processing.

  1. In the Security Hub console, navigate to the Findings page, select one or more findings that you want to send to CloudWatch Events, and then, under the Actions drop-down, choose the custom action that aligns with the CloudWatch Events rule you want to apply.

  2. Navigate to the Insights page, choose the insight whose results you want to see, select the insight results that you want to send to CloudWatch Events, and then, under the Actions drop-down, choose the custom action that aligns with the CloudWatch Events rule you want to apply.