
How to create the recurring Security Hub overview email

AWS Security Hub offers a comprehensive view of your security posture in Amazon Web Services (AWS) and can help you check your environment against security standards and best practices. In this post, we’ll show you how to set up weekly email notifications using Security Hub to provide account owners with a summary of the existing security findings to prioritize, new findings, and links to the Security Hub console for more information.

Once you enable Security Hub, it collects and consolidates findings from the AWS security services that you’re using, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, Amazon Simple Storage Service (Amazon S3) bucket policy findings from Amazon Macie, publicly accessible and cross-account resources from IAM Access Analyzer, and resources lacking AWS WAF coverage from AWS Firewall Manager. Security Hub also consolidates findings from integrated AWS Partner Network (APN) security solutions.

Cloud security processes can differ from traditional on-premises security in that security is often decentralized in the cloud. With traditional on-premises security operations, security alerts are typically routed to centralized security teams operating out of security operations centers (SOCs). With cloud security operations, it’s often the application builders or DevOps engineers who are best positioned to triage, investigate, and remediate the security alerts. This integration of security into DevOps processes is known as DevSecOps, and as part of this process, centralized security teams look for additional ways to proactively engage application account owners in improving the security posture of their AWS accounts.

This solution uses Security Hub custom insights, AWS Lambda, and the Security Hub API. A custom insight is a collection of findings that are aggregated by a grouping attribute, such as status or severity. Insights help you identify common security issues that may need remediation action. Security Hub includes several managed insights, or you can create your own custom insights. Amazon SNS topic subscribers will receive an email, like the one shown in Figure 1, that summarizes the results of the Security Hub custom insights.

Figure 1: Example email with a summary of security findings for an account


Solution overview

This solution assumes that Security Hub is enabled in your AWS account. If it isn’t enabled, set up the service so that you can start seeing a comprehensive view of security findings across your AWS account.

A recurring Security Hub summary email provides recipients with a proactive communication that summarizes the security posture and any recent changes in their AWS accounts. The email message contains the following sections:

Here’s how the solution works:

  1. Seven Security Hub custom insights are created when you first deploy the solution.
  2. An Amazon CloudWatch time-based event invokes a Lambda function for processing.
  3. The Lambda function gets the results of the custom insights from Security Hub, formats the results for email, and sends a message to Amazon SNS.
  4. Amazon SNS sends the email notification to the address you provided during deployment.
  5. The email includes the summary and links to the Security Hub UI so that the recipient can follow the remediation workflow.

Figure 2 displays the solution workflow.

Figure 2: Solution overview, deployed through AWS CloudFormation


Security Hub custom insight

The finding results presented in the email are summarized by Security Hub custom insights. A Security Hub insight is a collection of related findings. Each insight is defined by a group by statement and optional filters. The group by statement indicates how to group the matching findings, and identifies the type of item that the insight applies to. For example, if an insight is grouped by resource identifier, then the insight produces a list of resource identifiers. The optional filters narrow down the matching findings for the insight. For example, you might want to see only the findings from specific providers or findings associated with specific types of resources. Figure 3 shows the seven custom insights that are created as part of deploying this solution.

Figure 3: Custom insights created by the solution


Sample custom insight

Security Hub offers several built-in managed (default) insights. You can’t modify or delete managed insights. You can see the custom insights created as part of this solution in the Security Hub console under Insights, by selecting the Custom Insights filter. From the email, follow the link for “Summary Email – 02 – Failed AWS Foundational Security Best Practices” to see the summarized finding counts, along with graphs with related data, as shown in Figure 4.

Figure 4: Detail view of the email titled “Summary Email – 02 – Failed AWS Foundational Security Best Practices”


Let’s evaluate the filters that create this custom insight:

Filter setting: Type is “Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices”
Filter results: Captures all current and future findings created by the AWS Foundational Security Best Practices security standard.

Filter setting: Status is FAILED
Filter results: Captures findings where the compliance status of the resource doesn’t pass the assessment.

Filter setting: Workflow Status is not SUPPRESSED
Filter results: Captures findings where Security Hub users haven’t updated the finding to the SUPPRESSED status.

Filter setting: Record State is ACTIVE
Filter results: Captures findings that represent the latest assessment of the resource. Security Hub automatically archives control-based findings if the associated resource is deleted, the resource does not exist, or the control is disabled.

Filter setting: Group by SeverityLabel
Filter results: Creates the insight and populates the counts.
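As an added example that is not part of the original post, here are the filter rows above expressed as a CreateInsight request using the Security Hub API’s field names (ComplianceStatus carries the table’s Status row), plus a small local matcher that shows which constructed sample findings the insight would count and why the others are dropped.

```python
# Added example (not the solution's own code): the five filter rows above as a Security Hub
# CreateInsight request, plus a local matcher with StringFilter EQUALS/NOT_EQUALS semantics.
from collections import Counter

FSBP_TYPE = ("Software and Configuration Checks/Industry and Regulatory Standards/"
             "AWS-Foundational-Security-Best-Practices")

FAILED_FSBP_INSIGHT = {
    "Name": "Summary Email - 02 - Failed AWS Foundational Security Best Practices",
    "GroupByAttribute": "SeverityLabel",
    "Filters": {
        "Type": [{"Value": FSBP_TYPE, "Comparison": "EQUALS"}],
        "ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}],      # the table's "Status" row
        "WorkflowStatus": [{"Value": "SUPPRESSED", "Comparison": "NOT_EQUALS"}],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
    },
}

FIELD_GETTERS = {  # where each filter key lives inside an ASFF finding document
    "Type": lambda f: f.get("Types", []),
    "ComplianceStatus": lambda f: [f.get("Compliance", {}).get("Status")],
    "WorkflowStatus": lambda f: [f.get("Workflow", {}).get("Status")],
    "RecordState": lambda f: [f.get("RecordState")],
}

def _matches(values, string_filter):
    hit = string_filter["Value"] in values
    return hit if string_filter["Comparison"] == "EQUALS" else not hit  # otherwise NOT_EQUALS

def finding_matches(finding, filters):
    """Filter keys are ANDed; this insight carries exactly one StringFilter per key."""
    return all(_matches(FIELD_GETTERS[k](finding), sf) for k, sfs in filters.items() for sf in sfs)

def count_by_severity(findings, insight=FAILED_FSBP_INSIGHT):
    """What GroupByAttribute=SeverityLabel reports for these findings: {label: count}."""
    return dict(Counter(f["Severity"]["Label"] for f in findings if finding_matches(f, insight["Filters"])))

def _finding(status, workflow, state, label, typ=FSBP_TYPE):
    return {"Types": [typ], "Compliance": {"Status": status}, "Workflow": {"Status": workflow},
            "RecordState": state, "Severity": {"Label": label}}

SAMPLE_FINDINGS = [  # constructed, trimmed ASFF findings for the demo
    _finding("FAILED", "NEW", "ACTIVE", "HIGH"),
    _finding("FAILED", "SUPPRESSED", "ACTIVE", "HIGH"),      # dropped: a user suppressed it
    _finding("FAILED", "NOTIFIED", "ARCHIVED", "CRITICAL"),  # dropped: resource deleted or control disabled
    _finding("PASSED", "NEW", "ACTIVE", "INFORMATIONAL"),    # dropped: the control passes
    _finding("FAILED", "NEW", "ACTIVE", "MEDIUM", typ="TTPs/Initial Access"),  # dropped: not an FSBP finding
    _finding("FAILED", "NOTIFIED", "ACTIVE", "CRITICAL"),
]
```

Running count_by_severity(SAMPLE_FINDINGS) yields one HIGH and one CRITICAL finding, which is exactly what the insight would show grouped by SeverityLabel.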

Solution artifacts

The solution provided with this blog post includes two files:

  1. An AWS CloudFormation template named security-hub-email-summary-cf-template.json.
  2. A zip file named sec-hub-email.zip for the Lambda function that generates the Security Hub summary email.

In addition to the Security Hub custom insights discussed in the previous section, the solution also deploys the following artifacts:

  1. An Amazon Simple Notification Service (Amazon SNS) topic named SecurityHubRecurringSummary and an email subscription to the topic.

    Figure 5: SNS topic created by the solution


    The email address that subscribes to the topic is captured by a CloudFormation template input parameter. The subscriber is notified by email to confirm the subscription, and after confirmation, the subscription to the SNS topic is created.

    Figure 6: SNS email subscription


  2. Two Lambda functions:
    1. A Lambda function named *-CustomInsightsFunction-* is used only by the CloudFormation template to create the custom insights.
    2. A Lambda function named SendSecurityHubSummaryEmail queries the custom insights from the Security Hub API and uses the insights’ data to generate the summary email message. The function then sends the email message to the SNS topic.

      Figure 7: Example of Lambda functions created by the solution


  3. Two IAM roles for the Lambda functions provide the following rights, respectively:
    1. The minimum rights required to create insights and to create CloudWatch log groups and log streams.
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Action": [
                      "logs:CreateLogGroup",
                      "logs:CreateLogStream",
                      "logs:PutLogEvents"
                  ],
                  "Resource": "arn:aws:logs:*:*:*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "securityhub:CreateInsight"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }

    2. The minimum rights required to query Security Hub insights and to publish to the SNS topic named SecurityHubRecurringSummary (two policy documents):
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Action": "sns:Publish",
                  "Resource": "arn:aws:sns:[REGION]:[ACCOUNT-ID]:SecurityHubRecurringSummary",
                  "Effect": "Allow"
              }
          ]
      }

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "securityhub:Get*",
                      "securityhub:List*",
                      "securityhub:Describe*"
                  ],
                  "Resource": "*"
              }
          ]
      }

  4. A CloudWatch scheduled event named SecurityHubSummaryEmailSchedule for invoking the Lambda function that generates the summary email. The default schedule is every Monday at 8:00 AM GMT. This schedule can be overwritten with a CloudFormation input parameter. Learn more about creating Cron expressions.

    Figure 8: Example of CloudWatch schedule created by the solution

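As an added example (not the solution’s own Lambda code), here is the shape of the SendSecurityHubSummaryEmail step described in artifact 2: query each custom insight through the Security Hub API, format the per-severity counts into email sections, append the optional footer text, and publish to the SNS topic. The insight ARNs, the console link format, and the FakeAws client are assumptions and constructed stand-ins so the code runs offline; on Lambda you would pass boto3 securityhub and sns clients instead.

```python
# Added example (not the solution's own Lambda code): the shape of the SendSecurityHubSummaryEmail
# step. It accepts any objects exposing get_insights()/get_insight_results()/publish(), so it runs
# offline against the constructed FakeAws below; on Lambda you would pass boto3 clients instead.
INSIGHT_ARNS = [  # placeholders; real ARNs come back from CreateInsight when the stack deploys
    "arn:aws:securityhub:[REGION]:[ACCOUNT-ID]:insight/[ACCOUNT-ID]/custom/summary-01",
    "arn:aws:securityhub:[REGION]:[ACCOUNT-ID]:insight/[ACCOUNT-ID]/custom/summary-02",
]
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL"]

def format_insight(name, insight_results, link):
    """One email section: total, counts in fixed severity order (missing labels as 0), then a link."""
    counts = {v["GroupByAttributeValue"]: v["Count"] for v in insight_results["ResultValues"]}
    lines = [f"{name}: {sum(counts.values())} finding(s)"]
    lines += [f"  {sev:<14}{counts.get(sev, 0)}" for sev in SEVERITY_ORDER]
    lines += [f"  {sev:<14}{counts[sev]}" for sev in sorted(set(counts) - set(SEVERITY_ORDER))]
    lines.append(f"  Details: {link}")
    return "\n".join(lines)

def build_summary(securityhub, insight_arns, region, footer=""):
    """Query each custom insight and assemble the email body; footer mirrors the template parameter."""
    sections = []
    for arn in insight_arns:
        name = securityhub.get_insights(InsightArns=[arn])["Insights"][0]["Name"]
        results = securityhub.get_insight_results(InsightArn=arn)["InsightResults"]
        # Console link format is assumed here; point it at your console's insight view.
        link = f"https://{region}.console.aws.amazon.com/securityhub/home?region={region}#/insights/{arn}"
        sections.append(format_insight(name, results, link))
    return "\n\n".join(sections + ([footer] if footer else []))

def send_summary(securityhub, sns, topic_arn, region, insight_arns=INSIGHT_ARNS, footer=""):
    body = build_summary(securityhub, insight_arns, region, footer)
    sns.publish(TopicArn=topic_arn, Subject="Security Hub weekly summary", Message=body)
    return body

class FakeAws:
    """Constructed stand-in for both boto3 clients; returns API-shaped responses offline."""
    def __init__(self):
        self.published = []
    def get_insights(self, InsightArns):
        return {"Insights": [{"InsightArn": InsightArns[0], "Name": "Summary Email - " + InsightArns[0][-2:]}]}
    def get_insight_results(self, InsightArn):
        return {"InsightResults": {"InsightArn": InsightArn, "GroupByAttribute": "SeverityLabel",
                                   "ResultValues": [{"GroupByAttributeValue": "HIGH", "Count": 3},
                                                    {"GroupByAttributeValue": "CRITICAL", "Count": 1}]}}
    def publish(self, **kwargs):
        self.published.append(kwargs)
        return {"MessageId": "constructed-message-id"}
```

Calling send_summary(fake, fake, topic_arn, region) with a FakeAws instance produces two sections of four findings each and records one publish call against the topic ARN.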

Deploy the solution

The following steps demonstrate the deployment of the solution in a single AWS Region and account. Repeat these steps in each of the AWS accounts that are active with Security Hub, so that the respective application owners can receive the relevant data from their accounts.

To deploy the solution

  1. Download the CloudFormation template security-hub-email-summary-cf-template.json and the .zip file sec-hub-email.zip from https://github.com/aws-samples/aws-security-hub-summary-email.
  2. Copy security-hub-email-summary-cf-template.json and sec-hub-email.zip to an S3 bucket in your target AWS Region and account. Copy the object URL for the CloudFormation template .json file.
  3. On the AWS Management Console, open the CloudFormation service. Choose Create Stack with new resources.

    Figure 9: Create stack with new resources


  4. Under Specify template, in the Amazon S3 URL textbox, enter the S3 object URL for the file security-hub-email-summary-cf-template.json that you uploaded in step 1.

    Figure 10: Specify S3 URL for CloudFormation template


  5. Choose Next. On the next page, under Stack name, enter a unique name for the stack.

    Figure 11: Enter stack name


  6. On the same page, enter values for the input parameters. These are the input parameters that are required for this CloudFormation template:
    1. S3 Bucket Name: The S3 bucket where the .zip file for the Lambda function (sec-hub-email.zip) is stored.
    2. S3 key name (with prefixes): The S3 key name (with prefixes) for the .zip file for the Lambda function.
    3. Email address: The email address of the subscriber to the Security Hub summary email.
    4. CloudWatch Cron Expression: The Cron expression for scheduling the Security Hub summary email. The default is every Monday at 8:00 AM GMT. Learn more about creating Cron expressions.
    5. Additional Footer Text: Text that will appear at the bottom of the email message. This is useful to guide the recipient on next steps or to provide internal resource links. This is an optional parameter; leave it blank for no text.

    Figure 12: Enter CloudFormation parameters


  7. Choose Next.
  8. Keep all defaults in the screens that follow, and choose Next.
  9. Select the check box I acknowledge that AWS CloudFormation might create IAM resources, and then choose Create stack.

Test the solution

You can send a test email after the deployment is complete. To do this, go to the Lambda console and locate the Lambda function named SendSecurityHubSummaryEmail. Perform a manual invocation with any event payload to receive an email within minutes. You can repeat this process as many times as you want.

Conclusion

We’ve outlined an approach for rapidly building a solution that sends a weekly summary of the security posture of your AWS account as evaluated by Security Hub. This solution makes it easier for you to be diligent in reviewing any outstanding findings and to remediate findings in a timely manner based on their severity. You can extend the solution in many ways, including:

  1. Add links in the footer text to the remediation workflows, such as creating a ticket in ServiceNow or in any Security Information and Event Management (SIEM) system that you use.
  2. Add links to internal wikis for workflows like organizational exceptions to vulnerabilities or other internal processes.
  3. Extend the solution by modifying the custom insights content, the email content, and the delivery frequency.

To learn more about how to set up and customize Security Hub, see these additional blog posts.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a thread on the AWS Security Hub forum.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.
