fbpx

Use AWS Chatbot inside Slack to remediate safety findings from AWS Safety Hub

You can use AWS Chatbot and its integration with Slack and Amazon Chime to receive and remediate security findings from AWS Security Hub . To learn about how to configure AWS Chatbot to send findings from Security Hub to Slack, see the blog post Enabling AWS Security Hub integration with AWS Chatbot .

    <p>In this blog post, you’ll learn how to extend the solution so you can use AWS Chatbot to remediate the findings in your Slack channel. You’ll receive the findings from Security Hub and then run AWS CLI commands from your Slack channel to remediate the reported security findings.</p> 
   <p>AWS Chatbot works by acting as a subscriber to an <a href="https://aws.amazon.com/sns/" target="_blank" rel="noopener noreferrer">Amazon Simple Notification Service (Amazon SNS)</a> topic that can receive notifications from either <a href="https://aws.amazon.com/cloudwatch/" target="_blank" rel="noopener noreferrer">Amazon CloudWatch</a> or <a href="https://aws.amazon.com/eventbridge/" target="_blank" rel="noopener noreferrer">Amazon EventBridge</a>, and have them delivered to the configured Slack Amazon or channels Chime chat rooms. You can apply standard <a href="https://aws.amazon.com/iam/" target="_blank" rel="noopener noreferrer">AWS Identity and Access Management (IAM)</a> permissions to the Slack Amazon or channel Chime chatroom, and you can also associate some channel guardrails to provide granular control on what commands can be run from the channel. For example, you may want to allow running commands that would allow getting more details on findings reported from Security Hub, and archiving and remediating those findings, but use <a href="https://docs.aws.amazon.com/chatbot/latest/adminguide/security-iam.html#channel-guardrails" target="_blank" rel="noopener noreferrer">channel guardrails</a> to prevent anyone from disabling Security Hub. Another example is that you may want to allow the channel members to query <a href="https://aws.amazon.com/cloudtrail/" target="_blank" rel="noopener noreferrer">AWS CloudTrail</a> logs in order to get more details on findings, but you use channel guardrails to prevent them from disabling AWS CloudTrail or changing the destination <a href="https://aws.amazon.com/s3/" target="_blank" rel="noopener noreferrer">Amazon Simple Storage Services (Amazon S3)</a> bucket. </p> 
   <h2>Overview of ChatSecOps and ChatOps concepts</h2> 
   <p><em>ChatOps</em>, known as &lt also;em>Chat Operations</em>, refers to using chatbots, tools, and clients to communicate, notify, assign, and launch operational issues and tasks. You can use your existing Slack channels and Amazon Chime chatrooms to receive alerts and notifications about operational issues or tasks, and you can also respond to those tasks or incidents in real time from the same chat room. <em>SecOps</em> is a philosophy of encouraging collaboration between the Security and ITOps teams of an organization. <em>ChatSecOps</em>, also known as <em>Chat Security Operations</em>, uses the ChatOps technology to enable customers to put SecOps in practice.</p> 
   <p>ChatSecOps facilitates this collaboration by allowing security-related notifications to be delivered to common chat rooms used by SecOps teams, providing visibility on the presssing issues and actions that are taken to investigate and remediate the reported issues. SecOps teams can share threat analysis reports, compliance finding reports, and information on security vulnerabilities in these channels and work with &lt closely;a href="https://aws.amazon.com/devops/what-is-devops/" target="_blank" rel="noopener noreferrer">DevOps</a> teams to perform further analysis, investigation, and remediation of the presssing issues and findings. This helps to ensure collaboration and visibility across the SecOps and DevOps teams and promotes the philosophy of <a href="https://aws.amazon.com/blogs/apn/aws-devops-competency-expands-to-include-devsecops-category/" target="_blank" rel="noopener noreferrer">DevSecOps</a>.</p> 
   <h2>Prerequisites</h2> 
   <p>To get started, you’ll need the following prerequisites:</p> 

   <h2>Set up Slack permissions</h2> 
   <p>You need to grant permissions to the users in Slack channels, which you can do in one of the following ways:</p> 
   <ul> 
    <li><strong>Associate a channel IAM role with AWS Chatbot</strong>. This method provides similar permissions to all the known members of the Slack channel. A channel IAM role is more useful if all your channel members require the same set of permissions. The channel IAM role can also be used to restrict the permissions provided by the user IAM role.</li> 
    <li><strong>Define user roles</strong>. User roles require channel members to choose their own roles. This allows different users in your channel to have different sets of permissions. User roles are also useful when you don’t want new channel members to perform actions as soon as they join the channel. </li> 
   </ul> 
   <p>For detailed instructions about setting up AWS Chatbot and defining permissions, see <a href="https://docs.aws.amazon.com/chatbot/latest/adminguide/getting-started.html" target="_blank" rel="noopener noreferrer">Getting started with AWS Chatbot</a>. For more information about setting boundaries on the permissions that can be allowed by the channel and user IAM roles, see <a href="https://docs.aws.amazon.com/chatbot/latest/adminguide/security-iam.html#channel-guardrails" target="_blank" rel="noopener noreferrer">Channel guardrails</a>.</p> 
   <h2>Integrate the Slack channel with AWS Chatbot</h2> 
   <p>After you set up the Slack channel with required permissions, you integrate the <strong>ChatOps for AWS</strong> app with your channel by using the following steps.</p> 
   <p><strong>To integrate the Slack channel with AWS Chatbot</strong></p> 
   <ol> 
    <li>Log in to Slack by using either the Slack web or app browser.</li> 
    <li>In the Slack sidebar, from the <strong>Channels</strong> section, choose the channel name.</li> 
    <li>In the right pane, choose the channel name to open the channel configuration window.</li> 
    <li>Choose the <strong>Integrations</strong> tab, choose &lt then;strong>Add an App</strong>.</li> 
    <li>In the search bar, enter <span>AWS Chatbot</span>. In the search results list, choose the <strong>Add</strong> button for <strong>AWS Chatbot</strong>.</li> 
    <li>On the <strong>Integrations</strong> tab, under <strong>Apps</strong>, you should see <strong>ChatOps for AWS</strong>, as shown in Figure 1. 
     <div id="attachment_26574" class="wp-caption aligncenter"> 
      <img aria-describedby="caption-attachment-26574" src="https://www.infracom.com.sg/wp-content/uploads/2022/07/img1.png" alt="Figure 1: Integrate the ChatOps for AWS app with your Slack channel" width="567" height="623" class="size-full wp-image-26574"> 
      <p id="caption-attachment-26574" class="wp-caption-text">Figure 1: Integrate the ChatOps for AWS app with your Slack channel</p> 
     </div> </li> 
   </ol> 
   <p>The step-by-step process for integrating a Slack channel with AWS Chatbot is described in more detail in the blog post <a href="https://aws.amazon.com/blogs/security/enabling-aws-security-hub-integration-with-aws-chatbot/" target="_blank" rel="noopener noreferrer">Enabling AWS Security Hub integration with AWS Chatbot</a>.</p> 
   <p>You’re ready to start running the commands now. Note that you need to add @aws before writing any commands. For more information , see <a href="https://docs.aws.amazon.com/chatbot/latest/adminguide/chatbot-cli-commands.html" target="_blank" rel="noopener noreferrer">Running CLI commands from Slack channels&lt AWS;/a>.</p> 
   <h2>Use case: Amazon S3 Block Public Access enabled at the account level</h2> 
   <p>The <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html" target="_blank" rel="noopener noreferrer">Amazon S3 Block Public Access</a> feature provides settings for access points, buckets, and accounts to help you manage public access to Amazon S3 resources. With S3 Block Public Access, account bucket and administrators owners can set up centralized controls to limit public access to your S3 resources. These controls are enforced of how the resources are created regardless.</p> 
   <p><a href="https://aws.amazon.com/guardduty/" target="_blank" rel="noopener noreferrer">Amazon GuardDuty</a> reports and tracks S3 Block Public Access feature configurations at the account level, as well as the bucket level. These findings are sent to Security Hub automatically.</p> 
   <p>For the purpose of this walkthrough, consider the following use case: <a id="_Hlk106110453" target="_blank" rel="noopener noreferrer">your organization has compliance requirements to disable public access to all the S3 buckets at the account level. You do not want to allow individual bucket owners to configure this access policy. You get a notification that the S3 Block Public Access feature is disabled at the account level for a specific account. This walkthrough shows how you can run AWS CLI commands from the Slack channel to investigate and remediate this issue.</a></p> 
   <p><strong>To remediate finding for Amazon S3 Block Public Access from the Slack channel</strong></p> 
   <ol> 
    <li>You receive a Security Hub notification that Amazon S3 Block Public Access was disabled for an account in your designated Slack channel. 
     <div id="attachment_26575" class="wp-caption aligncenter"> 
      <img aria-describedby="caption-attachment-26575" src="https://www.infracom.com.sg/wp-content/uploads/2022/07/img2-1024x736-1.png" alt="Figure 2: Notification received from Security Hub in Slack channel" width="567" class="size-large wp-image-26575"> 
      <p id="caption-attachment-26575" class="wp-caption-text">Figure 2: Notification received from Security Hub in Slack channel</p> 
     </div> <p>This notification indicates that S3 Block Public Access was disabled for a specific account.</p> 
     <blockquote> 
      <p><strong>Note:</strong> Your Slack channel members require permissions to investigate and remediate the findings received in the Slack channel. As described earlier, you can grant permissions using a channel IAM role or a user IAM role. You should follow the principal of least privilege access when granting use and access <a href="https://aws.amazon.com/iam/features/analyze-access/" target="_blank" rel="noopener noreferrer">IAM Access Analyzer</a> to review the permissions that are granted through the user or channel IAM role. </p> 
     </blockquote> </li> 
    <li>Before any action is taken by you, you need to find the current S3 Block Public Access configuration for the account. To do this, run the following AWS CLI command from the Slack channel, replacing <span>&lt;your_account_id&gt;</span> with the AWS account ID you are investigating. <p>@aws s3control get-public-access-block –account-id <span>&lt;your_account_id&gt; </span></p> </li> 
    <li>Review the response in the Slack channel. 
     <div id="attachment_26576" class="wp-caption aligncenter"> 
      <img aria-describedby="caption-attachment-26576" src="https://www.infracom.com.sg/wp-content/uploads/2022/07/img3.png" alt="Figure 3: AWS CLI command output in Slack channel indicating that S3 Block Public Access is disabled" width="600" height="290" class="size-full wp-image-26576"> 
      <p id="caption-attachment-26576" class="wp-caption-text">Figure 3: AWS CLI command output in Slack channel indicating that S3 Block Public Access is disabled</p> 
     </div> <p>You see that the output in Figure 3 shows that all the parameters of <strong>PublicAccessBlockConfiguration</strong> are set to <strong>false</strong>, which indicates that the Block Public Access feature is disabled at the account level.</p> </li> 
    <li>To remediate this presssing issue, run the following AWS CLI command in your Slack channel, replacing <span>&lt;your_account_id&gt;</span> with the AWS account ID you are investigating. <p>@aws s3control put-public-access-block –account-id <span>&lt;your_account_id&gt;</span> –public-access-block-configuration {“RestrictPublicBuckets”: true,<br>“BlockPublicPolicy”: true,<br>“BlockPublicAcls”: true,<br>“IgnorePublicAcls”: true</p> </li> 
    <li>In the response from AWS Chatbot, look for <strong><em>Result was null</em></strong> to verify that the command was run without any errors. 
     <div id="attachment_26577" class="wp-caption aligncenter"> 
      <img aria-describedby="caption-attachment-26577" src="https://www.infracom.com.sg/wp-content/uploads/2022/07/img4.png" alt="Figure 4: AWS CLI command run from Slack channel to enable S3 Block Public Access" width="599" height="226" class="size-full wp-image-26577"> 
      <p id="caption-attachment-26577" class="wp-caption-text">Figure 4: AWS CLI command run from Slack channel to enable S3 Block Public Access</p> 
     </div> </li> 
    <li>To check the current status of the configuration, {and to validate whether the issue has been resolved,|and to validate whether the presssing issue has been resolved,} {again run the following AWS CLI command from the Slack channel,|run the following AWS CLI command from the Slack channel again,} replacing <span>&lt;your_account_id&gt;</span> with the AWS account ID you are investigating: <p>@aws s3control get-public-access-block –account-id <span>&lt;your_account_id&gt;</span></p> </li> 
    <li>In the response, you see that all the parameters of <strong>PublicAccessBlockConfiguration</strong> are set to <strong>false</strong>, which indicates that the Block Public Access feature is enabled at the account level. 
     <div id="attachment_26578" class="wp-caption aligncenter"> 
      <img aria-describedby="caption-attachment-26578" src="https://www.infracom.com.sg/wp-content/uploads/2022/07/img5.png" alt="Figure 5: AWS CLI command output in Slack channel indicating S3 Block Public Access is enabled" width="600" height="290" class="size-full wp-image-26578"> 
      <p id="caption-attachment-26578" class="wp-caption-text">Figure 5: AWS CLI command output in Slack channel indicating S3 Block Public Access is enabled</p> 
     </div> </li> 
   </ol> 
   <p>Another example use case is that you get a security finding notifying you about unencrypted <a href="https://aws.amazon.com/ebs/" target="_blank" rel="noopener noreferrer">Amazon Elastic Block Store (Amazon EBS)</a> volumes. You can remediate the finding by running AWS CLI commands to encrypt the volume. In addition to interacting with AWS services by running standard AWS CLI commands in the Slack channel, you can further extend this capability to run operating system (OS)-level commands by using <a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents.html" target="_blank" rel="noopener noreferrer">AWS Systems Manager runbooks</a>, using the same mechanism described in this post. For more information, see <a href="https://docs.aws.amazon.com/chatbot/latest/adminguide/related-services.html#runbooks" target="_blank" rel="noopener noreferrer">AWS Systems Manager Runbooks</a> in the AWS Chatbot Administrator Guide.</p> 
   <h2>Conclusion</h2> 
   <p>In this blog post, you learned how to run AWS CLI commands from Slack channels to remediate your security findings. This allows you to receive alerts and notifications from Security Hub and other security services such as Amazon GuardDuty, {then investigate and remediate the issues from a single platform.|investigate and remediate the issues from a single platform then.} {You can integrate AWS Chatbot with your security operation team’s Slack channel or Amazon Chime chatroom,|You can integrate AWS Chatbot with your security operation team’s Slack Amazon or channel Chime chatroom,} and manage your security operations in a more collaborative, transparent, and automated manner.</p> 
   <p>{If you have any questions about this post,|If any questions are had by you about this post,} let us know in the Comments section below. For more information about AWS Chatbot, see the <a href="https://docs.aws.amazon.com/chatbot/latest/adminguide/what-is.html" target="_blank" rel="noopener noreferrer">AWS Chatbot Administrator Guide</a>.</p> 
   <p><strong>Want more AWS Security news? Follow us on <a title="Twitter" href="https://twitter.com/AWSsecurityinfo" target="_blank" rel="noopener noreferrer">Twitter</a>.</strong></p> 

   <!-- '"` -->