AWS Security Hub
Security Hub is a service by AWS that provides a view of security alerts and findings across your AWS accounts. Kion supports sending and receiving findings via AWS Security Hub. In Kion, you can create compliance checks using native Cloud Custodian policies that interact with Security Hub in each of your AWS accounts.
There are a few ways to integrate Kion with Security Hub:
- action: post-finding. Post and update findings on any resource type to Security Hub.
- filter: finding. Query with filtering of resources based on findings.
- mode: hub-finding. Create an AWS Lambda (AWS Lambda execution mode) that triggers on ingestion of Security Hub findings.
- mode: hub-action. Create an AWS Lambda (AWS Lambda execution mode) that can be triggered manually by a custom action that it creates in the Security Hub UI. These custom actions work with both findings and insights.
The Initial Setup and Implementation steps below explain how to get started with an implementation of any of these methods. During the implementation steps described here, select the policy text from the method that best fits your needs.
Initial Setup
To post findings, enable AWS Security Hub and then enable the Kion and Cloud Custodian product integrations in Security Hub, in every region of every AWS account you want to use. Findings posted by a policy are rejected unless the integration that owns their product ARN is enabled in that account and region.
Implementation
To implement any of the methods below, perform the following actions in Kion:
- Copy the policy text from the method below that best fits your needs.
- Create a new compliance check in Kion and paste the copied policy into the Compliance Check Policy field. For more information, see Add a Compliance Check.
- Add the compliance check to a compliance standard. For more information, see Add a Compliance Standard.
- Add the compliance standard to a cloud rule. For more information, see Create a Cloud Rule.
- Attach the cloud rule to a project or OU. For more information, see Managing Cloud Rules on Resources.
How often the policy runs depends on the method: post-finding and finding policies run on the Kion compliance check schedule, while hub-finding and hub-action policies deploy an AWS Lambda function that runs when the matching Security Hub event arrives.
Method: post-finding
This policy posts a finding to AWS Security Hub for each account where Shield Advanced is not enabled (with no state given, the shield-enabled filter matches accounts without a subscription) and reports the same result to Kion through the webhook action.
Here is the policy that can be added as a compliance check in Kion:
---
policies:
  - name: account-shield-enabled
    resource: account
    filters:
      # No state given: the filter's default (false) matches accounts without a Shield Advanced subscription.
      - shield-enabled
    actions:
      - type: post-finding
        description: |
          Shield Advanced should be enabled on the account for DDoS protection (subscription billed at 3,000 USD per month with a 1-year commitment).
        severity_normalized: 6
        types:
          - "Software and Configuration Checks/Industry and Regulatory Standards/NIST CSF Controls (USA)"
        recommendation: "Enable Shield Advanced"
        recommendation_url: "https://www.example.com/policies/AntiDDoS.html"
        confidence: 100
        compliance_status: FAILED
      - type: webhook
        url: '{{CT::CallbackURL}}'
        method: POST
        batch: true
        headers:
          Authorization: '`{{CT::Authorization}}`'
        # The body is a JMESPath expression evaluated against the policy execution context;
        # backticks mark literals, bare names (account_id, region, resources) are context fields.
        body: |-
          {
            "compliance_check_id": `{{CT::CheckId}}`,
            "account_number": account_id,
            "region": region,
            "scan_started_at": execution_start,
            "findings": resources[].{resource_name: account_id, resource_type: `account`}
          }
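To make the mapping from the post-finding parameters above (severity_normalized, types, recommendation, compliance_status) to the AWS Security Finding Format visible, here is an added example that builds and sanity-checks the ASFF record such an action has to hand to securityhub:BatchImportFindings. This is not Cloud Custodian's own code; the ProductArn, the Id layout and the AwsAccount resource Id format are assumptions and are labelled as such in the comments.

```python
"""Added example, not Cloud Custodian's code: build and validate the ASFF
record behind a post-finding action with the parameters shown on this page."""
from datetime import datetime, timezone

# Top-level fields ASFF requires; BatchImportFindings rejects a record missing any of them.
ASFF_REQUIRED = (
    "SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId", "Types",
    "CreatedAt", "UpdatedAt", "Severity", "Title", "Description", "Resources",
)
COMPLIANCE_STATUSES = ("PASSED", "WARNING", "FAILED", "NOT_AVAILABLE")


def severity_label(normalized):
    """ASFF buckets for Severity.Normalized (0-100); Label is what the console shows."""
    if not 0 <= normalized <= 100:
        raise ValueError("severity_normalized must be 0..100")
    if normalized == 0:
        return "INFORMATIONAL"
    if normalized <= 39:
        return "LOW"
    if normalized <= 69:
        return "MEDIUM"
    if normalized <= 89:
        return "HIGH"
    return "CRITICAL"


def build_finding(policy_name, action, account_id, region, resource_type, resource_id, now=None):
    """`action` is the mapping under `- type: post-finding` in the policy."""
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y-%m-%dT%H:%M:%S.%fZ")  # ASFF timestamps are ISO 8601 in UTC
    return {
        "SchemaVersion": "2018-10-08",
        # Assumption: a deterministic Id so re-runs update the same finding instead of duplicating it.
        "Id": f"{region}/{account_id}/{policy_name}/{resource_id}",
        # Assumption: ProductArn of the Cloud Custodian integration enabled during Initial Setup.
        "ProductArn": f"arn:aws:securityhub:{region}::product/cloud-custodian/cloud-custodian",
        "GeneratorId": policy_name,
        "AwsAccountId": account_id,
        "Types": list(action["types"]),
        "CreatedAt": stamp,
        "UpdatedAt": stamp,
        "Severity": {"Normalized": action["severity_normalized"],
                     "Label": severity_label(action["severity_normalized"])},
        "Confidence": action.get("confidence", 100),
        "Title": action.get("title", policy_name),
        "Description": action["description"].strip(),
        "Remediation": {"Recommendation": {"Text": action["recommendation"],
                                           "Url": action["recommendation_url"]}},
        "Compliance": {"Status": action["compliance_status"]},
        "Resources": [{"Type": resource_type, "Id": resource_id, "Region": region}],
        "RecordState": "ACTIVE",
    }


def validate_finding(finding):
    """Problems that would make BatchImportFindings reject the record; empty list means OK."""
    problems = [f"missing {k}" for k in ASFF_REQUIRED if k not in finding]
    status = finding.get("Compliance", {}).get("Status")
    if status is not None and status not in COMPLIANCE_STATUSES:
        problems.append(f"bad Compliance.Status {status!r}")
    if not finding.get("Resources"):
        problems.append("Resources must not be empty")
    return problems


# Constructed sample: the post-finding block from the account-shield-enabled policy.
SHIELD_ACTION = {
    "type": "post-finding",
    "description": "Shield Advanced should be enabled on the account for DDoS protection.\n",
    "severity_normalized": 6,
    "types": ["Software and Configuration Checks/Industry and Regulatory Standards/NIST CSF Controls (USA)"],
    "recommendation": "Enable Shield Advanced",
    "recommendation_url": "https://www.example.com/policies/AntiDDoS.html",
    "confidence": 100,
    "compliance_status": "FAILED",
}


def shield_finding(account_id="123456789012", region="us-east-1"):
    # Assumption: ASFF resource Id convention for an AwsAccount resource.
    return build_finding("account-shield-enabled", SHIELD_ACTION, account_id, region,
                         "AwsAccount", f"AWS::::Account:{account_id}")


if __name__ == "__main__":
    import json
    finding = shield_finding()
    print(json.dumps(finding, indent=2))
    print("problems:", validate_finding(finding))
```

A severity_normalized of 6 lands in the LOW bucket; raise it if the check should surface as MEDIUM or higher in the Security Hub console, since Label is what most views sort on.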
Method: finding
This policy uses the finding filter to query AWS Security Hub rather than inspecting the resource's own configuration: it keeps only the resources (here, the account) that have matching ACTIVE findings in the given region, then reports them to Kion through the webhook action. Use it when the signal you want already exists as a Security Hub finding.
Here is the policy that can be added as a compliance check in Kion:
---
policies:
  - name: account-get-finding
    resource: account
    filters:
      - type: finding
        query:
          RecordState:
            - Comparison: EQUALS
              Value: ACTIVE
        region: "us-east-1"
    actions:
      - type: webhook
        url: '{{CT::CallbackURL}}'
        method: POST
        batch: true
        headers:
          Authorization: "`{{CT::Authorization}}`"
        body: >
          {
            "compliance_check_id": `{{CT::CheckId}}`,
            "account_number": account_id,
            "region": region,
            "scan_started_at": execution_start,
            "findings": resources[].{resource_name: account_id, resource_type: `account`, data_json: {description: 'This is a test.'}}
          }
Method: hub-finding
This policy deploys an AWS Lambda function that is invoked by an Amazon EventBridge rule whenever a new finding is imported into Security Hub. The policy creates the EventBridge rule and the Lambda function, but not the Lambda execution role; the AWS CloudFormation template below creates that role. Add the template to Kion and associate it with the same cloud rule so the role exists in every account and region where the policy is deployed. Because the rule fires for every imported finding, keep the finding filter in the policy narrow so the function acts only on the resources you intend.
When this policy runs, it sets up an AWS Lambda with an Amazon EventBridge rule for detail-type:
- Security Hub Findings - Imported
Here is the policy that can be added as a compliance check in Kion:
---
policies:
  - name: hubfind
    resource: aws.security-group
    mode:
      type: hub-finding
      role: cloudcustodian-Lambda-role
    filters:
      - type: finding
        query:
          RecordState:
            - Comparison: EQUALS
              Value: ACTIVE
        region: us-east-1
    actions:
      - type: tag
        key: ComplianceCheck
        value: needs-remove
This is the AWS CloudFormation template you can modify to create the AWS Lambda execution role:
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Creates an IAM role for Cloud Custodian AWS Lambda execution.",
  "Resources": {
    "LambdaRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "cloudcustodian-Lambda-role",
        "Path": "/",
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
          "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
        ],
        "Policies": [],
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "lambda.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        }
      }
    }
  }
}
Two things to check before deploying this role. The trust policy must name the service principal as lambda.amazonaws.com, as above. AmazonEC2FullAccess grants far more than the policies on this page use: the hub-finding policy needs securityhub:GetFindings (for the finding filter), ec2:DescribeSecurityGroups and ec2:CreateTags, and the hub-action policy needs ec2:DescribeSecurityGroups and ec2:RevokeSecurityGroupIngress. Replace the managed policy with an inline policy under Policies that grants only those actions, since this role is invoked by events any Security Hub integration can emit.
Method: hub-action
This policy deploys an AWS Lambda function that a user triggers manually from the Security Hub console on selected findings or insights, through a custom action that the policy registers in the Actions dropdown. When this policy runs, it sets up an AWS Lambda with an Amazon EventBridge rule for detail-type:
- Security Hub Findings - Custom Action
- Security Hub Insight Results
Here is the policy that can be added as a compliance check in Kion:
---
policies:
  - name: sgtag
    resource: aws.security-group
    mode:
      type: hub-action
      role: cloudcustodian-Lambda-role
    description: |
      Close security groups open to the world
    filters:
      - or:
          - type: ingress
            Cidr:
              value: 0.0.0.0/0
          - type: ingress
            CidrV6:
              value: "::/0"
    actions:
      - type: remove-permissions
        ingress: matched
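The hub-finding and hub-action policies above both hand Security Hub events to a Lambda function. The following added example, which is not Kion's or Cloud Custodian's code, shows what those functions receive for the three detail-types listed in the two sections, how a security group ID is recovered from an ASFF finding (ACTIVE ones only, matching the RecordState filter), and which ingress grants the Cidr/CidrV6 match selects so that remove-permissions with ingress: matched revokes only the world-open ranges. Event shapes follow the AWS sample events; the layout of insightResults as a list of {group-by value: count} dicts is an assumption, as are all sample identifiers.

```python
"""Added example, not Kion's or Cloud Custodian's code: dispatch the Security Hub
EventBridge events used by hub-finding and hub-action, and select world-open grants."""

WORLD_V4 = "0.0.0.0/0"
WORLD_V6 = "::/0"
SG_ARN_PREFIX = ":security-group/"


def security_group_ids(findings):
    """Security-group IDs from ACTIVE ASFF findings; archived findings and other
    resource types are skipped, mirroring the RecordState filter in the policy."""
    ids = []
    for finding in findings:
        if finding.get("RecordState") != "ACTIVE":
            continue
        for res in finding.get("Resources", []):
            # ASFF Id is the ARN: arn:aws:ec2:REGION:ACCOUNT:security-group/sg-...
            if res.get("Type") == "AwsEc2SecurityGroup" and SG_ARN_PREFIX in res.get("Id", ""):
                ids.append(res["Id"].split(SG_ARN_PREFIX, 1)[1])
    return ids


def world_open_ingress(ip_permissions):
    """Return only the grants open to 0.0.0.0/0 or ::/0, in the shape
    ec2:RevokeSecurityGroupIngress accepts, so a narrower range on the same
    port (e.g. 10.0.0.0/8) in the same permission entry is left intact."""
    matched = []
    for perm in ip_permissions:
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == WORLD_V4]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == WORLD_V6]
        if not (v4 or v6):
            continue
        grant = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
        if v4:
            grant["IpRanges"] = v4
        if v6:
            grant["Ipv6Ranges"] = v6
        matched.append(grant)
    return matched


def handler(event, context=None):
    """Dispatch on detail-type the way the two execution modes do."""
    detail_type = event.get("detail-type")
    detail = event.get("detail", {})
    if detail_type == "Security Hub Findings - Imported":  # hub-finding
        return {"mode": "hub-finding",
                "security_groups": security_group_ids(detail.get("findings", []))}
    if detail_type == "Security Hub Findings - Custom Action":  # hub-action on findings
        return {"mode": "hub-action", "action": detail.get("actionName"),
                "security_groups": security_group_ids(detail.get("findings", []))}
    if detail_type == "Security Hub Insight Results":  # hub-action on an insight
        # Assumption: each insightResults entry is a one-key dict {group-by value: count}.
        return {"mode": "hub-action", "action": detail.get("actionName"),
                "insight": detail.get("insightName"), "result_type": detail.get("resultType"),
                "results": [next(iter(r)) for r in detail.get("insightResults", []) if r]}
    raise ValueError(f"unexpected detail-type: {detail_type!r}")


# Constructed sample event: the sgtag custom action fired on two findings, one archived.
SAMPLE_CUSTOM_ACTION_EVENT = {
    "detail-type": "Security Hub Findings - Custom Action",
    "detail": {
        "actionName": "sgtag",
        "findings": [
            {"RecordState": "ACTIVE",
             "Resources": [{"Type": "AwsEc2SecurityGroup",
                            "Id": "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0123456789abcdef0"}]},
            {"RecordState": "ARCHIVED",  # must be ignored
             "Resources": [{"Type": "AwsEc2SecurityGroup",
                            "Id": "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0fedcba9876543210"}]},
        ],
    },
}

# Constructed DescribeSecurityGroups IpPermissions for the active group above.
SAMPLE_IP_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.1.0.0/16"}], "Ipv6Ranges": []},
]

if __name__ == "__main__":
    print(handler(SAMPLE_CUSTOM_ACTION_EVENT))
    print(world_open_ingress(SAMPLE_IP_PERMISSIONS))
```

Run as a script it prints the one active security group the custom action targets and the two grants (22/tcp from 0.0.0.0/0 and 443/tcp from ::/0) that would be revoked, leaving the 10.0.0.0/8 and 10.1.0.0/16 ranges in place; the ARCHIVED finding is dropped, which is the same effect the RecordState filter has in the hub-finding policy.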
This mode needs the same cloudcustodian-Lambda-role execution role as hub-finding; reuse the AWS CloudFormation template shown under Method: hub-finding and associate it with the same cloud rule.
Reference
You can read more about the Security Hub event types here:
The Cloud Custodian documentation is available here: