AWS Security Hub

Security Hub is a service by AWS that provides a view of security alerts and findings across your AWS accounts. Kion supports sending and receiving findings via AWS Security Hub. In Kion, you can create compliance checks using native Cloud Custodian policies that interact with Security Hub in each of your AWS accounts.

There are a few ways to integrate Kion with Security Hub:

  • action: post-finding. Post and update findings on any resource type to Security Hub.
  • filter: finding. Select resources based on the Security Hub findings already recorded against them.
  • mode: hub-finding. Create an AWS Lambda (AWS Lambda execution mode) that triggers when Security Hub ingests findings.
  • mode: hub-action. Create an AWS Lambda (AWS Lambda execution mode) that is triggered manually from a custom action the policy creates in the Security Hub UI. These custom actions work with both findings and insights.

The Initial Setup and Implementation steps below explain how to get started with an implementation of any of these methods. During the implementation steps described here, select the policy text from the method that best fits your needs.

Initial Setup

To post findings, enable AWS Security Hub and the Kion and Cloud Custodian Security Hub integrations in each region of each AWS account you want to use.

Implementation

To implement any of the methods below, perform the following actions in Kion:

  1. Copy the policy text from the method below that best fits your needs.
  2. Create a new compliance check in Kion and paste the copied policy into the Compliance Check Policy field. For more information, see Add a Compliance Check.
  3. Add the compliance check to a compliance standard. For more information, see Add a Compliance Standard.
  4. Add the compliance standard to a cloud rule. For more information, see Create a Cloud Rule.
  5. Attach the cloud rule to a project or OU. For more information, see Managing Cloud Rules on Resources.

How and when the policy runs depends on which method you chose.
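As an added illustration of three of the methods listed above (not policy text from Kion or from the Cloud Custodian project), the following Cloud Custodian policies report security groups that allow SSH from anywhere, select groups that already carry that finding, and remediate a selected group from a Security Hub custom action. The security group rule being checked, the finding title, the tag key and the IAM role ARN are all assumptions; the role ARN in particular is a placeholder you must replace.

```yaml
policies:
  # post-finding: report security groups allowing SSH from anywhere.
  - name: sg-open-ssh-post-finding
    resource: aws.security-group
    filters:
      - type: ingress
        IpProtocol: tcp
        Ports: [22]
        Cidr:
          value: "0.0.0.0/0"
    actions:
      - type: post-finding
        severity_label: HIGH
        compliance_status: FAILED
        title: Security group allows SSH from the internet
        recommendation: Restrict tcp/22 ingress to known administrative CIDRs
        types:
          - "Software and Configuration Checks/AWS Security Best Practices"
  # finding: select groups that already carry an ACTIVE finding with that title.
  - name: sg-open-ssh-finding-tag
    resource: aws.security-group
    filters:
      - type: finding
        query:
          Title:
            - Value: Security group allows SSH from the internet
              Comparison: EQUALS
          RecordState:
            - Value: ACTIVE
              Comparison: EQUALS
    actions:
      - type: tag
        key: SecurityHubFinding
        value: open-ssh
  # hub-action: Lambda run from a Security Hub custom action; removes the
  # matched ingress rule from the group selected in the console.
  - name: sg-open-ssh-hub-action-remediate
    resource: aws.security-group
    mode:
      type: hub-action
      role: arn:aws:iam::123456789012:role/CustodianHubActionRole  # placeholder ARN
    filters:
      - type: ingress
        IpProtocol: tcp
        Ports: [22]
        Cidr:
          value: "0.0.0.0/0"
    actions:
      - type: remove-permissions
        ingress: matched
```

The first two policies run on the compliance check schedule; the third is deployed as a Lambda and only runs when someone invokes the custom action in the Security Hub console, so the filter re-checks the group before any rule is removed.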

Method: post-finding

Method: finding

Method: hub-finding

Method: hub-action

Reference

You can read more about the Security Hub event types here:

The Cloud Custodian documentation is available here: