AWS Security Hub

AWS Security Hub is a central location for you to review your security state across the various services you use with AWS. The InsightConnect AWS Security Hub plugin allows you to ingest AWS Findings data and better monitor your AWS security features and status.

To use the AWS Security Hub plugin in InsightConnect, you must set up dependencies in the AWS Console, and then configure the trigger or action in InsightConnect. Setting up each of these items ensures that AWS data is passed correctly from each part of AWS to InsightConnect.

Set Up Security Hub Dependencies in AWS Console

To send data to InsightConnect through the AWS Security Hub, you will need to complete the following tasks in your AWS Console:

  1. Enable AWS Security Hub
  2. Create an AWS IAM user for the plugin
  3. Create a Custom Action in AWS Security Hub
  4. Create an AWS CloudFormation Stack
  5. Locate your SQS URL in AWS Console

Enable AWS Security Hub

AWS Security Hub is an AWS Preview feature. You will need to enable it before configuring other parts in AWS.

To enable Security Hub for your AWS account:

  1. Log in to your AWS console in a web browser.
  2. Click the Services button in the top left corner to open a menu of AWS services.
  3. Start typing “security” in the search bar or look for the “Security, Identity, and Compliance” category. Choose the Security Hub option.
  4. Locate a card that provides the option to try Security Hub for free. Click the provided link.
  5. When prompted, review your service permissions for AWS Security Hub. The permissions need to be set to “Allow.”
  6. Click the Enable AWS Security Hub button in the bottom right corner.

For more help with enabling AWS Security Hub, visit AWS documentation here: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html#securityhub-enable.

Create an AWS IAM User for the Plugin

After enabling Security Hub, configure the parts of AWS that need to communicate with each other before they can deliver data to InsightConnect. Start by creating an IAM user with programmatic access in AWS Identity and Access Management (IAM). The plugin uses this user's access keys to read the SQS queue, so the user needs only the SQS permissions described below.

To create the IAM user:

  1. Navigate to the IAM service from the AWS Console. It is located under the “Security, Identity, and Compliance” category.
  2. Click the Users tab in the left-hand navigation panel, and then click the Add user button in the top-left corner.
  3. Enter a name for the user and select the “Programmatic access” AWS access type. Click on the blue Next: Permissions button in the bottom-right corner of the page.
  4. From the permissions settings options that appear, click on the Attach existing policies directly card.
  5. If you already have a policy for AWS Simple Queue Service (SQS), select it. If you don’t, create one by following the instructions under “Create a New Policy for AWS SQS” below.
  6. Click Next: Tags in the bottom right. You can leave the tags fields blank or add tags as best suit your organization, then click Next: Review.
  7. Click Create user.

An access key ID and secret access key will populate for your new user. Save these keys in a password manager or secrets store: AWS shows the secret access key only once, at creation time, and if you lose it you will have to create a new key pair. You will need both keys when you configure the plugin in InsightConnect.

Create a New Policy for AWS SQS

The IAM user must have a policy that grants access to AWS SQS. If you don’t already have one, follow these steps to create a new one, then return to Step 6 of the IAM user instructions above.

To create a new policy:

  1. Click on the Create Policy button under the top three permissions options.
  2. Under “Service” settings, search for and choose SQS.
  3. Under “Actions” settings, check the box for Read, then expand the Write options and check the box for DeleteMessage.
  4. Close the “Actions” settings dropdown and review these settings. You should have five total “Read” settings and one “Write” setting.
  5. Under “Resources” settings, check the “Any” box for queue settings. Note that “Any” grants the user read and delete access to every queue in the account; once the CloudFormation stack has created the queue, you can edit this policy to name that queue’s ARN instead. Then click on Review Policy in the bottom right.
  6. Give the policy a name and a brief description, then click on Create Policy in the bottom right.
  7. Return to your AWS IAM Management Console and select this new policy.
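The “Any” resource setting above is the quick path; a queue consumer only needs rights on the one queue it polls. The following Python script is an added example, not part of this page or of Rapid7’s plugin: it produces a policy document scoped to a single queue ARN (a placeholder; substitute the ARN of the queue the CloudFormation stack creates) and checks any policy document for the broad settings the console wizard produces. The action set it grants is an assumption about what a polling consumer needs; if the trigger reports an access-denied error, add the remaining SQS read actions from the console.

```python
"""Least-privilege IAM policy for the SQS consumer user, plus a check that flags
the broad settings the console wizard produces ("Any" resource, wildcard actions).

Added example, not Rapid7's or AWS's code. The queue ARN is a placeholder and the
action set is an assumption about what a polling consumer needs.
"""
import json

# Actions a polling consumer needs on its one queue. ListQueues is left out on
# purpose: it is an account-level listing the trigger does not need, because it
# is given the queue URL directly.
CONSUMER_ACTIONS = (
    "sqs:GetQueueAttributes",
    "sqs:GetQueueUrl",
    "sqs:ReceiveMessage",
    "sqs:DeleteMessage",
)


def consumer_policy(queue_arn):
    """Policy document scoped to the single queue the CloudFormation stack creates."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "InsightConnectSqsConsumer",
            "Effect": "Allow",
            "Action": list(CONSUMER_ACTIONS),
            "Resource": queue_arn,
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def least_privilege_issues(policy):
    """Describe what is too broad in an Allow policy meant for the consumer:
    wildcard or non-SQS actions, actions beyond the consumer set, and any
    resource that is not exactly one SQS queue ARN (the console's "Any" box
    yields "*")."""
    issues = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            issues.append("NotAction/NotResource allows everything not listed")
        for action in _as_list(stmt.get("Action", [])):
            if action.endswith("*") or not action.startswith("sqs:"):
                issues.append(f"action is a wildcard or not SQS: {action}")
            elif action not in CONSUMER_ACTIONS:
                issues.append(f"action not needed by a consumer: {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if "*" in resource or not resource.startswith("arn:aws:sqs:"):
                issues.append(f"resource is not one queue ARN: {resource}")
    return issues


# What the console wizard produces for the steps above: "Read" plus
# DeleteMessage, with "Any" ticked for the queue resource.
CONSOLE_ANY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sqs:GetQueueAttributes", "sqs:GetQueueUrl",
                   "sqs:ListDeadLetterSourceQueues", "sqs:ListQueues",
                   "sqs:ReceiveMessage", "sqs:DeleteMessage"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    arn = "arn:aws:sqs:us-east-1:111122223333:icon-securityhub"  # placeholder
    print(json.dumps(consumer_policy(arn), indent=2))  # paste into the JSON policy editor
    for issue in least_privilege_issues(CONSOLE_ANY_POLICY):
        print("console policy:", issue)
```

Run it and paste the printed document into the JSON tab of the policy editor in place of the visual choices; the check reports the two account-wide list actions and the `*` resource for the console-generated policy, and nothing for the scoped one.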

Create a Custom Action in AWS Security Hub

A Security Hub custom action lets you select findings in the Security Hub console and send them to CloudWatch Events (EventBridge); the rule created by the CloudFormation stack in the next section forwards those events to SQS, where the InsightConnect trigger picks them up. The stack’s event rule is keyed on the custom action’s ARN, so create the custom action first to obtain its ARN.

To create a custom action:

  1. In the Security Hub console, go to Settings and click the Custom actions tab.
  2. Click the Create custom action button in the top right.
  3. In the configuration panel that appears, provide a name, description, and custom action ID for the action. Click Ok when you are done.
  4. Copy the “Custom action ARN” for your new custom action. You will need it when you create an AWS CloudFormation Stack.

Create an AWS CloudFormation Stack

After you create a custom action, you will need to create an AWS CloudFormation Stack based on a template we provide. The stack routes AWS Security Hub events through a CloudWatch Events (EventBridge) rule to an AWS SQS queue. Once the events are available in SQS, they can be forwarded to InsightConnect.

To set up an AWS CloudFormation Stack:

  1. Go to the CloudFormation Stack console in your AWS Console. You can find it under the “Management & Governance” category or by typing “cloudformation” in the search bar under Services.
  2. Click the Create stack button.
  3. In the “Specify template” section, select Upload a template file, and upload this file. Click Next.
  4. Provide a name for the stack.
  5. Copy and paste the following JSON event pattern into the “EventPatternsParameter” field under the “Parameters” section, replacing <Custom Action ARN> with the ARN you copied earlier. The rule matches only events from Security Hub whose resources list contains that custom action ARN, so findings sent through any other custom action are not forwarded to the queue.

JSON Template for EventPatternsParameter

```json
{
  "resources": [
    "<Custom Action ARN>"
  ],
  "source": [
    "aws.securityhub"
  ]
}
```

  6. Provide a description for the event rule. It should be something that will help you remember that this event rule feeds the AWS Simple Queue Service (AWS SQS) queue used by InsightConnect.
  7. Create a name for the queue. You will need the queue name to find your AWS SQS URL when configuring the plugin in InsightConnect.
  8. Click the Next button until you see the Create Stack button, then click Create Stack to finish.

Locate Your SQS URL

You will need to find and copy your organization’s AWS SQS URL before configuring the plugin in InsightConnect. The AWS SQS URL will be available after you create the required Stack in AWS CloudFormation.

To locate your AWS SQS URL:

  1. Log in to your AWS Console, then navigate to the SQS console.
  2. In the list of queues, look for the queue name for the AWS CloudFormation Stack you created earlier.
  3. Copy the SQS URL for this queue.

Configure an AWS Security Hub Trigger in InsightConnect

After importing the plugin in InsightConnect, you can use the AWS Security Hub plugin trigger in your workflows.

You will need to:

  1. Create, set up, and activate a new workflow to ingest AWS SQS data.
  2. Test a workflow with the AWS Security Hub trigger.

To build the initial AWS Security Hub workflow in InsightConnect:

  1. Create a new workflow and click on AWS Security Hub when prompted to create a trigger. You will find AWS Security Hub under the “From Plugin” section of the trigger selection menu. Then click Continue >.
  2. From the available AWS Security Hub triggers, click on Get SQS Message. Click Continue.
  3. Create or add a connection using the access key ID and secret access key you received when creating the IAM user.
  4. Choose a healthy orchestrator to run the plugin action from, then click Continue.
  5. Configure the trigger with the following required fields, and any of the optional fields you would like to set.
  6. For now, name the trigger Get SQS Message. You can rename it after testing that the workflow receives SQS data successfully.
  7. Paste the AWS SQS URL you copied earlier from your AWS Console into the “Queue URL” field.
  8. The trigger polls the SQS queue on a fixed schedule. Provide an interval length in seconds for the “Interval” field. You can configure the other fields or leave them set as defaults for now, then click Continue to close the trigger configuration panel.
  9. Click on the + icon in the workflow builder to add a new [artifact step](doc:artifact-step). In the artifact configuration panel, check that the “Output format” is Markdown Card, then write Markdown that will display your AWS SQS event information. You can follow this sample template, changing the trigger and variable names to match your configuration:

```markdown
### Action

Action Name: {{[Get SQS Message].[securityhubevent].[detail].[actionName]}}
Action Description: {{[Get SQS Message].[securityhubevent].[detail].[actionDescription]}}

{{#each [Get SQS Message].[securityhubevent].[detail].[findings]}}
Description: {{Description}}
{{/each}}
```

This template will help you test that your AWS Security Hub configuration is working properly.

  10. Activate the workflow.
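The custom action, the event rule, the trigger and the artifact template above form one pipeline: the custom action emits an event, the rule forwards only events that carry that action’s ARN to the queue, the trigger receives and deletes messages, and the artifact renders three fields from the event. The following Python script is an added example, not InsightConnect, Rapid7 or AWS code, that walks through that pipeline offline. The queue URL, custom action ARN, account ID and finding are constructed placeholders, and the FakeSQS class stands in for a boto3 SQS client (the real client’s receive_message and delete_message take the same keyword arguments). The event envelope follows the documented “Security Hub Findings - Custom Action” shape, and matches_pattern implements only the subset of the EventBridge pattern syntax the page’s rule uses (exact string values and nested objects).

```python
"""Consume Security Hub custom-action events from SQS, as the Get SQS Message
trigger does, and render the fields the tutorial's Markdown Card artifact uses.

Added example (not InsightConnect, Rapid7 or AWS code). The queue URL, custom
action ARN, account ID and finding are constructed placeholders.
"""
import json

QUEUE_URL = "https://sqs.us-east-1.amazonaws.com/111122223333/icon-securityhub"   # assumption
ACTION_ARN = "arn:aws:securityhub:us-east-1:111122223333:action/custom/SendToSQS"  # assumption
# Same pattern as the page's EventPatternsParameter, with the ARN filled in.
EVENT_PATTERN = {"resources": [ACTION_ARN], "source": ["aws.securityhub"]}


def matches_pattern(event, pattern):
    """EventBridge-style match for the pattern subset used here: every pattern
    key must exist in the event, nested dicts recurse, and the event value (or
    any element of an event list) must equal one of the listed values."""
    for key, allowed in pattern.items():
        value = event.get(key)
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches_pattern(value, allowed):
                return False
            continue
        values = value if isinstance(value, list) else [value]
        if not any(v in allowed for v in values):
            return False
    return True


def parse_message(body, action_arn):
    """Return the Security Hub event in an SQS message body, or None when the
    body is not a custom-action event for the expected action."""
    try:
        event = json.loads(body)
    except (TypeError, ValueError):
        return None
    if not isinstance(event, dict):
        return None
    if event.get("detail-type") != "Security Hub Findings - Custom Action":
        return None
    pattern = {"resources": [action_arn], "source": ["aws.securityhub"]}
    return event if matches_pattern(event, pattern) else None


def render_markdown(event):
    """Text equivalent of the Markdown Card template in the tutorial."""
    detail = event["detail"]
    lines = ["### Action", "",
             f"Action Name: {detail.get('actionName', '')}",
             f"Action Description: {detail.get('actionDescription', '')}", ""]
    for finding in detail.get("findings", []):
        lines.append(f"Description: {finding.get('Description', '')}")
    return "\n".join(lines)


def poll_once(sqs, queue_url, action_arn):
    """One receive/parse/delete cycle. `sqs` is a boto3 SQS client (or the fake
    below). Every received message is deleted after it is looked at; otherwise
    an unparseable message would reappear after its visibility timeout and
    block the queue. Returns (events, skipped_count)."""
    resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10,
                               WaitTimeSeconds=20)
    events, skipped = [], 0
    for msg in resp.get("Messages", []):
        event = parse_message(msg["Body"], action_arn)
        if event is None:
            skipped += 1
        else:
            events.append(event)
        sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=msg["ReceiptHandle"])
    return events, skipped


class FakeSQS:
    """Constructed stand-in for the boto3 client so the example runs offline."""
    def __init__(self, bodies):
        self.messages = [{"ReceiptHandle": f"rh-{i}", "Body": b} for i, b in enumerate(bodies)]
        self.deleted = []

    def receive_message(self, QueueUrl, MaxNumberOfMessages=1, WaitTimeSeconds=0):
        return {"Messages": self.messages[:MaxNumberOfMessages]}

    def delete_message(self, QueueUrl, ReceiptHandle):
        self.deleted.append(ReceiptHandle)
        self.messages = [m for m in self.messages if m["ReceiptHandle"] != ReceiptHandle]


# Constructed sample: what the Send To SQS custom action puts on the queue.
SAMPLE_EVENT = {
    "version": "0", "id": "2c1b9a0e-0000-4000-8000-000000000001",
    "detail-type": "Security Hub Findings - Custom Action", "source": "aws.securityhub",
    "account": "111122223333", "time": "2024-01-01T00:00:00Z", "region": "us-east-1",
    "resources": [ACTION_ARN],
    "detail": {"actionName": "Send To SQS",
               "actionDescription": "Forward selected findings to InsightConnect",
               "findings": [{"Id": "example-finding-1", "Title": "Open SSH",
                             "Description": "Security group allows SSH from 0.0.0.0/0",
                             "Severity": {"Label": "HIGH"}}]},
}
# A second event for a different custom action: the rule would not forward it,
# and the parser rejects it if it somehow lands on the queue.
OTHER_EVENT = dict(SAMPLE_EVENT, resources=[ACTION_ARN.replace("SendToSQS", "Other")])


def demo():
    sqs = FakeSQS([json.dumps(SAMPLE_EVENT), json.dumps(OTHER_EVENT), "not json"])
    events, skipped = poll_once(sqs, QUEUE_URL, ACTION_ARN)
    return events, skipped, len(sqs.deleted)


if __name__ == "__main__":
    events, skipped, deleted = demo()
    print(f"{len(events)} event(s), {skipped} skipped, {deleted} deleted")
    print(render_markdown(events[0]))
```

To run it against the real queue, replace FakeSQS(...) in demo() with boto3.client("sqs") and the placeholder URL and ARN with yours; the IAM user from the earlier section needs sqs:ReceiveMessage and sqs:DeleteMessage on that queue. The printed Markdown is what the artifact step shows for the same event, which makes it a quick way to confirm the field paths before editing the template in InsightConnect.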

Test Your AWS Security Hub Workflow

After building and activating a workflow with an AWS Security Hub trigger, you will need to send data to SQS in your AWS Security Hub Console to check that the workflow correctly ingests data.

To test the workflow:

  1. Navigate to your AWS Security Hub console, then choose Findings from the navigation panel. For more information on using “Findings” in AWS Security Hub, visit AWS’ documentation at https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings.html.
  2. Select the checkbox next to a finding to send that finding’s data to your workflow.
  3. With the finding selected, click on the Actions dropdown button in the upper right and click Send To SQS.
  4. Now log back into InsightConnect and navigate to the Closed Jobs page. Find the completed job for your AWS Security Hub workflow and click on the Artifacts tab to see whether the artifact displays the information as expected.
  5. If you see expected SQS data, your AWS Security Hub trigger works correctly and you can continue to add to your workflow as needed.

After successfully testing your AWS Security Hub workflow with the test artifact, you can change the artifact content as well as the trigger name if needed.

Configure an AWS Security Hub Action Step in InsightConnect

After importing the plugin in InsightConnect and configuring Security Hub in AWS, you can use the AWS Security Hub plugin action in your workflows.

To use the AWS Security Hub plugin in InsightConnect, configure the plugin as you would any other action in a workflow, with a fresh credential set. Make sure these credentials (an AWS IAM access key ID and secret access key) have access to AWS Security Hub: the SQS-only policy created for the trigger user earlier grants no Security Hub API permissions, so use a separate IAM user or policy that allows the Security Hub actions your workflow calls.