AWS Partner Network (APN) Blog

Integrating AWS Security Hub, IBM Netcool, and ServiceNow to Secure Large Client Deployments

By Jigar Kapasi, Sr. Cloud Architect – Kyndryl
By Venkat Reddy, Cloud Automation Architect – Kyndryl
By Koushik Mohan, Partner Solutions Architect – AWS


The CIS AWS Foundations Benchmark is a compliance standard for securing Amazon Web Services (AWS) resources, offering prescriptive instructions for configuring AWS services in accordance with industry best practices.

In May 2018, the Center for Internet Security (CIS) published v1.2.0 of the AWS Foundations Benchmark, and AWS Security Hub currently implements this version.

Customers using cloud resources on AWS can safeguard sensitive IT systems and data by complying with the industry-recognized CIS AWS Foundations Benchmark, among other best practices defined by AWS security experts.

This post explains how to get visibility of your cloud security posture when building secure multi-account, multi-region AWS deployments.

Kyndryl is an AWS Select Tier Services Partner and IT infrastructure services provider. The company designs, builds, manages, and modernizes the complex, mission-critical information systems the world depends on every day.

Kyndryl’s nearly 90,000 employees serve more than 4,000 customers in over 60 countries around the world, including 75% of the Fortune 100. Learn more about the Kyndryl and AWS collaboration.

Project Scope

Using AWS Security Hub, Kyndryl was able to define a secure, scalable security account architecture for customers, manage multiple customer accounts, consolidate security-related findings, and integrate into the ITSM processes in ServiceNow.

AWS Security Hub provides customers with pre-packaged security standards, such as the CIS AWS Foundations Benchmark and the Payment Card Industry Data Security Standard (PCI DSS). Security Hub automatically evaluates each control in a security standard via rules. The evaluation of a control (using a rule) against a single AWS resource is referred to as a “security check” and results in a finding that shows the result of the check.

In this post, we’ll discuss a reference architecture Kyndryl implemented to manage AWS Security Hub findings. Security Hub is used to understand the security posture and integrate non-compliance findings into the ITSM system (ServiceNow) via Kyndryl’s event management hub (IBM Netcool).

Netcool is widely used as a multi-tenant event aggregation hub. A common architectural pattern is for multiple tools like Amazon CloudWatch, Datadog, or security tools to send events to Netcool, which then routes them to various endpoints such as ServiceNow or other automation engines.

Netcool has additional capabilities including event suppression and de-duplication. Many customers also need to aggregate security events across AWS and non-AWS activities (on-premises, for example) and can use this reference architecture for that purpose.

Note that customers can alternatively use the AWS Service Management Connector for ServiceNow with direct support for sending Security Hub events to ServiceNow via Amazon EventBridge. For more info, please refer to the documentation.

Solution Overview

This section details the reference architecture that has been implemented. AWS Security Hub provides a multi-account structure where the Security Hub service of multiple accounts can be linked together.

We have leveraged this feature to manage and consolidate Security Hub findings of multiple member accounts into a single administrator account.


Figure 1 – AWS Security Hub multi-account structure.

Expanding this concept, we have implemented the below reference architecture.


Figure 2 – AWS Security Hub integration with ticketing system.

Here is a brief description of the above architecture:

  • AWS Security Hub is an account-specific, regional service.
  • For aggregation of Security Hub events, we choose an account (called Administrator account) and a region (called Primary region).
  • The configuration of AWS Security Hub for the Administrator account allows member accounts to be added. Once this relationship is defined, all Security Hub findings from the member accounts will be visible from the Administrator account. An automation asset is available from AWS labs to enable and disable Security Hub for a multi-account architecture.
  • Similarly, regional aggregation is configured in the Primary region of the Administrator account. Regional aggregation consolidates findings from all regions into the Primary region.
  • There are no out-of-the-box integrations with Netcool, so a custom integration was used. To enable the integration, create a custom AWS Lambda function and Amazon Simple Notification Service (SNS) topic in the primary region of the Administrator account.
  • The Lambda function is triggered using an Amazon EventBridge rule.
  • The Lambda function processes the incoming EventBridge events and posts them to the SNS topic.
  • Through webhook integration, an SNS subscription posts Security Hub CIS findings to Netcool.
  • Netcool creates incidents in ServiceNow. Incidents have sufficient details to identify the Security Hub finding in the AWS Management Console.
  • Site reliability engineers (SREs) can act upon incidents, fix findings in AWS accounts, and close ServiceNow incidents.


For this walkthrough, you should have the following prerequisites:

  • An AWS account.
  • AWS resources like Security Hub.
  • Access to Netcool event management and ServiceNow ITSM.

Component Interaction

This section details the flow of the reference architecture that has been implemented.

Below is a sequence diagram describing the flow of events. In this flow, a custom Lambda function is invoked to process Security Hub findings and send them to Netcool and ServiceNow.


Figure 3 – Component interaction.

The numbered events in the sequence diagram are:

  1. Once the multi-account, multi-region setup is done, AWS Security Hub findings from member accounts flow into the Security Hub of the Administrator account.
  2. In the Primary region’s Administrator account, set up an Amazon EventBridge rule that receives Security Hub events for failed compliance findings and invokes a custom Lambda function.
  3. The Lambda function processes the Security Hub findings and posts them to SNS. In the Primary region’s Administrator account, create an SNS topic (say “test_topic”). The Lambda function will publish Security Hub findings to the SNS topic. One event per CIS control, AWS account, and region is sent to SNS.
  4. Create a subscription on the SNS topic that can integrate with any external solution where you want to report the Security Hub findings. We integrated with Netcool, which is Kyndryl’s event management solution.
  5. Through a webhook integration, the SNS subscription sends the Security Hub events to Netcool. You can similarly configure any third-party integration.
  6. For each unique event Netcool receives, it creates an incident in ServiceNow. The primary key for identifying an event uniquely is a combination of AWS account number, region, and CIS control number. If an incident for a Security Hub finding is still open in Netcool or ServiceNow, Netcool will suppress that event and not create a new incident.

Once an SRE manually resolves or fixes the incident in AWS and ServiceNow, the event gets closed in Netcool. Any subsequent event for that finding (that is, for the same primary key) is treated as new, and Netcool creates a new incident for it.


Figure 4 – Sample ServiceNow tickets.

Benefits of the Solution

  • Automation of architecture and solution deployment: AWS Security Hub is a multi-account, multiple region service. Through Kyndryl’s solution, and by reusing an AWS labs asset, we have automated the multi-account, multi-region deployment architecture. You can enable as many regions as needed and where customer services are running.
  • Integration into service management (ITSM) processes: Through the integration into ServiceNow, we integrate into the service management processes.
  • Integration touchpoints: Through event management solutions like Netcool and integration touchpoints like Amazon SNS, we have control over Security Hub service and integration touchpoints. This can integrate with other third-party solutions, as well.
  • Customizable solution: In the AWS Lambda function, CIS controls that are not to be reported can be suppressed. For example, a partner may not want to manage Security Hub findings related to identity and access management (IAM), or they may want to customize ticket severity.
  • Currently enabled CIS benchmarks in Security Hub: The solution can be enhanced to cover other benchmarks provided by AWS, like PCI DSS and foundational best practices.
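
The Lambda step from the component interaction (steps 3 and 6) and the suppression described under "Customizable solution" can be sketched as follows. This is an added example, not Kyndryl's function: the suppressed controls, the severity override, the `TOPIC_ARN` environment variable, and the injectable `publish` parameter are assumptions, and the sample findings are constructed.

```python
import json
import os

TOPIC_ARN = os.environ.get("TOPIC_ARN", "")  # assumed env var holding the SNS topic ARN
SUPPRESSED_CONTROLS = {"1.14"}               # hypothetical: controls that are not ticketed
SEVERITY_OVERRIDE = {"2.9": "LOW"}           # hypothetical: per-control ticket severity
CIS = "cis-aws-foundations-benchmark"

def cis_control(finding):
    """Return the CIS control number parsed from GeneratorId, or None if not a CIS finding."""
    gen = finding.get("GeneratorId", "")
    return gen.rsplit("/rule/", 1)[1] if CIS in gen and "/rule/" in gen else None

def build_messages(event):
    """Reduce one EventBridge event to one message per (account, region, control)."""
    messages = {}
    for f in event.get("detail", {}).get("findings", []):
        control = cis_control(f)
        failed = f.get("Compliance", {}).get("Status") == "FAILED"
        if control is None or control in SUPPRESSED_CONTROLS or not failed:
            continue  # not a CIS check, suppressed here, or not a failed check
        key = f"{f['AwsAccountId']}:{f['Region']}:{control}"  # key Netcool de-duplicates on
        severity = SEVERITY_OVERRIDE.get(control, f.get("Severity", {}).get("Label", "MEDIUM"))
        messages.setdefault(key, {"key": key, "control": control, "severity": severity,
                                  "title": f.get("Title", ""), "finding_id": f["Id"]})
    return list(messages.values())

def lambda_handler(event, context, publish=None):
    """Lambda entry point; `publish` is injectable so the logic runs without AWS access."""
    if publish is None:
        import boto3  # provided by the Lambda runtime
        sns = boto3.client("sns")
        publish = lambda body: sns.publish(TopicArn=TOPIC_ARN, Message=body)
    messages = build_messages(event)
    for message in messages:
        publish(json.dumps(message))
    return {"published": len(messages)}

def sample_finding(account, region, control, status="FAILED"):
    """Constructed sample finding carrying only the ASFF fields used above."""
    return {"Id": f"sample-{account}-{region}-{control}", "AwsAccountId": account,
            "Region": region, "Title": f"CIS {control}", "Compliance": {"Status": status},
            "GeneratorId": f"arn:aws:securityhub:::ruleset/{CIS}/v/1.2.0/rule/{control}"}

SAMPLE_EVENT = {"detail": {"findings": [sample_finding(*a) for a in [
    ("111111111111", "us-east-1", "2.9"), ("111111111111", "us-east-1", "2.9"),   # same key
    ("111111111111", "eu-west-1", "2.9"), ("222222222222", "us-east-1", "1.14"),  # suppressed
    ("222222222222", "us-east-1", "4.1", "PASSED"),                               # not failed
]]}}
```

Collapsing duplicates inside the function keeps the SNS volume at one message per key even when a single EventBridge event carries several findings for the same control, account, and region.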


In this post, we covered a reference architecture and implementation details of a multi-account, multi-region AWS Security Hub deployment that is integrated with Netcool event management and ServiceNow. This solution can be used to continuously manage the cloud security posture of a complex AWS deployment.

