Integration & Automation

Manage security events in Slack, Teams, or Amazon Chime using AWS Chatbot and Amazon Q

Organizations work to eliminate redundant security alerts as part of improving their overall security posture, and they continuously look for processes that make security operations more focused, efficient, and effective. Without a way to eliminate redundancy, teams can inadvertently overlook important alerts, spend unnecessary time on issues they’ve already addressed, increase response time, and clutter dashboards.

This blog post presents a solution that unifies security management in a common messaging app such as Slack, Amazon Chime, or Microsoft Teams. Using a combination of Amazon Q, AWS Chatbot, Amazon Simple Notification Service (Amazon SNS), and AWS Security Hub, all connected together and configured with the required permissions and roles, you can:

  • Get notified about security alerts in near real time.
  • Investigate solutions using chatbot queries.
  • Take actions using integrated command line interface (CLI) commands directly in your messaging app.

This solution helps you streamline your organization’s security response protocols by consolidating communications in one central channel where interested parties can chat and collaborate on a solution.

This solution has several benefits:

  • Prioritize the response and remediation efforts of your security and DevSecOps teams by fine-tuning diverse security findings across multiple AWS accounts and resources in one location.
  • Chat with Amazon Q directly from your messaging app to learn about best practices, troubleshoot issues, and identify next steps.
  • Open support cases for security incidents from the ease of your phone when you’re away from your desk and need support right away.
  • Use Amazon Q’s CLI for AI-generated completions as you type in the command line.
  • Customize notifications for checks and vulnerabilities; for example, you can create a rule to receive notifications based on resource IDs in an AWS organization or account for a specific severity level.

This solution addresses multiple use cases. You can apply it to strategic accounts that require extra attention, for example when a compliance check fails or a warning occurs for Health Insurance Portability and Accountability Act (HIPAA)-compliant workloads in production accounts. In another use case, when cross-account support is enabled for solution provider AWS Partner-Led Support (PLS) customers, you can open a support case from the dedicated administrator account into the rest of the accounts in an organization.

About this blog post

Time to read: ~10 minutes
Time to complete: ~2 hours
Cost to complete: 0
Learning level: Intermediate (200)
AWS services: Amazon EventBridge, Amazon Simple Notification Service (Amazon SNS), Amazon Q, AWS Chatbot, AWS Identity and Access Management (IAM), AWS Security Hub

Architectural overview

The solution sets up the following architecture:

Architectural diagram of AWS services interacting with Slack integration

Figure 1: Architectural overview of AWS services with Slack integration

  1. Security Hub detects a status change such as a security alert and invokes an EventBridge rule.
  2. The EventBridge rule sends a notification to Amazon SNS about the change in status.
  3. Amazon SNS sends the security status notification to AWS Chatbot, which is subscribed to the SNS topic.
  4. AWS Chatbot routes the security status notification to the Slack channel.
  5. A user of the Slack channel chats with the Amazon Q chatbot agent about the alert.
  6. The user opens a support case through the chatbot agent.

Prerequisites

  • Security Hub enabled either in an AWS organization or within a standalone AWS account. See Enabling Security Hub.
  • An IAM user and role with permissions to configure EventBridge, Amazon SNS, and AWS Chatbot. See IAM roles.
  • An active user of Microsoft Teams, Slack, or Amazon Chime.

Walkthrough

Step 1: Create an Amazon SNS topic

Sign in to the Amazon SNS console, and create an Amazon SNS topic named securityhub with an access policy that allows it to receive and deliver notifications. As a best practice, grant least privilege access to reduce security risks and errors: allow only the EventBridge service to publish to the topic, and confirm that the topic's Amazon Resource Name (ARN) in the access policy is accurate.

You will set this SNS topic as the target of an EventBridge rule in the next step.
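The following is an added example (not code from the original post) of the least-privilege access policy described in Step 1, together with a small check that flags a topic policy that is wider than it should be. The ARNs are placeholders; the aws:SourceArn condition that pins the policy to a single EventBridge rule is a tightening I assume here, not a setting the post itself shows.

```python
import json

def build_topic_policy(topic_arn: str, rule_arn: str) -> dict:
    """Topic access policy that lets only the EventBridge service publish to this
    topic, and only on behalf of one specific rule (assumed tightening)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowSecurityHubRuleToPublish",
            "Effect": "Allow",
            "Principal": {"Service": "events.amazonaws.com"},
            "Action": "sns:Publish",
            "Resource": topic_arn,
            "Condition": {"ArnEquals": {"aws:SourceArn": rule_arn}},
        }],
    }

def policy_findings(policy: dict, topic_arn: str) -> list:
    """Return a description of each Allow statement that is broader than the
    least-privilege shape above: public principal without a condition,
    wildcard action, or a resource that is not this topic's ARN."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        actions = stmt.get("Action")
        actions = [actions] if isinstance(actions, str) else list(actions or [])
        resources = stmt.get("Resource")
        resources = [resources] if isinstance(resources, str) else list(resources or [])
        if principal in ("*", {"AWS": "*"}) and "Condition" not in stmt:
            problems.append(f"{sid}: public principal without a condition")
        if any(a in ("*", "sns:*") for a in actions):
            problems.append(f"{sid}: wildcard action")
        if any(r != topic_arn for r in resources):
            problems.append(f"{sid}: resource does not match the topic ARN")
    return problems

# Placeholder ARNs (constructed for this example).
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:securityhub"
RULE_ARN = "arn:aws:events:us-east-1:111122223333:rule/securityhub-critical"

if __name__ == "__main__":
    policy = build_topic_policy(TOPIC_ARN, RULE_ARN)
    print(json.dumps(policy, indent=2))
    print("findings:", policy_findings(policy, TOPIC_ARN))
```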

Amazon SNS console showing an SNS topic with the Access policy tab open

Figure 2: An SNS topic named securityhub with an access policy

Step 2: Create the EventBridge rule

The EventBridge rule determines which events are sent to which targets for processing. In my solution, the rule is invoked when Security Hub detects a change in status, such as a new security alert. You can choose to be notified of every event that Security Hub emits, or you can filter for specific security events.

To create the EventBridge rule, perform these steps:

  1. Open the Security Hub console.
  2. Navigate to the Management, Automations section in the left navigation bar.
  3. Create an EventBridge rule and configure it to match findings with the severity level CRITICAL.

    Security Hub console showing user creating an EventBridge rule

    Figure 3: Configuring the EventBridge rule

  4. To configure Security Hub event notifications, navigate to the Event pattern section and choose one of the following options in the Event type field:
    • To be notified of all events, choose All Events.
    • To filter security-related events, choose Security Hub Findings-Imported.

      Security Hub console showing user configuring event type notifications

      Figure 4: Configure Security Hub event notifications

  5. Choose Next.
  6. Choose AWS service in the Target types section.
  7. In the Topic field, select the securityhub topic that you created in the previous step.

    Console screen showing user choosing securityhub as the topic target

    Figure 5: Choosing the EventBridge rule target

  8. Choose Next, and then save your EventBridge rule.
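As an added illustration of Step 2 (not code from the original post), this example shows the event pattern that corresponds to choosing Security Hub Findings - Imported and a CRITICAL severity, and applies a simplified version of EventBridge's matching rules to constructed sample finding events so you can see which ones would reach the SNS topic. The sample events are trimmed-down shapes I constructed, not real Security Hub output.

```python
from typing import Any

# Pattern equivalent to the console choices in Step 2: Security Hub findings
# imported, restricted to CRITICAL severity. Adding "Workflow": {"Status": ["NEW"]}
# under "findings" would also drop findings that someone has already handled.
CRITICAL_FINDINGS_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"Severity": {"Label": ["CRITICAL"]}}},
}

def matches(pattern: Any, event: Any) -> bool:
    """Simplified EventBridge matching: every key in the pattern must exist in
    the event; a list in the pattern is the set of allowed literal values; a
    list in the event matches if any of its elements matches."""
    if isinstance(pattern, dict):
        if isinstance(event, list):
            return any(matches(pattern, item) for item in event)
        if not isinstance(event, dict):
            return False
        return all(key in event and matches(sub, event[key])
                   for key, sub in pattern.items())
    if isinstance(event, list):
        return any(item in pattern for item in event)
    return event in pattern

def sample_event(label: str, detail_type: str = "Security Hub Findings - Imported") -> dict:
    """Constructed, minimal shape of a Security Hub finding event."""
    return {
        "source": "aws.securityhub",
        "detail-type": detail_type,
        "detail": {"findings": [{
            "Title": "S3 buckets should block public access",
            "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}],
            "Severity": {"Label": label},
            "Workflow": {"Status": "NEW"},
        }]},
    }

def should_notify(event: dict, pattern: dict = CRITICAL_FINDINGS_PATTERN) -> bool:
    """True when the rule would forward this event to the securityhub SNS topic."""
    return matches(pattern, event)

if __name__ == "__main__":
    for label in ("CRITICAL", "HIGH", "LOW"):
        print(label, "->", should_notify(sample_event(label)))
```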

Step 3: Install the chatbot agent

Install the AWS Chatbot agent in your preferred communication channel, for example Slack, Amazon Chime, or Microsoft Teams. This agent is integrated with the Amazon Q chatbot agent for opening support tickets and entering CLI commands.

To install the chatbot agent in Slack, perform these steps:

  1. In your Slack channel settings, add or install AWS Chatbot. Make note of the channel ID. For instructions, see Tutorial: Get Started with Slack in the AWS Chatbot documentation.
  2. Sign in to the AWS Chatbot console, and perform the following steps:
    1. Create a new client.
    2. Create a role for the Chatbot agent that you will integrate with Amazon Q.
    3. Subscribe to the SNS topic that you created earlier.

      Image of Slack where user subscribes to the SNS topic

      Figure 6: Subscribing to the SNS topic from Slack

  3. Set permissions on the chatbot’s IAM role to allow Amazon Q to interact with AWS services. With these permissions in place, the chatbot can provide recommendations about Security Hub findings when a user asks, and users can enter CLI commands to perform tasks. The CLI responds with suggestions for the exact command based on the syntax the user entered.

The AWSSupportAccess managed policy has been attached to the chatbot role so that it can create support cases. For example, when you type @aws create a support case in the channel, the chatbot prompts you to choose the support create-case command.

Note: Because AWSSupportAccess is an AWS managed policy, the solution adheres to security best practices, including granting least privilege.

For information about adding the AWSSupportAccess permission to a user, group, or role, see Manage access to AWS Support Center.

Here are some examples of questions you can ask Amazon Q from your configured channel:

  • @aws how do I troubleshoot lambda concurrency issues?
  • @aws what are the best practices for securing S3 buckets?

Results

Now you are ready to start receiving notifications from Security Hub in your Slack channel. In the following image, I have received a notification for one of my S3 buckets. I ask the chatbot for recommendations on how to block public access to the S3 bucket, and then I open a support case.

AWS Chatbot displaying a security alert in the Slack channel

Figure 7: Receiving a security alert in Slack channel

Next, I ask the chatbot to create a support case.

User prompting the chatbot to open a support case

Figure 8: User prompting the chatbot to open a support case

Finally, I choose the Run command, and fill in the required information.

Chatbot creates a support case and displays the case ID for reference

Figure 9: Chatbot creates a support case

Conclusion

This AWS solution provides a streamlined approach for managing security incidents in a single messaging app channel. It helps teams react and respond to security events from a central location, including from the ease of their phone. Having multiple cloud engineers engaging in a common communication channel reduces redundancy in the flow of security-related notifications and helps them work toward a solution using familiar chat capabilities and common commands.

As a next step, apply the solution to your own environment to learn about the benefits and see first-hand how they can positively affect your security posture.

Also, check out the following resources:

If you have feedback about this article or want to get in touch with the author, leave your feedback in the Comments section on this page.

Arbind Basnet is a Partner Technical Account Manager with AWS Enterprise Support. He enjoys building AWS Serverless solutions for AWS Partners. Outside of work, Arbind is a proud U.S. Army veteran and avid trail runner.