Integration & Automation
Manage security events in Slack, Teams, or Amazon Chime using AWS Chatbot and Amazon Q
Organizations often make efforts to avoid redundant security alerts to improve their overall security posture. They continuously look for protocols to ensure more focused, efficient, and effective safety operations. Without a solution to eliminate redundancy, teams can inadvertently overlook important alerts, spend unnecessary time on issues they’ve already addressed, increase response time, and clutter dashboards.
This blog post presents a solution that unifies security management into a common messaging app such as Slack, Amazon Chime, and Microsoft Teams. Using a combination of Amazon Q, AWS Chatbot, Amazon Simple Notification Service (Amazon SNS), and AWS Security Hub, all synced together and configured with permissions and roles, you can:
- Get notified about security alerts in near real time.
- Investigate solutions using chatbot queries.
- Take actions using integrated command line interface (CLI) commands directly in your messaging app.
This solution helps you streamline your organization’s security response protocols by consolidating communications in one central channel where interested parties can chat and collaborate on a solution.
This solution has several benefits:
- Prioritize the response and remediation efforts of your security and DevSecOps teams by fine-tuning diverse security findings across multiple AWS accounts and resources in one location.
- Chat with Amazon Q directly from your messaging app to learn about best practices, troubleshoot issues, and identify next steps.
- Open support cases for security incidents from the ease of your phone when you’re away from your desk and need support right away.
- Use Amazon Q’s CLI for AI-generated completions as you type in the command line.
- Customize notifications for checks and vulnerabilities; for example, you can create a rule to receive notifications based on resource IDs in an AWS organization or account for a specific severity level.
This solution addresses multiple use cases. You can apply it to strategic accounts that require extra attention, for example when a compliance check fails or a warning occurs for Health Insurance Portability and Accountability Act (HIPAA)-compliant workloads in production accounts. In another use case, when cross-account support is enabled for solution provider AWS Partner-Led Support (PLS) customers, you can open a support case from the dedicated administrator account into the rest of the accounts in an organization.
About this blog post | |
Time to read | ~10 minutes |
Time to complete | ~2 hours |
Cost to complete | 0 |
Learning level | Intermediate (200) |
AWS services | Amazon EventBridge Amazon Simple Notification Service (Amazon SNS) Amazon Q AWS Chatbot AWS Identity and Access Management (IAM) AWS Security Hub |
Architectural overview
The solution sets up the following architecture:
- Security Hub detects a status change such as a security alert and invokes an EventBridge rule.
- The EventBridge rule sends a notification to Amazon SNS about the change in status.
- Amazon SNS sends the security status notification to AWS Chatbot, which is subscribed to the SNS topic.
- AWS Chatbot routes the security status notification to the Slack channel.
- A user of the Slack channel chats with the Amazon Q chatbot agent about the alert.
- The user opens a support case through the chatbot agent.
Prerequisites
- Security Hub enabled either in an AWS organization or within a standalone AWS account. See Enabling Security Hub.
- An IAM user and role with permissions to configure EventBridge, Amazon SNS, and AWS Chatbot. See IAM roles.
- An active user of Microsoft Teams, Slack, or Amazon Chime.
Walkthrough
Step 1: Create an Amazon SNS topic
Sign in to the Amazon SNS console, and create an Amazon SNS topic named securityhub with sufficient permissions to receive and send notifications. As a best practice, implement least privilege access to reduce security risks and errors. Confirm that the Amazon Resource Name (ARN) is accurate in the access policy.
You will set this SNS topic as the target of an EventBridge rule in the next step.
Step 2: Create the EventBridge rule
The EventBridge rule determines which events to send to which targets for processing. In my solution, the rule is invoked when Security Hub detects a change in status such as a security alert. You can choose to be notified of all the events that Security Hub detects, or you can filter specific security events.
To create the EventBridge rule, perform these steps:
- Open the Security Hub console.
- Navigate to the Management, Automations section in the left navigation bar.
- Create an EventBridge rule and configure the security level as CRITICAL.
- To configure Security Hub event notifications, navigate to the Event pattern section and choose one of the following options in the Event type field:
- To be notified of all events, choose All Events.
- To filter security-related events, choose Security Hub Findings-Imported.
- Choose Next.
- Choose AWS service in the Target types section.
- In the Topic field, select the securityhub topic that you created in the previous step.
- Choose Next, and then save your EventBridge rule.
Step 3: Install the chatbot agent
Install the AWS Chatbot agent in your preferred communication channel, for example Slack, Amazon Chime, or Microsoft Teams. This agent is integrated with the Amazon Q chatbot agent for opening support tickets and entering CLI commands.
To install the chatbot agent in Slack, perform these steps:
- In your Slack channel settings, add or install AWS Chatbot. Make note of the channel ID. For instructions, see Tutorial: Get Started with Slack in the AWS Chatbot documentation.
- Sign in to the AWS Chatbot console, and perform the following steps:
- Create a new client.
- Create a role for the Chatbot agent that you will integrate with Amazon Q.
- Subscribe to the SNS topic that you created earlier.
- Set permissions for the chatbot’s IAM role to allow Amazon Q to interact with AWS services. With permissions set on the chatbot role, the chatbot can provide recommendations about the Security Hub findings when asked by a user. It also allows users to enter CLI commands to perform tasks. The CLI responds with suggestions for exact commands based on the syntax entered by the user.
The AWSSupportAccess
permission has been added to the chatbot role so it can create support cases. For example, when you type the CLI command @aws create a support case
, the chatbot prompts you to choose the support create-case command
.
Note: Because AWSSupportAccess
is an AWS managed policy, the solution adheres to security best practices, including granting least privilege.
For information about adding the AWSSupportAccess
permission to a user, group, or role, see Manage access to AWS Support Center.
Here are some examples of questions you can ask Amazon Q from your configured channel:
- @aws how do I troubleshoot lambda concurrency issues?
- @aws what are the best practices for securing S3 buckets?
Results
Now you are ready to start receiving notifications from Security Hub in your Slack channel. In the following image, I have received a notification for one of my S3 buckets. I ask the chatbot to provide recommendations on how to block public access to the S3 bucket and open a support case.
Next, I ask the chatbot to create a support case.
Finally, I choose the Run command, and fill in the required information.
Conclusion
This AWS solution provides a streamlined approach for managing security incidents in a single messaging app channel. It helps teams react and respond to security events from a central location, including from the ease of their phone. Having multiple cloud engineers engaging in a common communication channel reduces redundancy in the flow of security-related notifications and helps them work toward a solution using familiar chat capabilities and common commands.
As a next step, apply the solution to your own environment to learn about the benefits and see first-hand how they can positively affect your security posture.
Also, check out the following resources:
If you have feedback about this article or want to get in touch with the author, leave your feedback in the Comments section on this page.