AWS Partner Network (APN) Blog

How to Enable Custom Actions in AWS Security Hub

Security Hub-1By Ross Warren, Solutions Architect at AWS

AWS Security Hub is a new service in Preview that provides customers with a comprehensive view of their security and compliance state across their Amazon Web Services (AWS) accounts.

The service aggregates findings from other AWS services such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, and integrations with AWS Security Partners.

AWS Security Hub brings these findings together in a single dashboard per region and consolidates them into actionable, easy-to-understand graphs and tables. The service supports the concept of Insights, which are grouped security findings, to help operations teams quickly identify the most critical security issues in their environment.

In addition to the default Insights that are provided, customers can create their own Insights to track issues that are specific to their environment.

Solution Overview

AWS Security Hub also provides customers with the ability to assess their compliance posture against best practice frameworks, and offers recommendations to remediate any findings. Security Hub’s default compliance framework supports the Center for Internet Security (CIS) AWS Foundations Benchmark, and others will be added in the future.

AWS Security Hub enables users to create Custom Actions enabling a response workflow for selected findings. Custom Actions include operations like sending findings to chat, email, ticketing, and/or automation systems. Security Hub uses Amazon CloudWatch Events to support Custom Actions. Selected findings are sent to CloudWatch where the Custom Action ID can be specified to connect the selected findings to a corresponding CloudWatch Event rule and target.

Security Hub’s Custom Actions allow your operations team to initiate responsive actions against findings selected through the Security Hub console across GuardDuty, Macie, and Inspector findings. Your operations team’s workflow benefits from these defined actions, reducing the dwell time to investigate and remediate findings in Security Hub.

In this post, I will introduce you to the process of creating AWS Security Hub Custom Actions with two examples: (1) sending findings to email; and 2) sending findings to Slack. This post will help you understand the process to create your own Custom Actions for utilization in your Security Operations playbooks.

Step 1: Send to Email Custom Action

How to Launch the AWS CloudFormation Stack

01_Email create statck

  • Complete Create Stack form
    • Stack Name: EnableSecurityHubFindingsEmails
    • EmailAddress: “Your email to send Security Hub findings to”
  • Select Next, fill out any Tags and select Next again
  • Accept IAM Resource creation

02_Email Create Stack-2

  • Select Create Stack, and CloudFormation will begin creating the stack
  • Wait for the CloudFormation console to report stack creation complete

04_Create-1

  • Check your email to confirm SNS Topic Subscription
  • Enable Security Hub
    • As a best practice, Security Hub should be enabled in each AWS Region by first navigating to the console in each region and clicking on Enable Security Hub.
    • NOTE: If you’re testing Security Hub, you can just enable the service in the same Region as you deployed the CloudFormation stack.

05_Sec Hub Enable-1

  • Next, review Service Role Permissions and click on Enable Security Hub

06_Sec Hub Enable-2

  • Read more about the IAM Roles that Security Hub utilizes
  • Create Security Hub Custom Actions
    • In the Security Hub settings, choose the Custom Actions tab and select Create Custom Action. Then, in the Create Custom Action pop-up, specify the Action Name, Description, and ID then choose OK to create the action.
      • Name: Send to email
      • Description: This Custom Action sends selected findings to email addresses defined in an SNS Topic Subscription.
      • Custom Action ID: SendToEmail
      • Your Custom Action will now show in the listing of Security Hub Custom Actions console

07_emai lcustom action

  • Optional step to customize the email notification
    • Navigate to the CloudWatch Events console and select the Events/Rules menu
    • Click on the CloudWatch Event Rule that was created by the CloudFormation template. It will be named “CloudWatchEventRuleFindingsToEmail”
    • Select Actions and click on Edit
    • On the right-hand side of the Create Rule console, the SNS topic “SendFindingsTopic” should be the selected target
    • Click Configure Input, select the Input Transformer Radio button, and fill in the following fields. Customize if you want.
      • Input Path:
        {"findingTime":"$.detail.findings[0].updatedAt","finding":"$.detail.findings[0].Types[0]","region":"$.detail.findings[0].Resources[0].Region","account":"$.detail.findings[0].AwsAccountId","findingDescription":"$.detail.findings[0].Description"}

        .

      • Input Template:
        "AWS SecurityHub finding in <region> for Account: <account>. The finding is <finding> and the description of the finding is <findingDescription>.”
    • Click Configure Details, then Click Update Rule to save
  • To test out this Custom Action, navigate to “Testing Custom Actions in AWS Security Hub” at the end of this post.

Step 2: Send to Slack Custom Action

Prerequisites

  • AWS Security Hub is enabled from previous example.
  • Membership in a Slack workspace

Create an Incoming Webhook in Slack API

  • Go to your Slack API web page to create the Webhook
  • Click on Create Your Slack App button
  • Click on Create New App button
    • App Name: SecurityHubToSlack
    • Development Slack Workspace : Choose the Slack workspace that will receive the Security Hub findings

08_Slack Create App

  • Click on the Create App Button
  • Select Incoming Webhooks
  • At the Activate Incoming Webhooks screen, move the slider from OFF to ON
  • Scroll down and choose Add New Webhook to Workspace

09_Slack Webhook URL

  • Select the Slack Channel in your Slack Workspace that the Security Hub findings will be posted to and select Authorize (suggestion “#alerts”)

10_Slack channel

  • On the next screen, scroll down to the Webhook URL section and click the Copy button so we can use it as input in our CloudFormation template

11_Slack webhook URL

Launch Cloud Formation Template

12_Slack Create Stack

Parameters with Values to Fill Out in Create Stack

  • StackName: EnableSecurityHubFindingsToSlack
  • IncomingWebHookURL: Paste what you just copied from Slack API pages
  • SlackChannel: Enter the same Slack Channel name that you chose above (#alerts)
  • MinSeverityLevel: Choose the minimum severity level you want to be notified in Slack; for example, HIGH would only send high severity findings, while LOW sends all findings

13_Slack create stack-2

Complete Create Stack form

  • Select Next, fill out any Tags and select Next again
  • Accept IAM Resource creation

14_IAM

  • Select Create Stack, and CloudFormation will begin creating the stack
  • Wait for the CloudFormation console to report stack creation complete

15_Slack create

Create Security Hub Custom Actions

  • In the Security Hub navigation pane, select Settings then choose the Custom Actions tab. Select Create Custom Action, and in the pop-up specify the Action Name, Description, and ID then choose OK to create the action
    • Name: Send to Slack
    • Description: This Custom Action sends selected findings as channel in a Slack Workspace
    • Custom Action ID: SendToSlack

16_Slack custom action

Step 3: Testing Custom Actions in AWS Security Hub

If you followed the steps above, you’ll have created two Custom Actions. Next, I’ll explain how to test the Send to Email Custom Action.

  • Navigate to AWS Security Hub console
  • Navigate to Findings
  • Select the check box next to one or more findings
  • Click the drop-down Actions menu and choose the SendToEmail Custom Action

The Security Hub console will then report “Successfully sent findings to CloudwatchEvents,” and you should receive an email from “AWS Notifications no-reply@sns.amazonaws.com.”

Step 4: Removing CloudFormation Stacks

If you’re testing this Custom Action, you can remove these stacks at any time by following the instructions at Deleting a Stack on the AWS CloudFormation Console.

Conclusion

AWS Security Hub reduces the effort of managing and improving the security and compliance of all of your AWS accounts and workloads. By enabling Custom Actions in the AWS Security Hub console, you can reduce the time it takes for your security operations team to begin acting on findings from AWS Security Hub.

Take the time today to start empowering your security teams to be more efficient with Security Hub Custom Actions.