How can I use Security Hub to monitor security issues for my AWS environment?
Last updated: 2022-05-25
I want to use AWS Security Hub to monitor security issues in my AWS environment.
Security Hub provides you with a detailed view of your security state and helps check your environment against security standards and best practices.
Benefits of Security Hub include:
- Reduced effort to collect and prioritize findings
- Automatic security checks against best practices and standards
- Consolidated view of findings across accounts and providers
- Ability to automate remediation of findings
- Supports integration with Amazon EventBridge.
To automate remediation of specific findings, you can define custom actions to take when a finding is received.Follow these instructions to create a custom action, define an EventBridge rule, and send findings.
Create a custom action
If you haven't already done so, start the configuration recorder in AWS Config.
1. Open the Security Hub console, choose Settings, and then choose Custom actions.
2. Choose Create custom action.
3. Enter an Action name and Description.
4. For Custom action ID, enter a unique ID, and then choose Create custom action.
5. In Custom action ARN, take note of the ARN.
Define a rule in EventBridge
If you haven't already done so, create an Amazon Simple Notification Service (Amazon SNS) topic.
1. Open the EventBridge console in the same AWS Region as Security Hub, expand Events, and then choose Rules.
2. Choose Create rule.
3. Enter a Rule name and Description.
4. From the Event bus drop down menu, choose either the default or custom bus.
5. Make sure that the Enable the rule on the selected event bus switch is turned on.
6. For Rule type, choose Rule with an event pattern, and then choose Next.
7. For Event source, choose AWS events or EventBridge partner events.
8. In Event pattern, choose the following:
For Event source, choose AWS services.
For AWS service, choose Security Hub.
For Event type, choose Security Hub Findings - Custom Action, choose Specific custom action ARN(s), and then choose Next.
9. Choose the Select a target drop down menu, choose your target type, choose Next, Next, and then choose Create rule.
For more information, see Amazon EventBridge event patterns.
Send findings to EventBridge
1. Open the Security Hub console, and then choose Findings.
2. Follow the instructions to send findings to EventBridge.
- You can create up to 50 custom actions.
- If you created cross-Region aggregation and manage finding from the aggregation Region, create custom actions in that Region.
For more information, see Findings in AWS Security Hub.