Skip to main content
Amazon Security Hub

Centralize AWS security with Security Hub and automate remediation using Torq to streamline and secure your cloud environment.

Updated over 7 months ago

Amazon Security Hub is a centralized security service that enables AWS users to aggregate and prioritize their security findings and alerts from various AWS services and, in some cases, third-party products. It offers a comprehensive view of the security posture of the AWS environment and facilitates quick remediation actions.

Automate Security Hub Events with Torq

  • Data from other AWS services and, in some cases, third-party services pour into Security Hub.

  • Based on your configurations, findings (events) are sent from Security Hub to EventBridge.

  • Based on your rules for an SNS topic, EventBridge will send events to SNS.

An image showing how Amazing Security Hub, Event bridge, and other services work with Torq.

Create an SNS Integration in Torq

The SNS integration is a unique webhook (Torq URL) you'll add to the SNS topic. This way, SNS knows where to send topics. The topics are ingested into Torq as JSON events.

  1. Go to Build > Integrations > Triggers > Amazon SNS, and click Add.

  2. Enter a meaningful name for the integration.

    1. (Optional) Add authentication headers to secure the webhook.

  3. Click Add.

Create a New SNS Topic and Subscription

Check out the Amazon documentation for detailed information and instructions.

When you configure the topic, make sure to use these configurations.

  • In the Endpoint field, paste the webhook URL you generated earlier.

  • Select the Enable raw message delivery check box.

Screenshot showing where to enter the webhook URL and which check box to select for the topic.

Create an EventBridge Rule

An Amazon EventBridge rule specifies a pattern that matches events generated by AWS services or custom applications and routes them to one or more target destinations. An Amazon SNS (Simple Notification Service) topic is one of the target destinations that can be specified for an EventBridge rule.

When an EventBridge rule is configured to send events to an SNS topic, any events that match the specified pattern are delivered to the SNS topic. The SNS topic then sends notifications to all of its subscribed endpoints

By using EventBridge rules to route events to SNS topics, developers can create event-driven architectures that allow different components of their applications to communicate and respond to changes or updates in real-time. For example, an EventBridge rule could be configured to send notifications to an SNS topic whenever a new item is added to an Amazon S3 bucket. This could trigger a Torq workflow that interacts with the bucket owner and the user who added the item and remediates accordingly.

  1. In the Get started section, select EventBridge Rule and click Create Rule.

    A screenshot showing how to create an EventBridge rule.
  2. Replicate these settings, but make sure to change the name and other custom fields as required.

    1. Define Rule Detail:

      1. Enable Rule on the selected event bus

      2. Choose the Rule with an event pattern type

        A screenshot showing how to set up a rule detail.
    2. Build Event Pattern:

      1. Event Source: AWS events or EventBridge partner events

      2. Sample Event: AWS events

      3. Creation Method: Use pattern form

      4. Event Pattern:

        1. Source: AWS Services

        2. Service: Security Hub

        3. Event Type: All Events

        4. Event Pattern:

          {   "source": ["aws.securityhub"],   "detail": {     "findings": {       "Severity": {         "Label": ["LOW", "MEDIUM", "HIGH", "CRITICAL"]       }     }   } }
          amazong-security-hub-eventbridge-event-pattern

    3. Select Targets:

      1. Target Types: AWS service

      2. Select a target: SNS topic

Screenshot showing how to configure where to send EventBridge findings to, such as an SNS topic.

Use in Torq

The Amazon SNS integration you created earlier and selected as the trigger for the test workflow should receive security findings from Amazon Security Hub.

Go to the workflow, click the Amazon SNS trigger, and go to Event Log.

amazon-security-hub-event-log

Sample Event JSON

{
  "account": "0123456789012",
  "detail": {
    "findings": [
      {
        "AwsAccountId": "0123456789012",
        "CompanyName": "AWS",
        "Compliance": {
          "AssociatedStandards": [
            {
              "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0"
            }
          ],
          "SecurityControlId": "S3.13",
          "Status": "FAILED"
        },
        "CreatedAt": "2023-03-22T18:09:55.469Z",
        "Description": "This control checks if a lifecycle policy is configured for an S3 bucket. This control fails if the lifecycle policy is not configured for an S3 bucket.",
        "FindingProviderFields": {
          "Severity": {
            "Label": "LOW",
            "Normalized": 1,
            "Original": "LOW"
          },
          "Types": [
            "Software and Configuration Checks/Industry and Regulatory Standards"
          ]
        },
        "FirstObservedAt": "2023-03-22T18:09:55.469Z",
        "GeneratorId": "security-control/S3.13",
        "Id": "arn:aws:securityhub:us-east-3:0123456789012:security-control/S3.13/finding/653eaaba-04fe-42cb-928a-3b6696c89e78",
        "LastObservedAt": "2023-03-22T18:10:11.114Z",
        "ProcessedAt": "2023-03-22T18:10:16.499Z",
        "ProductArn": "arn:aws:securityhub:us-east-3::product/aws/securityhub",
        "ProductFields": {
          "RelatedAWSResources:0/name": "securityhub-s3-lifecycle-policy-check-057dba00",
          "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
          "Resources:0/Id": "arn:aws:s3:::aws-cloudtrail-logs-xxxxxxxxx-xxxxxx",
          "aws/securityhub/CompanyName": "AWS",
          "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-3::product/aws/securityhub/arn:aws:securityhub:us-east-3:0123456789012:security-control/S3.13/finding/653eaaba-04fe-42cb-928a-3b6696c89e78",
          "aws/securityhub/ProductName": "Security Hub",
          "aws/securityhub/annotation": "Found no bucket lifecycle configuration rules."
        },
        "ProductName": "Security Hub",
        "RecordState": "ACTIVE",
        "Region": "us-east-3",
        "Remediation": {
          "Recommendation": {
            "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
            "Url": "https://docs.aws.amazon.com/console/securityhub/S3.13/remediation"
          }
        },
        "Resources": [
          {
            "Details": {
              "AwsS3Bucket": {
                "CreatedAt": "2023-03-22T18:06:13.000Z",
                "OwnerId": "123456789012345678901234567890"
              }
            },
            "Id": "arn:aws:s3:::aws-cloudtrail-logs-012345678901-559cd158",
            "Partition": "aws",
            "Region": "us-east-3",
            "Type": "AwsS3Bucket"
          }
        ],
        "SchemaVersion": "2018-10-08",
        "Severity": {
          "Label": "LOW",
          "Normalized": 1,
          "Original": "LOW"
        },
        "Title": "S3 buckets should have lifecycle policies configured",
        "Types": [
          "Software and Configuration Checks/Industry and Regulatory Standards"
        ],
        "UpdatedAt": "2023-03-22T18:09:55.469Z",
        "Workflow": {
          "Status": "NEW"
        },
        "WorkflowState": "NEW"
      }
    ]
  },
  "detail-type": "Security Hub Findings - Imported",
  "id": "123456-1223456-123456-123456",
  "region": "us-east-3",
  "resources": [
    "arn:aws:securityhub:us-east-3::product/aws/securityhub/arn:aws:securityhub:us-east-3:0123456789012:security-control/S3.13/finding/653eaaba-04fe-42cb-928a-3b6696c89e78"
  ],
  "source": "aws.securityhub",
  "time": "2023-03-22T18:10:20Z",
  "version": "0"
}
Did this answer your question?