Quickie: Enable Custodian/SecHub integration
I had to look 4 places to get this together, so I think it is worth documenting here.
Your Custodian IAM role will require a new action: `securityhub:BatchImportFindings`
If you're using the CloudTrail mode, your Custodian policy will require some new features. This one goes in the `mode:` section:

```yaml
packages: [boto3, botocore, urllib3]
```
And this is your new action:

```yaml
- type: post-finding
  severity_label: INFORMATIONAL  # see below for explanation
  types:
    - "Software and Configuration Checks/AWS Security Best Practices"
```
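Putting the two fragments together, here is a complete policy in CloudTrail mode that posts a finding to Security Hub. This is an added example, not from the original post or the Cloud Custodian project; the policy name, the `aws.s3` resource type with its `global-grants` filter, the `CreateBucket` event mapping, the account id and the role ARN are all assumptions you will need to replace.

```yaml
policies:
  - name: s3-public-grant-to-sechub        # assumed policy name
    resource: aws.s3                       # assumed resource type
    description: |
      On bucket creation, flag buckets carrying a global ACL grant and
      post a finding to Security Hub.
    mode:
      type: cloudtrail
      # assumed role ARN; this role needs securityhub:BatchImportFindings
      role: arn:aws:iam::123456789012:role/CustodianLambdaRole
      # without this line the Lambda cannot write findings in the correct format
      packages: [boto3, botocore, urllib3]
      events:
        - source: s3.amazonaws.com
          event: CreateBucket
          ids: requestParameters.bucketName
    filters:
      - type: global-grants               # assumed filter for this example
    actions:
      - type: post-finding
        severity_label: MEDIUM            # pick from the labels listed below
        types:
          - "Software and Configuration Checks/AWS Security Best Practices"
```

The `role` is the IAM role the Lambda runs under, so the `securityhub:BatchImportFindings` permission from the first step must be attached there, not to the identity that deploys the policy.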
Finally, you need to enable the integration in SecHub. This script will enable it in all regions. If you don't use all regions, comment out the first `regions` line and uncomment the second. And don't forget to modify that array to include the regions you use!

```bash
#!/bin/bash
# Enable import of Cloud Custodian findings into Security Hub in every region.
# jq -r prints raw strings, so no quote-stripping with sed is needed.
regions=$(aws ec2 describe-regions | jq -r '.Regions[].RegionName')
# If you only use some regions, comment out the line above and uncomment this one:
#regions=(us-east-1 us-west-2)
for region in ${regions[@]}; do
  aws securityhub enable-import-findings-for-product --region "$region" \
    --product-arn "arn:aws:securityhub:$region::product/cloud-custodian/cloud-custodian"
done
```
Caveats:

- Don't forget to add the `packages` line! Without it, Lambda won't be able to write the findings in the correct format.
- Valid severity labels are as follows:
  - INFORMATIONAL - No issue was found.
  - LOW - The issue does not require action on its own.
  - MEDIUM - The issue must be addressed but not urgently.
  - HIGH - The issue must be addressed as a priority.
  - CRITICAL - The issue must be remediated immediately to avoid it escalating.