Hello,
Thank you for your query. Please find the answers/suggestions to your questions:
- For each of the X AWS Accounts I want the conformance pack to run with updated findings once a day.
  You can change the default recording from the AWS Config Settings page. Change it from "Continuous Recording" to "Daily Recording".
- Once Conformance pack findings are running once a day for each of the X AWS Accounts I want to dump findings report into csv file in centralized S3 bucket in Audit Account.
  You can use an existing solution from the AWS Samples GitHub repo to export the Security Hub findings to an S3 bucket: https://github.com/aws-samples/aws-security-hub-findings-export
Please note: the Lambda function in this solution uses Python 3.7, and Python 3.7 has been deprecated. If you try to deploy this solution, it will fail. You will have to modify the code to leverage Python 3.12 to deploy this using CloudFormation.
Hope this gives you a direction on how to export these findings to S3 buckets.
Regards,
Hi,
Yes, you can achieve this requirement by using a combination of AWS services: Step Functions, AWS Lambda, and the AWS Config API. Here's a high-level approach you can follow:
1. Set up a Centralised Lambda Function
- Create a Lambda function in your Audit Account.
- This Lambda function will interact with the AWS Config API to retrieve the conformance pack evaluation results for each of the X AWS accounts and their respective regions (us-east-1, us-east-2, us-west-1, and us-west-2).
- The Lambda function should use the describe_conformance_pack_status API (Refer Link) to fetch the evaluation results for the CIS AWS Foundations Benchmark and NIST 800-35 conformance packs.
- The function should then process the evaluation result and generate a CSV report. [Output can be in JSON, text or table. You can use Python libraries in Lambda to convert them to csv.]
2. Set up a Step Functions State Machine
- Create a Step Functions state machine in your Audit Account.
- This state machine will orchestrate the execution of the centralised Lambda function for each of the X AWS accounts and their respective regions.
- The state machine can have parallel branches to invoke the Lambda function concurrently for different accounts and regions.
- The state machine can include error handling and retry mechanisms for failed invocations.
3. Schedule the Step Functions State Machine
- Create a CloudWatch Events rule in your Audit Account to trigger the Step Functions state machine once a day (or at your desired frequency).
- This CloudWatch Events rule can be a scheduled event (e.g., cron expression) or based on a specific time of day.
4. Store the CSV Report in S3
- In your centralised Lambda function, include code to upload the generated CSV report to an S3 bucket in your Audit Account.
- You can create a dedicated S3 bucket or use an existing one, depending on your requirements.
- Ensure that the Lambda function has the necessary permissions to write to the S3 bucket.
By following this approach, you don't need to interact with the Security Hub API directly. The conformance pack evaluation results are available through the AWS Config API, and you can leverage that to retrieve the findings and generate the CSV report.
However, if you need to integrate with Security Hub for additional functionality or reporting, you can consider using the Security Hub API in addition to the AWS Config API.
Here are some relevant AWS documentation links for reference:
- AWS Config describe_conformance_pack_status
- AWS Lambda execution role
- AWS Step Functions
- CloudWatch Events scheduled rules
- AWS Security Hub API reference
Hope it’ll help.
Thanks.
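As an added example (not code from either answer above), here is the centralised Lambda described in the second answer for one account/region pair: it assumes a cross-account role in the target account, pages through the conformance pack's rule evaluations with get_conformance_pack_compliance_details (the Config API call that returns per-rule results), flattens them to CSV and uploads the file to the Audit-account bucket. The event fields (account_id, region, pack_name, role_arn, bucket), the role itself and the S3 key layout are assumptions; the embedded sample page is constructed.

```python
import csv, io
from datetime import datetime, timezone
# CSV columns; account_id/region let rows from all accounts merge in one bucket.
FIELDS = ["account_id", "region", "conformance_pack", "config_rule", "resource_type",
          "resource_id", "compliance", "recorded_at", "annotation"]
# Constructed sample: one page in the real GetConformancePackComplianceDetails shape.
SAMPLE_PAGE = {"ConformancePackName": "cis-benchmark", "ConformancePackRuleEvaluationResults": [
    {"ComplianceType": "NON_COMPLIANT", "Annotation": "Bucket allows public read",
     "EvaluationResultIdentifier": {"EvaluationResultQualifier": {
         "ConfigRuleName": "s3-bucket-public-read-prohibited",
         "ResourceType": "AWS::S3::Bucket", "ResourceId": "example-bucket"}},
     "ResultRecordedTime": datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)}]}

def rows_from_details(account_id, region, page):
    """Flatten one API page into CSV row dicts; optional keys default to ''."""
    rows = []
    for r in page.get("ConformancePackRuleEvaluationResults", []):
        q = r["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        ts = r.get("ResultRecordedTime")
        rows.append({"account_id": account_id, "region": region,
                     "conformance_pack": page["ConformancePackName"],
                     "config_rule": q.get("ConfigRuleName", ""),
                     "resource_type": q.get("ResourceType", ""),
                     "resource_id": q.get("ResourceId", ""),
                     "compliance": r.get("ComplianceType", ""),
                     "recorded_at": ts.isoformat() if isinstance(ts, datetime) else "",
                     "annotation": r.get("Annotation", "")})
    return rows

def to_csv(rows):
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS)
    w.writeheader(); w.writerows(rows)
    return buf.getvalue()

def handler(event, context):
    # Lambda entry; event = {account_id, region, pack_name, role_arn, bucket}, one per state-machine branch (assumed).
    import boto3  # imported here so the pure helpers above stay testable without the SDK
    c = boto3.client("sts").assume_role(RoleArn=event["role_arn"], RoleSessionName="config-export")["Credentials"]
    config = boto3.client("config", region_name=event["region"], aws_access_key_id=c["AccessKeyId"],
                          aws_secret_access_key=c["SecretAccessKey"], aws_session_token=c["SessionToken"])
    rows, kwargs = [], {"ConformancePackName": event["pack_name"]}
    while True:  # follow NextToken until every evaluation result has been collected
        page = config.get_conformance_pack_compliance_details(**kwargs)
        rows += rows_from_details(event["account_id"], event["region"], page)
        if not page.get("NextToken"): break
        kwargs["NextToken"] = page["NextToken"]
    key = f"config-findings/{event['account_id']}/{event['region']}/{datetime.now(timezone.utc):%Y-%m-%d}/{event['pack_name']}.csv"
    boto3.client("s3").put_object(Bucket=event["bucket"], Key=key, Body=to_csv(rows).encode(), ContentType="text/csv")
    return {"rows": len(rows), "key": key}
```

The Lambda's execution role needs sts:AssumeRole on the per-account role and s3:PutObject on the bucket; the per-account role needs config:GetConformancePackComplianceDetails.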