AWS Conformance Packs Findings


Hi AWS, I am working on a requirement set where:

  1. There are X AWS Accounts, with Security Hub deployed in management account Audit Account.
  2. AWS Config has been enabled in us-east-1, us-east-2, us-west-1 and us-west-2 and Conformance Packs CIS AWS Foundations Benchmark and NIST 800-35 in all four regions for all X AWS Accounts.
  3. For each of the X AWS Accounts I want the conformance pack to run with updated findings once a day.
  4. Once Conformance pack findings are running once a day for each of the X AWS Accounts I want to dump findings report into csv file in centralized S3 bucket in Audit Account.

Will writing a centralized Lambda function triggered by a Step Functions state machine once a day using a CW Events rule solve the purpose? Also, do I need to interact with the Security Hub or AWS Config API(s), as I can see those two conformance packs' findings under the Security standards option of Security Hub with the number of passed (✅) and failed (❌) findings?

Please guide.

2 Answers

Hello,

Thank you for your query. Please find the answers/suggestions to your questions:

  1. For each of the X AWS Accounts I want the conformance pack to run with updated findings once a day. - You can change the default recording from the AWS Config Settings page. Change it from "Continuous Recording" to "Daily Recording".

  2. Once Conformance pack findings are running once a day for each of the X AWS Accounts I want to dump findings report into csv file in centralized S3 bucket in Audit Account. - You can use an existing solution from the AWS Samples GitHub repo to export the Security Hub findings to an S3 bucket - https://github.com/aws-samples/aws-security-hub-findings-export

Please note - the Lambda function in this solution uses Python 3.7, and Python 3.7 has been deprecated. If you try to deploy this solution, it will fail. You will have to modify the code to leverage Python 3.12 to deploy this using CloudFormation.

Hope this gives you a direction on how to export these findings to S3 buckets.

Regards,

answered 3 months ago

Hi,

Yes, you can achieve this requirement by using a combination of AWS services: Step Functions, AWS Lambda and the AWS Config API. Here's a high-level approach you can follow:

  1. Set up a Centralised Lambda Function

    • Create a Lambda function in your Audit Account.
    • This Lambda function will interact with the AWS Config API to retrieve the conformance pack evaluation results for each of the X AWS accounts and their respective regions (us-east-1, us-east-2, us-west-1, and us-west-2).
    • The Lambda function should use the describe_conformance_pack_status API (Refer Link) to fetch the evaluation results for the CIS AWS Foundations Benchmark and NIST 800-35 conformance packs.
    • The function should then process the evaluation results and generate a CSV report. [Output can be in JSON, text or table. You can use Python libraries in Lambda to convert them to CSV.]
  2. Set up a Step Functions State Machine

    • Create a Step Functions state machine in your Audit Account.
    • This state machine will orchestrate the execution of the centralised Lambda function for each of the X AWS accounts and their respective regions.
    • The state machine can have parallel branches to invoke the Lambda function concurrently for different accounts and regions.
    • The state machine can include error handling and retry mechanisms for failed invocations.
  3. Schedule the Step Functions State Machine

    • Create a CloudWatch Events rule in your Audit Account to trigger the Step Functions state machine once a day (or at your desired frequency).
    • This CloudWatch Events rule can be a scheduled event (e.g., cron expression) or based on a specific time of day.
  4. Store the CSV Report in S3

    • In your centralised Lambda function, include code to upload the generated CSV report to an S3 bucket in your Audit Account.
    • You can create a dedicated S3 bucket or use an existing one, depending on your requirements.
    • Ensure that the Lambda function has the necessary permissions to write to the S3 bucket.

By following this approach, you don't need to interact with the Security Hub API directly. The conformance pack evaluation results are available through the AWS Config API, and you can leverage that to retrieve the findings and generate the CSV report.

However, if you need to integrate with Security Hub for additional functionality or reporting, you can consider using the Security Hub API in addition to the AWS Config API.

Here are some relevant AWS documentation links for reference:

Hope it’ll help.

Thanks.

AWS
answered 2 months ago
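A worked version of the centralised Lambda sketched in the answer above, added here as an example (not code from either answer or from AWS): it assumes each member account exposes a read-only role the Audit account can assume, pulls per-rule, per-resource results with the Config API's get_conformance_pack_compliance_details (describe_conformance_pack_status only reports a pack's deployment status), flattens them into one CSV and writes it to S3. The role name, bucket name and conformance pack names are placeholders, and the helper functions are kept free of boto3 so they can be unit-tested with constructed API responses.

```python
import csv, io
from datetime import datetime, timezone

MEMBER_ROLE = "ConfigReadOnlyForAudit"          # assumed placeholder: read-only role in every member account
REPORT_BUCKET = "audit-account-config-findings"  # assumed placeholder: report bucket in the Audit account
PACKS = ["CIS-AWS-Foundations-Benchmark", "NIST-800-53"]  # assumed placeholder: names of the deployed packs
REGIONS = ["us-east-1", "us-east-2", "us-west-1", "us-west-2"]
FIELDS = ["account_id", "region", "conformance_pack", "config_rule", "resource_type", "resource_id", "compliance", "recorded_time"]

def fetch_pack_results(config_client, pack_name):
    """Page through get_conformance_pack_compliance_details, following NextToken until exhausted."""
    results, token = [], None
    while True:
        kwargs = {"ConformancePackName": pack_name, "Limit": 100, **({"NextToken": token} if token else {})}
        page = config_client.get_conformance_pack_compliance_details(**kwargs)
        results.extend(page.get("ConformancePackRuleEvaluationResults", []))
        token = page.get("NextToken")
        if not token:
            return results
def flatten(account_id, region, pack_name, results):
    """One flat CSV row per (config rule, resource) evaluation result returned by the API."""
    rows = []
    for r in results:
        q = r["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        rows.append({"account_id": account_id, "region": region, "conformance_pack": pack_name,
                     "config_rule": q.get("ConfigRuleName", ""), "resource_type": q.get("ResourceType", ""),
                     "resource_id": q.get("ResourceId", ""), "compliance": r["ComplianceType"],
                     "recorded_time": r["ResultRecordedTime"].isoformat() if r.get("ResultRecordedTime") else ""})
    return rows
def to_csv(rows):
    """Serialise the flattened rows with a fixed header so daily files have a stable schema."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader(); writer.writerows(rows)
    return buf.getvalue()
def handler(event, context):
    """Lambda entry point; the state machine invokes it daily with {"account_ids": [...]}."""
    import boto3  # imported here so the pure helpers above run offline, without boto3 installed
    sts, rows = boto3.client("sts"), []
    for account_id in event["account_ids"]:
        c = sts.assume_role(RoleArn=f"arn:aws:iam::{account_id}:role/{MEMBER_ROLE}",
                            RoleSessionName="config-findings-export")["Credentials"]
        session = boto3.Session(aws_access_key_id=c["AccessKeyId"], aws_secret_access_key=c["SecretAccessKey"],
                                aws_session_token=c["SessionToken"])
        for region in REGIONS:
            cfg = session.client("config", region_name=region)  # Config is regional: one client per region
            for pack in PACKS:
                rows += flatten(account_id, region, pack, fetch_pack_results(cfg, pack))
    key = f"config-findings/{datetime.now(timezone.utc):%Y-%m-%d}/findings.csv"
    boto3.client("s3").put_object(Bucket=REPORT_BUCKET, Key=key, Body=to_csv(rows).encode("utf-8"))
    return {"rows": len(rows), "s3_key": key}
```

The Lambda's execution role needs sts:AssumeRole on the member-account role and s3:PutObject on the bucket, and the member-account role needs config:GetConformancePackComplianceDetails; if the state machine fans out per account instead, pass a single-element account_ids list per branch and the code is unchanged.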
