Questions tagged with AWS Security Hub

i was using input transformer to have specific key value but I got stuck while fetch one key value i.e Id in resources , if you can refer sample event there on below id key is there and I want to fetch value for that key value, if anyone can help me here please. i tried , "id": ""$.detail.findings[0].Resource.id" but this didn't worked.lg...

Hi, recently start exploring about security hub, but I was just wondering, is it possible to through anyway if we can receive an email for a particular test case if the compliance status for that test case changes to failed? for eg: one test case from foundation best practice, that no EC2 instance should alot with public IP. so I want to get an alert if this test case gets failed, as someone launched an instance with public IP. So if there is any way possible to achieve this, please let me know, any kind of help will be appreciable.lg...

Hi, I am following step by step instructions to build AWS Security Hub analytic pipeline and visualize Security Hub data using the link : https://aws.amazon.com/blogs/security/how-to-build-a-multi-region-aws-security-hub-analytic-pipeline/ The CDK solution provided in the above link is only retrieving Securityhub findings but not the insights. We would like to see the insights as well on the Quicksight dashboard. Could you please advise on how to go about that. Thank youlg...

Security Hub uses v1.2.0 of the CIS AWS Foundations Benchmark. The latest release of this CIS benchmark is v1.5.0. Are there any current plans to update the standard to a newer version? If so, any idea when it might be ready for production?lg...

Hi All, Ive a quick question re: the timings of findings being generated and being accessible in AWS Security Hub via GuardDuty. Without giving away the trade secrets, Im guessing there various step that take place from the point there is suspicious activity to it being available via the SecurityHub API. Im guessing the steps would be: 1. Suspicious activity on the account taking place 2. GuardDuty observes and stores this finding 3. GuardDuty then passes this to Security Hub or does Security Hub have the same access to the GuardDuty repository (therefore does it get I the same time as GuardDuty finds it?) 4. Available to be pulled via the findings API What are the timeframes of these steps? Im trying to understand how quickly I can access the finding from the point the suspious activity happened. Thanks all.lg...

want to know how can we add our custom security checks in security hublg...

https://aws.amazon.com/blogs/security/how-to-set-up-a-recurring-security-hub-summary-email/ I have been following the steps in the link above but its still not working when i check cloud formation I see that it says create failed next to SendSecurityHubSummaryEmailLambda and i get the following error Resource handler returned message: "Error occurred while GetObject. S3 Error Code: NoSuchKey. S3 Error Message: The specified key does not exist. (Service: Lambda, Status Code: 400. Seems like everything else create smoothly but this part. wondering what am I missing. Thank youlg...

I have this recurring Security Hub email setup in all my accounts and they have been working great. I followed the directions from this AWS Security blog post- https://aws.amazon.com/blogs/security/how-to-set-up-a-recurring-security-hub-summary-email/ Just this past weekend I got a notification that AWS is going end of support for Node.js 12 runtime. After some tracking down, I found out that this function which sends the email is using Node.js 12. I am not a developer and cannot recreate this in Node.js 16, as is required by the AWS warning email. Since this is from AWS employees, will someone be updating this so that it doesnt go unsupported (maintenance and patching will end) by the AWS Lambda team?lg...

please has anyone been able to create a dynamic dashboard from securityhub that is executive presentable. i need help with that... what i have is currently not working .lg...

I have SecurityHub setup in a central account but keep getting logs where its getting AccessDenied when trying to preform a config:GetComplianceDetailsByConfigRule on resources that security hub itself has setup. One example of the error is the following: ``` "eventSource": "config.amazonaws.com", "eventName": "GetComplianceDetailsByConfigRule", "awsRegion": "eu-west-2", "sourceIPAddress": "securityhub.amazonaws.com", "userAgent": "securityhub.amazonaws.com", "errorCode": "AccessDenied", "errorMessage": "User: arn:aws:sts::{accountID}:assumed-role/AWSServiceRoleForSecurityHub/securityhub is not authorized to perform: config:GetComplianceDetailsByConfigRule on resource: securityhub-s3-bucket-logging-enabled-1b6b206d because no identity-based policy allows the config:GetComplianceDetailsByConfigRule action", "requestParameters": null, "responseElements": null, ``` Has anyone had this issue before and know of a fix to stop getting UnauthorizedAPICalls alerting?lg...

I see you can enable pre defined security conformance packs like CIS, AwS foundational or PCI via both aws config and security hub is there any difference in enabling them from one or other? can we enable them via security hub only and leave the conformance pack deactivated in config?lg...

trying to understand relationship between security hub and guard duty in aws organisation sub account If GuardDuty is enabled on organisation member account B and security hub is enabled on organisation master/delegated admin account A than will the master account A recieve findings from account B even if we don't enable guard duty in master account?lg...