How to use the ResourceTags filter in SecurityHub?

Question

Hi, the SecurityHub dashboard seems to provide a "resource tags" filter, however after entering any tag name and value which I know that some of the resources affected by existing findings have, no results are returned.

The same goes for the API, I tried running the following:
```
aws securityhub get-findings --filters ResourceTags='[{Key=owner,Value=MY_EMAIL,Comparison=EQUALS}]'
```
and no results were returned.

I don't see anything about this in [MapFilter](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_MapFilter.html) and or [AwsSecurityFindingFilters](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_AwsSecurityFindingFilters.html) docs.

What is the correct way to use this filter?

Accepted Answer

The resource tags filter does not refer to resources contained in the Finding's "Resources" field. As the AWS documentation doesn't really say what it actually refers to, I am not exactly 100% certain, but I believe this refers to tags of the resources that belong to SecurityHub itself.

In the end, I decided to go with a different solution - a Lambda which maps tags from resources contained in the finding to the UserDefinedFields field in the finding. Then, findings can be filtered based on that.

Answer

Sometime since this was first posted it looks like Resource Tags are a thing now.

![Enter image description here](/media/postImages/original/IML9caBEslQcu5TaJa06RZmw)

Answer

I discovered that currently, Security Hub doesn't support the "resource tags" filter.

How to use the ResourceTags filter in SecurityHub?

相关内容