Terraform code that deploys a solution for emailing Security Hub findings to an operations team. It creates the following resources:
- EventBridge Event Rule --> Two Event Rules: one that matches Security Hub findings and one that triggers the daily deletion of resolved findings.
- Step Function --> Serverless workflow that analyzes every finding received from Security Hub.
- Lambda Function --> Four Lambda Functions. Three are steps of the Step Functions workflow; the fourth runs daily.
- DynamoDB Table --> Table that keeps a record of all active findings.
- CloudWatch Log Group --> Log Groups that hold the Lambda execution logs.
- IAM Role --> Six IAM Roles granting the Lambda, DynamoDB and Step Functions permissions.
- SES Identity --> Verified identities for sending and receiving the findings emails.
An Event Rule matches Security Hub finding events, filtered by the service that produced the finding. The solution currently supports findings generated by Security Hub itself (CIS and AWS Foundational Security Best Practices standards), GuardDuty and Inspector.
When the Event Rule matches an event, it starts an execution of the Step Functions state machine.
If the finding is new, or has been active for more than 15 days, the workflow emails Operations. It extracts the most important attributes from the JSON event and formats them as HTML so the email is easier to read.
In addition, a Lambda runs daily and checks, for each item in the DynamoDB table, whether the finding is still active in Security Hub. If it is no longer active, the item is removed from the table.
Security Hub emits an event for every finding from the integrated services, but the same finding can be reported several times before it is resolved. Sending an email for each event would flood the support team with duplicates, so the Step Functions workflow only alerts on findings that are new and still active:
- The first Lambda Function checks whether the finding is in the DynamoDB table. If it is not, the finding is new: the Lambda adds it to the table and passes the event to the next Lambda, which renders it as HTML and sends it to the operations team via SES.
- If the item exists, the finding is a duplicate that is still active in Security Hub, so another Lambda Function checks whether it has been active for more than 15 days. If so, it invokes the HTML-rendering Lambda to notify the support team; otherwise it does nothing.
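The following is an added, offline model of the dedup-and-notify workflow and of the daily cleanup described above; it is not the repository's Lambda code. An in-memory dict stands in for the DynamoDB table (finding Id as key, first-seen time as value), the Security Hub event is constructed, the ProductName values used as the source filter are an assumption about how the rule distinguishes Security Hub, GuardDuty and Inspector findings, and the list of active Ids handed to the cleanup step stands in for a Security Hub GetFindings query.

```python
"""Offline model of the dedup-and-notify workflow described above.

Added example, not the repository's Lambda code. An in-memory dict stands in
for the DynamoDB table (key: finding Id, value: first-seen time), the event
below is constructed, and the ProductName values used as the source filter
are assumptions about how the rule distinguishes Security Hub, GuardDuty and
Inspector findings.
"""
import html
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=15)                          # re-notify threshold from the README
SUPPORTED = {"Security Hub", "GuardDuty", "Inspector"}    # assumed ProductName filter

# Constructed "Security Hub Findings - Imported" event, trimmed to the ASFF
# fields this example reads.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{
        "Id": "arn:aws:securityhub:eu-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/2.9/finding/EXAMPLE-1",
        "ProductName": "Security Hub",
        "Title": "2.9 Ensure VPC flow logging is enabled in all VPCs",
        "Severity": {"Label": "MEDIUM"},
        "Resources": [{"Type": "AwsEc2Vpc", "Id": "arn:aws:ec2:eu-west-1:123456789012:vpc/vpc-0123456789abcdef0"}],
        "RecordState": "ACTIVE",
        "Workflow": {"Status": "NEW"},
    }]},
}


def extract_findings(event):
    """Yield the attributes the email needs, skipping unsupported products."""
    for f in event["detail"]["findings"]:
        if f.get("ProductName") not in SUPPORTED:
            continue
        yield {
            "id": f["Id"],
            "product": f["ProductName"],
            "title": f.get("Title", ""),
            "severity": f.get("Severity", {}).get("Label", "INFORMATIONAL"),
            "resources": [r["Id"] for r in f.get("Resources", [])],
        }


def decide(table, finding, now):
    """Return 'notify_new', 'notify_stale' or 'skip', mirroring the workflow branches.

    First branch: not in the table -> record it and notify. Second branch: in
    the table -> notify only if it has been active longer than STALE_AFTER.
    The README does not say whether the project resets the timer after a
    stale notification, so this model keeps the original first-seen time.
    """
    first_seen = table.get(finding["id"])
    if first_seen is None:
        table[finding["id"]] = now
        return "notify_new"
    if now - first_seen > STALE_AFTER:
        return "notify_stale"
    return "skip"


def render_html(finding):
    """Build the email body. Titles and resource Ids can be attacker-influenced
    (resource names, tags), so every value is escaped before it lands in HTML."""
    rows = "".join(
        f"<tr><th>{html.escape(k)}</th><td>{html.escape(str(v))}</td></tr>"
        for k, v in finding.items()
    )
    return f"<html><body><table>{rows}</table></body></html>"


def prune_resolved(table, active_ids):
    """Daily job: drop table items that are no longer ACTIVE in Security Hub.

    active_ids stands in for the Ids returned by a GetFindings call filtered
    on RecordState=ACTIVE; here it is supplied by the caller.
    """
    removed = [fid for fid in table if fid not in active_ids]
    for fid in removed:
        del table[fid]
    return removed


def run_demo():
    """Replay one finding arriving three times, then a cleanup run."""
    table = {}
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    finding = next(extract_findings(SAMPLE_EVENT))
    outcomes = [
        decide(table, finding, t0),                       # new -> notify_new
        decide(table, finding, t0 + timedelta(days=3)),   # duplicate, 3 days -> skip
        decide(table, finding, t0 + timedelta(days=16)),  # still active after 15 days -> notify_stale
    ]
    removed = prune_resolved(table, active_ids=set())     # resolved in Security Hub -> dropped
    return outcomes, removed, len(table)


if __name__ == "__main__":
    print(run_demo())
    print(render_html(next(extract_findings(SAMPLE_EVENT))))
```

Two points worth carrying into the real Lambdas: the table key should be the full ASFF `Id` (it is unique per finding and stable across re-imports, which is what makes the duplicate check work), and finding text must be HTML-escaped before it is placed in the email body, since titles, resource names and tags are partly controlled by whoever created the resource.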
Clone the repository
$ git clone https://github.com/lorenzocampo/alerting-securityhub-findings.git
Initialize a working directory containing Terraform configuration files:
$ terraform init
Create an execution plan, which lets you preview the changes that Terraform plans to make to your infrastructure
$ terraform plan
Execute the actions proposed in the Terraform plan
$ terraform apply