
Improve AWS Security Hub Documentation #7588

Closed
ncvicchi opened this issue Jul 29, 2024 · 2 comments · Fixed by #7649
Labels
Documentation improvements Documentation improvements level/task Task issue type/enhancement Enhancement issue

Comments

@ncvicchi
Contributor

Description

While working on Release 4.9.0 - Alpha 3 - E2E UX tests - Amazon Security Hub #24869, the documentation provided for 4.9.0-alpha3 on configuring and setting up AWS Security Hub presented a great deal of trouble, preventing me from successfully implementing the configuration and thus from passing the test.

The document seems to be focused on experienced AWS users: many concepts are assumed to be known and many links to AWS documentation are provided, which demands a lot of effort to accomplish a simple task that would be easier to configure if examples were provided.

It would be a lot easier for any user if the documentation provided examples and optionally referenced other documentation to learn more on the subject, but not to implement the feature itself.

The discard regex option could not even be tested, since no event generation procedure was available (this might be a documentation or E2E design issue).

More details are provided in the Feedback section of the E2E issue, as well as in the comments.

@ncvicchi ncvicchi added Documentation improvements Documentation improvements type/enhancement Enhancement issue level/task Task issue labels Jul 29, 2024
@wazuhci wazuhci moved this to Triage in Release 4.9.0 Jul 29, 2024
@wazuhci wazuhci moved this from Triage to Backlog in Release 4.9.0 Jul 31, 2024
@nico-stefani nico-stefani self-assigned this Aug 7, 2024
@wazuhci wazuhci moved this from Backlog to In progress in Release 4.9.0 Aug 7, 2024
@nico-stefani
Member

Update

I've been reviewing the documentation section and I noted some items that we could improve.

These are the suggestions:

  • Add a diagram showing the AWS architecture for this use case and how it interacts with Wazuh
  • Highlight the prerequisites section
    AWS Security Hub uses service-linked AWS Config rules to perform security checks for most controls. We advise `configuring AWS Config <https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-setup-prereqs.html#securityhub-prereq-config>`_ as a prerequisite.
  • Include the IAM policies as a code block
    - `AWSSecurityHubFullAccess <https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubfullaccess>`__ to access the Security Hub console and API operations.
    - `AWSSecurityHubOrganizationsAccess <https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhuborganizationsaccess>`__ to enable and manage the Security Hub through the Organizations integration.
  • Give more relevance to the EventBridge configuration section
    To integrate Security Hub with EventBridge, you need to create the following:
    - A Firehose stream in Amazon Data Firehose
    - An event rule in EventBridge
    EventBridge needs a target such as the Firehose stream. It triggers the target when it receives an event matching an event pattern. The event pattern is defined in the rule.
    The AWS documentation provides steps on how to configure the rule.
    - `Creating an event rule for automatically sent findings <https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cwe-all-findings.html#securityhub-cwe-all-findings-predefined-pattern>`__
    - `Defining a rule for using custom actions to send findings and insight results <https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cwe-custom-actions.html#securityhub-cwe-define-rule>`__
  • Include the configuration examples directly instead of pointing to WAF
    Check the :doc:`Amazon WAF integration <waf>` for a configuration example.
  • Include a link to the SQS creation page and maybe add some images of the procedure
    Amazon Simple Queue Service
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^
    #. Set up a *Standard* type SQS Queue with the default configurations. You can apply an Access Policy similar to the following example, where ``<region>``, ``<account-id>``, and ``<s3-bucket>`` are the region, account ID, and the name you are going to provide to the S3 bucket.
    .. code-block:: json

        {
            "Version": "2012-10-17",
            "Id": "example-ID",
            "Statement": [
                {
                    "Sid": "example-access-policy",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "s3.amazonaws.com"
                    },
                    "Action": "SQS:SendMessage",
                    "Resource": "arn:aws:sqs:<region>:<account-id>:<s3-bucket>",
                    "Condition": {
                        "StringEquals": {
                            "aws:SourceAccount": "<account-id>"
                        },
                        "ArnLike": {
                            "aws:SourceArn": "arn:aws:s3:*:*:<s3-bucket>"
                        }
                    }
                }
            ]
        }

    You can make your access policy to accept S3 notifications from different account IDs and to apply different conditions. More information in `Managing access in Amazon SQS <https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-overview-of-managing-access.html>`_.
  • Include images for the S3 and Event Notifications section
    Amazon S3 and Event Notifications
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    To configure an S3 bucket that reports creation events, do the following.
    #. Configure an S3 bucket as defined in the :doc:`Configuring an S3 Bucket <../prerequisites/S3-bucket>` section. Provide the name you decided in the previous section.
    #. Once created, go to **Event notifications** inside the **Properties** tab. Select **Create event notification**.
    #. In **Event Types**, select **All object create events**. This generates notifications for any type of event that results in the creation of an object in the bucket.
    #. In the **Destination** section, select **SQS queue**.
    #. Select **Choose from your SQS queues**. Then, choose the queue you created previously.

Before implementing these items I'll share them with the documentation team to get feedback from them.
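The SQS access policy quoted in the comment above grants the S3 service principal ``SQS:SendMessage`` but pins the sender to one bucket in one account through ``aws:SourceArn`` and ``aws:SourceAccount``. Without those two condition keys, any S3 bucket in any AWS account could deliver notifications into the queue. The following Python is an added example, not code from the Wazuh documentation or from the issue: it builds the same policy from constructed placeholder values (the region, account ID and bucket name are made up), produces the matching S3 notification configuration for the "All object create events" step, simulates whether a notification from a given bucket would be accepted, and flags statements that lack the two conditions. The ``arn_like`` and condition evaluation here are a deliberately minimal model of the IAM semantics, not the full IAM engine.

```python
"""Model the S3 -> SQS access policy and check that it pins the sender to one bucket."""
import fnmatch
import json

# Constructed placeholder values; substitute your own region, account and bucket.
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
BUCKET = "wazuh-security-hub-example"   # the docs reuse the bucket name as the queue name


def queue_arn(region, account_id, queue_name):
    return f"arn:aws:sqs:{region}:{account_id}:{queue_name}"


def bucket_arn(bucket):
    # S3 bucket ARNs carry no region or account component.
    return f"arn:aws:s3:::{bucket}"


def build_queue_policy(region, account_id, bucket, queue_name=None):
    """Queue access policy letting the S3 service principal send notifications,
    restricted by aws:SourceArn and aws:SourceAccount to a single bucket."""
    queue_name = queue_name or bucket
    return {
        "Version": "2012-10-17",
        "Id": "example-ID",
        "Statement": [{
            "Sid": "example-access-policy",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "SQS:SendMessage",
            "Resource": queue_arn(region, account_id, queue_name),
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn": f"arn:aws:s3:*:*:{bucket}"},
            },
        }],
    }


def build_bucket_notification(queue_arn_value):
    """S3 notification configuration equivalent to choosing 'All object create
    events' with an 'SQS queue' destination in the console."""
    return {"QueueConfigurations": [
        {"QueueArn": queue_arn_value, "Events": ["s3:ObjectCreated:*"]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def arn_like(pattern, arn):
    """ArnLike: '*' and '?' wildcards match within each colon-separated ARN field."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    return len(p_parts) == len(a_parts) == 6 and all(
        fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


def _grants_s3_send(stmt):
    """True if the statement allows s3.amazonaws.com (or everyone) to SendMessage."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal", {})
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    if principal != "*" and "s3.amazonaws.com" not in services:
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    return bool(actions & {"sqs:sendmessage", "sqs:*", "*"})


def allows_notification(policy, source_bucket_arn, source_account):
    """Simulate whether a notification from the given bucket/account is accepted.
    Only the two condition keys used by the policy are modelled; anything else fails closed."""
    for stmt in policy.get("Statement", []):
        if not _grants_s3_send(stmt):
            continue
        ok = True
        for operator, block in stmt.get("Condition", {}).items():
            for key, expected in block.items():
                if operator == "StringEquals" and key == "aws:SourceAccount":
                    ok = ok and source_account in _as_list(expected)
                elif operator == "ArnLike" and key == "aws:SourceArn":
                    ok = ok and any(arn_like(p, source_bucket_arn) for p in _as_list(expected))
                else:
                    ok = False
        if ok:
            return True
    return False


def unconditional_s3_grants(policy):
    """Sids of statements letting S3 SendMessage without both aws:SourceArn and
    aws:SourceAccount: any bucket in any account could then push into the queue."""
    bad = []
    for stmt in policy.get("Statement", []):
        if not _grants_s3_send(stmt):
            continue
        keys = {k for block in stmt.get("Condition", {}).values() for k in block}
        if not {"aws:SourceArn", "aws:SourceAccount"} <= keys:
            bad.append(stmt.get("Sid", "<no Sid>"))
    return bad


# Constructed weak variant: the same grant with the Condition block omitted.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "open-to-any-bucket", "Effect": "Allow",
    "Principal": {"Service": "s3.amazonaws.com"},
    "Action": "SQS:SendMessage",
    "Resource": queue_arn(REGION, ACCOUNT_ID, BUCKET)}]}

if __name__ == "__main__":
    policy = build_queue_policy(REGION, ACCOUNT_ID, BUCKET)
    print(json.dumps(policy, indent=2))   # paste into the SQS queue's access policy editor
    print("weak statements:", unconditional_s3_grants(WEAK_POLICY))
```

Run ``unconditional_s3_grants`` against the policy actually attached to the queue (``aws sqs get-queue-attributes --attribute-names Policy``) before wiring the S3 notification; a policy that passes ``allows_notification`` for the intended bucket but fails it for an arbitrary bucket in another account is the shape the documentation intends.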
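The EventBridge item above says the rule's event pattern decides which Security Hub events reach the Firehose target. As an added example (not code from the Wazuh documentation or the issue), the Python below applies a simplified version of EventBridge pattern matching to two constructed events: AWS's predefined pattern for all imported findings, and a narrower custom pattern that only passes HIGH and CRITICAL findings. The finding payloads are invented and trimmed; only exact-value matching is modelled (no prefix, numeric or anything-but operators).

```python
"""Simplified EventBridge pattern matching applied to Security Hub finding events."""

# AWS's predefined pattern for forwarding every finding Security Hub imports.
ALL_FINDINGS_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
}

# Narrower custom pattern: same event type, but only HIGH/CRITICAL findings.
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"Severity": {"Label": ["HIGH", "CRITICAL"]}}},
}


def matches(pattern, event):
    """Every pattern key must match (AND). A leaf list matches when the event
    value, or any element of an event array, equals one of the listed values (OR).
    Nested dicts recurse, descending into arrays of objects as EventBridge does."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        candidates = event[key] if isinstance(event[key], list) else [event[key]]
        if isinstance(expected, dict):
            if not any(isinstance(c, dict) and matches(expected, c) for c in candidates):
                return False
        elif not any(c in expected for c in candidates):
            return False
    return True


def _finding_event(finding_id, severity_label):
    """Constructed, trimmed Security Hub event; not a real finding."""
    return {
        "version": "0",
        "id": "constructed-event-id",
        "source": "aws.securityhub",
        "account": "123456789012",
        "region": "us-east-1",
        "detail-type": "Security Hub Findings - Imported",
        "detail": {"findings": [{
            "SchemaVersion": "2018-10-08",
            "Id": finding_id,
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
            "Severity": {"Label": severity_label},
            "Compliance": {"Status": "FAILED"},
        }]},
    }


HIGH_EVENT = _finding_event("constructed-finding-high", "HIGH")
LOW_EVENT = _finding_event("constructed-finding-low", "LOW")
OTHER_SERVICE_EVENT = {          # constructed non-Security Hub event
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {"severity": 8},
}


def select_finding_ids(pattern, events):
    """IDs of the findings in events that the rule pattern would forward."""
    return [
        finding["Id"]
        for event in events if matches(pattern, event)
        for finding in event.get("detail", {}).get("findings", [])
    ]


if __name__ == "__main__":
    events = [HIGH_EVENT, LOW_EVENT, OTHER_SERVICE_EVENT]
    print("all findings:", select_finding_ids(ALL_FINDINGS_PATTERN, events))
    print("high/critical:", select_finding_ids(HIGH_SEVERITY_PATTERN, events))
```

Use ``aws events test-event-pattern --event-pattern file://pattern.json --event file://event.json`` against a real exported event to confirm a custom pattern before attaching it to the rule; the simplified matcher here is for reasoning about which fields the rule keys on.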

@nico-stefani
Member

nico-stefani commented Aug 7, 2024

Update

After discussing the proposed items we decided to continue with:

  • Include the IAM policies as a code block
  • Move the EventBridge explanation to the introduction section
  • Explain what to find in the WAF link
  • Add screenshots for the SQS procedure
  • Add screenshots for the S3 procedure

@nico-stefani nico-stefani linked a pull request Aug 8, 2024 that will close this issue
@wazuhci wazuhci moved this from In progress to Pending review in Release 4.9.0 Aug 8, 2024
@wazuhci wazuhci moved this from Pending review to On hold in Release 4.9.0 Aug 8, 2024
@wazuhci wazuhci moved this from On hold to In progress in Release 4.9.0 Aug 8, 2024
@wazuhci wazuhci moved this from In progress to Pending final review in Release 4.9.0 Aug 8, 2024
@wazuhci wazuhci moved this from Pending final review to Done in Release 4.9.0 Aug 8, 2024