Terraform Module - Security Hub Summarizer


This module can be found on GitHub and the Terraform Registry.

Background

AWS Security Hub is a pretty useful tool for discovering potential vulnerabilities in your infrastructure.
Recently I was deploying a landing zone through Terraform that included Security Hub and came across an issue with how Security Hub notifies you of a newly discovered vulnerability.
The current practice is to have an EventBridge rule that matches Security Hub finding events and publishes them to an SNS topic.
Here is the event pattern:

{
  "source" : [
    "aws.securityhub"
  ],
  "detail-type" : [
    "Security Hub Findings - Imported"
  ]
}

This has a critical flaw, however.
Security Hub reruns its checks whenever a relevant resource changes, and in any case every 12 hours.
An event is created for every single check of every resource, regardless of whether the check passes or fails.
With a Security Hub delegated administrator and 5 member accounts, my inbox was flooded with these event emails.
Totally unacceptable.

A small way to mitigate this is to match the event only when the check fails.
This can be done by using this event pattern instead:

{
  "source": ["aws.securityhub"],
  "detail-type": ["Security Hub Findings - Imported"],
  "detail": {
    "findings": {
      "Compliance": {
        "Status": ["FAILED"]
      }
    }
  }
}

This is not a perfect solution though.
The email just contains a large, hard-to-read JSON document, and it is still sent every time the check runs, not just when a new failed check is found.

While the pattern filter supports many other conditions (specific resources, workflow status such as NEW, severity, and so on), there is a better way.
AWS seems to have noticed that this is a problem and has developed a solution.
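For anyone who still wants per-finding alerts rather than the weekly summary, the pattern above can be tightened with the workflow-status and severity conditions just mentioned, and an input transformer turns the raw finding JSON into a readable one-line message. This is an added Terraform example, not code from the module or from AWS; `aws_kms_key.sns` is an assumed, pre-existing customer-managed key whose key policy allows `events.amazonaws.com` to use it.

```hcl
# Added example, not the module's code; aws_kms_key.sns is an assumed customer-managed key.
resource "aws_sns_topic" "securityhub_failed" {
  name              = "securityhub-failed-findings"
  kms_master_key_id = aws_kms_key.sns.arn # the AWS-managed alias/aws/sns key cannot grant events.amazonaws.com
}

# SNS topics do not accept EventBridge publishes by default; grant it explicitly.
resource "aws_sns_topic_policy" "allow_events" {
  arn = aws_sns_topic.securityhub_failed.arn
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "events.amazonaws.com" }
      Action    = "sns:Publish"
      Resource  = aws_sns_topic.securityhub_failed.arn
    }]
  })
}

# Match only findings that are NEW, FAILED and HIGH or CRITICAL.
resource "aws_cloudwatch_event_rule" "securityhub_failed" {
  name = "securityhub-failed-findings"
  event_pattern = jsonencode({
    source        = ["aws.securityhub"]
    "detail-type" = ["Security Hub Findings - Imported"]
    detail = {
      findings = {
        Compliance = { Status = ["FAILED"] }
        Workflow   = { Status = ["NEW"] }
        Severity   = { Label = ["HIGH", "CRITICAL"] }
      }
    }
  })
}

# Turn the raw finding JSON into a one-line message before it reaches SNS.
resource "aws_cloudwatch_event_target" "sns" {
  rule = aws_cloudwatch_event_rule.securityhub_failed.name
  arn  = aws_sns_topic.securityhub_failed.arn
  input_transformer {
    input_paths = {
      account  = "$.detail.findings[0].AwsAccountId"
      severity = "$.detail.findings[0].Severity.Label"
      title    = "$.detail.findings[0].Title"
      resource = "$.detail.findings[0].Resources[0].Id"
    }
    input_template = "\"[<severity>] <title> | account <account> | <resource>\""
  }
}
```

The email subscription to the topic is left out; the template only reads the first finding in the event, so it suits the per-finding events this rule matches.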

Initial Solution

AWS’ solution is designed to send a weekly email to the security / operations team with a summary of the findings in AWS Security Hub.
It does this by creating a Lambda function, an SNS topic, and a set of Security Hub Insights.
The Insights categorise the findings; the Lambda function, triggered weekly, collects the results of every Insight, formats an email, and publishes it to SNS.
They even provide it as a CloudFormation template, check it out here.

AWS’ solution was not a silver bullet for me though: recall that I was deploying with Terraform, so I wanted this as a Terraform module.
Also, the summary email covered the AWS Foundational Security Best Practices checks but not CIS, which I was also using (and which is enabled by default, by the way).

TF Module

Looking around and checking the Terraform Registry I was not able to find exactly what I wanted, so I took some time to develop it myself.

My implementation adds several improvements:

  • A header for the email.
  • A parameter to customise which insights / summaries are included and in which order they appear in the email.
  • Insights for the CIS Benchmark findings and a number of other integrations.
  • The ability to encrypt the SNS topic with a KMS key.

The summary currently includes sections for:

  • AWS Foundational Security Best Practices findings by status
  • AWS Foundational Security Best Practices findings by severity
  • CIS Benchmark findings by compliance status
  • Failed CIS Benchmark findings by severity
  • Health findings by severity
  • Amazon GuardDuty findings by severity
  • Macie findings by severity
  • AWS IAM Access Analyzer findings by severity
  • Trusted Advisor findings by severity
  • Inspector findings by severity
  • Systems Manager Patch Manager findings by severity
  • Systems Manager OpsCenter and Explorer findings by severity
  • Firewall Manager findings by severity
  • Audit Manager findings by severity
  • Detective findings by severity
  • Chatbot findings by severity
  • Unresolved findings by severity
  • New findings in the last 7 days by security product
  • Top 10 resource types with the most findings

Using this module:

module "securityhub-email" {
  source  = "app.terraform.io/aesop/security-hub-summary-email/aws"
  version = "x.x.x"

  name                         = "securityhub-summariser"
  additional_email_footer_text = ""
  email                        = "[email protected]"
  schedule                     = "cron(0 8 ? * 2 *)"
  tags = {
    Environment = "Production"
  }
}

Lastly, AWS’ version is licensed under MIT-0; mine is MIT.
This means you can do basically whatever you want with it: modify it, copy it, sell it, create a closed-source version, etc.
The only condition is that the same licence must be attached to your code, which gives attribution to me.

Written by Kieran Goldsworthy, Cloud Engineer and Architect