
How exactly to create auto-suppression rules within AWS Security Hub

AWS Security Hub gives you a comprehensive view of your security alerts and security posture across your AWS accounts. With Security Hub, you have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services. Security Hub lets you assign workflow statuses to these findings, which are NEW, NOTIFIED, SUPPRESSED, or RESOLVED. These statuses let you categorize which findings are open and need your attention.

In this blog post, we show how you can create automated suppression rules for specific types of findings in AWS Security Hub, such as ones that are an accepted risk by design, or that have a compensating control. By automatically suppressing findings that don't require follow-up action from your security team, you can focus on investigating and remediating the findings that aren't yet resolved.


As an example of a finding that you might want to suppress, suppose that your development environment doesn't need to have Amazon Virtual Private Cloud (VPC) Flow Logs enabled because it doesn't contain any sensitive data (that is, it's an accepted risk). However, your production environment must have VPC Flow Logs enabled. You can use this solution to automatically suppress the development environment findings about VPC Flow Logs not being enabled. Then, you can focus on responding to and remediating the findings about production environment VPCs whose Flow Logs aren't enabled.

This solution uses an Amazon EventBridge (https://aws.amazon.com/eventbridge/) rule to evaluate Security Hub findings against predefined filters. An AWS Lambda function is the target of the rule, and is triggered to perform the suppression. The Lambda function calls the Security Hub BatchUpdateFindings API action to set the finding of interest to the SUPPRESSED status.

Prerequisites

This solution assumes that you have Security Hub and AWS Config (https://aws.amazon.com/config/) enabled in your administrator and member AWS accounts. AWS Config is required to execute the rules that generate the findings. You also need to enable the AWS Foundational Security Best Practices standard (https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp.html), because the examples in this post rely on those findings. You should make sure that you have configured your administrator account to aggregate your Security Hub findings from across your AWS accounts.

Solution overview

In Security Hub, the status of the investigation of a finding is tracked using the workflow status attribute. The workflow status for new findings is initially set to NEW. You can change the workflow status of a finding either by selecting it in the AWS Security Hub console, or by automating the change of workflow status by using the AWS CLI or the Security Hub API. After the owner of the finding's resource has been notified to take action, you can set the workflow status to NOTIFIED. After a finding is remediated, you can set the workflow status to RESOLVED. If the finding isn't a concern for the given environment and doesn't require any action, you can set the workflow status to SUPPRESSED.

In this solution, we demonstrate how to automatically set the workflow status to SUPPRESSED for expected findings, by using EventBridge event patterns that trigger on Security Hub findings that match your defined criteria. The event pattern can match on fields of the findings such as account number, AWS Region, and Amazon Resource Names (ARNs). The Lambda function triggers on findings that match all defined criteria, and then sets the workflow status to SUPPRESSED for all matched findings by using the BatchUpdateFindings Security Hub API action.

Solution architecture

Figure 1: Solution architecture overview

Figure 1 shows the administrator account aggregating the Security Hub findings from the member accounts.

  1. Security Hub generates findings in the member accounts, then forwards the findings to the administrator account to be evaluated.
  2. In the administrator account, Security Hub evaluates every finding (whether generated locally or forwarded) against the EventBridge rules.
  3. If a finding satisfies the defined EventBridge rule conditions, EventBridge triggers a Lambda function in the same Region. The EventBridge event bus delivers the finding to the Lambda function.
  4. The Lambda function in the administrator account performs the finding suppression evaluation, and sets the Security Hub workflow status of the finding to SUPPRESSED.

This architecture uses one Lambda function per Region. You can group multiple suppression rules together into the same EventBridge pattern if they apply to the same set of AWS accounts. You can also configure multiple separate EventBridge event patterns when a suppression rule shouldn't apply to a particular account.

Implementation

First, we show how to write the EventBridge event pattern. You use the AWS CDK to define the event pattern and the rule. The following example code suppresses Security Hub findings that originate in the development accounts for VPCs whose flow logs aren't enabled. The solution filters on new findings only.

In the following example, replace the two placeholder account IDs with the account numbers of your development accounts.

from aws_cdk import aws_events as events

# Event pattern: only Security Hub findings for control EC2.6 (VPC flow logging),
# originating in the listed development accounts, whose workflow status is still NEW.
event_pattern_obj = events.EventPattern(
    source=["aws.securityhub"],
    detail_type=["Security Hub Findings - Imported"],
    detail={
        "findings": {
            "GeneratorId": [
                "aws-foundational-security-best-practices/v/1.0.0/EC2.6"
            ],
            "AwsAccountId": [
                "<DEVELOPMENT_ACCOUNT_ID_1>",
                "<DEVELOPMENT_ACCOUNT_ID_2>"
            ],
            "Workflow": {
                "Status": [
                    "NEW"
                ]
            }
        }
    }
)

Second, you define the EventBridge rule that matches on the defined pattern.

# The rule lives in the CDK stack (self); it only matches findings that satisfy
# every field of event_pattern_obj above.
vpc_flow_log_dev_account_event_rule = events.Rule(
    self,
    'vpc-flow-logs-development-account-eventbridge-rule',
    description='VPC flow logs in development account finding suppression',
    rule_name='vpc-flow-logs-development-account-sechub-rule',
    event_pattern=event_pattern_obj
)


Finally, the EventBridge rule triggers the suppression Lambda function.

from aws_cdk import aws_events_targets as lambda_targets

# security_hub_suppression_lambda is the Lambda function construct defined elsewhere in the stack.
vpc_flow_log_dev_account_event_rule.add_target(lambda_targets.LambdaFunction(security_hub_suppression_lambda))

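The post describes the Lambda function only in prose: it receives the matched findings from EventBridge and calls BatchUpdateFindings to set them to SUPPRESSED. The handler below is an added example written for this post, not the sample code from the GitHub repository. It assumes boto3 is available in the Lambda runtime and that the execution role is allowed to call securityhub:BatchUpdateFindings in the administrator account. The sample event, the FakeSecurityHub client, the SUPPRESSION_NOTE environment variable, and the account ID are constructed for the example. Two details worth noting that the architecture text does not spell out: BatchUpdateFindings accepts at most 100 finding identifiers per call, so the handler batches, and it re-checks that each finding is still NEW so an analyst's NOTIFIED or RESOLVED status is never overwritten if the rule's Workflow filter is later loosened.

```python
import json
import os

# BatchUpdateFindings accepts at most 100 finding identifiers per call.
BATCH_LIMIT = 100


def extract_identifiers(event, require_new=True):
    """Return {"Id", "ProductArn"} pairs for the findings carried in an EventBridge event.

    With require_new, findings an analyst already moved past NEW are left untouched,
    even if the EventBridge rule stops filtering on Workflow.Status.
    """
    identifiers = []
    for finding in event.get("detail", {}).get("findings", []):
        if require_new and finding.get("Workflow", {}).get("Status") != "NEW":
            continue
        identifiers.append({"Id": finding["Id"], "ProductArn": finding["ProductArn"]})
    return identifiers


def chunk(items, size):
    for i in range(0, len(items), size):
        yield items[i:i + size]


def suppress_findings(identifiers, client, note_text):
    """Set Workflow.Status = SUPPRESSED in batches of BATCH_LIMIT.

    Returns (processed_count, unprocessed_list) so the caller can log failures.
    """
    processed, unprocessed = 0, []
    for batch in chunk(identifiers, BATCH_LIMIT):
        resp = client.batch_update_findings(
            FindingIdentifiers=batch,
            Workflow={"Status": "SUPPRESSED"},
            # Note records why the status changed; both Text and UpdatedBy are required.
            Note={"Text": note_text, "UpdatedBy": "securityhub-auto-suppression"},
        )
        processed += len(resp.get("ProcessedFindings", []))
        unprocessed.extend(resp.get("UnprocessedFindings", []))
    return processed, unprocessed


def lambda_handler(event, context=None, client=None):
    if client is None:
        import boto3  # imported lazily so the module also loads where boto3 is absent
        client = boto3.client("securityhub")
    # SUPPRESSION_NOTE is an assumed environment variable for this example.
    note = os.environ.get("SUPPRESSION_NOTE", "Auto-suppressed: accepted risk for this account")
    ids = extract_identifiers(event)
    if not ids:
        return {"processed": 0, "unprocessed": 0}
    processed, unprocessed = suppress_findings(ids, client, note)
    for failure in unprocessed:
        print(json.dumps({"unprocessed": failure}))  # surfaces in CloudWatch Logs
    return {"processed": processed, "unprocessed": len(unprocessed)}


# Constructed sample event in the shape EventBridge delivers for a Security Hub import.
# Only the fields the handler reads are populated; 111111111111 is a placeholder account.
_ID_PREFIX = ("arn:aws:securityhub:us-east-1:111111111111:subscription/"
              "aws-foundational-security-best-practices/v/1.0.0/EC2.6/finding/")
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Id": _ID_PREFIX + "EXAMPLE-1",
         "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
         "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/EC2.6",
         "AwsAccountId": "111111111111", "Workflow": {"Status": "NEW"}},
        {"Id": _ID_PREFIX + "EXAMPLE-2",
         "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
         "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/EC2.6",
         "AwsAccountId": "111111111111", "Workflow": {"Status": "RESOLVED"}},
    ]},
}


class FakeSecurityHub:
    """Stand-in for the boto3 Security Hub client so the handler can run offline."""

    def __init__(self):
        self.calls = []

    def batch_update_findings(self, **kwargs):
        self.calls.append(kwargs)
        return {"ProcessedFindings": kwargs["FindingIdentifiers"], "UnprocessedFindings": []}


if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, client=FakeSecurityHub()))
```

Running the module locally exercises the handler against the constructed event: only the finding that is still NEW is suppressed, and the RESOLVED one is skipped.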

Solution deployment

You can deploy the solution through either the AWS Management Console or the AWS Cloud Development Kit (AWS CDK).

To deploy the solution using the AWS Management Console

In your security account, launch the template by choosing the Launch Stack button.

To deploy the solution using the AWS CDK

You'll find the latest code on GitHub, where you can also contribute to the sample code. The following commands show how to deploy the solution using the AWS CDK. First, the CDK bootstraps your environment and uploads the Lambda assets to Amazon Simple Storage Service (Amazon S3). Then, you deploy the solution itself. For the AccountNumbers parameter, specify the account number, or a comma-separated list of account numbers, that you want the suppression rule to apply to.

cdk bootstrap

cdk deploy sechub-finding-suppression --parameters GeneratorIds=<GENERATOR_IDS> --parameters AccountNumbers=<ACCOUNT_NUMBERS>


To test the solution

  1. Create a VPC that doesn't have flow logs enabled. We've included a test VPC that you can deploy with the following command:
         cdk deploy vpc-test-suppression

  2. Verify that the Security Hub finding EC2.6 has been suppressed in the administrator account and in the target account. You might need to wait a few minutes for the AWS Config recorder to detect the newly created resource, and to manually trigger the following AWS Config rule:
         securityhub-vpc-flow-logs-enabled-*

  3. After verifying the suppression, delete the test VPC that you created to test the suppression rule:
         cdk destroy vpc-test-suppression


Next steps

You can configure EventBridge patterns and rules to suppress all of your findings that are an accepted risk, by design, or that have a compensating control. For example, if you're performing IAM authentication by using Amazon RDS Proxy, you can consider suppressing the control [RDS.10] IAM authentication should be configured for RDS instances. You can also consider creating event patterns that filter based on resource tags, such as filtering VPCs based on tags instead of account numbers for [EC2.6] VPC flow logging should be enabled in all VPCs.
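The tag-based variant suggested above is easy to get subtly wrong, because a Security Hub finding carries its resources (and their tags) inside arrays, and EventBridge matches each pattern field against the values found anywhere in those arrays. The following added example, written for this post rather than taken from it or from the sample repository, shows the rendered JSON of such a pattern next to a small local matcher that implements the exact-value subset of EventBridge matching (no prefix, anything-but or numeric filters). It lets you check a pattern against constructed sample findings before deploying a rule. The tag key Environment, its values, the sample account ID and the VPC ID are assumptions; the authoritative check remains EventBridge itself.

```python
# Rendered EventBridge pattern for the tag-based EC2.6 suppression rule.
# "Environment" and its accepted values are assumed tag conventions for this example.
TAG_BASED_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
        "findings": {
            "GeneratorId": ["aws-foundational-security-best-practices/v/1.0.0/EC2.6"],
            "Resources": {"Tags": {"Environment": ["development", "sandbox"]}},
            "Workflow": {"Status": ["NEW"]},
        }
    },
}


def _leaf_paths(node, prefix=()):
    """Flatten nested dicts/lists into (path, value) pairs.

    List indices are dropped, so every element of an array contributes values at the
    same path; this mirrors how EventBridge treats arrays in the event and in the pattern.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _leaf_paths(value, prefix + (key,))
    elif isinstance(node, list):
        for item in node:
            yield from _leaf_paths(item, prefix)
    else:
        yield prefix, node


def _values_by_path(doc):
    out = {}
    for path, value in _leaf_paths(doc):
        out.setdefault(path, set()).add(value)
    return out


def matches(pattern, event):
    """Exact-value subset of EventBridge semantics (assumed simplification): every
    pattern leaf path must share at least one value with the event at that path.
    Content filters such as prefix, anything-but and numeric are not modelled."""
    event_values = _values_by_path(event)
    return all(path in event_values and event_values[path] & allowed
               for path, allowed in _values_by_path(pattern).items())


def sample_finding(account, env_tag, status="NEW"):
    """Constructed ASFF-shaped finding, trimmed to the fields the pattern looks at.
    env_tag=None produces a VPC with no Environment tag at all."""
    resource = {"Type": "AwsEc2Vpc",
                "Id": "arn:aws:ec2:us-east-1:%s:vpc/vpc-EXAMPLE" % account}
    if env_tag is not None:
        resource["Tags"] = {"Environment": env_tag}
    return {
        "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Imported",
        "detail": {"findings": [{
            "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/EC2.6",
            "AwsAccountId": account,
            "Resources": [resource],
            "Workflow": {"Status": status},
        }]},
    }


if __name__ == "__main__":
    for env, status in [("development", "NEW"), ("production", "NEW"),
                        ("development", "RESOLVED"), (None, "NEW")]:
        print(env, status, matches(TAG_BASED_PATTERN, sample_finding("111111111111", env, status)))
```

Only the development-tagged VPC whose finding is still NEW matches; a production VPC, an already resolved finding, and an untagged VPC are all rejected. Note the last case: a resource that simply lacks the tag never matches a tag-based pattern, so a tagging gap fails safe (the finding stays visible) rather than being suppressed.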

Summary

In this blog post, we showed how you can automatically suppress specific findings by using the Security Hub BatchUpdateFindings API action. We showed you how to configure EventBridge patterns and rules to trigger a Lambda function that calls this API action to suppress your expected findings. After you follow the steps in this blog post for automatic Security Hub suppression, your console view in Security Hub will only show findings that aren't suppressed.
