Overview

A configuration package that enables AWS Security Hub in an AWS account, including its service prerequisites and findings notification. Enabling Security Hub turns on the CIS AWS Foundations Benchmark compliance standard by default. In addition to enabling AWS Security Hub, this package covers:

  • A prerequisite: to enable compliance standards in Security Hub (e.g. CIS AWS Foundations), AWS Config must already be recording in the account. The package does not enable AWS Config itself.
  • Findings notifications: a CloudWatch Event Rule matches every finding Security Hub imports (new findings and updates to existing ones, at any severity, since the rule has no detail filter) and forwards it to an SNS topic with an email subscription. Make sure to update the email address from email@example.com before deploying; the subscription must be confirmed from that mailbox before anything is delivered.

Configure & Deploy

Configuration Presets

  • Presumes that AWS Config is already enabled in the AWS account
  • Creates an SNS topic as the destination for Security Hub notifications, with an email subscription. The default email address is email@example.com and must be changed
  • Creates a CloudWatch Event Rule which forwards all imported Security Hub findings to the SNS topic, plus a topic policy that lets CloudWatch Events (events.amazonaws.com) publish to it

Configuration Template

Items: 4, Size: 1.9 KB
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  # Enables Security Hub in this account and region; the default standards
  # (CIS AWS Foundations Benchmark) are turned on with it.
  SecurityHub:
    Type: 'AWS::SecurityHub::Hub'
    Properties: {}
  # Notification destination. Replace email@example.com before deploying;
  # the email subscription stays pending until it is confirmed from that mailbox.
  SnsTopic1:
    Type: 'AWS::SNS::Topic'
    Properties:
      Subscription:
        - Endpoint: email@example.com
          Protocol: email
      TopicName: sns-topic
  # Forwards every finding Security Hub imports (new findings and updates to
  # existing ones, at any severity) to the topic. There is no detail filter,
  # so expect a high volume of email.
  CwEvent1:
    Type: 'AWS::Events::Rule'
    Properties:
      Name: detect-securityhub-finding
      Description: >-
        A CloudWatch Event Rule that triggers on AWS Security Hub findings. The
        Event Rule can be used to trigger notifications or remediation actions
        using AWS Lambda.
      State: ENABLED
      Targets:
        - Arn:
            Ref: SnsTopic1
          Id: target-id1
      EventPattern:
        detail-type:
          - Security Hub Findings - Imported
        source:
          - aws.securityhub
  SnsTopicPolicy:
    Type: 'AWS::SNS::TopicPolicy'
    Properties:
      PolicyDocument:
        Statement:
          # Default SNS topic policy: the '*' principal is scoped by the
          # AWS:SourceOwner condition to principals in this account only.
          - Sid: __default_statement_ID
            Effect: Allow
            Principal:
              AWS: '*'
            Action:
              - 'SNS:GetTopicAttributes'
              - 'SNS:SetTopicAttributes'
              - 'SNS:AddPermission'
              - 'SNS:RemovePermission'
              - 'SNS:DeleteTopic'
              - 'SNS:Subscribe'
              - 'SNS:ListSubscriptionsByTopic'
              - 'SNS:Publish'
              - 'SNS:Receive'
            Resource:
              Ref: SnsTopic1
            Condition:
              StringEquals:
                'AWS:SourceOwner':
                  Ref: 'AWS::AccountId'
          # Lets CloudWatch Events (events.amazonaws.com) publish the
          # matched findings to the topic.
          - Sid: TrustCWEToPublishEventsToMyTopic
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: 'sns:Publish'
            Resource:
              Ref: SnsTopic1
      Topics:
        - Ref: SnsTopic1
Parameters: {}
Metadata: {}
Conditions: {}
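The rule above forwards every imported finding, which in practice floods the mailbox with informational findings and re-notifications of findings that are already being worked. The template below is an added example, not part of the package above, showing a quieter and hardened notification path: the event pattern only matches findings that are ACTIVE, in workflow status NEW and rated HIGH or CRITICAL (EventBridge matches the pattern if any element of the event's findings array matches); an input transformer turns the raw event into a one-line message instead of mailing the full JSON payload; the topic is encrypted with a customer managed KMS key whose policy grants events.amazonaws.com the Decrypt and GenerateDataKey permissions it needs (the AWS managed key alias/aws/sns cannot be used for this, because EventBridge is not allowed to use it); and the topic policy contains only the service principal, without the default '*' statement. The resource names, the key, the parameter and the email address are assumptions; the ASFF fields read by the transformer (Severity.Label, Workflow.Status, RecordState, Title, AwsAccountId, Resources[].Id) are standard Security Hub finding fields.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not part of the original package): filtered, encrypted
  Security Hub findings notification.
Parameters:
  NotificationEmail:
    Type: String
    Default: email@example.com   # assumption: replace before deploying
Resources:
  # Customer managed key for the topic. The AWS managed key (alias/aws/sns)
  # cannot be used here: its policy does not let EventBridge use it, so
  # EventBridge's deliveries to the encrypted topic would fail.
  TopicKey:
    Type: 'AWS::KMS::Key'
    Properties:
      Description: Encrypts the Security Hub findings topic
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowAccountAdministration
            Effect: Allow
            Principal:
              AWS:
                'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'
          - Sid: AllowEventBridgeToUseKey
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action:
              - 'kms:Decrypt'
              - 'kms:GenerateDataKey*'
            Resource: '*'
  FindingsTopic:
    Type: 'AWS::SNS::Topic'
    Properties:
      TopicName: securityhub-findings   # assumption
      KmsMasterKeyId:
        Ref: TopicKey
      Subscription:
        - Endpoint:
            Ref: NotificationEmail
          Protocol: email
  # Only the CloudWatch Events service principal may publish; no '*' principal.
  FindingsTopicPolicy:
    Type: 'AWS::SNS::TopicPolicy'
    Properties:
      Topics:
        - Ref: FindingsTopic
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowEventsToPublish
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: 'sns:Publish'
            Resource:
              Ref: FindingsTopic
  # Matches only findings that are active, not yet triaged (workflow NEW)
  # and rated HIGH or CRITICAL. Updates to already-triaged findings and
  # LOW/MEDIUM/INFORMATIONAL findings never reach the mailbox.
  HighSeverityFindingsRule:
    Type: 'AWS::Events::Rule'
    Properties:
      Name: detect-securityhub-high-severity-finding
      State: ENABLED
      EventPattern:
        source:
          - aws.securityhub
        detail-type:
          - Security Hub Findings - Imported
        detail:
          findings:
            Severity:
              Label:
                - HIGH
                - CRITICAL
            Workflow:
              Status:
                - NEW
            RecordState:
              - ACTIVE
      Targets:
        - Id: findings-topic
          Arn:
            Ref: FindingsTopic
          # Turn the raw event into a one-line message instead of mailing the
          # whole JSON payload. Only the first finding in the event is read.
          InputTransformer:
            InputPathsMap:
              severity: '$.detail.findings[0].Severity.Label'
              title: '$.detail.findings[0].Title'
              account: '$.detail.findings[0].AwsAccountId'
              region: '$.region'
              resource: '$.detail.findings[0].Resources[0].Id'
            InputTemplate: '"[<severity>] <title> (account <account>, region <region>, resource <resource>)"'
```

Two caveats worth knowing before relying on this: a finding that stays in workflow status NEW is re-sent every time Security Hub updates it, so set Workflow.Status to NOTIFIED or SUPPRESSED when a finding is picked up to stop the repeats; and the findings array in a single event can carry more than one finding, while the transformer reads only the first, so a consumer that must see every finding should receive the raw event (for example in Lambda) rather than the transformed string.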