aws-samples / aws-secure-environment-accelerator

The AWS Secure Environment Accelerator is a tool designed to help deploy and operate secure multi-account, multi-region AWS environments on an ongoing basis. The power of the solution is the configuration file which enables the completely automated deployment of customizable architectures within AWS without changing a single line of code.
Apache License 2.0

[BUG][Functional] Security Hub notification emails being sent for notified, resolved and suppressed findings #1184

Closed evollebekk closed 10 months ago

evollebekk commented 1 year ago

Bug reports which fail to provide the required information will be closed without action.

Required Basic Info

Describe the bug

Email notification messages based on Security Hub findings are being sent out based on findings which have a workflow status of "Notified", "Suppressed" and "Resolved".

Failure Info

Steps To Reproduce

  1. Mark a security hub finding as "Notified", "Suppressed" or "Resolved"
  2. Wait 24 hours, then check the email inbox configured to receive Security Hub notification messages and confirm that an email has been received regarding the finding that was updated.

Expected behavior

Email notifications should only be sent for Security Hub findings marked with a workflow status of "NEW", or the ASEA config should provide the ability to filter on the desired workflow status.

Additional context

Security Hub findings are sent out through the use of AWS EventBridge rules (e.g. SecurityHubFindingsImportHigh_rule). The event pattern currently used is:

    {
      "source": ["aws.securityhub"],
      "detail-type": ["Security Hub Findings - Imported"],
      "detail": {
        "findings": {
          "Severity": { "Label": ["HIGH", "CRITICAL"] }
        }
      }
    }

The desired event pattern would include the workflow status:

    {
      "source": ["aws.securityhub"],
      "detail-type": ["Security Hub Findings - Imported"],
      "detail": {
        "findings": {
          "Severity": { "Label": ["HIGH", "CRITICAL"] },
          "Workflow": { "Status": ["NEW"] }
        }
      }
    }
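To see why the current rule fires for resolved findings and the proposed one does not, the following added example (not code from the ASEA project) evaluates both patterns with a small exact-match EventBridge-style matcher against constructed "Security Hub Findings - Imported" events; the `finding_event` helper and its trimmed event shape are assumptions for illustration.

```python
"""EventBridge-style exact-match pattern evaluation for Security Hub finding events.
Added example (not ASEA project code); the events below are constructed samples."""

# Pattern the accelerator currently deploys: filters on severity only.
PATTERN_SEVERITY_ONLY = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"Severity": {"Label": ["HIGH", "CRITICAL"]}}},
}

# Pattern proposed in the issue: additionally require Workflow.Status == NEW.
PATTERN_WITH_WORKFLOW = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"Severity": {"Label": ["HIGH", "CRITICAL"]},
                            "Workflow": {"Status": ["NEW"]}}},
}

def _pattern_paths(pattern, prefix=()):
    """Yield (path, allowed_values) for every leaf of an exact-match pattern."""
    for key, sub in pattern.items():
        if isinstance(sub, dict):
            yield from _pattern_paths(sub, prefix + (key,))
        else:
            yield prefix + (key,), sub

def _event_values(node, path):
    """Yield every value found at `path`, descending into arrays like EventBridge does."""
    if isinstance(node, list):
        for item in node:
            yield from _event_values(item, path)
    elif not path:
        yield node
    elif isinstance(node, dict) and path[0] in node:
        yield from _event_values(node[path[0]], path[1:])

def matches(pattern, event):
    """True when every pattern field has at least one allowed value in the event.
    Fields are checked independently: if an event carried several findings, the
    severity and the workflow status could come from different findings."""
    return all(any(v in allowed for v in _event_values(event, path))
               for path, allowed in _pattern_paths(pattern))

def finding_event(*findings):
    """Constructed 'Security Hub Findings - Imported' event, trimmed to the matched fields."""
    return {"source": "aws.securityhub",
            "detail-type": "Security Hub Findings - Imported",
            "detail": {"findings": [{"Severity": {"Label": lab}, "Workflow": {"Status": st}}
                                    for lab, st in findings]}}
```

Running `matches(PATTERN_SEVERITY_ONLY, finding_event(("HIGH", "RESOLVED")))` returns True while the same event fails `PATTERN_WITH_WORKFLOW`, which is the filtering the issue asks for.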

archikierstead commented 10 months ago

Addressed in PR 1191