Open FritjofH opened 3 months ago
Thank you for opening an issue on this. Were you able to make that change after you downloaded the template, and did the deployment then succeed? Security Hub now has native CloudFormation support for custom insights, so my current plan is to refactor this design so that it no longer uses a CloudFormation custom resource (Lambda) to create the insights.
Yes, got things working after some tweaking. Had some issues with SDK version 2 not being found in the Lambda runtime, which was solved by upgrading to v3 and by this issue. The Lambda I deployed looks like this:
var response = require('cfn-response');
const { SecurityHubClient, CreateInsightCommand } = require('@aws-sdk/client-securityhub');
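// Reusable filter fragments shared by several insight definitions below.
const NOT_SUPPRESSED = [{ Value: 'SUPPRESSED', Comparison: 'NOT_EQUALS' }];
const RECORD_ACTIVE = [{ Value: 'ACTIVE', Comparison: 'EQUALS' }];
const FSBP_TYPE = [{ Value: 'Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices', Comparison: 'EQUALS' }];

/**
 * CreateInsight request bodies, indexed by the `insightID` resource property.
 * The index is looked up with plain property access, so both the number 3
 * and the string '3' select the fourth entry; anything else yields undefined.
 */
const INSIGHT_PARAMS = Object.freeze([
  {
    Name: 'Summary Email - 01 - AWS Foundational Security Best practices findings by compliance status',
    GroupByAttribute: 'ComplianceStatus',
    Filters: {
      Type: FSBP_TYPE,
      WorkflowStatus: NOT_SUPPRESSED,
      RecordState: RECORD_ACTIVE,
    },
  },
  {
    Name: 'Summary Email - 02 - Failed AWS Foundational Security Best practices findings by severity',
    GroupByAttribute: 'SeverityLabel',
    Filters: {
      Type: FSBP_TYPE,
      WorkflowStatus: NOT_SUPPRESSED,
      ComplianceStatus: [{ Value: 'FAILED', Comparison: 'EQUALS' }],
      RecordState: RECORD_ACTIVE,
    },
  },
  {
    Name: 'Summary Email - 03 - Count of Amazon GuardDuty findings by severity',
    GroupByAttribute: 'SeverityLabel',
    Filters: {
      ProductName: [{ Value: 'GuardDuty', Comparison: 'EQUALS' }],
      WorkflowStatus: NOT_SUPPRESSED,
      RecordState: RECORD_ACTIVE,
    },
  },
  {
    Name: 'Summary Email - 04 - Count of IAM Access Analyzer findings by severity',
    GroupByAttribute: 'SeverityLabel',
    Filters: {
      ProductName: [{ Value: 'IAM Access Analyzer', Comparison: 'EQUALS' }],
      WorkflowStatus: NOT_SUPPRESSED,
      RecordState: RECORD_ACTIVE,
    },
  },
  {
    Name: 'Summary Email - 05 - Count of all unresolved findings by severity',
    GroupByAttribute: 'SeverityLabel',
    Filters: {
      WorkflowStatus: [{ Value: 'RESOLVED', Comparison: 'NOT_EQUALS' }, { Value: 'SUPPRESSED', Comparison: 'NOT_EQUALS' }],
      RecordState: RECORD_ACTIVE,
    },
  },
  {
    Name: 'Summary Email - 06 - new findings in the last 7 days',
    GroupByAttribute: 'ProductName',
    Filters: {
      WorkflowStatus: [{ Value: 'RESOLVED', Comparison: 'NOT_EQUALS' }, { Value: 'SUPPRESSED', Comparison: 'NOT_EQUALS' }],
      CreatedAt: [{ DateRange: { Value: 7, Unit: 'DAYS' } }],
      RecordState: RECORD_ACTIVE,
    },
  },
  {
    Name: 'Summary Email - 07 - Top Resource Types with findings by count',
    GroupByAttribute: 'ResourceType',
    Filters: { WorkflowStatus: NOT_SUPPRESSED, RecordState: RECORD_ACTIVE },
  },
]);

/**
 * CloudFormation custom-resource handler that creates one Security Hub
 * custom insight and reports its ARN back to CloudFormation.
 *
 * @param {object} event - CloudFormation custom-resource event. Reads
 *   `event.RequestType` and `event.ResourceProperties.insightID` (index
 *   into INSIGHT_PARAMS).
 * @param {object} context - Lambda context, passed through to cfn-response.
 * @returns {undefined} Results are delivered via `response.send`; on success
 *   the response `Data` carries `ARN`, on failure it carries `Error`.
 *
 * NOTE(review): Create and Update both create a new insight; nothing is
 * removed on Update, and Delete only acknowledges the request. Confirm that
 * the orphaned insights are acceptable.
 */
exports.handler = function (event, context) {
  if (event.RequestType === 'Delete') {
    response.send(event, context, response.SUCCESS);
    return;
  }

  const responseData = {};
  const index = event.ResourceProperties.insightID;
  const insight = INSIGHT_PARAMS[index];

  // Fail fast with a readable message instead of sending `undefined` to the
  // SDK: an out-of-range insightID (e.g. '7' against a 7-entry table) would
  // otherwise surface only as an opaque SDK error.
  if (insight === undefined) {
    responseData.Error = `CreateInsight call failed: unknown insightID ${String(index)}`;
    console.error(responseData.Error);
    response.send(event, context, response.FAILED, responseData);
    return;
  }

  const securityhub = new SecurityHubClient();

  // A try/catch around `.then()` cannot observe the rejection of the
  // asynchronous send; without `.catch()` CloudFormation would never receive
  // a FAILED signal and would wait for the custom resource to time out.
  securityhub
    .send(new CreateInsightCommand(insight))
    .then((result) => {
      responseData.ARN = result.InsightArn;
      response.send(event, context, response.SUCCESS, responseData);
    })
    .catch((err) => {
      responseData.Error = 'CreateInsight call failed';
      console.error(responseData.Error, err);
      response.send(event, context, response.FAILED, responseData);
    });
};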
Should be changed from `'7'` to `7`, I guess: https://github.com/aws-samples/aws-security-hub-summary-email/blob/3522d09249d01885b98fb96223dfed24902b3b33/security-hub-email-summary-cf-template.json#L211