Automated Security Response on AWS is an add-on solution that works with AWS Security Hub to provide a ready-to-deploy architecture and a library of automated playbooks. The solution makes it easier for AWS Security Hub customers to resolve common security findings and to improve their security posture in AWS.
The Amazon EventBridge rules for the CIS 1.4.0 framework that are enabled to start the Automated Response, and that are triggered after matching the AWS Security Hub event, have a key "GeneratorId" that, according to the event pattern, expects an ARN value, but the actual value is not an ARN. This means the event pattern rule does not match; subsequently the event is not triggered and the remediation does not occur.
For example, the CIS 1.4.0 framework rule ID 2.1.2 event has an actual GeneratorId of cis-aws-foundations-benchmark/v/1.4.0/2.1.2, whereas the Amazon EventBridge rule is expecting arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.4.0/rule/2.1.2.
To Reproduce
Enable the automated remediation for CIS 1.4.0 findings; the remediations will not occur, as the event rule patterns do not match the actual events.
Please complete the following information about the solution:
[ ] Version: v2.0.1 release
To get the version of the solution, you can look at the description of the created CloudFormation stack. For example, "(SO0111) AWS Security Hub Automated Response & Remediation Administrator Stack, v1.4.0". You can also find the version from the releases page.
[ ] Region: eu-west-1
[ ] Was the solution modified from the version published on this repository? No
[ ] If the answer to the previous question was yes, are the changes available on GitHub? (not applicable)
[ ] Have you checked your service quotas for the services this solution uses? Yes - not relevant
[ ] Were there any errors in the CloudWatch Logs? (See Troubleshooting.) No errors
Screenshots
This is what the current non-matching Amazon EventBridge rule looks like:
Additional context
I have only tested this with the CIS 1.4.0 security framework, which is where I found the issue.
Expected behavior
The Amazon EventBridge rule matches the Security Hub finding pattern and triggers the remediation.
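The following is an added example, not code from the original issue or from the Automated Security Response on AWS project. It is a small, offline matcher for the subset of the Amazon EventBridge event-pattern language needed here (nested objects, OR-lists of literal values, and the {"prefix": ...} matcher), used to show the failure mode the report describes: a rule whose pattern pins GeneratorId to the ARN form never matches a finding carrying the short form, so the remediation silently never starts, while a pattern listing both identifier forms matches either. The sample finding event is constructed, and the envelope fields (source, detail-type) and the Compliance/Workflow conditions are assumptions about the rule's shape, not copied from the solution's template.

```python
"""
Added example (not from the original issue or the SHARR project): a minimal,
offline matcher for Amazon EventBridge event patterns that reproduces the
reported mismatch. A rule whose pattern pins GeneratorId to the ARN form
never matches a finding whose GeneratorId is the short form, so the
remediation never runs. Only the subset of the pattern language needed here
is implemented (nested objects, OR-lists of literal values, {"prefix": ...}).
The sample event is constructed; envelope fields (source, detail-type) and the
Compliance/Workflow conditions are assumed, not copied from the solution.
"""
from typing import Any

SHORT_ID = "cis-aws-foundations-benchmark/v/1.4.0/2.1.2"
ARN_ID = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.4.0/rule/2.1.2"


def _value_matches(rule_values: list, actual: Any) -> bool:
    """A list in a pattern is an OR over literal values and matcher objects."""
    for rv in rule_values:
        if isinstance(rv, dict):
            prefix = rv.get("prefix")
            if prefix is not None and isinstance(actual, str) and actual.startswith(prefix):
                return True
        elif rv == actual:
            return True
    return False


def pattern_matches(pattern: dict, event: Any) -> bool:
    """Return True when every field in `pattern` is satisfied by `event`.

    Mirrors EventBridge semantics for the cases used here: a nested pattern
    object applied to an event array (e.g. detail.findings) matches if any
    element matches, and an event field that is itself an array matches if
    any of its values is in the rule's value list.
    """
    if isinstance(event, list):
        return any(pattern_matches(pattern, e) for e in event)
    if not isinstance(event, dict):
        return False
    for key, rule in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(rule, dict):
            if not pattern_matches(rule, actual):
                return False
        elif isinstance(rule, list):
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(_value_matches(rule, c) for c in candidates):
                return False
        else:
            raise ValueError(f"unsupported pattern node for {key!r}: {rule!r}")
    return True


def finding_event(generator_id: str) -> dict:
    """Constructed Security Hub finding event (ASFF fields abbreviated)."""
    return {
        "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Imported",
        "detail": {
            "findings": [
                {
                    "GeneratorId": generator_id,
                    "Compliance": {"Status": "FAILED"},
                    "Workflow": {"Status": "NEW"},
                }
            ]
        },
    }


def remediation_rule(generator_ids: list) -> dict:
    """Assumed rule shape: GeneratorId values in the list are OR'd by EventBridge."""
    return {
        "source": ["aws.securityhub"],
        "detail": {
            "findings": {
                "GeneratorId": list(generator_ids),
                "Compliance": {"Status": ["FAILED"]},
                "Workflow": {"Status": ["NEW"]},
            }
        },
    }


# Pattern keyed only on the ARN form (the behaviour the issue reports) ...
ARN_ONLY_RULE = remediation_rule([ARN_ID])
# ... and a candidate fix that accepts both identifier forms.
BOTH_FORMS_RULE = remediation_rule([ARN_ID, SHORT_ID])


def rule_fires(rule: dict, generator_id: str) -> bool:
    """Would a finding carrying this GeneratorId start the remediation?"""
    return pattern_matches(rule, finding_event(generator_id))


if __name__ == "__main__":
    for name, rule in (("ARN-only rule", ARN_ONLY_RULE), ("both-forms rule", BOTH_FORMS_RULE)):
        print(f"{name}: short-form finding fires={rule_fires(rule, SHORT_ID)}, "
              f"ARN-form finding fires={rule_fires(rule, ARN_ID)}")
```

The offline matcher is only there to make the mismatch visible without an AWS account; the authoritative check against a deployed rule is `aws events test-event-pattern --event-pattern file://rule.json --event file://finding.json`, which evaluates the real pattern engine. Because a silently non-matching rule produces no error in CloudWatch Logs (consistent with the "No errors" answer above), a matching test like this, or a CloudWatch metric alarm on the rule's TriggeredRules count, is the practical way to notice that remediations are not running.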