cds-snc / url-shortener

An API written in Python that shortens URLs
MIT License

SecurityHub: onboard to Automation closed beta #115

Closed patheard closed 1 year ago

patheard commented 1 year ago

Description

There's a closed beta available that will allow us to test out SecurityHub automation rules that are scheduled for April 2023.

We will onboard our Security Hub administrator account and URLShortener-Staging accounts to test the feature, especially around auto-suppression of rules.

patheard commented 1 year ago

Onboarding email has been sent to Security Hub PM to get the process started.

patheard commented 1 year ago

Our accounts have been allowlisted and we can start the integration work when we're ready.

patheard commented 1 year ago

Accounts have had the SecurityHub automation model applied.

aws configure add-model \
--service-model file:///absolute/path/to/securityhub-2018-10-26.normal.json \
--service-name securityhub

patheard commented 1 year ago

Added an automation rule to suppress all EBS not encrypted findings with:

# With Log Archive credentials in the terminal
aws securityhub create-automation-rule \
--rule-name "EBS encryption supress" \
--rule-status "ENABLED" \
--rule-order 1 \
--description "EBS encryption is not required by default" \
--criteria '{
"GeneratorId": [{
"Value": "aws-foundational-security-best-practices/v/1.0.0/EC2.7",
"Comparison": "EQUALS"
}],
"ComplianceStatus": [{
"Value": "FAILED",
"Comparison": "EQUALS"
}]
}' \
--actions '[{
"Type": "FINDING_FIELDS_UPDATE",
"FindingFieldsUpdate": {
"Workflow": {
"Status": "SUPPRESSED"
},
"Note": {
"Text": "Known issue that is a risk. Updated by automation rules",
"UpdatedBy": "sechub-automation"
}
}
}]' \
--region ca-central-1

# Rule is shown as active
aws securityhub list-automation-rules
{
    "AutomationRulesMetadata": [
        {
            "RuleArn": "arn:aws:securityhub:ca-central-1:274536870005:automation-rule/37063e7d-b47d-4ede-8d4a-71acb27fd0b8",
            "RuleStatus": "ENABLED",
            "RuleOrder": 1,
            "RuleName": "EBS encryption supress",
            "Description": "EBS encryption is not required by default",
            "CreatedAt": "2023-02-22T20:11:10.686000+00:00",
            "UpdatedAt": "2023-02-22T20:11:10.686000+00:00",
            "CreatedBy": "arn:aws:sts::274536870005:assumed-role/AWSReservedSSO_AWSAdministratorAccess_47d101c58010d0c1/patrick.heard@cds-snc.ca"
        }
    ]
}

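The comment above creates the rule and confirms it is listed, but does not show which findings it will and will not touch. The following is an added example, not code from cds-snc/url-shortener or from the issue author: a local dry-run that applies the same criteria and FINDING_FIELDS_UPDATE action to constructed ASFF findings. It assumes a simplified model of how Security Hub evaluates rules (criteria fields are ANDed; within a field, EQUALS/PREFIX filters match if any one hits and NOT_EQUALS filters must all hold; enabled rules apply in RuleOrder until one marked IsTerminal applies; findings are matched as received). The sample findings, account id and the EC2.3 contrast case are constructed for illustration.

```python
"""Dry-run of a Security Hub automation rule against sample ASFF findings.

Added example; not code from cds-snc/url-shortener or from the issue author.
The evaluation model below is a simplified assumption about the service:
criteria fields are ANDed, EQUALS/PREFIX filters are ORed within a field,
NOT_EQUALS filters must all hold, and enabled rules apply in RuleOrder
until one with IsTerminal applies. Findings are constructed, not real.
"""
from copy import deepcopy

EC2_7 = "aws-foundational-security-best-practices/v/1.0.0/EC2.7"
EC2_3 = "aws-foundational-security-best-practices/v/1.0.0/EC2.3"  # contrast case

# The rule from the thread, as create-automation-rule expressed it.
EBS_SUPPRESSION_RULE = {
    "RuleName": "EBS encryption supress", "RuleStatus": "ENABLED",
    "RuleOrder": 1, "IsTerminal": False,
    "Criteria": {
        "GeneratorId": [{"Value": EC2_7, "Comparison": "EQUALS"}],
        "ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}],
    },
    "Actions": [{"Type": "FINDING_FIELDS_UPDATE", "FindingFieldsUpdate": {
        "Workflow": {"Status": "SUPPRESSED"},
        "Note": {"Text": "Known issue that is a risk. Updated by automation rules",
                 "UpdatedBy": "sechub-automation"},
    }}],
}

# Where each supported criteria field lives in an ASFF finding (subset).
FIELD_PATHS = {
    "GeneratorId": ("GeneratorId",), "AwsAccountId": ("AwsAccountId",),
    "ComplianceStatus": ("Compliance", "Status"),
    "WorkflowStatus": ("Workflow", "Status"), "SeverityLabel": ("Severity", "Label"),
}

def _lookup(finding, path):
    node = finding
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def _hit(value, f):
    if f["Comparison"] in ("EQUALS", "NOT_EQUALS"):
        return value == f["Value"]
    if f["Comparison"] in ("PREFIX", "PREFIX_NOT_EQUALS"):
        return value.startswith(f["Value"])
    raise ValueError(f"unsupported comparison: {f['Comparison']}")

def _string_filter_matches(value, filters):
    if value is None:
        return False
    positive = [f for f in filters if not f["Comparison"].endswith("NOT_EQUALS")]
    negative = [f for f in filters if f["Comparison"].endswith("NOT_EQUALS")]
    if positive and not any(_hit(value, f) for f in positive):
        return False
    return not any(_hit(value, f) for f in negative)

def criteria_match(criteria, finding):
    """True when every criteria field matches the finding (fields are ANDed)."""
    for field, filters in criteria.items():
        if field not in FIELD_PATHS:
            raise ValueError(f"unsupported criteria field: {field}")
        if not _string_filter_matches(_lookup(finding, FIELD_PATHS[field]), filters):
            return False
    return True

def _merge(target, update):
    for key, val in update.items():
        if isinstance(val, dict) and isinstance(target.get(key), dict):
            _merge(target[key], val)
        else:
            target[key] = deepcopy(val)

def apply_rules(rules, findings):
    """Return updated copies of findings; inputs are not mutated."""
    ordered = sorted((r for r in rules if r["RuleStatus"] == "ENABLED"),
                     key=lambda r: r["RuleOrder"])
    results = []
    for finding in findings:
        updated = deepcopy(finding)
        for rule in ordered:
            if not criteria_match(rule["Criteria"], finding):
                continue
            for action in rule["Actions"]:
                if action["Type"] == "FINDING_FIELDS_UPDATE":
                    _merge(updated, action["FindingFieldsUpdate"])
            if rule.get("IsTerminal"):
                break
        results.append(updated)
    return results

def _finding(generator_id, status):
    return {"GeneratorId": generator_id, "AwsAccountId": "111111111111",
            "Compliance": {"Status": status}, "Workflow": {"Status": "NEW"},
            "Severity": {"Label": "MEDIUM"}}

# Constructed findings: only the first is suppressed. EC2.3 (attached volume
# not encrypted) is a different control and still surfaces under this rule.
SAMPLE_FINDINGS = [_finding(EC2_7, "FAILED"), _finding(EC2_7, "PASSED"),
                   _finding(EC2_3, "FAILED")]

if __name__ == "__main__":
    for f in apply_rules([EBS_SUPPRESSION_RULE], SAMPLE_FINDINGS):
        print(f["GeneratorId"].rsplit("/", 1)[1], f["Compliance"]["Status"],
              "->", f["Workflow"]["Status"])
```

The EC2.3 case is the caveat worth checking before relying on a suppression: EC2.7 only covers the account-level EBS default-encryption setting, so a rule keyed on that GeneratorId leaves findings for unencrypted attached volumes active. Running a dry-run like this against a `get-findings` export from the staging account shows exactly which findings a proposed rule would quiet before it is created with `create-automation-rule`.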
patheard commented 1 year ago

Suppression rule is working as expected: [screenshot]