AWS Security Hub

New in version 4.9.0.

AWS Security Hub is a cloud security posture management (CSPM) service that automates security best practice checks, aggregates security alerts into a unified format, and helps the user understand the overall security posture across all of the AWS accounts.

Security Hub helps users assess their compliance against security best practices as follows:

  • Runs checks against security controls.

  • Generates control findings.

  • Groups related findings into collections called insights.

Wazuh integrates with Amazon SQS and EventBridge to centralize Security Hub findings and insights in a single place.

EventBridge allows storing Security Hub findings and insights in S3 buckets.

There are three types of events available, and each type uses a specific EventBridge event format. The Wazuh integration takes every relevant detail and detail-type value from them.

  • Security Hub Findings - Imported: Security Hub automatically sends events of this type to EventBridge. It includes all new findings as well as updates to existing findings. Each event contains a single finding.

  • Security Hub Findings - Custom Action: Security Hub sends events of this type to EventBridge when custom actions are triggered. The events are associated with the findings of the custom actions.

  • Security Hub Insight Results: This type of event is used to process the Security Hub Insights. You can use custom actions to send sets of insight results to EventBridge. Insight results are the resources that match an insight.

Find more information about each type of event in Types of Security Hub integration with EventBridge.

Amazon Simple Queue Service is a fully managed message queuing service that makes it easy to decouple and scale microservices, distributed systems, and serverless applications.

In this case, it is used to notify the Wazuh integration of new events to pull from the S3 bucket.

To set up the integration, you need to:

  1. Configure AWS. This involves the following.

    1. Enabling Amazon Security Hub.

    2. Integrating Security Hub with EventBridge.

    3. Enabling an Amazon SQS queue.

    4. Enabling an Amazon S3 bucket including Event notifications. The bucket sends notifications to the queue for every Security Hub object creation event.

  2. Set up the Wazuh integration for Amazon Security Hub.

AWS configuration

Enabling Security Hub

AWS Security Hub uses service-linked AWS Config rules to perform security checks for most controls. We advise configuring AWS Config as a prerequisite.

Enable AWS Security Hub

You have two alternative ways to enable AWS Security Hub:

  • AWS Organizations integration: Recommended for multi-account and multi-region environments.

  • Manual: Recommended for standalone accounts and when the integration with AWS Organizations is unnecessary.

If you choose the Organizations integration, you must attach the following AWS managed policies to the IAM identity.

  • AWSSecurityHubFullAccess to access the Security Hub console and API operations.

    {
       "Version": "2012-10-17",
       "Statement": [
          {
             "Sid": "SecurityHubAllowAll",
             "Effect": "Allow",
             "Action": "securityhub:*",
             "Resource": "*"
          },
          {
             "Sid": "SecurityHubServiceLinkedRole",
             "Effect": "Allow",
             "Action": "iam:CreateServiceLinkedRole",
             "Resource": "*",
             "Condition": {
                "StringLike": {
                   "iam:AWSServiceName": "securityhub.amazonaws.com"
                }
             }
          },
          {
             "Sid": "OtherServicePermission",
             "Effect": "Allow",
             "Action": [
                "guardduty:GetDetector",
                "guardduty:ListDetectors",
                "inspector2:BatchGetAccountStatus",
                "pricing:GetProducts"
             ],
             "Resource": "*"
          }
       ]
    }
    
  • AWSSecurityHubOrganizationsAccess to enable and manage the Security Hub through the Organizations integration.

    {
       "Version": "2012-10-17",
       "Statement": [
          {
             "Sid": "OrganizationPermissions",
             "Effect": "Allow",
             "Action": [
                "organizations:ListAccounts",
                "organizations:DescribeOrganization",
                "organizations:ListRoots",
                "organizations:ListDelegatedAdministrators",
                "organizations:ListAWSServiceAccessForOrganization",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListAccountsForParent",
                "organizations:DescribeAccount",
                "organizations:DescribeOrganizationalUnit"
             ],
             "Resource": "*"
          },
          {
             "Sid": "OrganizationPermissionsEnable",
             "Effect": "Allow",
             "Action": "organizations:EnableAWSServiceAccess",
             "Resource": "*",
             "Condition": {
                "StringEquals": {
                   "organizations:ServicePrincipal": "securityhub.amazonaws.com"
                }
             }
          },
          {
             "Sid": "OrganizationPermissionsDelegatedAdmin",
             "Effect": "Allow",
             "Action": [
                "organizations:RegisterDelegatedAdministrator",
                "organizations:DeregisterDelegatedAdministrator"
             ],
             "Resource": "arn:aws:organizations::*:account/o-*/*",
             "Condition": {
                "StringEquals": {
                   "organizations:ServicePrincipal": "securityhub.amazonaws.com"
                }
             }
          }
       ]
    }
    

We recommend using central configuration to set up and manage Security Hub for the organization. Central configuration lets the administrator customize security coverage for the organization.

Integrating Security Hub with EventBridge

To integrate Security Hub with EventBridge, you need to create the following resources:

  • A Firehose stream in Amazon Data Firehose

  • An event rule in EventBridge

To send Security Hub Findings - Custom Action and Security Hub Insight Results events to EventBridge, create a custom action in Security Hub.

EventBridge needs a target such as the Firehose stream. It triggers the target when it receives an event matching an event pattern. The event pattern is defined in the rule. The AWS documentation provides steps on how to configure the rule.

Check the Amazon WAF integration for a Firehose configuration example.
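An event pattern for the EventBridge rule, added here as an example rather than taken from the page or from Wazuh, that matches the three event types listed above; aws.securityhub is the source value Security Hub uses when it emits events to EventBridge:

```json
{
  "source": ["aws.securityhub"],
  "detail-type": [
    "Security Hub Findings - Imported",
    "Security Hub Findings - Custom Action",
    "Security Hub Insight Results"
  ]
}
```

Removing entries from detail-type narrows the rule to the event types you actually want stored in the bucket; a rule that only specifies source forwards every Security Hub event to the Firehose stream.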

Amazon Simple Queue Service

  1. Set up a Standard type SQS Queue with the default configurations. You can apply an Access Policy similar to the following example, where <region>, <account-id>, and <s3-bucket> are the region, the account ID, and the name you are going to give the S3 bucket.

    {
    "Version": "2012-10-17",
    "Id": "example-ID",
    "Statement": [
      {
        "Sid": "example-access-policy",
        "Effect": "Allow",
        "Principal": {
          "Service": "s3.amazonaws.com"
        },
        "Action": "SQS:SendMessage",
        "Resource": "arn:aws:sqs:<region>:<account-id>:<s3-bucket>",
        "Condition": {
          "StringEquals": {
            "aws:SourceAccount": "<account-id>"
          },
          "ArnLike": {
            "aws:SourceArn": "arn:aws:s3:*:*:<s3-bucket>"
          }
        }
      }
    ]
    }
    

You can adapt the access policy to accept S3 notifications from different account IDs and to apply different conditions. Find more information in Managing access in Amazon SQS.
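The conditions in the queue policy above are what stop an arbitrary account from pushing messages into a queue that Wazuh reads and deletes blindly. The following check, added here as an example and not part of Wazuh or the page, verifies that every Allow statement of a queue policy keeps the scoping of the example (s3.amazonaws.com principal, SendMessage only, aws:SourceAccount and aws:SourceArn bound to your account and bucket); the account ID, region and bucket name in the sample are constructed placeholders.

```python
"""Verify that an SQS access policy for S3 event notifications is scoped
like the example on the page: only s3.amazonaws.com may SendMessage, and only
for notifications from the expected account and bucket."""
import json

# Constructed sample: the page's example policy with the <region>,
# <account-id> and <s3-bucket> placeholders filled with made-up values.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "example-ID",
    "Statement": [{
        "Sid": "example-access-policy",
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "SQS:SendMessage",
        "Resource": "arn:aws:sqs:us-east-1:111122223333:security-hub-bucket",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": "111122223333"},
            "ArnLike": {"aws:SourceArn": "arn:aws:s3:*:*:security-hub-bucket"},
        },
    }],
})


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to list."""
    return value if isinstance(value, list) else [value]


def check_sqs_policy(policy_json, account_id, bucket):
    """Return a list of problems found in the queue policy (empty means OK)."""
    problems = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        # A bare "*" principal lets any AWS account push messages into the queue.
        if principal == "*" or principal == {"AWS": "*"}:
            problems.append(f"{sid}: principal is '*'")
        elif _as_list((principal or {}).get("Service")) != ["s3.amazonaws.com"]:
            problems.append(f"{sid}: principal is not s3.amazonaws.com")
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if actions != ["sqs:sendmessage"]:
            problems.append(f"{sid}: actions other than SendMessage allowed: {actions}")
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get("aws:SourceAccount") != account_id:
            problems.append(f"{sid}: aws:SourceAccount is missing or not {account_id}")
        src_arn = cond.get("ArnLike", {}).get("aws:SourceArn", "")
        if not src_arn.endswith(f":{bucket}"):
            problems.append(f"{sid}: aws:SourceArn does not name bucket {bucket}")
    return problems
```

Run it against the policy you actually attached (for example the output of aws sqs get-queue-attributes) with your own account ID and bucket name; any returned string is a statement that is looser than the example.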

Amazon S3 and Event Notifications

To configure an S3 bucket that reports creation events, do the following.

  1. Configure an S3 bucket as defined in the Configuring an S3 Bucket section. Provide the name you decided in the previous section.

  2. Once created, go to Event notifications inside the Properties tab. Select Create event notification.

  3. In Event Types, select All object create events. This generates notifications for any type of event that results in the creation of an object in the bucket.

  4. In the Destination section, select SQS queue.

  5. Select Choose from your SQS queues. Then, choose the queue you created previously.

Wazuh Configuration

Warning

Every message sent to the queue is read and deleted. Make sure you only use the queue for bucket notifications.

  1. Edit the /var/ossec/etc/ossec.conf file. Add the SQS queue name and your configuration parameters for the buckets service. Set them within the <subscriber type="security_hub"> block. For example:

    <wodle name="aws-s3">
        <disabled>no</disabled>
        <interval>1h</interval>
        <run_on_start>yes</run_on_start>
        <subscriber type="security_hub">
            <sqs_name>sqs-queue</sqs_name>
            <aws_profile>default</aws_profile>
        </subscriber>
    </wodle>
    

    Check the AWS S3 module reference to learn more about the available settings.

    Note

    The number of notifications present in the queue affects the execution time of the AWS S3 module. If the <interval> value for the waiting time between executions is too short, Wazuh logs the Interval overtaken warning into the ossec.log file.

  2. Restart the Wazuh manager to apply the changes.

    # systemctl restart wazuh-manager
    

Configuration parameters

Configure the following fields to set the queue and authentication configuration. For more information, check the Subscribers reference.

Queue

  • <sqs_name>: The name of the queue.

  • <service_endpoint>: Optional. The AWS S3 endpoint URL for data downloading from the bucket. Check Using non-default AWS endpoints for more information about VPC and FIPS endpoints.

Authentication

The available authentication methods are the following:

These authentication methods require using the /root/.aws/credentials file to provide credentials. You can find more information in Configuring AWS credentials.

The available authentication configuration parameters are the following: