AWS Security Hub
New in version 4.9.0.
AWS Security Hub is a cloud security posture management (CSPM) service that automates security best practice checks, aggregates security alerts into a unified format, and helps you understand the overall security posture across your AWS accounts.
Security Hub helps users assess their compliance against security best practices as follows:
Runs checks against security controls.
Generates control findings.
Groups related findings into collections called insights.
Wazuh integrates with Amazon SQS and EventBridge to centralize Security Hub findings and insights in a single place.
EventBridge, through a Firehose stream, stores Security Hub findings and insights in S3 buckets.
There are three types of events available, and each type uses a specific EventBridge event format. The Wazuh integration takes the relevant detail and detail-type values from them.
Security Hub Findings - Imported: Security Hub automatically sends events of this type to EventBridge. It includes all new findings as well as updates to existing findings. Each event contains a single finding.
Security Hub Findings - Custom Action: Security Hub sends events of this type to EventBridge when custom actions are triggered. The events are associated with the findings of the custom actions.
Security Hub Insight Results: This type of event is used to process the Security Hub Insights. You can use custom actions to send sets of insight results to EventBridge. Insight results are the resources that match an insight.
Find more information about each type of event in Types of Security Hub integration with EventBridge.
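The three event types above share one EventBridge envelope but carry their payload under different keys in detail: findings for the two "Findings" types and insightResults for insight results. The following added example (not Wazuh's own code) flattens a Firehose-written S3 object into one record per finding or insight result, which is the shape a detection rule wants. It assumes the object was produced by the EventBridge rule and Firehose stream described later on this page, and that Firehose may write events back-to-back with no delimiter, so the body is parsed with a streaming decoder instead of being split on newlines. SAMPLE_BODY and all names, ARNs and titles in it are constructed for the demo.

```python
"""Flatten Security Hub EventBridge events stored in S3 into per-finding records.

Added example, not Wazuh's own code. Assumes the S3 object was written by a
Firehose stream fed by the EventBridge rule, possibly with the events
concatenated without a record delimiter. SAMPLE_BODY is constructed.
"""
import json
from typing import Iterator

KNOWN_DETAIL_TYPES = {
    "Security Hub Findings - Imported",
    "Security Hub Findings - Custom Action",
    "Security Hub Insight Results",
}


def iter_json_objects(body: str) -> Iterator[dict]:
    """Yield each top-level JSON object in body, delimited by newlines or by nothing."""
    decoder = json.JSONDecoder()
    pos, end = 0, len(body)
    while pos < end:
        if body[pos].isspace():          # tolerate optional newline delimiters
            pos += 1
            continue
        obj, pos = decoder.raw_decode(body, pos)
        yield obj


def flatten_event(event: dict) -> list[dict]:
    """One EventBridge event -> one record per finding (or per insight result)."""
    detail_type = event.get("detail-type")
    if detail_type not in KNOWN_DETAIL_TYPES:
        return []                        # not a Security Hub event type; skip it
    detail = event.get("detail", {})
    base = {k: event.get(k) for k in ("detail-type", "source", "account", "region", "time")}
    if detail_type == "Security Hub Insight Results":
        base["insightName"] = detail.get("insightName")
        base["actionName"] = detail.get("actionName")
        return [dict(base, insightResult=r) for r in detail.get("insightResults", [])]
    if detail_type == "Security Hub Findings - Custom Action":
        base["actionName"] = detail.get("actionName")
    return [dict(base, finding=f) for f in detail.get("findings", [])]


def parse_s3_object(body: str) -> list[dict]:
    """Parse a whole S3 object body into flattened records."""
    return [rec for event in iter_json_objects(body) for rec in flatten_event(event)]


def failed_high_or_critical(records: list[dict]) -> list[dict]:
    """Findings a rule would typically alert on: compliance FAILED at HIGH/CRITICAL severity."""
    out = []
    for rec in records:
        finding = rec.get("finding")
        if not finding:
            continue
        status = finding.get("Compliance", {}).get("Status")
        label = finding.get("Severity", {}).get("Label")
        if status == "FAILED" and label in ("HIGH", "CRITICAL"):
            out.append(rec)
    return out


def _event(detail_type: str, detail: dict) -> str:
    """Constructed EventBridge envelope as JSON text (demo data only)."""
    return json.dumps({
        "version": "0", "detail-type": detail_type, "source": "aws.securityhub",
        "account": "111122223333", "region": "us-east-1",
        "time": "2024-01-01T00:00:00Z", "detail": detail,
    })


def _finding(title: str, label: str, status: str, resource: str) -> dict:
    return {"Title": title, "Severity": {"Label": label},
            "Compliance": {"Status": status},
            "Resources": [{"Type": "AwsS3Bucket", "Id": resource}]}


# Constructed S3 object body: the first two events are concatenated with no
# delimiter, the third is newline-delimited, the mix the parser must tolerate.
SAMPLE_BODY = (
    _event("Security Hub Findings - Imported", {"findings": [
        _finding("S3 buckets should block public access", "HIGH", "FAILED",
                 "arn:aws:s3:::example-bucket-a")]})
    + _event("Security Hub Findings - Custom Action", {
        "actionName": "SendToWazuh", "actionDescription": "demo",
        "findings": [
            _finding("S3 buckets should have versioning enabled", "LOW", "PASSED",
                     "arn:aws:s3:::example-bucket-b"),
            _finding("S3 bucket policies should not grant public access", "CRITICAL",
                     "FAILED", "arn:aws:s3:::example-bucket-c")]})
    + "\n"
    + _event("Security Hub Insight Results", {
        "actionName": "SendToWazuh", "insightName": "Top S3 buckets by failed findings",
        "resultType": "ResourceId",
        "insightResults": [{"arn:aws:s3:::example-bucket-a": 3},
                           {"arn:aws:s3:::example-bucket-c": 1}]})
    + "\n"
)

if __name__ == "__main__":
    records = parse_s3_object(SAMPLE_BODY)
    print(len(records), "records;", len(failed_high_or_critical(records)), "actionable")
```

Events with an unknown detail-type are dropped rather than raising, because the same Firehose stream may receive other events if the EventBridge rule pattern is broader than the three Security Hub types.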
Amazon Simple Queue Service is a fully managed message queuing service that makes it easy to decouple and scale microservices, distributed systems, and serverless applications.
In this case, it is used to notify Wazuh of new objects to pull from the S3 bucket.
To set up the integration, you need to:
Configure AWS. This involves the following.
Enabling Amazon Security Hub.
Integrating Security Hub with EventBridge.
Creating an Amazon SQS queue.
Creating an Amazon S3 bucket with event notifications enabled. The bucket sends a notification to the queue for every Security Hub object creation event.
Set up the Wazuh integration for Amazon Security Hub.
AWS configuration
Enabling Security Hub
AWS Security Hub uses service-linked AWS Config rules to perform security checks for most controls. We advise configuring AWS Config as a prerequisite.
You have two alternative ways to enable AWS Security Hub:
AWS Organizations integration: Recommended for multi-account and multi-region environments.
Manual: Recommended for standalone accounts and when the integration with AWS Organizations is unnecessary.
If you choose the Organizations integration, you must attach the following AWS managed policies to the IAM identity.
AWSSecurityHubFullAccess to access the Security Hub console and API operations.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SecurityHubAllowAll",
            "Effect": "Allow",
            "Action": "securityhub:*",
            "Resource": "*"
        },
        {
            "Sid": "SecurityHubServiceLinkedRole",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "securityhub.amazonaws.com"
                }
            }
        },
        {
            "Sid": "OtherServicePermission",
            "Effect": "Allow",
            "Action": [
                "guardduty:GetDetector",
                "guardduty:ListDetectors",
                "inspector2:BatchGetAccountStatus",
                "pricing:GetProducts"
            ],
            "Resource": "*"
        }
    ]
}
AWSSecurityHubOrganizationsAccess to enable and manage the Security Hub through the Organizations integration.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OrganizationPermissions",
            "Effect": "Allow",
            "Action": [
                "organizations:ListAccounts",
                "organizations:DescribeOrganization",
                "organizations:ListRoots",
                "organizations:ListDelegatedAdministrators",
                "organizations:ListAWSServiceAccessForOrganization",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListAccountsForParent",
                "organizations:DescribeAccount",
                "organizations:DescribeOrganizationalUnit"
            ],
            "Resource": "*"
        },
        {
            "Sid": "OrganizationPermissionsEnable",
            "Effect": "Allow",
            "Action": "organizations:EnableAWSServiceAccess",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "organizations:ServicePrincipal": "securityhub.amazonaws.com"
                }
            }
        },
        {
            "Sid": "OrganizationPermissionsDelegatedAdmin",
            "Effect": "Allow",
            "Action": [
                "organizations:RegisterDelegatedAdministrator",
                "organizations:DeregisterDelegatedAdministrator"
            ],
            "Resource": "arn:aws:organizations::*:account/o-*/*",
            "Condition": {
                "StringEquals": {
                    "organizations:ServicePrincipal": "securityhub.amazonaws.com"
                }
            }
        }
    ]
}
We recommend using central configuration to set up and manage Security Hub for the organization. Central configuration lets the administrator customize security coverage for the organization.
Integrating Security Hub with EventBridge
To integrate Security Hub with EventBridge, you need to create the following resources:
A Firehose stream in Amazon Data Firehose
An event rule in EventBridge
To send Security Hub Findings - Custom Action and Security Hub Insight Results events to EventBridge, create a custom action in Security Hub.
EventBridge needs a target such as the Firehose stream. It triggers the target when it receives an event matching an event pattern. The event pattern is defined in the rule. The AWS documentation provides steps on how to configure the rule.
Check the Amazon WAF integration for a Firehose configuration example.
Amazon Simple Queue Service
Set up a Standard type SQS queue with the default configuration. You can apply an access policy similar to the following example, where <region>, <account-id>, and <s3-bucket> are the region, the account ID, and the name you are going to give the S3 bucket. The example names the queue after the bucket.
{
    "Version": "2012-10-17",
    "Id": "example-ID",
    "Statement": [
        {
            "Sid": "example-access-policy",
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": "SQS:SendMessage",
            "Resource": "arn:aws:sqs:<region>:<account-id>:<s3-bucket>",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "<account-id>"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:s3:*:*:<s3-bucket>"
                }
            }
        }
    ]
}
You can make your access policy accept S3 notifications from different account IDs and apply different conditions. Keep the aws:SourceAccount and aws:SourceArn conditions in place so that only your bucket can send messages to the queue. More information in Managing access in Amazon SQS.
Amazon S3 and Event Notifications
To configure an S3 bucket that reports creation events, do the following.
Configure an S3 bucket as defined in the Configuring an S3 Bucket section. Use the bucket name you chose in the previous section.
Once created, go to Event notifications inside the Properties tab. Select Create event notification.
In Event Types, select All object create events. This generates notifications for any type of event that results in the creation of an object in the bucket.
In the Destination section, select SQS queue.
Select Choose from your SQS queues. Then, choose the queue you created previously.
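Once the notification is configured, each message in the queue is an S3 event notification, and a practitioner should know what arrives there besides the ObjectCreated records: S3 sends a one-off "s3:TestEvent" message when the notification is created, and object keys inside notifications are URL-encoded. The following added example (not Wazuh's own code) turns received SQS messages into the list of objects to download, and mirrors the behaviour described in the warning below by marking every message read for deletion whether or not it was a bucket notification. SAMPLE_MESSAGES, the bucket name, keys and receipt handles are constructed for the demo; the actual receive and delete calls to SQS are left out so that it runs offline.

```python
"""Turn S3 event notifications received from SQS into objects to fetch.

Added example, not Wazuh's own code. Assumes each SQS message body is an S3
event notification for the Security Hub bucket, as configured on this page.
SAMPLE_MESSAGES is constructed; no AWS call is made.
"""
import json
from urllib.parse import unquote_plus


def objects_from_notification(body: str) -> list[tuple[str, str]]:
    """Return (bucket, key) for every ObjectCreated record in one SQS message body."""
    try:
        notification = json.loads(body)
    except json.JSONDecodeError:
        return []                                   # not JSON: nothing to fetch
    if notification.get("Event") == "s3:TestEvent":
        return []                                   # S3's configuration test message
    objects = []
    for record in notification.get("Records", []):
        if record.get("eventSource") != "aws:s3":
            continue
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue                                # only creations carry new objects
        s3 = record["s3"]
        bucket = s3["bucket"]["name"]
        key = unquote_plus(s3["object"]["key"])    # S3 URL-encodes keys ("+" is a space)
        objects.append((bucket, key))
    return objects


def process_messages(messages: list[dict]) -> tuple[list[tuple[str, str]], list[str]]:
    """Collect objects to download and the receipt handle of every message read.

    Every message is deleted after being read, even one that yielded no object,
    which is why the queue must be reserved for bucket notifications.
    """
    to_fetch: list[tuple[str, str]] = []
    to_delete: list[str] = []
    for msg in messages:
        to_fetch.extend(objects_from_notification(msg["Body"]))
        to_delete.append(msg["ReceiptHandle"])       # deleted even if it yielded nothing
    return to_fetch, to_delete


def _s3_record(event_name: str, bucket: str, key: str) -> dict:
    """Constructed S3 notification record (demo data only)."""
    return {"eventSource": "aws:s3", "eventName": event_name,
            "s3": {"bucket": {"name": bucket}, "object": {"key": key}}}


# Constructed messages in the shape of sqs.receive_message()["Messages"].
SAMPLE_MESSAGES = [
    {"ReceiptHandle": "rh-1", "Body": json.dumps({"Records": [
        _s3_record("ObjectCreated:Put", "wazuh-security-hub",
                   "security-hub/2024/01/01/00/findings+stream-2024-01-01-00-00-00-0001")]})},
    {"ReceiptHandle": "rh-2", "Body": json.dumps(
        {"Service": "Amazon S3", "Event": "s3:TestEvent", "Bucket": "wazuh-security-hub"})},
    {"ReceiptHandle": "rh-3", "Body": json.dumps({"Records": [
        _s3_record("ObjectRemoved:Delete", "wazuh-security-hub", "security-hub/old-object")]})},
    {"ReceiptHandle": "rh-4", "Body": "not a bucket notification"},
]

if __name__ == "__main__":
    fetch, delete = process_messages(SAMPLE_MESSAGES)
    print("objects to download:", fetch)
    print("receipt handles to delete:", delete)
```

Only the first message yields an object to download, yet all four receipt handles are deleted; anything else published to this queue is consumed and lost.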
Wazuh Configuration
Warning
Every message sent to the queue is read and deleted. Make sure you only use the queue for bucket notifications.
Edit the /var/ossec/etc/ossec.conf file. Add the SQS queue name and the other configuration parameters within the <subscriber type="security_hub"> block of the aws-s3 wodle. For example:
<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>1h</interval>
  <run_on_start>yes</run_on_start>
  <subscriber type="security_hub">
    <sqs_name>sqs-queue</sqs_name>
    <aws_profile>default</aws_profile>
  </subscriber>
</wodle>
Check the AWS S3 module reference to learn more about the available settings.
Note
The number of notifications present in the queue affects the execution time of the AWS S3 module. If the <interval> value for the waiting time between executions is too short, Wazuh logs the "Interval overtaken" warning in the ossec.log file.
Restart the Wazuh manager to apply the changes.
# systemctl restart wazuh-manager
# service wazuh-manager restart
Configuration parameters
Configure the following fields to set the queue and authentication configuration. For more information, check the Subscribers reference.
Queue
<sqs_name>: The name of the queue.
<service_endpoint> – Optional: The AWS S3 endpoint URL for data downloading from the bucket. Check Using non-default AWS endpoints for more information about VPC and FIPS endpoints.
Authentication
The available authentication methods are the following:
These authentication methods require using the /root/.aws/credentials file to provide credentials. You can find more information in Configuring AWS credentials.
The available authentication configuration parameters are the following:
<aws_profile>: A valid profile name from a Shared Credential File or AWS Config File with permission to read logs from the bucket.
<iam_role_arn>: ARN of the corresponding IAM role to assume.
<iam_role_duration> – Optional: The session duration in seconds.
<sts_endpoint> – Optional: The URL of the VPC endpoint of the AWS Security Token Service.