Apps
AWS Security Hub

Interpres Application - AWS Security Hub Integration

  • Type: Cloud
  • Vendor: AWS

The AWS GuardDuty integration will pull in alerts and detections based off of AWS logs that GuardDuty itself is continuously monitoring. To enable this integration you must have GuardDuty enabled in the account you are setting up and valid logs to be scanned in the account.

Vendor setup

JSON


Note: This policy currently allows for any hub to be accessed, if you want to limit access please replaced the Resource field and replace the following: Resource": "arn:aws:securityhub:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}}:hub/default

  • 2.0 Create an AWS role and attach the policy created in the step 1
  • 3.0 Choose one of the authentication methods currently supported by the integration
    1. Using an AWS user with secret key and id directly to access resources
      1. Create an AWS User with programmatic access only
      2. Create AWS Access Key ID and AWS Secret Access Key and store in a safe place
      3. Attach the role created from step 2 to new user:
    2. Using an attached role to access resources
      • Note: This method can only be used if you are self hosting your Interpres deployments in AWS
    3. Using an attached role to assume another role to access resources
      • Note: This method can only be used if your Interpres deployment is hosted in AWS
      • Note: External ID is required for this method. Interpres will provide you with it
      • For more information about cross account IAM roles: link
JSON


App Configuration

App Parameters:

* Note *The AWS Integrations can be configured in multiple ways of authentcation and the required inputs are as follows

  1. Using an AWS user with secret key and id directly to access resources
    • Access Key
    • Secret Key
  2. Using an attached role to access resources
    • Use attached role when running in EC2 - True
  3. Using an attached role to assume another role to access resources
    • Use attached role when running in EC2 - True
    • Use attached role to assume another specified role
  • Access Key: If using Authentication method 1 (step 3.1) provide AWS_ACCESS_KEY for user
  • Secret Key: If using Authentication method 1 (step 3.1) provide AWS_SECRET_KEY for user
  • Use Role: Check this box if using Authentication method 2 (step 3.2) or 3 (step 3.3)
  • Assume Role: AWS cross account role arn to assume (Created in step 2)
  • Region: AWS Region to monitor for the resources

App Validation

Check there is connectivity (green light) in the integration created.

Implemented Actions

  • Get Detections: Will pull in all available security control definitions defined here in AWS: Security Hub controls reference
  • Get Alerts: Will pull in the latest alerts. Alerts defined in this context map directly to Security Hub Findings: Findings