
How do I send out a custom email for all the config violations (all the Security Hub events) that arise in my account?

Use this CloudFormation stack to build this solution out.

What is the target of the CloudWatch event rule that is created?

The target is an SNS topic with one or more email subscriptions.

What if I have more than one account with Security Hub enabled?

You need a central ‘security’ account, which sends out invitations to the Security Hub in each of the other accounts (to send out an invitation, go into Security Hub –> Settings –> Accounts). Once an invited account accepts, it is linked to the central account and its findings show up there.

I ran the stack and I am getting too many emails. How do I filter for only CRITICAL (or HIGH) severity violations?

As part of the stack above, a CloudWatch event rule will have been created. Go into CloudWatch, edit that event rule, and set its event pattern as follows:

{
  "source": ["aws.securityhub"],
  "detail": {
    "findings": {
      "Compliance": {
        "Status": ["FAILED"]
      },
      "Workflow": {
        "Status": ["NEW"]
      },
      "FindingProviderFields": {
        "Severity": {
          "Label": ["MEDIUM", "HIGH", "CRITICAL"]
        }
      }
    }
  }
}
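To see which findings this pattern actually lets through to the SNS topic, here is an added Python example (it is not part of the post or of the CloudFormation stack). It reproduces the pattern above as a dict, applies a simplified version of EventBridge's matching rules (every pattern key must exist in the event, a leaf list is a set of allowed values, and a list in the event matches if any element does; real EventBridge does not require all sub-fields to match inside the same array element), and runs it over a few constructed Security Hub events. The `with_severity` helper is an assumption of this example and shows how tightening the `Label` list drops MEDIUM findings.

```python
import copy
import json

# The event pattern from the post, as a Python dict.
SECURITY_HUB_PATTERN = {
    "source": ["aws.securityhub"],
    "detail": {
        "findings": {
            "Compliance": {"Status": ["FAILED"]},
            "Workflow": {"Status": ["NEW"]},
            "FindingProviderFields": {
                "Severity": {"Label": ["MEDIUM", "HIGH", "CRITICAL"]}
            },
        }
    },
}


def matches(pattern, event):
    """Simplified EventBridge pattern matching.

    A dict in the pattern requires every key to be present in the event and
    to match recursively; a list in the pattern is the set of allowed literal
    values. If the event value is a list (Security Hub sends detail.findings
    as an array), any element matching is enough. This is a simplification:
    EventBridge flattens arrays and does not insist that all sub-fields match
    within the same element.
    """
    if isinstance(pattern, dict):
        if isinstance(event, list):
            return any(matches(pattern, item) for item in event)
        if not isinstance(event, dict):
            return False
        return all(key in event and matches(sub, event[key])
                   for key, sub in pattern.items())
    # Leaf: the pattern is a list of allowed values.
    if isinstance(event, list):
        return any(value in pattern for value in event)
    return event in pattern


def make_finding_event(title, severity, compliance, workflow, source="aws.securityhub"):
    """Constructed sample 'Security Hub Findings - Imported' event; not a real finding."""
    finding = {
        "Title": title,
        "Workflow": {"Status": workflow},
        "FindingProviderFields": {"Severity": {"Label": severity}},
    }
    if compliance is not None:          # non-config findings carry no Compliance block
        finding["Compliance"] = {"Status": compliance}
    return {
        "source": source,
        "detail-type": "Security Hub Findings - Imported",
        "detail": {"findings": [finding]},
    }


# Constructed sample events: only the first and last should reach the SNS topic.
SAMPLE_EVENTS = [
    make_finding_event("critical-failed-new", "CRITICAL", "FAILED", "NEW"),
    make_finding_event("low-failed-new", "LOW", "FAILED", "NEW"),
    make_finding_event("high-passed-new", "HIGH", "PASSED", "NEW"),
    make_finding_event("high-failed-notified", "HIGH", "FAILED", "NOTIFIED"),
    make_finding_event("high-no-compliance-block", "HIGH", None, "NEW"),
    make_finding_event("guardduty-source", "HIGH", "FAILED", "NEW", source="aws.guardduty"),
    make_finding_event("medium-failed-new", "MEDIUM", "FAILED", "NEW"),
]


def filter_events(events, pattern=SECURITY_HUB_PATTERN):
    """Return the titles of the findings whose event matches the rule pattern."""
    return [e["detail"]["findings"][0]["Title"] for e in events if matches(pattern, e)]


def with_severity(pattern, labels):
    """Copy of the pattern with the allowed severity labels replaced (hypothetical helper)."""
    tightened = copy.deepcopy(pattern)
    tightened["detail"]["findings"]["FindingProviderFields"]["Severity"]["Label"] = list(labels)
    return tightened


if __name__ == "__main__":
    print("as posted   :", filter_events(SAMPLE_EVENTS))
    print("HIGH+CRITICAL:", filter_events(SAMPLE_EVENTS,
                                          with_severity(SECURITY_HUB_PATTERN, ["HIGH", "CRITICAL"])))
    print(json.dumps(with_severity(SECURITY_HUB_PATTERN, ["HIGH", "CRITICAL"]), indent=2))
```

Running it shows the pattern as posted still forwards MEDIUM findings; the `Workflow.Status: NEW` clause is what stops a finding from re-emailing every time Security Hub re-imports it, and anything without a `Compliance` block (non-config findings) is dropped because the key is absent. Note that a real email subscription receives the raw event JSON; the CloudWatch rule only decides which events are delivered.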

Summary

CloudWatch event rules provide a way to customize (filter) the Security Hub events that are sent to the SNS topic (target). It t

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.


Anuj Varma – Hands-On Technology Architect, Clean Air Activist.