March 17, 2021 01:30 pm GMT

AWS Chatbot to the rescue: never miss an AWS Security alert

To secure our AWS Cloud setup we use quite a few tools: AWS Security Hub, AWS Inspector, AWS GuardDuty and ECR vulnerability scanning, just to name a few.

All these tools are easy to set up and do a very nice job of finding weaknesses and threats. The only issue I had is that their findings often stayed under the radar way too long. I'm not the person to check all these dashboards on a daily basis for new findings; I simply forget to do so.

Chatops

On the other hand, we heavily use Slack for chat and for notifications from build pipelines, service changes, system errors, etc. All these notifications are collected in a dedicated room, and company policy dictates that everything posted there is read.

So ideally, we would just add our security notifications to the same chat room, get notified there, and never miss a security issue again.

AWS Eventbridge, AWS SNS and AWS Chatbot

It turns out that showing all your security findings and alerts in your chat client is quite easy. This is what our setup looks like:

[Diagram: Security alerts flow]

Using AWS EventBridge, we collect all notifications on a single SNS topic named 'security-issues'. On top of that, AWS Chatbot is configured to listen to that SNS topic and forward all messages to Slack.

Creating the SNS topic and setting up AWS Chatbot to listen to it and forward the messages to your chat client is very easy and done in a few clicks. The hardest part is capturing the EventBridge events and forwarding them to SNS, so here is the CloudFormation template to help you out with that part:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Forward EventBridge security events to AWS SNS
Parameters:
  SecurityIssuesSnsTopic:
    Type: String
    Description: Contains the ARN of the SNS topic on which security issues are published.
Resources:
  GuardDutyEventRule:
    Type: AWS::Events::Rule
    Properties:
      Name: detect-guardduty-findings
      Description: A CloudWatch Event Rule that triggers on Amazon GuardDuty findings.
      State: ENABLED
      EventPattern:
        source:
          - aws.guardduty
        detail-type:
          - GuardDuty Finding
      Targets:
        - Arn:
            Ref: SecurityIssuesSnsTopic
          Id: SecurityTopic
  SecurityHubFindingEventRule:
    Type: AWS::Events::Rule
    Properties:
      Name: detect-securityhub-findings
      Description: A CloudWatch Event Rule that triggers on Amazon Security Hub findings.
      State: ENABLED
      EventPattern:
        source:
          - aws.securityhub
        detail-type:
          - Security Hub Findings - Custom Action
        resources:
          - !Sub arn:aws:securityhub:${AWS::Region}:${AWS::AccountId}:action/custom/reportfindings
      Targets:
        - Arn:
            Ref: SecurityIssuesSnsTopic
          Id: SecurityTopic
  SecurityHubInsightsEventRule:
    Type: AWS::Events::Rule
    Properties:
      Name: detect-securityhub-insights
      Description: A CloudWatch Event Rule that triggers on Amazon Security Hub insights.
      State: ENABLED
      EventPattern:
        source:
          - aws.securityhub
        detail-type:
          - Security Hub Insight Results
        resources:
          - !Sub arn:aws:securityhub:${AWS::Region}:${AWS::AccountId}:action/custom/reportfindings
      Targets:
        - Arn:
            Ref: SecurityIssuesSnsTopic
          Id: SecurityTopic
  EcrVulnerabilitiesEventRule:
    Type: AWS::Events::Rule
    Properties:
      Name: detect-ecr-vulnerabilities
      Description: A CloudWatch Event Rule that triggers on Amazon ECR vulnerabilities.
      State: ENABLED
      EventPattern:
        source:
          - aws.ecr
        detail-type:
          - ECR Image Scan
        detail:
          finding-severity-counts:
            CRITICAL:
              - exists: false
              - numeric: [ ">", 0 ]
            HIGH:
              - exists: false
              - numeric: [ ">", 0 ]
            MEDIUM:
              - exists: false
              - numeric: [ ">", 0 ]
            # UNDEFINED:
            #   - exists: false
            #   - numeric: [ ">", 0 ]
      Targets:
        - Arn:
            Ref: SecurityIssuesSnsTopic
          Id: SecurityTopic
```
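To see which events a rule's pattern will actually fire on before deploying it, here is a small matcher (an added example, not code from the original post or from AWS) that follows EventBridge's documented matching rules and evaluates the ECR rule's pattern over constructed scan events:

```python
import operator

# Added example, not AWS code: a minimal matcher following EventBridge's
# documented pattern semantics (AND across keys, OR within a list, plus the
# "exists" and "numeric" matchers the ECR rule above relies on).
_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
        "<=": operator.le, "=": operator.eq}

def _matches_value(matchers, value, present):
    """OR over the list: True if any matcher accepts the event value."""
    for m in matchers:
        if isinstance(m, dict) and "exists" in m:
            if m["exists"] == present:
                return True
        elif isinstance(m, dict) and "numeric" in m:
            spec = m["numeric"]  # e.g. [">", 0] or chained [">", 0, "<=", 10]
            if present and isinstance(value, (int, float)) and all(
                    _OPS[spec[i]](value, spec[i + 1]) for i in range(0, len(spec), 2)):
                return True
        elif present and m == value:  # plain exact-match value
            return True
    return False

def matches(pattern, event):
    """AND over pattern keys; nested pattern dicts recurse into the event."""
    for key, sub in pattern.items():
        present = isinstance(event, dict) and key in event
        value = event[key] if present else None
        if isinstance(sub, dict):
            if not matches(sub, value if present else {}):
                return False
        elif not _matches_value(sub, value, present):
            return False
    return True

# The EcrVulnerabilitiesEventRule pattern from the template, as EventBridge sees it.
ECR_PATTERN = {
    "source": ["aws.ecr"],
    "detail-type": ["ECR Image Scan"],
    "detail": {"finding-severity-counts": {
        sev: [{"exists": False}, {"numeric": [">", 0]}]
        for sev in ("CRITICAL", "HIGH", "MEDIUM")}},
}

def ecr_scan_event(counts):
    """Constructed ECR Image Scan event carrying the given severity counts."""
    return {"source": "aws.ecr", "detail-type": "ECR Image Scan",
            "detail": {"finding-severity-counts": counts}}
```

Because each severity accepts `exists: false` as well as `numeric > 0` and the three severities are ANDed together, a scan event that lists none of CRITICAL, HIGH or MEDIUM (for instance only LOW findings) matches too; tighten the pattern if that is noisier than you want.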

This should get you started in a matter of minutes.

Here's what the result looks like in Slack. Pretty neat, isn't it?

[Image: Slack example]

Currently, all of the above message types are supported by AWS Chatbot except for the ECR vulnerability findings. Hopefully this changes in the near future (for now I also have an email subscription on the SNS topic to cover those).

Enjoy and until next time!


Original Link: https://dev.to/aws-builders/aws-chatbot-to-the-rescue-never-miss-an-aws-security-alert-b65
