Security Hub Notification emails – Severity Level Filtered
How do I send out a custom email for all the config violations (all the Security Hub events) that arise in my account?
Use this CloudFormation stack to build the solution out.
What is the target of the CloudWatch event rule that is created?
The target is an SNS topic with one or more email subscriptions.
What if I have more than one account with Security Hub enabled?
You need a central 'security' account, which sends out invitations to the Security Hub instances in the other accounts (to send an invitation, go to Security Hub -> Settings -> Accounts). Once an invitation is accepted, that account's findings are linked to the central account.
I ran the stack and I am getting too many emails. How do I filter for only CRITICAL (or HIGH severity) violations?
The stack above created a CloudWatch event rule. Go into CloudWatch, edit that rule, and replace its event pattern with one that matches only the severity labels you want. The pattern below forwards FAILED, NEW findings of MEDIUM, HIGH or CRITICAL severity; drop "MEDIUM" (or "MEDIUM" and "HIGH") from the Label list to narrow it further.
{
  "source": ["aws.securityhub"],
  "detail": {
    "findings": {
      "Compliance": { "Status": ["FAILED"] },
      "Workflow": { "Status": ["NEW"] },
      "FindingProviderFields": {
        "Severity": { "Label": ["MEDIUM", "HIGH", "CRITICAL"] }
      }
    }
  }
}
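As an added example (not part of the original post or its CloudFormation stack), the following Python re-implements the EventBridge pattern-matching semantics this rule relies on and runs constructed Security Hub events through the pattern above, so you can check which findings would reach the SNS topic before editing the rule. The event shapes and the `with_severities` helper are assumptions for illustration.

```python
import copy

# Event pattern exactly as given in the post.
POST_PATTERN = {
    "source": ["aws.securityhub"],
    "detail": {"findings": {
        "Compliance": {"Status": ["FAILED"]},
        "Workflow": {"Status": ["NEW"]},
        "FindingProviderFields": {"Severity": {"Label": ["MEDIUM", "HIGH", "CRITICAL"]}},
    }},
}


def with_severities(labels):
    """Copy of the post's pattern with a different severity list, e.g. ["HIGH", "CRITICAL"]."""
    pattern = copy.deepcopy(POST_PATTERN)
    pattern["detail"]["findings"]["FindingProviderFields"]["Severity"]["Label"] = list(labels)
    return pattern


def matches(pattern, event):
    """EventBridge semantics for the subset this rule uses: a list in the pattern means
    'any of these exact values'; an array in the event (detail.findings) matches if any
    element matches; every key in the pattern must be present in the event and match."""
    if isinstance(event, list):
        return any(matches(pattern, item) for item in event)
    if isinstance(pattern, list):
        return event in pattern
    if not isinstance(event, dict):
        return False
    return all(k in event and matches(v, event[k]) for k, v in pattern.items())


def finding_event(compliance, workflow, severity, source="aws.securityhub"):
    """Constructed 'Security Hub Findings - Imported' event (shape only, not a real finding)."""
    return {"source": source, "detail-type": "Security Hub Findings - Imported",
            "detail": {"findings": [{"Compliance": {"Status": compliance},
                                     "Workflow": {"Status": workflow},
                                     "FindingProviderFields": {"Severity": {"Label": severity}}}]}}


# Constructed sample events; only the first three can ever reach the topic.
SAMPLE_EVENTS = [
    finding_event("FAILED", "NEW", "CRITICAL"),
    finding_event("FAILED", "NEW", "HIGH"),
    finding_event("FAILED", "NEW", "MEDIUM"),
    finding_event("FAILED", "NEW", "LOW"),                          # below the severity list
    finding_event("PASSED", "NEW", "CRITICAL"),                     # not a violation
    finding_event("FAILED", "NOTIFIED", "CRITICAL"),                # already handled, not NEW
    finding_event("FAILED", "NEW", "CRITICAL", source="aws.config"),  # not a Security Hub event
]


def forwarded_labels(events, pattern=POST_PATTERN):
    """Severity labels of the events the rule would deliver to the SNS topic."""
    return [e["detail"]["findings"][0]["FindingProviderFields"]["Severity"]["Label"]
            for e in events if matches(pattern, e)]
```

Calling `forwarded_labels(SAMPLE_EVENTS, with_severities(["HIGH", "CRITICAL"]))` shows the effect of narrowing the Label list before you change the live rule.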
Summary
CloudWatch event rules provide a way to customize (filter) which Security Hub events are sent to the SNS topic (the target). It t