AWS Security Hub Integration

Summary

AWS Security Hub is an AWS service that helps teams analyze and prioritize security issues from different products and tools more quickly. You can now send Fugue findings to your AWS Security Hub instance. Some use cases include:

  • Route security events from AWS Security Hub to SIEMs or log management tools.

  • Streamline audits by layering in evidence from Fugue with other insights from AWS security tools.

Architecture

Fugue is a SaaS application that sends findings from a Fugue-owned AWS account to a customer's AWS Security Hub regional endpoint. Fugue uses an Amazon CloudWatch scheduled event (on a 5 minute interval) to trigger an AWS Lambda function that ingests new Fugue findings from an internal API and enqueues them to Amazon SQS. Amazon SQS then triggers a second AWS Lambda function that translates Fugue findings into the AWS Security Finding Format (ASFF), sends the formatted findings to the customer's AWS Security Hub regional endpoints, and records the successfully delivered findings in an RDS database.

[Image: integrations-aws-security-hub-architecture.png]

Integration Steps

  1. If your AWS account is managed by AWS Organizations, your administrator may have already configured a Security Hub administrator account and member accounts - which means that Security Hub may already be enabled. You can verify this by navigating to the Security Hub console and checking whether Security Hub is already enabled for a given region.

  2. If you need to set up AWS Security Hub manually, please follow these instructions from AWS. Please make a note of the region(s) that Security Hub is configured in.

  3. In the AWS console, navigate to the Security Hub service in the correct region, and select Integrations.

  4. Search for Fugue, and select Accept findings.

[Image: integrations-aws-security-hub.png]

  5. Reach out to Fugue support, and inform the team that you would like Fugue to send findings to your AWS Security Hub instance. Please be prepared to provide Fugue with the following:

  • Your Tenant ID

  • The region(s) in which you configured AWS Security Hub

Integration Considerations

  • Fugue sends findings to AWS Security Hub in batches at 5 minute intervals, so you should expect some delay between Fugue identifying a potential misconfiguration and the finding appearing in Security Hub.

  • Fugue supports AWS Security Hub in all regions except the following:

    • ap-northeast-3

    • ap-east-1

    • af-south-1

    • cn-north-1

    • cn-northwest-1

Findings Fields

Fugue maps Fugue findings to the following AWS Security Finding Format (ASFF) fields:

  • AwsAccountId: The AWS Account ID for the resource associated with the finding

  • Compliance/RelatedRequirements: Fugue writes the compliance controls associated with the finding, such as CIS-AWS_v1.2_3.1, to this field

  • Compliance/Status: This value is FAILED for all new findings

  • CreatedAt: The timestamp for when the Fugue finding was created

  • Description: A description of the rule that the resource failed, with information on its security relevance

  • GeneratorId: This maps to Fugue’s rule IDs, such as FG_R00023

  • Id: The Fugue finding ID

  • ProductArn: Fugue's AWS Security Hub product ARN: arn:aws:securityhub:<region>::product/fugue/fugue

  • ProductFields/ProviderName: Always set to Fugue

  • RecordState: Reflects the Fugue finding status, either open or closed

  • Remediation: Provides a link to Fugue documentation for a given rule with remediation steps

  • Resources/Id: Includes the resource ARN (or resource ID if ARN is not available) for the resource associated with the finding

  • Resources/Type: Provides the AWS format for the resource type, such as AWS::S3::Bucket

  • SchemaVersion: Hardcoded to 2018-10-08

  • Severity/Label: Maps directly to Fugue findings severity - either CRITICAL, HIGH, MEDIUM, LOW, or INFORMATIONAL

  • Title: A short summary of the rule associated with the finding

  • Types: Hardcoded as Software and Configuration Checks

  • UpdatedAt: The timestamp for when the Fugue finding was most recently updated
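As an added example (not Fugue's own code), the field mapping above written as a function that turns one Fugue finding into an ASFF record for a given Security Hub region, rejecting the unsupported regions listed under Integration Considerations and any severity outside the five ASFF labels. The Fugue-side key names (id, rule_id, controls, remediation_url and so on) and the sample values are assumptions constructed for illustration; only the ASFF side follows the list above.

```python
# Regions the page lists as unsupported for the Security Hub integration.
UNSUPPORTED_REGIONS = {"ap-northeast-3", "ap-east-1", "af-south-1",
                       "cn-north-1", "cn-northwest-1"}
SEVERITY_LABELS = {"CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL"}

# Constructed sample finding; the Fugue-side key names are assumptions.
SAMPLE_FUGUE_FINDING = {
    "id": "00000000-0000-0000-0000-000000000001",
    "account_id": "123456789012",
    "rule_id": "FG_R00023",
    "title": "S3 bucket versioning should be enabled",
    "description": "Versioning protects objects from accidental deletion.",
    "severity": "High",
    "status": "open",
    "controls": ["CIS-AWS_v1.2_3.1"],
    "resource_id": "arn:aws:s3:::example-bucket",
    "resource_type": "AWS::S3::Bucket",
    "remediation_url": "https://example.invalid/rules/FG_R00023",  # placeholder
    "created_at": "2023-11-14T22:13:20Z",
    "updated_at": "2023-11-14T23:13:20Z",
}

def to_asff(finding, region):
    """Translate one Fugue finding into an ASFF record for a Security Hub region."""
    if region in UNSUPPORTED_REGIONS:
        raise ValueError(f"Security Hub integration is not supported in {region}")
    label = finding["severity"].upper()
    if label not in SEVERITY_LABELS:
        raise ValueError(f"unexpected severity {finding['severity']!r}")
    return {
        "SchemaVersion": "2018-10-08",
        "Id": finding["id"],
        "ProductArn": f"arn:aws:securityhub:{region}::product/fugue/fugue",
        "GeneratorId": finding["rule_id"],
        "AwsAccountId": finding["account_id"],
        "Types": ["Software and Configuration Checks"],
        "CreatedAt": finding["created_at"],
        "UpdatedAt": finding["updated_at"],
        "Severity": {"Label": label},
        "Title": finding["title"],
        "Description": finding["description"],
        "Remediation": {"Recommendation": {"Url": finding["remediation_url"]}},
        "ProductFields": {"ProviderName": "Fugue"},
        "Resources": [{"Id": finding["resource_id"], "Type": finding["resource_type"]}],
        "Compliance": {"Status": "FAILED", "RelatedRequirements": list(finding["controls"])},
        # ASFF only accepts ACTIVE or ARCHIVED here, so open/closed is mapped onto them.
        "RecordState": "ACTIVE" if finding["status"] == "open" else "ARCHIVED",
    }
```

The returned dict is shaped for the Findings list that Security Hub's BatchImportFindings API accepts, which is how a delivery Lambda would hand it over.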