GuardDuty and Security Hub are useful tools for keeping your AWS infrastructure secure: GuardDuty detects threats from account and network activity, and Security Hub aggregates findings and checks your configuration against security standards.
Enable Security Hub
Enabling Security Hub is straightforward: open the Security Hub console and enable it.
For more details follow this documentation
Enable GuardDuty
Go to the GuardDuty console and enable GuardDuty.
For more details follow this documentation
Configure Slack notifications for Security Hub and GuardDuty findings
Architectural Diagram of the Solution:
I will show you a Terraform module that creates a Slack notification stack for your Security Hub and GuardDuty findings, as shown in the diagram above.
Now define the module like this:
provider "aws" {
  region = "eu-west-1"
  # Do not put access_key / secret_key here: hardcoded keys end up in version
  # control. Omit them and the provider uses the default credential chain
  # (environment variables, shared credentials/config file, or an attached role).
}

module "security-hub-to-slack" {
  source             = "git@github.com:noyonict/Security-hub-to-slack.git"
  # Treat the webhook URL as a secret: anyone holding it can post to the channel.
  IncomingWebHookURL = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"
  SlackChannel       = "security_alerts"
}
IncomingWebHookURL (required): the Incoming Webhook URL of your Slack app. To create one, follow this doc. It has the form https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX. Treat it as a secret: anyone who has the URL can post messages to the channel, so keep it out of version control.
SlackChannel: the Slack channel name. Default: security_alerts
Note: Terraform version >= 0.12 is required. You can provide AWS access details in the provider block, or omit them and the provider will use the default credential configuration.
Then open a terminal in the directory containing the module definition and run:
terraform init
terraform plan
The plan should end with:
Plan: 12 to add, 0 to change, 0 to destroy.
Review the plan, then apply it. Note that -auto-approve skips the interactive confirmation, so only use it once you have checked the plan:
terraform apply -auto-approve
You will see this message:
Apply complete! Resources: 12 added, 0 changed, 0 destroyed.
It creates an IAM role, a CloudWatch Logs log group, two EventBridge rules (one for GuardDuty findings and one for Security Hub findings), and a Lambda function that sends the notification to the Slack channel using the webhook URL.
IAM role:
CloudWatch Log groups:
EventBridge Rules:
Lambda function:
This Lambda function sends every Security Hub and GuardDuty finding to the Slack channel using the Incoming Webhook URL.
You will then see the Security Hub and GuardDuty findings/alerts in Slack:
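To make the Lambda step concrete, here is an added example of such a notifier in Python. It is not the Security-hub-to-slack module's own Lambda code. It assumes the webhook URL and channel arrive as Lambda environment variables (the names SLACK_WEBHOOK_URL, SLACK_CHANNEL and ALERT_LABELS are chosen here), it parses the two event shapes the EventBridge rules deliver (GuardDuty sends one finding per event, Security Hub batches ASFF findings under detail.findings), maps GuardDuty's numeric severity bands to Security Hub style labels, and drops findings below a configurable severity so the channel is not flooded with LOW and INFORMATIONAL noise. The sample events at the bottom are constructed; only their field layout follows the AWS docs.

```python
# Slack notifier for GuardDuty / Security Hub findings delivered by EventBridge.
# Added example, not the Security-hub-to-slack module's own Lambda code; the
# environment variable names and the default severity filter are assumptions.
import json
import os
import urllib.request

WEBHOOK_URL = os.environ.get("SLACK_WEBHOOK_URL", "")  # from Terraform, never in source
SLACK_CHANNEL = os.environ.get("SLACK_CHANNEL", "security_alerts")
# Only findings with these severity labels are forwarded (assumed default).
ALERT_LABELS = set(os.environ.get("ALERT_LABELS", "MEDIUM,HIGH,CRITICAL").split(","))
COLORS = {"CRITICAL": "#8b0000", "HIGH": "#d00000", "MEDIUM": "#ff9900",
          "LOW": "#2eb886", "INFORMATIONAL": "#439fe0"}


def guardduty_label(severity):
    """Map GuardDuty's numeric severity bands to a Security Hub style label."""
    if severity >= 9.0:
        return "CRITICAL"
    if severity >= 7.0:
        return "HIGH"
    if severity >= 4.0:
        return "MEDIUM"
    return "LOW"


def extract_findings(event):
    """Normalise one EventBridge event (either source) into uniform finding dicts."""
    source = event.get("source")
    detail = event.get("detail", {})
    if source == "aws.guardduty":  # detail-type "GuardDuty Finding": one finding per event
        return [{"service": "GuardDuty",
                 "label": guardduty_label(float(detail.get("severity", 0))),
                 "title": detail.get("title", "GuardDuty finding"),
                 "account": detail.get("accountId", "unknown"),
                 "region": detail.get("region", "unknown"),
                 "id": detail.get("id", "")}]
    if source == "aws.securityhub":  # "Security Hub Findings - Imported": ASFF batch
        return [{"service": "Security Hub",
                 "label": f.get("Severity", {}).get("Label", "INFORMATIONAL"),
                 "title": f.get("Title", "Security Hub finding"),
                 "account": f.get("AwsAccountId", "unknown"),
                 "region": f.get("Region", "unknown"),
                 "id": f.get("Id", "")} for f in detail.get("findings", [])]
    return []  # any other source means the EventBridge rule pattern is too broad


def build_slack_message(finding):
    """Build an Incoming Webhook payload with a severity-coloured attachment."""
    return {"channel": SLACK_CHANNEL,
            "text": "*{service} {label}*: {title}".format(**finding),
            "attachments": [{
                "color": COLORS.get(finding["label"], "#439fe0"),
                "fields": [
                    {"title": "Account", "value": finding["account"], "short": True},
                    {"title": "Region", "value": finding["region"], "short": True},
                    {"title": "Finding ID", "value": finding["id"], "short": False}]}]}


def post_to_slack(payload):
    """POST the payload to the Incoming Webhook; urlopen raises on a non-2xx reply."""
    req = urllib.request.Request(WEBHOOK_URL, data=json.dumps(payload).encode("utf-8"),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def lambda_handler(event, context=None, sender=post_to_slack):
    """Lambda entry point: filter by label, send one message per finding, return the count."""
    sent = 0
    for finding in extract_findings(event):
        if finding["label"] in ALERT_LABELS:
            sender(build_slack_message(finding))  # sender is injectable for offline tests
            sent += 1
    return sent


# Constructed sample events: layout follows the EventBridge/ASFF docs, values are made up.
SAMPLE_GUARDDUTY_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"id": "gd-example-1", "severity": 8.0, "accountId": "111111111111",
               "region": "eu-west-1",
               "title": "Credentials for an instance role were used from an external IP."}}
SAMPLE_SECURITYHUB_EVENT = {
    "source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Id": "sh-example-1", "Title": "S3 buckets should prohibit public read access",
         "AwsAccountId": "111111111111", "Region": "eu-west-1",
         "Severity": {"Label": "CRITICAL", "Normalized": 90}},
        {"Id": "sh-example-2", "Title": "VPC flow logging should be enabled",
         "AwsAccountId": "111111111111", "Region": "eu-west-1",
         "Severity": {"Label": "LOW", "Normalized": 10}}]}}

if __name__ == "__main__":
    captured = []  # stand-alone run: capture payloads instead of posting them
    for ev in (SAMPLE_GUARDDUTY_EVENT, SAMPLE_SECURITYHUB_EVENT):
        lambda_handler(ev, sender=captured.append)
    print(json.dumps(captured, indent=2))  # two of the three findings pass the filter
```

The two branches in extract_findings mirror what the two EventBridge rules match on: source aws.guardduty with detail-type "GuardDuty Finding", and source aws.securityhub with detail-type "Security Hub Findings - Imported". Keeping the webhook in an environment variable (or a Secrets Manager / SSM parameter read at cold start) rather than in the function source means a leaked repository does not leak the ability to post into your alerting channel.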
Summary
In this post, I showed a Terraform module that configures a Slack notification stack for Security Hub and GuardDuty findings.
With this stack in place you can see the security state of your organization's accounts in Slack and act on it.
Security Hub findings also include remediation guidance; follow those steps to fix the issues they report.
To learn more about SecurityHub follow this doc
To learn more about GuardDuty follow this doc
Thanks for reading! Happy Cloud Computing!
Connect with me: Linkedin