DEV Community

Cover image for Enable AWS Security Hub, GuardDuty and Slack Notification Stack
Md Mohaymenul Islam (Noyon)
Md Mohaymenul Islam (Noyon)

Posted on

Enable AWS Security Hub, GuardDuty and Slack Notification Stack

GuardDuty and Security Hub are great tools to maintain your AWS infrastructure securely.

Enable Security Hub

Enabling Security Hub is very easy. Just go to the security Hub console and enable.
For more details follow this documentation

Enable GuardDuty

Go to the GuardDuty console and enable GuardDuty.
For more details follow this documentation

Configure slack notification from Security Hub & GuardDuty Findings

Architectural Diagram of the Solution:
Image description

I will show you a Terraform Module which helps you to create a Slack notification stack for your SecurityHub and DuardDuty Findings as per the above diagram.

Now define the module like this:

provider "aws" {
  region     = "eu-west-1"
  access_key = "AWS-ACCESS-KEY"
  secret_key = "AWS-SECRET-ACCESS-KEY"
}


module "security-hub-to-slack" {
  source             = "git@github.com:noyonict/Security-hub-to-slack.git"
  IncomingWebHookURL = "https://hooks.slack.com/services/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"
  SlackChannel       = "security_alerts"
}
Enter fullscreen mode Exit fullscreen mode

IncomingWebHookURL*: Incoming Webhook URL for slack app. To create follow this Doc. For example: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX

SlackChannel: Slack Chennel Name. Default: security_alerts

Note: Required Terraform version >= 0.12 and also you can provide the AWS access details or it will using the default configuration.

Then open Terminal in the Module location:

terraform init

terraform plan
Plan: 12 to add, 0 to change, 0 to destroy.

terraform apply --auto-approve

You will see this message:

Apply complete! Resources: 12 added, 0 changed, 0 destroyed.

It will create a IAM role, a CloudWatch Log groups, two EventBridge Rules one for GuardDuty and another one for SecurityHub and also a lambda function which will send the notification to the Slack chennel using the webhook URL.

IAM role:

Image description

CloudWatch Log groups:

Image description

EventBridge Rules:

Image description

Lambda function:

Image description

This lambda function will send every SecurityHub and GuardDuty findings to Slack Chennel by using the Incoming web hook URL.

Then you will see the SecurityHub and GuardDuty findings/alerts on Slack

Image description

Summary

In this post, I showed “A terraform module which help you to configure a Slack notification stack from SecurityHub and GuardDuty Findings”.

By configuring this Slack notification stack you will see your Organizations/Accounts security state in Slack. You can take action based on that.
Also, SecurithHud Remediation helps you to fix the issues you have. You just need to follow those steps to fix the issues.

To learn more about SecurityHub follow this doc

To learn more about GuardDuty follow this doc

Thanks for reading! Happy Cloud Computing!

Connect with me: Linkedin

Discussion (0)