Security Hub Findings
Ingests findings from AWS Security Hub for continuous monitoring and analysis.
Details
The AWS Security Hub input collects findings from the AWS Security Hub service. These findings provide insights into the security posture of your AWS environment, helping you identify and remediate potential security issues.
The input processes messages from an Amazon SQS queue that EventBridge fills with Security Hub findings. SQS buffers the findings between polls, so findings are not lost if the input is briefly unavailable: they stay on the queue until they are consumed or the queue's retention period expires.
Prerequisites
- AWS Security Hub must be enabled in your AWS account.
- You must configure an EventBridge rule to send Security Hub findings to an SQS queue.
- Create an IAM role that Monad can assume, granting it the necessary permissions to access the SQS queue.
Setup Instructions
Note: Skip to Step 4 if you prefer the CloudFormation method, which creates the queue, the EventBridge rule and the IAM role in one stack.
Step 1: Create an SQS Queue
- Sign in to the AWS Management Console.
- Navigate to the Amazon SQS service.
- Click Create queue.
- Select Standard queue type.
- Enter a name for your queue (e.g., security-hub-findings-queue).
- Keep the default settings or adjust as needed. (A retention period of 14 days is recommended.)
- Click Create queue.
- Note the queue URL for later use in the configuration.
Step 2: Set Up EventBridge Rule
- Navigate to the Amazon EventBridge service.
- Click on Rules in the left navigation panel.
- Click Create rule.
- Under Define rule detail:
- Enter a name (e.g., security-hub-findings-rule).
- Optionally add a description.
- For Rule type, select Rule with an event pattern.
- Click Next.
- Under Build event pattern:
- For Event source, select AWS services.
- For AWS service, select Security Hub.
- For Event type, select Security Hub Findings - Imported.
- Optionally, add filters for specific findings:
- To filter by severity, select specific values under Specific Severity Label(s).
- To filter by other criteria, expand the Additional settings section.
- Click Next.
- Under Select targets:
- From the Target types dropdown, select AWS service.
- From the Select a target dropdown, choose SQS queue.
- For Queue, select the queue you created in Step 1.
- Click Next.
- Skip tags configuration by clicking Next.
- Review your configuration and click Create rule.
Step 3: Create IAM Role for Access
- Follow the IAM Role Setup Guide in the main AWS documentation and attach the permissions shown below to the role. You can also create an IAM user and use static credentials instead, but a role is recommended: the credentials Monad obtains by assuming it are short-lived, and no long-lived secret has to be stored.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:GetQueueAttributes"
      ],
      "Resource": "[SQS-QUEUE-ARN]"
    }
  ]
}
```

- Replace [SQS-QUEUE-ARN] with the ARN of your SQS queue, so the role can read this one queue and nothing else.
- Give the role a name (e.g., SecurityHubFindingsRole).
- Click Create role.
- Note the ARN of the created role for later use in the configuration.
Step 4: CloudFormation Template (Optional)
If you prefer to deploy the entire solution using CloudFormation, you can use the following template:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Security Hub to EventBridge to SQS Integration'
Parameters:
  QueueName:
    Type: String
    Default: security-hub-findings-queue
    Description: Name of the SQS queue
  RuleName:
    Type: String
    Default: security-hub-findings-rule
    Description: Name of the EventBridge rule
  MonadRoleName:
    Type: String
    Description: Role name that Monad will use to access the SQS queue
Resources:
  SecurityHubFindingsQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: !Ref QueueName
      MessageRetentionPeriod: 1209600 # 14 days, in seconds
  SecurityHubFindingsQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref SecurityHubFindingsQueue
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sqs:SendMessage
            Resource: !GetAtt SecurityHubFindingsQueue.Arn
            Condition:
              # Only this rule may write to the queue; without the condition any
              # EventBridge rule that knows the queue ARN could inject messages.
              ArnEquals:
                aws:SourceArn: !GetAtt SecurityHubFindingsRule.Arn
  SecurityHubFindingsRule:
    Type: AWS::Events::Rule
    Properties:
      Name: !Ref RuleName
      Description: Rule to forward Security Hub findings to SQS
      EventPattern:
        source:
          - aws.securityhub
        detail-type:
          - Security Hub Findings - Imported
      State: ENABLED
      Targets:
        - Id: SendToSQS
          Arn: !GetAtt SecurityHubFindingsQueue.Arn
  SecurityHubFindingsRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref MonadRoleName
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::339712996529:role/monad-app
            Action:
              - sts:AssumeRole
              - sts:TagSession
      Policies:
        - PolicyName: SQSAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - sqs:ReceiveMessage
                  - sqs:DeleteMessage
                  - sqs:GetQueueAttributes
                Resource: !GetAtt SecurityHubFindingsQueue.Arn
Outputs:
  QueueURL:
    Description: URL of the SQS queue (the Queue URL setting below)
    Value: !Ref SecurityHubFindingsQueue
  RoleARN:
    Description: ARN of the IAM role (the Role ARN setting below)
    Value: !GetAtt SecurityHubFindingsRole.Arn
```
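The same procedure as a script, as an added example that is not Monad's or AWS's own code: the pure functions build the event pattern and the three policy documents the console steps ask you to enter, and provision() applies them with boto3 in the order the steps use. The queue, rule and role names and the Monad principal ARN are the ones the CloudFormation template above uses; the optional severity filter mirrors the console's "Specific Severity Label(s)" option and is an assumption about what you want to forward. The aws:SourceArn condition on the queue policy is the security-relevant part: it is what stops a rule in some other account from writing fabricated findings into your queue.

```python
"""Steps 1-3 as a boto3 script (added example; not Monad's or AWS's code)."""
import json


def event_pattern(severity_labels=None) -> dict:
    """EventBridge pattern for imported Security Hub findings.

    With severity_labels set, only findings whose Severity.Label is in the set
    are forwarded; EventBridge applies the pattern to each element of
    detail.findings.
    """
    pattern = {
        "source": ["aws.securityhub"],
        "detail-type": ["Security Hub Findings - Imported"],
    }
    if severity_labels:
        pattern["detail"] = {"findings": {"Severity": {"Label": sorted(severity_labels)}}}
    return pattern


def queue_policy(queue_arn: str, rule_arn: str) -> dict:
    """Allow EventBridge to send to the queue, but only on behalf of this rule.

    Without the aws:SourceArn condition, any EventBridge rule in any account
    that learns the queue ARN could push fake "findings" (confused deputy).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "events.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {"ArnEquals": {"aws:SourceArn": rule_arn}},
        }],
    }


def consumer_policy(queue_arn: str) -> dict:
    """Least privilege for the role Monad assumes: read and acknowledge this
    one queue. No sqs:SendMessage and no wildcard resource."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
            "Resource": queue_arn,
        }],
    }


def trust_policy(monad_principal_arn: str) -> dict:
    """Only the named Monad principal may assume the role (and tag the session)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": monad_principal_arn},
            "Action": ["sts:AssumeRole", "sts:TagSession"],
        }],
    }


def provision(session, queue_name, rule_name, role_name, monad_principal_arn,
              severity_labels=None) -> dict:
    """Create queue, rule, target and role. `session` is a boto3.Session and is
    the only thing here that talks to AWS, so the builders above test offline."""
    sqs, events, iam = session.client("sqs"), session.client("events"), session.client("iam")
    queue_url = sqs.create_queue(
        QueueName=queue_name,
        Attributes={"MessageRetentionPeriod": "1209600"},  # 14 days, in seconds
    )["QueueUrl"]
    queue_arn = sqs.get_queue_attributes(
        QueueUrl=queue_url, AttributeNames=["QueueArn"])["Attributes"]["QueueArn"]
    rule_arn = events.put_rule(
        Name=rule_name, EventPattern=json.dumps(event_pattern(severity_labels)),
        State="ENABLED")["RuleArn"]
    # The queue policy needs the rule ARN, so set it after the rule exists and
    # before the target is attached.
    sqs.set_queue_attributes(
        QueueUrl=queue_url, Attributes={"Policy": json.dumps(queue_policy(queue_arn, rule_arn))})
    events.put_targets(Rule=rule_name, Targets=[{"Id": "SendToSQS", "Arn": queue_arn}])
    role_arn = iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(trust_policy(monad_principal_arn)))["Role"]["Arn"]
    iam.put_role_policy(
        RoleName=role_name, PolicyName="SQSAccess",
        PolicyDocument=json.dumps(consumer_policy(queue_arn)))
    return {"QueueURL": queue_url, "RoleARN": role_arn}  # the two values Monad needs


if __name__ == "__main__":
    import boto3  # only needed for the live run

    print(provision(
        boto3.Session(region_name="us-east-1"),  # assumed region
        "security-hub-findings-queue", "security-hub-findings-rule",
        "SecurityHubFindingsRole", "arn:aws:iam::339712996529:role/monad-app",
        severity_labels={"HIGH", "CRITICAL"}))
```

Run it with credentials that may create SQS, EventBridge and IAM resources in the target account; it prints the Queue URL and Role ARN to paste into the configuration. Leave severity_labels unset to forward every imported finding, as the CloudFormation template does.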
Configuration
The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below.
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| Queue URL | string | Yes | The URL of the SQS queue to be used for AWS Security Hub integration. |
| Role ARN | string | Yes | The ARN of the IAM role to assume for accessing the SQS queue. |
| Region | string | Yes | The AWS region where the SQS queue and Security Hub are located. |
| Cron | string | Yes | Cron expression for scheduling the input. |
Secrets (Static Credentials Only)
| Setting | Type | Required | Description |
|---|---|---|---|
| Access Key | string | Conditional | AWS Access Key ID |
| Secret Key | string | Conditional | AWS Secret Access Key |
⚠️ Authentication: Choose either Role ARN (recommended) or static credentials. See AWS Authentication Guide for setup instructions.
Troubleshooting
- If no findings are being received, check that Security Hub is enabled in the region you configured and is actually producing findings (the Findings page in the Security Hub console).
- Verify that the EventBridge rule is enabled and matching: its CloudWatch metrics in the AWS/Events namespace (MatchedEvents, Invocations, FailedInvocations) show whether events reach the target. FailedInvocations with an empty queue usually means the queue policy is wrong.
- Ensure the SQS queue policy allows events.amazonaws.com to perform sqs:SendMessage on the queue, and that its aws:SourceArn condition names the rule you created; a rule in another account or region cannot satisfy it.
- Check IAM: the role's trust policy must allow Monad's principal to call sts:AssumeRole (and sts:TagSession), and the role's permissions must cover sqs:ReceiveMessage, sqs:DeleteMessage and sqs:GetQueueAttributes on the queue ARN. If the queue's ApproximateNumberOfMessages keeps growing while the input reports nothing, this step is the usual cause.
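What the input does with a message once it is on the queue, as an added example that is not Monad's own code: long-poll the queue, check that each message is really a "Security Hub Findings - Imported" event from aws.securityhub, unwrap the EventBridge envelope into the bare ASFF findings (the shape shown in the Sample Record below), drop archived or suppressed findings, and delete a message only after its findings were handed on. It is also a quick way to look at what is actually on the queue while troubleshooting. The envelope and findings are constructed for the example, FakeSqs stands in for the boto3 SQS client so it runs offline, and the role and queue values in the live section at the end are placeholders.

```python
"""Consume Security Hub findings from the SQS queue (added example; not Monad's code)."""
import json

SOURCE = "aws.securityhub"
DETAIL_TYPE = "Security Hub Findings - Imported"


def unwrap_findings(body: str) -> list[dict]:
    """Return the ASFF findings carried by one EventBridge -> SQS message body.

    EventBridge wraps them as {"source": "aws.securityhub", "detail-type":
    "Security Hub Findings - Imported", "detail": {"findings": [...]}}. Anything
    else (wrong source, malformed JSON) is rejected so a stray message can
    never be taken for a finding.
    """
    try:
        event = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"message body is not JSON: {exc}") from exc
    if not isinstance(event, dict) or event.get("source") != SOURCE \
            or event.get("detail-type") != DETAIL_TYPE:
        raise ValueError(f"not a Security Hub event: {body[:80]!r}")
    findings = event.get("detail", {}).get("findings")
    if not isinstance(findings, list):
        raise ValueError("event has no detail.findings list")
    return findings


def is_actionable(finding: dict) -> bool:
    """Keep live findings nobody has resolved or suppressed yet."""
    return (finding.get("RecordState") == "ACTIVE"
            and finding.get("Workflow", {}).get("Status") in ("NEW", "NOTIFIED"))


def drain(sqs, queue_url: str, max_batches: int = 10) -> list[dict]:
    """Long-poll the queue and return the actionable findings it held.

    A message is deleted only after its findings were returned; a message that
    fails to parse is left alone, reappears after the visibility timeout, and
    should end up in a dead-letter queue if you configure one.
    """
    findings = []
    for _ in range(max_batches):
        resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10,
                                   WaitTimeSeconds=20)
        messages = resp.get("Messages", [])
        if not messages:
            break
        for msg in messages:
            try:
                batch = unwrap_findings(msg["Body"])
            except ValueError as exc:
                print(f"skipping message {msg.get('MessageId')}: {exc}")
                continue
            findings.extend(f for f in batch if is_actionable(f))
            sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=msg["ReceiptHandle"])
    return findings


# Constructed sample bodies: one real-looking envelope with two findings, and
# one event from a different service that must be rejected.
SAMPLE_EVENT = json.dumps({
    "version": "0", "source": SOURCE, "detail-type": DETAIL_TYPE,
    "account": "123456789012", "region": "us-east-1",
    "detail": {"findings": [
        {"Id": "finding-1", "Title": "IAM users should have MFA enabled",
         "Severity": {"Label": "MEDIUM"}, "RecordState": "ACTIVE",
         "Workflow": {"Status": "NEW"}},
        {"Id": "finding-2", "Title": "EBS snapshots should not be public",
         "Severity": {"Label": "CRITICAL"}, "RecordState": "ARCHIVED",
         "Workflow": {"Status": "SUPPRESSED"}},
    ]},
})
FOREIGN_EVENT = json.dumps({"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
                            "detail": {"state": "running"}})


class FakeSqs:
    """Constructed stand-in for the boto3 SQS client so the example runs offline."""

    def __init__(self, bodies):
        self.messages = [{"MessageId": str(i), "ReceiptHandle": f"rh-{i}", "Body": b}
                         for i, b in enumerate(bodies)]
        self.deleted = []

    def receive_message(self, QueueUrl, MaxNumberOfMessages=1, WaitTimeSeconds=0, **_):
        batch, self.messages = self.messages[:MaxNumberOfMessages], self.messages[MaxNumberOfMessages:]
        return {"Messages": batch} if batch else {}

    def delete_message(self, QueueUrl, ReceiptHandle):
        self.deleted.append(ReceiptHandle)


if __name__ == "__main__":
    import boto3  # live run only: assume the role from Step 3, then poll

    ROLE_ARN = "arn:aws:iam::123456789012:role/SecurityHubFindingsRole"  # placeholder
    QUEUE_URL = "https://sqs.us-east-1.amazonaws.com/123456789012/security-hub-findings-queue"  # placeholder
    creds = boto3.client("sts").assume_role(RoleArn=ROLE_ARN, RoleSessionName="securityhub-drain")["Credentials"]
    sqs = boto3.client("sqs", region_name="us-east-1", aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"], aws_session_token=creds["SessionToken"])
    for f in drain(sqs, QUEUE_URL):
        print(f["Severity"]["Label"], f["Id"], f["Title"])
```

Run offline, drain(FakeSqs([SAMPLE_EVENT, "not json", FOREIGN_EVENT]), ...) returns only finding-1 and deletes only the first message; the other two stay on the queue, which is the behaviour you want for anything that is not a genuine finding.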
Sample Record
One record as emitted by the input: a single finding in AWS Security Finding Format (ASFF).

```json
{
  "AwsAccountId": "112233445566",
  "CompanyName": "AWS",
  "Compliance": {
    "AssociatedStandards": [
      {
        "StandardsId": "standards/pci-dss/v/3.2.1"
      }
    ],
    "SecurityControlId": "EC2.17",
    "Status": "WARNING",
    "StatusReasons": [
      {
        "Description": "This finding has failed because the resource does not meet the requirements specified in the control.",
        "ReasonCode": "CONFIG_RETURNS_NOT_APPLICABLE"
      },
      {
        "Description": "The resource has been deleted and is no longer applicable for evaluation.",
        "ReasonCode": "RESOURCE_DELETED"
      }
    ]
  },
  "CreatedAt": "2025-08-11T23:46:55.947013Z",
  "Description": "This control checks whether IAM users have MFA enabled.",
  "FindingProviderFields": {
    "Severity": {
      "Label": "CRITICAL",
      "Normalized": 1,
      "Original": "INFORMATIONAL"
    },
    "Types": [
      "Software and Configuration Checks/Industry and Regulatory Standards"
    ]
  },
  "FirstObservedAt": "2025-08-11T23:46:55.949987Z",
  "GeneratorId": "security-control/S3.1",
  "Id": "arn:aws:securityhub:us-west-2:123456789012:security-control/EC2.2/finding/1a8d732e-cd2a-3124-5148-e03df4946843",
  "LastObservedAt": "2025-08-11T23:46:55.950069Z",
  "ProcessedAt": "2025-08-11T23:46:55.950072Z",
  "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub",
  "ProductFields": {
    "ArchivalReasons:0/Description": "The control has been suppressed by an administrator.",
    "ArchivalReasons:0/ReasonCode": "RESOURCE_DELETED",
    "RelatedAWSResources:0/name": "securityhub-ebs-snapshot-public-restorable-check-17110ed4-30db-6363-1608-5fdbb8fb0502",
    "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
    "Resources:0/Id": "arn:aws:iam:ap-southeast-1:123456789012:instance/i-66bfd545-8c8e-f9e7-baaa-f9405332a8c5",
    "aws/securityhub/CompanyName": "Amazon Web Services",
    "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:security-control/EC2.17/finding/99238ac1-5f0e-1a8a-8280-210c5e1dde06",
    "aws/securityhub/ProductName": "Security Hub",
    "aws/securityhub/annotation": "This finding has a compliance status of NOT AVAILABLE because AWS Config sent Security Hub a finding with a compliance state of Not Applicable."
  },
  "ProductName": "Security Hub",
  "RecordState": "ARCHIVED",
  "Region": "eu-west-1",
  "Remediation": {
    "Recommendation": {
      "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
      "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation"
    }
  },
  "Resources": [
    {
      "Id": "arn:aws:iam:ap-southeast-1:112233445566:bucket/256cc1b5-4c81-1736-f90c-77202bd79b5a",
      "Partition": "aws",
      "Region": "eu-west-1",
      "Type": "AwsS3Bucket"
    }
  ],
  "SchemaVersion": "2018-10-08",
  "Severity": {
    "Label": "MEDIUM",
    "Normalized": 0,
    "Original": "INFORMATIONAL"
  },
  "Title": "IAM users should have MFA enabled",
  "Types": [
    "TTPs/Initial Access/Execution"
  ],
  "UpdatedAt": "2025-08-11T23:46:55.950605Z",
  "Workflow": {
    "Status": "SUPPRESSED"
  },
  "WorkflowState": "NEW"
}
```