Ingests findings from AWS Security Hub for continuous monitoring and analysis.
Details
The AWS Security Hub input collects findings from the AWS Security Hub service. These findings provide insights into the security posture of your AWS environment, helping you identify and remediate potential security issues.
The input processes messages from an Amazon SQS queue that is configured to receive findings from AWS Security Hub via EventBridge. It ensures reliable and efficient ingestion of findings for further analysis.
Prerequisites
AWS Security Hub must be enabled in your AWS account.
You must configure an EventBridge rule to send Security Hub findings to an SQS queue.
Create an IAM role that Monad can assume, granting it the necessary permissions to access the SQS queue.
Setup Instructions
Note: Skip to Step 4 if you prefer the CloudFormation method.
Step 1: Create an SQS Queue
Sign in to the AWS Management Console.
Navigate to the Amazon SQS service.
Click Create queue.
Select Standard queue type.
Enter a name for your queue (e.g., security-hub-findings-queue).
Keep the default settings or adjust as needed. (A message retention period of 14 days is recommended.)
Click Create queue.
Note the queue URL for later use in the configuration.
Step 2: Set Up EventBridge Rule
Navigate to the Amazon EventBridge service.
Click on Rules in the left navigation panel.
Click Create rule.
Under Define rule detail:
Enter a name (e.g., security-hub-findings-rule).
Optionally add a description.
For Rule type, select Rule with an event pattern.
Click Next.
Under Build event pattern:
For Event source, select AWS services.
For AWS service, select Security Hub.
For Event type, select Security Hub Findings - Imported.
Optionally, add filters for specific findings:
To filter by severity, select specific values under Specific Severity Label(s).
To filter by other criteria, expand the Additional settings section.
Click Next.
Under Select targets:
From the Target types dropdown, select AWS service.
From the Select a target dropdown, choose SQS queue.
For Queue, select the queue you created in Step 1.
Click Next.
Skip tags configuration by clicking Next.
Review your configuration and click Create rule.
Step 3: Create IAM Role for Access
Follow the IAM Role Setup Guide in the main AWS documentation and attach the permissions shown below to the role. You can also create an IAM user and use static credentials instead.
Replace [SQS-QUEUE-ARN] with the ARN of your SQS queue.
Give the role a name (e.g., SecurityHubFindingsRole).
Click Create role.
Note the ARN of the created role for later use in the configuration.
Step 4: CloudFormation Template (Optional)
If you prefer to deploy the entire solution using CloudFormation, you can use the following template:
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Security Hub to EventBridge to SQS Integration'
Parameters:
  QueueName:
    Type: String
    Default: security-hub-findings-queue
    Description: Name of the SQS queue
  RuleName:
    Type: String
    Default: security-hub-findings-rule
    Description: Name of the EventBridge rule
  MonadRoleName:
    Type: String
    Description: Role name that Monad will use to access the SQS queue
    # Declared but not referenced by the resources below; the role keeps a generated name
Resources:
  SecurityHubFindingsQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: !Ref QueueName
      MessageRetentionPeriod: 1209600  # 14 days, in seconds
  SecurityHubFindingsQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref SecurityHubFindingsQueue
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Only EventBridge, and only this rule, may send messages to the queue
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sqs:SendMessage
            Resource: !GetAtt SecurityHubFindingsQueue.Arn
            Condition:
              ArnEquals:
                aws:SourceArn: !GetAtt SecurityHubFindingsRule.Arn
  SecurityHubFindingsRule:
    Type: AWS::Events::Rule
    Properties:
      Name: !Ref RuleName
      Description: Rule to forward Security Hub findings to SQS
      EventPattern:
        source:
          - aws.securityhub
        detail-type:
          - Security Hub Findings - Imported
      State: ENABLED
      Targets:
        - Id: SendToSQS
          Arn: !GetAtt SecurityHubFindingsQueue.Arn
  SecurityHubFindingsRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::339712996529:role/monad-app
            Action:
              - sts:AssumeRole
              - "sts:TagSession"
      Policies:
        - PolicyName: SQSAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Least privilege: read, delete and inspect attributes of this queue only
              - Effect: Allow
                Action:
                  - sqs:ReceiveMessage
                  - sqs:DeleteMessage
                  - sqs:GetQueueAttributes
                Resource: !GetAtt SecurityHubFindingsQueue.Arn
Outputs:
  QueueURL:
    Description: URL of the SQS queue
    Value: !Ref SecurityHubFindingsQueue
  RoleARN:
    Description: ARN of the IAM role
    Value: !GetAtt SecurityHubFindingsRole.Arn
Configuration
The input is configured with the following settings. Each setting's type, whether it is required, and its description are listed below.
Settings
Setting | Type | Required | Description
Queue URL | string | Yes | The URL of the SQS queue to be used for AWS Security Hub integration.
Role ARN | string | Yes | The ARN of the IAM role to assume for accessing the SQS queue.
Region | string | Yes | The AWS region where the SQS queue and Security Hub are located.
Cron | string | Yes | Cron expression for scheduling the input.
Secrets (Static Credentials Only)
Setting | Type | Required | Description
Access Key | string | Conditional | AWS Access Key ID
Secret Key | string | Conditional | AWS Secret Access Key
⚠️ Authentication: Choose either Role ARN (recommended) or static credentials. See AWS Authentication Guide for setup instructions.
Troubleshooting
If no findings are being received, check that Security Hub is properly configured and generating findings.
Verify that the EventBridge rule is correctly configured to capture Security Hub findings.
Ensure the SQS queue policy allows EventBridge to send messages to the queue.
Check IAM permissions to ensure Monad can assume the role and the role has appropriate permissions for the SQS queue.
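An added example (not Monad's code and not part of the original page) that checks two of the points above offline: it verifies that a queue policy shaped like the template's allows EventBridge, and only the expected rule, to send to the queue, and it unwraps a raw SQS message body into the fields to triage first. It assumes EventBridge's documented envelope for Security Hub Findings - Imported, where detail.findings carries the ASFF records; the ARNs, account id and message body are constructed.

```python
import json

# Constructed sample values mirroring the CloudFormation template on this page;
# the account id and queue/rule names are placeholders, not real resources.
QUEUE_ARN = "arn:aws:sqs:eu-west-1:111122223333:security-hub-findings-queue"
RULE_ARN = "arn:aws:events:eu-west-1:111122223333:rule/security-hub-findings-rule"
SAMPLE_QUEUE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "events.amazonaws.com"},
    "Action": "sqs:SendMessage", "Resource": QUEUE_ARN,
    "Condition": {"ArnEquals": {"aws:SourceArn": RULE_ARN}}}]}
# Constructed SQS message body: EventBridge delivers Security Hub findings
# wrapped in an envelope whose detail.findings list holds the ASFF records.
SAMPLE_BODY = json.dumps({
    "source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{
        "Id": "arn:aws:securityhub:eu-west-1:111122223333:security-control/EC2.17/finding/EXAMPLE",
        "Severity": {"Label": "MEDIUM"}, "Compliance": {"Status": "WARNING"},
        "Workflow": {"Status": "SUPPRESSED"}}]}})


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def eventbridge_can_send(policy, rule_arn, queue_arn):
    """True if an Allow statement lets events.amazonaws.com call sqs:SendMessage on
    queue_arn and its aws:SourceArn condition, when present, names rule_arn."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not {queue_arn, "*"} & set(_as_list(st.get("Resource", []))):
            continue
        principal = st.get("Principal", {})
        services = ["*"] if principal == "*" else _as_list(principal.get("Service", []))
        if not {"*", "events.amazonaws.com"} & set(services):
            continue
        if not {"sqs:*", "sqs:SendMessage"} & set(_as_list(st.get("Action", []))):
            continue
        source = st.get("Condition", {}).get("ArnEquals", {}).get("aws:SourceArn")
        if source is None or rule_arn in _as_list(source):
            return True
    return False


def finding_summary(body):
    """Unwrap one SQS message body into the fields to triage first."""
    findings = json.loads(body).get("detail", {}).get("findings", [])
    return [{"Id": f["Id"], "Severity": f["Severity"]["Label"],
             "Compliance": f.get("Compliance", {}).get("Status"),
             "Workflow": f.get("Workflow", {}).get("Status")} for f in findings]
```

Against a live account, the policy to feed into eventbridge_can_send comes from boto3's sqs.get_queue_attributes(QueueUrl=..., AttributeNames=["Policy", "QueueArn"]) after json.loads on the Policy attribute, and a message body from sqs.receive_message.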
Sample Finding
{
  "AwsAccountId": "112233445566",
  "CompanyName": "AWS",
  "Compliance": {
    "AssociatedStandards": [
      { "StandardsId": "standards/pci-dss/v/3.2.1" }
    ],
    "SecurityControlId": "EC2.17",
    "Status": "WARNING",
    "StatusReasons": [
      {
        "Description": "This finding has failed because the resource does not meet the requirements specified in the control.",
        "ReasonCode": "CONFIG_RETURNS_NOT_APPLICABLE"
      },
      {
        "Description": "The resource has been deleted and is no longer applicable for evaluation.",
        "ReasonCode": "RESOURCE_DELETED"
      }
    ]
  },
  "CreatedAt": "2025-08-11T23:46:55.947013Z",
  "Description": "This control checks whether IAM users have MFA enabled.",
  "FindingProviderFields": {
    "Severity": {
      "Label": "CRITICAL",
      "Normalized": 1,
      "Original": "INFORMATIONAL"
    },
    "Types": [
      "Software and Configuration Checks/Industry and Regulatory Standards"
    ]
  },
  "FirstObservedAt": "2025-08-11T23:46:55.949987Z",
  "GeneratorId": "security-control/S3.1",
  "Id": "arn:aws:securityhub:us-west-2:123456789012:security-control/EC2.2/finding/1a8d732e-cd2a-3124-5148-e03df4946843",
  "LastObservedAt": "2025-08-11T23:46:55.950069Z",
  "ProcessedAt": "2025-08-11T23:46:55.950072Z",
  "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub",
  "ProductFields": {
    "ArchivalReasons:0/Description": "The control has been suppressed by an administrator.",
    "ArchivalReasons:0/ReasonCode": "RESOURCE_DELETED",
    "RelatedAWSResources:0/name": "securityhub-ebs-snapshot-public-restorable-check-17110ed4-30db-6363-1608-5fdbb8fb0502",
    "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
    "Resources:0/Id": "arn:aws:iam:ap-southeast-1:123456789012:instance/i-66bfd545-8c8e-f9e7-baaa-f9405332a8c5",
    "aws/securityhub/CompanyName": "Amazon Web Services",
    "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:security-control/EC2.17/finding/99238ac1-5f0e-1a8a-8280-210c5e1dde06",
    "aws/securityhub/ProductName": "Security Hub",
    "aws/securityhub/annotation": "This finding has a compliance status of NOT AVAILABLE because AWS Config sent Security Hub a finding with a compliance state of Not Applicable."
  },
  "ProductName": "Security Hub",
  "RecordState": "ARCHIVED",
  "Region": "eu-west-1",
  "Remediation": {
    "Recommendation": {
      "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
      "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation"
    }
  },
  "Resources": [
    {
      "Id": "arn:aws:iam:ap-southeast-1:112233445566:bucket/256cc1b5-4c81-1736-f90c-77202bd79b5a",
      "Partition": "aws",
      "Region": "eu-west-1",
      "Type": "AwsS3Bucket"
    }
  ],
  "SchemaVersion": "2018-10-08",
  "Severity": {
    "Label": "MEDIUM",
    "Normalized": 0,
    "Original": "INFORMATIONAL"
  },
  "Title": "IAM users should have MFA enabled",
  "Types": [
    "TTPs/Initial Access/Execution"
  ],
  "UpdatedAt": "2025-08-11T23:46:55.950605Z",
  "Workflow": {
    "Status": "SUPPRESSED"
  },
  "WorkflowState": "NEW"
}