AWS SecurityHub Integration

Preparing AWS For kAudit SecurityHub Integration

Alcide kAudit integration with AWS SecurityHub requires configuration on both the AWS side and the Alcide kAudit side. The AWS configuration can be done via the AWS Portal or the CLI, on the customer's AWS account to which the findings are sent and in the AWS region of the selected SecurityHub. In the following CLI command examples, this account is represented by the ID 111111111111. See the AWS SecurityHub documentation for further information.

Enable AWS Security Hub

Enable SecurityHub on the account:

aws securityhub enable-security-hub

This change can be undone with:

aws securityhub disable-security-hub

Find the Alcide kAudit Product ARN

List the available products that can be integrated with SecurityHub, and find Alcide kAudit there. Extract the Alcide kAudit product ARN for the next steps in the configuration. If Alcide kAudit is not in the list please contact AWS support.

aws securityhub describe-products

Alcide kAudit product ARN example arn:aws:securityhub:us-west-2::product/alcide/alcide-kaudit

Enable Findings Import from Alcide kAudit Product

Enable Alcide kAudit to import findings to SecurityHub, using its product ARN and the appropriate AWS region for the SecurityHub. The response should be a matching product subscription ARN.

aws securityhub enable-import-findings-for-product --product-arn "arn:aws:securityhub:us-west-2::product/alcide/alcide-kaudit" --region us-west-2

Response:

{
  "ProductSubscriptionArn": "arn:aws:securityhub:us-west-2:111111111111:product-subscription/alcide/alcide-kaudit"
}

Listing all of the currently enabled products in the SecurityHub should now show the Alcide kAudit subscription:

aws securityhub list-enabled-products-for-import --region us-west-2

{
  "ProductSubscriptions": [
    "arn:aws:securityhub:us-west-2:111111111111:product-subscription/alcide/alcide-kaudit",
    ...
  ]
}

The product can later be disabled from importing findings with the following command, passing the product subscription ARN returned above:

aws securityhub disable-import-findings-for-product --product-subscription-arn "arn:aws:securityhub:us-west-2:111111111111:product-subscription/alcide/alcide-kaudit" --region us-west-2

Configure AWS Policy to Let kAudit Import Findings

The AWS credentials for the kAudit integration may be configured in kAudit as an AWS Key pair (key ID and Secret) of a User, or as an STS role. These credentials should be associated with an AWS Policy that gives permissions to batch-import findings on the Alcide kAudit product ARN.

For example, create an AWS User with the following attached Policy permissions, and then create a Key pair for it:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": "securityhub:BatchImportFindings",
      "Resource": "arn:aws:securityhub:us-west-2::product/alcide/alcide-kaudit"
    }
  ]
}
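The steps above can be verified offline from JSON saved out of the CLI calls (for example `aws securityhub describe-products > products.json`). The script below is an added example and is not Alcide's or AWS's code: it locates the kAudit product ARN in a describe-products response, derives the product-subscription ARN that enable-import-findings-for-product should return, confirms it appears in list-enabled-products-for-import output, and reviews an IAM policy so that the kAudit credentials are granted nothing beyond BatchImportFindings on the kAudit product ARN. The embedded responses are constructed samples that mirror the shapes shown in this document.

```python
"""Offline checks for the SecurityHub side of the Alcide kAudit integration.

Added example, not Alcide's or AWS's code. Reads JSON saved from the CLI calls
in the procedure above, so it needs no AWS access. The embedded responses are
constructed samples (account 111111111111, region us-west-2, as in the docs).
"""
import json
from typing import Dict, List, Optional

# Trailing part of the kAudit product ARN; the region prefix varies per SecurityHub.
KAUDIT_PRODUCT_SUFFIX = "product/alcide/alcide-kaudit"
IMPORT_ACTION = "securityhub:BatchImportFindings"


def find_kaudit_product_arn(describe_products_json: str) -> Optional[str]:
    """Pick the kAudit product ARN out of `aws securityhub describe-products` output."""
    data = json.loads(describe_products_json)
    for product in data.get("Products", []):
        arn = product.get("ProductArn", "")
        if arn.endswith(KAUDIT_PRODUCT_SUFFIX):
            return arn
    return None  # kAudit not offered in this region: the docs say to contact AWS support


def expected_subscription_arn(product_arn: str, account_id: str) -> str:
    """Derive the product-subscription ARN that enable-import-findings-for-product
    returns: same region, the customer's account in the (empty) account field,
    and `product/` replaced by `product-subscription/`."""
    parts = product_arn.split(":", 5)  # arn, aws, securityhub, region, account, resource
    region, resource = parts[3], parts[5]
    resource = resource.replace("product/", "product-subscription/", 1)
    return f"arn:aws:securityhub:{region}:{account_id}:{resource}"


def subscription_is_enabled(list_enabled_json: str, subscription_arn: str) -> bool:
    """Check `aws securityhub list-enabled-products-for-import` output for the subscription."""
    data = json.loads(list_enabled_json)
    return subscription_arn in data.get("ProductSubscriptions", [])


def import_policy(product_arn: str) -> Dict:
    """Least-privilege IAM policy for the credentials kAudit will use:
    only BatchImportFindings, and only on the kAudit product ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "1", "Effect": "Allow", "Action": IMPORT_ACTION, "Resource": product_arn}
        ],
    }


def policy_problems(policy: Dict, product_arn: str) -> List[str]:
    """Review a candidate IAM policy for the kAudit credentials. Returns a list
    of problems; an empty list means it is scoped as the documentation describes."""
    problems: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if action != IMPORT_ACTION:
                problems.append(f"action {action!r} is not needed to import findings")
        for resource in resources:
            if resource != product_arn:
                problems.append(f"resource {resource!r} is broader than the kAudit product ARN")
    return problems


# Constructed sample CLI outputs (not real AWS responses).
SAMPLE_DESCRIBE_PRODUCTS = json.dumps({
    "Products": [
        {"ProductArn": "arn:aws:securityhub:us-west-2::product/example-vendor/example-product",
         "ProductName": "Example Product"},
        {"ProductArn": "arn:aws:securityhub:us-west-2::product/alcide/alcide-kaudit",
         "ProductName": "Alcide kAudit"},
    ]
})
SAMPLE_LIST_ENABLED = json.dumps({
    "ProductSubscriptions": [
        "arn:aws:securityhub:us-west-2:111111111111:product-subscription/alcide/alcide-kaudit"
    ]
})

if __name__ == "__main__":
    product_arn = find_kaudit_product_arn(SAMPLE_DESCRIBE_PRODUCTS)
    sub_arn = expected_subscription_arn(product_arn, "111111111111")
    print("product ARN      :", product_arn)
    print("subscription ARN :", sub_arn)
    print("import enabled   :", subscription_is_enabled(SAMPLE_LIST_ENABLED, sub_arn))
    print(json.dumps(import_policy(product_arn), indent=2))
    too_broad = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "securityhub:*", "Resource": "*"}]}
    print("review of wildcard policy:", policy_problems(too_broad, product_arn))
```

Run it against your own saved outputs by replacing the two constructed samples with the files written by the CLI; `policy_problems` is useful as a pre-commit check on the policy document before the key pair or STS role is created.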

Configure Alcide kAudit for AWS SecurityHub Integration

Configure Alcide kAudit to send its findings to SecurityHub using kAudit's ConfigMap & Secret configuration option; see the kAudit configuration guide for details. Use the AWS credentials (User key pair or STS Role) prepared in the previous step.

View and Process Alcide kAudit Findings in AWS SecurityHub

AWS SecurityHub will now receive detection findings (anomalies and incidents) and policy-violation findings from Alcide kAudit. These findings can be viewed and processed using the SecurityHub portal or CLI. For example, in the CLI, see the following for details on how to filter the findings:

aws securityhub get-findings help

As another example, in the CLI, see the following for details on how to transform the findings into insights:

aws securityhub create-insight help
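As an added example of the filtering step, not code from Alcide or AWS, the script below builds a `--filters` document for `aws securityhub get-findings` that returns only active, not-yet-worked kAudit findings at or above a chosen severity, prints the equivalent CLI command, and triages a response offline by counting findings per severity label and type and ordering them for review. The filter keys used (ProductArn, RecordState, WorkflowStatus, SeverityLabel) are standard AWS Security Finding Format filter fields; the findings in the sample response, including their titles and type strings, are constructed and do not come from this document.

```python
"""Filter and triage kAudit findings from `aws securityhub get-findings` offline.

Added example, not Alcide's or AWS's code. The sample response below is
constructed in the shape get-findings returns, so the script runs with no AWS
access; swap in a saved response from your own account to use it for real.
"""
import json
from collections import Counter
from typing import Dict, List

KAUDIT_PRODUCT_ARN = "arn:aws:securityhub:us-west-2::product/alcide/alcide-kaudit"
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATIONAL": 0}


def kaudit_findings_filter(product_arn: str, min_label: str = "LOW") -> Dict:
    """Filter document for `aws securityhub get-findings --filters`: only findings
    imported by kAudit, still active, not yet worked, at or above a severity label."""
    labels = [lbl for lbl, rank in SEVERITY_RANK.items() if rank >= SEVERITY_RANK[min_label]]
    return {
        "ProductArn": [{"Value": product_arn, "Comparison": "EQUALS"}],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"}],
        "SeverityLabel": [{"Value": lbl, "Comparison": "EQUALS"} for lbl in labels],
    }


def get_findings_command(product_arn: str, region: str, min_label: str = "LOW") -> str:
    """The CLI invocation equivalent to the filter above (single-quoted JSON for a POSIX shell)."""
    filters = json.dumps(kaudit_findings_filter(product_arn, min_label))
    return f"aws securityhub get-findings --region {region} --filters '{filters}'"


def _kaudit_only(get_findings_json: str, product_arn: str) -> List[Dict]:
    """Findings from the response that kAudit produced; other products are ignored."""
    findings = json.loads(get_findings_json).get("Findings", [])
    return [f for f in findings if f.get("ProductArn") == product_arn]


def summarize(get_findings_json: str, product_arn: str) -> Dict[str, Counter]:
    """Count kAudit findings by severity label and by ASFF finding type."""
    ours = _kaudit_only(get_findings_json, product_arn)
    return {
        "by_severity": Counter(f.get("Severity", {}).get("Label", "UNKNOWN") for f in ours),
        "by_type": Counter(t for f in ours for t in f.get("Types", [])),
    }


def triage_order(get_findings_json: str, product_arn: str) -> List[str]:
    """Finding IDs ordered highest severity first, most recently updated first within a level."""
    ours = _kaudit_only(get_findings_json, product_arn)
    # Two stable sorts: secondary key first, then the primary key.
    ours.sort(key=lambda f: f.get("UpdatedAt", ""), reverse=True)
    ours.sort(key=lambda f: SEVERITY_RANK.get(f.get("Severity", {}).get("Label"), -1), reverse=True)
    return [f["Id"] for f in ours]


# Constructed sample response; titles and type strings are illustrative, not real kAudit output.
OTHER_PRODUCT_ARN = "arn:aws:securityhub:us-west-2::product/example-vendor/example-product"
SAMPLE_GET_FINDINGS = json.dumps({"Findings": [
    {"Id": "kaudit-finding-001", "ProductArn": KAUDIT_PRODUCT_ARN,
     "Title": "Anomalous API activity by a service account", "UpdatedAt": "2020-06-01T10:00:00Z",
     "Severity": {"Label": "MEDIUM"}, "Types": ["Unusual Behaviors/User"]},
    {"Id": "kaudit-finding-002", "ProductArn": KAUDIT_PRODUCT_ARN,
     "Title": "Audit policy violation", "UpdatedAt": "2020-06-01T11:00:00Z",
     "Severity": {"Label": "HIGH"}, "Types": ["Software and Configuration Checks/Policy"]},
    {"Id": "kaudit-finding-003", "ProductArn": KAUDIT_PRODUCT_ARN,
     "Title": "Anomalous API activity by a user", "UpdatedAt": "2020-06-01T12:00:00Z",
     "Severity": {"Label": "MEDIUM"}, "Types": ["Unusual Behaviors/User"]},
    {"Id": "other-product-finding", "ProductArn": OTHER_PRODUCT_ARN,
     "Title": "Unrelated finding", "UpdatedAt": "2020-06-01T13:00:00Z",
     "Severity": {"Label": "CRITICAL"}, "Types": ["Unusual Behaviors"]},
]})

if __name__ == "__main__":
    print(get_findings_command(KAUDIT_PRODUCT_ARN, "us-west-2", "HIGH"))
    summary = summarize(SAMPLE_GET_FINDINGS, KAUDIT_PRODUCT_ARN)
    print("by severity:", dict(summary["by_severity"]))
    print("by type    :", dict(summary["by_type"]))
    print("triage order:", triage_order(SAMPLE_GET_FINDINGS, KAUDIT_PRODUCT_ARN))
```

The same filter document is what you would hand to `aws securityhub create-insight --filters` to turn the view into a saved insight grouped by, say, severity label, so the filter builder serves both CLI commands shown above.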