Terraform-provider-aws: Feature Request: Security Hub

Created on 1 Dec 2018  路  15Comments  路  Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 馃憤 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

AWS has announced Security Hub: https://aws.amazon.com/security-hub/

New or Affected Resource(s)

  • aws_securityhub_account
  • aws_securityhub_member
  • aws_securityhub_product_subscription
  • aws_securityhub_standards_subscription
  • aws_securityhub_invite_accepter
  • aws_securityhub_insight

Potential Terraform Configuration

# Used to enable AWS Security Hub
resource "aws_securityhub_account" "example" {}

# Subscribe to the CIS AWS Foundations Benchmark
resource "aws_securityhub_standards_subscription" "example" {
  depends_on    = ["aws_securityhub_account.example"]
  standards_arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
}

# Subscribe to a third party provider
data "aws_region" "current" {}

resource "aws_securityhub_product_subscription" "example" {
  depends_on  = ["aws_securityhub_account.example"]
  product_arn = "arn:aws:securityhub:${data.aws_region.current.name}:679703615338:product/armordefense/armoranywhere"
}

# Add a member AWS account
resource "aws_securityhub_member" "example" {
  depends_on = ["aws_securityhub_account.example"]
  account_id = "123456789012"
  email      = "[email protected]"
  invite       = true
}

resource "aws_securityhub_account" "invitee" {
  provider = "aws.invitee"
}

resource "aws_securityhub_invite_accepter" "invitee" {
  provider   = "aws.invitee"
  depends_on = ["aws_securityhub_account.invitee"]
  master_id  = "${aws_securityhub_invitation.example.master_id}"
}

# Create an insight (group of findings)
resource "aws_securityhub_insight" "example" {
  depends_on         = ["aws_securityhub_account.example"]
  name               = "Example"
  group_by_attribute = "AwsAccountId"

  filters {
    generator_id {
      comparison = "EQUALS"
      value      = "123456"
    }
  }
}

Product ARNs

Remember to replace ${var.region} as appropriate (or define that variable)

  • arn:aws:securityhub:${var.region}::product/aws/guardduty
  • arn:aws:securityhub:${var.region}::product/aws/inspector
  • arn:aws:securityhub:${var.region}::product/aws/macie
  • arn:aws:securityhub:${var.region}:733251395267:product/alertlogic/althreatmanagement
  • arn:aws:securityhub:${var.region}:679703615338:product/armordefense/armoranywhere
  • arn:aws:securityhub:${var.region}:151784055945:product/barracuda/cloudsecurityguardian
  • arn:aws:securityhub:${var.region}:758245563457:product/checkpoint/cloudguard-iaas
  • arn:aws:securityhub:${var.region}:634729597623:product/checkpoint/dome9-arc
  • arn:aws:securityhub:${var.region}:517716713836:product/crowdstrike/crowdstrike-falcon
  • arn:aws:securityhub:${var.region}:749430749651:product/cyberark/cyberark-pta
  • arn:aws:securityhub:${var.region}:250871914685:product/f5networks/f5-advanced-waf
  • arn:aws:securityhub:${var.region}:123073262904:product/fortinet/fortigate
  • arn:aws:securityhub:${var.region}:324264561773:product/guardicore/aws-infection-monkey
  • arn:aws:securityhub:${var.region}:324264561773:product/guardicore/guardicore
  • arn:aws:securityhub:${var.region}:949680696695:product/ibm/qradar-siem
  • arn:aws:securityhub:${var.region}:955745153808:product/imperva/imperva-attack-analytics
  • arn:aws:securityhub:${var.region}:297986523463:product/mcafee-skyhigh/mcafee-mvision-cloud-aws
  • arn:aws:securityhub:${var.region}:188619942792:product/paloaltonetworks/redlock
  • arn:aws:securityhub:${var.region}:122442690527:product/paloaltonetworks/vm-series
  • arn:aws:securityhub:${var.region}:805950163170:product/qualys/qualys-pc
  • arn:aws:securityhub:${var.region}:805950163170:product/qualys/qualys-vm
  • arn:aws:securityhub:${var.region}:336818582268:product/rapid7/insightvm
  • arn:aws:securityhub:${var.region}:062897671886:product/sophos/sophos-server-protection
  • arn:aws:securityhub:${var.region}:112543817624:product/splunk/splunk-enterprise
  • arn:aws:securityhub:${var.region}:112543817624:product/splunk/splunk-phantom
  • arn:aws:securityhub:${var.region}:956882708938:product/sumologicinc/sumologic-mda
  • arn:aws:securityhub:${var.region}:754237914691:product/symantec-corp/symantec-cwp
  • arn:aws:securityhub:${var.region}:422820575223:product/tenable/tenable-io
  • arn:aws:securityhub:${var.region}:679593333241:product/trend-micro/deep-security
  • arn:aws:securityhub:${var.region}:453761072151:product/turbot/turbot
  • arn:aws:securityhub:${var.region}:496947949261:product/twistlock/twistlock-enterprise

References

aws_securityhub_account

aws_securityhub_member

aws_securityhub_invite_accepter

aws_securityhub_insight

aws_securityhub_standards_subscription

aws_securityhub_product_subscription

new-resource servicsecurityhub
Source
picture gazoakley
👍9910

Most helpful comment

Any current plans for aws_securityhub_member and aws_securityhub_invite_accepter resources to support multi account setups? I think they would operate in a similar way to the existing aws_guardduty_member and guardduty_invite_accepter resources

Thanks!

picture conzy on 17 Sep 2019
👍48 👀4

All 15 comments

I'm planning to work on this.

gazoakley picture gazoakley on 5 Dec 2018
🎉6

Reference:
https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_EnableSecurityHub.html
To enable SecurityHub in the master account

https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_EnableImportFindingsForProduct.html
To enable findings for an integrated product

https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchEnableStandards.html
To turn on standards (eg. CIS benchmark)

jsamuel1 picture jsamuel1 on 5 Dec 2018

@jsamuel1 @philsynek @tdmalone @brandonstevens: Any feedback on the design/examples above? I'm considering a few things:

  • I think we need an aws_securityhub_account as a way of enabling/disabling Security Hub, but it doesn't export any attributes used by any of the other resources so they need to use an explicit dependency on it. Does this feel OK to you? The alternative would be for other resources to just enable Security Hub when needed, but then there's no good way to turn it off.

  • I might get rid of the aws_securityhub_invitation resource and have sending an invite as parameter that can be disabled on aws_securityhub_member instead. There doesn't seem to be any good use case for adding a member account but not inviting them, and once an invite is sent the only way to revoke it is to delete the member and recreate it again which doesn't fit well with Terraform.

  • I might rename aws_securityhub_standard to aws_securityhub_standard_subscription - this matches the way the API returns a StandardsSubscriptionARN when enabling a standard. Is this a better naming? It matches aws_securityhub_product_subscription. It also means if we have a data source in the future for getting a standard by name it can be called aws_securityhub_standard.

gazoakley picture gazoakley on 8 Dec 2018

Following in the same style as aws_guardduty_member I'll look at having a combined resource that creates a member and sends an invite. I'm also going to rename aws_securityhub_standard to aws_securityhub_standard_subscription

gazoakley picture gazoakley on 8 Dec 2018

re: aws_securityhub_standard_subscription - @gazoakley, might be best to keep the plural from the aws API - ie. aws_securityhub_standards_subscription.

I think the separate aws_securityhub_account is needed, so that we can turn securityhub on/off - otherwise there is no reliable way to roll back to a previous state. Would the other API's return an error if securityhub isn't on?

For organization/multi-account usage, using the _member API, does this scenario negate the need to explicity enable in the child accounts?

jsamuel1 picture jsamuel1 on 9 Dec 2018

re: aws_securityhub_standard_subscription - @gazoakley, might be best to keep the plural from the aws API - ie. aws_securityhub_standards_subscription.

It really bugs me that they named standards with a plural (when you're enabling an individual standard) but not product (which seems more natural). I guess I should rename to be consistent with the API though.

I think the separate aws_securityhub_account is needed, so that we can turn securityhub on/off - otherwise there is no reliable way to roll back to a previous state. Would the other API's return an error if securityhub isn't on?

They do return an error - I'm relying on that behaviour right now to detect if the aws_securityhub_account is present to manage state correctly. I think keeping that resource is probably the best course.

For organization/multi-account usage, using the _member API, does this scenario negate the need to explicity enable in the child accounts?

Doesn't look like it from testing through the console - you still need to send an invite and accept it in the other account even if both accounts are part of the same organization.

gazoakley picture gazoakley on 9 Dec 2018

The aws_securityhub_account and aws_securityhub_standards_subscription resources have been released in version 1.52.0 and version 1.53.0 of the AWS provider respectively. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

bflad picture bflad on 20 Dec 2018
🎉2

any plans for aws_securityhub_insight and maybe aws_securityhub_action ?

digitalkaoz picture digitalkaoz on 1 Feb 2019
👍1

Any current plans for aws_securityhub_member and aws_securityhub_invite_accepter resources to support multi account setups? I think they would operate in a similar way to the existing aws_guardduty_member and guardduty_invite_accepter resources

Thanks!

conzy picture conzy on 17 Sep 2019
👍48 👀4

Is there any chance of a aws_securityhub_action_target resource? This would enable things like this: https://aws.amazon.com/blogs/apn/how-to-integrate-aws-security-hub-custom-actions-with-pagerduty/

Edit D'oh. This is already in progress as #10493

JonTheNiceGuy picture JonTheNiceGuy on 8 Nov 2019

The new aws_securityhub_member resource has been merged and will release with version 2.54.0 of the Terraform AWS Provider, later this week. 馃憤

bflad picture bflad on 17 Mar 2020
🎉3

I'm pretty new to Terraform development and I'm interested in taking a look at the aws_securityhub_insight resource. One question that I have is when defining the resource schema, is it necesssary to define all of the AwsSecurityFindingFilters listed here?

https://docs.aws.amazon.com/sdk-for-go/api/service/securityhub/#AwsSecurityFindingFilters

doublefelix7 picture doublefelix7 on 20 May 2020

Any current plans for aws_securityhub_member and aws_securityhub_invite_accepter resources to support multi account setups? I think they would operate in a similar way to the existing aws_guardduty_member and guardduty_invite_accepter resources

Thanks!

Looking forward to the release of aws_securityhub_invite_accepter

ghost picture ghost on 8 Jun 2020
👍10

There is also aws_securityhub_custom_action tracking an open PR ready for code review. https://github.com/terraform-providers/terraform-provider-aws/pull/10493

radius314 picture radius314 on 9 Jun 2020

Support for the aws_securityhub_action_target (custom action) resource has been merged and will release with version 3.4.0 of the Terraform AWS Provider, later this week. Thanks to @hhamalai for the implementation there. 馃憤

bflad picture bflad on 26 Aug 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

hashibot picture hashibot  路  3Comments
andywirv picture andywirv  路  3Comments
hashibot picture hashibot  路  3Comments
blaltarriba picture blaltarriba  路  3Comments
ccslamstack picture ccslamstack  路  3Comments