Include OS type (Linux/Windows) in Cloud Custodian's EC2 findings for AWS Security Hub


We have a Cloud Custodian policy for AWS EC2 that posts its findings to AWS Security Hub.

Is there a way to include the EC2 OS type (Linux/Windows) in the details that are sent to Security Hub by Cloud Custodian?

We're pushing Security Hub findings to Sumo Logic & need to query these findings by OS.

Here's our policy:

policies:
- name: ec2-report-compliant-base-linux
  resource: ec2
  mode:
    type: periodic
    schedule: rate(1 hour)
  filters:
  - PlatformDetails: Linux/UNIX
  - type: value
    key: ImageId
    op: in
    value:
    - ami-0123456789
    - ami-1234567890
    - ami-2345678901
  actions:
  - type: post-finding
    confidence: 100
    severity: 0
    severity_normalized: 0
    compliance_status: PASSED
    title: Compliant AMI
    types:
    - "Software and Configuration Checks/AWS Security Best Practices/Compliant Linux AMI"

Although it's technically possible to query by the "type" in this example to get Linux instances...

%Type = Software and Configuration Checks/AWS Security Best Practices/Compliant Linux AMI

...there are other similar use cases we have, where we need to query by OS type directly in Sumo Logic.

So, is there a way to include OS type in the findings posted by Cloud Custodian to Security Hub?

1 answer below:

Hope I understand the bounds to your setup here, but you could try to put the policy name or the post-finding title parameter to use. I'll expand on this.

So, if you could functionally separate out the policy based on the OS type, one for each Linux distribution you use in your environment, your title and all the other related fields could stay the same and you should have tags in Security Hub that are created from this said policy name.

The title parameter in post-finding actions is also used when creating tags for this event in Security Hub but I feel like the use here is somewhat reserved for your compliance scenario.

For resources that are taggable, we will tag the resource with an identifier such that further findings generate updates. The name of the tag comes from the title parameter of the post-finding action, or the policy name if title is empty. This allows different policies to update the same finding if they specify the same title.

I'm sure there are other wrapper-processes you could use such as jinja2 templates to generate your policies in the first place and potentially go down that route.

ref: post-finding: https://cloudcustodian.io/docs/aws/resources/aws-common-actions.html#post-finding (see Schema for available parameters)
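Putting the answer's suggestion into practice for the question's policy: an added example (not from the question, the answer, or the Cloud Custodian project) that generates one policy per OS, with the OS carried in both the policy name and the post-finding title so the resulting Security Hub finding can be queried by OS in Sumo Logic, and a helper that recovers the OS from a finding's Title. It uses plain Python dicts instead of the jinja2 templates the answer mentions; the AMI ids and the OS-to-AMI mapping are constructed placeholders, and the output is JSON, which is valid YAML and can be saved as a policy file.

```python
import json
import re

# Constructed sample input: which AMIs are the compliant base image for each OS.
# The AMI ids are placeholders, not real images. "Linux/UNIX" and "Windows" are
# EC2 PlatformDetails values, the field the question's policy already filters on.
COMPLIANT_AMIS = {
    "Linux": {"platform": "Linux/UNIX", "amis": ["ami-0123456789", "ami-1234567890"]},
    "Windows": {"platform": "Windows", "amis": ["ami-2345678901"]},
}

TYPE_PREFIX = "Software and Configuration Checks/AWS Security Best Practices/"


def build_policy(os_name, platform, amis):
    """One Cloud Custodian policy per OS. The title (and, as a fallback, the policy
    name) is what post-finding uses to identify the Security Hub finding, so putting
    the OS in it makes the finding's Title queryable by OS downstream."""
    return {
        "name": f"ec2-report-compliant-base-{os_name.lower()}",
        "resource": "ec2",
        "mode": {"type": "periodic", "schedule": "rate(1 hour)"},
        "filters": [
            {"PlatformDetails": platform},
            {"type": "value", "key": "ImageId", "op": "in", "value": list(amis)},
        ],
        "actions": [{
            "type": "post-finding",
            "confidence": 100,
            "severity": 0,
            "severity_normalized": 0,
            "compliance_status": "PASSED",
            "title": f"Compliant {os_name} AMI",
            "types": [f"{TYPE_PREFIX}Compliant {os_name} AMI"],
        }],
    }


def build_policy_file(compliant_amis):
    """Top-level document with one policy per OS, in Cloud Custodian's layout."""
    return {"policies": [build_policy(os_name, spec["platform"], spec["amis"])
                         for os_name, spec in compliant_amis.items()]}


def render_policy_file(compliant_amis):
    """Serialize as JSON; JSON is valid YAML, so this can be written to a .yml file."""
    return json.dumps(build_policy_file(compliant_amis), indent=2)


def os_from_finding(finding):
    """Recover the OS from a Security Hub finding's Title (the field post-finding
    fills from the policy title); returns None for titles not in this scheme."""
    match = re.fullmatch(r"Compliant (\w+) AMI", finding.get("Title", ""))
    return match.group(1) if match else None
```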