We have a Cloud Custodian policy for AWS EC2 that posts its findings to AWS Security Hub.
Is there a way to include the EC2 OS type (Linux/Windows) in the details that are sent to Security Hub by Cloud Custodian?
We're pushing Security Hub findings to Sumo Logic & need to query these findings by OS.
Here's our policy:
policies:
  - name: ec2-report-compliant-base-linux
    resource: ec2
    mode:
      type: periodic
      schedule: rate(1 hour)
    filters:
      - PlatformDetails: Linux/UNIX
      - type: value
        key: ImageId
        op: in
        value:
          - ami-0123456789
          - ami-1234567890
          - ami-2345678901
    actions:
      - type: post-finding
        confidence: 100
        severity: 0
        severity_normalized: 0
        compliance_status: PASSED
        title: Compliant AMI
        types:
          - "Software and Configuration Checks/AWS Security Best Practices/Compliant Linux AMI"
Although it's technically possible to query by the "type" in this example to get Linux instances...
%Type = Software and Configuration Checks/AWS Security Best Practices/Compliant Linux AMI
...there are other similar use cases we have, where we need to query by OS type directly in Sumo Logic.
So, is there a way to include OS type in the findings posted by Cloud Custodian to Security Hub?
Hope I understand the bounds of your setup here, but you could try to put the policy name or the post-finding title parameter to use. I'll expand on this.
So, if you could functionally separate out the policy based on the OS type, one for each Linux distribution you use in your environment, your title and all the other related fields could stay the same, and you should have tags in Security Hub that are created from that policy name.
The title parameter in post-finding actions is also used when creating tags for this event in Security Hub, but I feel like the use here is somewhat reserved for your compliance scenario.
I'm sure there are other wrapper processes you could use, such as jinja2 templates, to generate your policies in the first place, and you could potentially go down that route.
ref: post-finding: https://cloudcustodian.io/docs/aws/resources/aws-common-actions.html#post-finding (see Schema for available parameters)
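Added example (not from the question, the answer, or the Cloud Custodian project): a small generator that does what the answer suggests, producing one policy per OS type from a table, so the OS ends up in the policy name, the post-finding title and the finding type string. The OS table and its AMI ids are constructed placeholders; the PlatformDetails strings are the values EC2 reports for those platforms. It also sets a `fields` key on the post-finding action on the assumption that this parameter maps into the finding's ProductFields; that is an assumption to confirm against the schema linked above before relying on it. Only the standard library is used.

```python
import json

# Constructed OS table for this example; the AMI ids are placeholders, not a
# real approved-image inventory. The key becomes the per-OS suffix of the
# policy name; platform_details is the exact EC2 PlatformDetails string the
# filter matches; label is the human-readable OS name used in title and type.
OS_TABLE = {
    "linux": {
        "label": "Linux",
        "platform_details": "Linux/UNIX",
        "amis": ["ami-0123456789", "ami-1234567890", "ami-2345678901"],
    },
    "rhel": {
        "label": "RHEL",
        "platform_details": "Red Hat Enterprise Linux",
        "amis": ["ami-3456789012"],
    },
    "windows": {
        "label": "Windows",
        "platform_details": "Windows",
        "amis": ["ami-4567890123", "ami-5678901234"],
    },
}

FINDING_TYPE_PREFIX = "Software and Configuration Checks/AWS Security Best Practices"


def build_policy(os_key, label, platform_details, ami_ids):
    """Return one Cloud Custodian policy (the dict its YAML parses to) scoped
    to a single OS type.

    The OS is carried in three places that surface in Security Hub (and so in
    the records Sumo Logic ingests): the policy name, the finding title and
    the finding type string. Any of them can be matched in a query.
    """
    if not ami_ids:
        raise ValueError(f"no approved AMIs listed for {os_key}")
    return {
        "name": f"ec2-report-compliant-base-{os_key}",
        "resource": "ec2",
        "mode": {"type": "periodic", "schedule": "rate(1 hour)"},
        "filters": [
            # Exact match on the instance's PlatformDetails attribute.
            {"PlatformDetails": platform_details},
            # Only instances launched from an approved base image for that OS.
            {"type": "value", "key": "ImageId", "op": "in", "value": list(ami_ids)},
        ],
        "actions": [
            {
                "type": "post-finding",
                "confidence": 100,
                "severity": 0,
                "severity_normalized": 0,
                "compliance_status": "PASSED",
                "title": f"Compliant {label} AMI",
                "types": [f"{FINDING_TYPE_PREFIX}/Compliant {label} AMI"],
                # ASSUMPTION: post-finding's `fields` parameter adds keys to
                # the finding's ProductFields. Confirm against the schema in
                # the linked docs; if absent, drop this key and query on the
                # title or type instead.
                "fields": {"os_type": platform_details},
            }
        ],
    }


def build_policies(os_table):
    """Build the full policy document, one policy per OS in os_table."""
    return {
        "policies": [
            build_policy(key, spec["label"], spec["platform_details"], spec["amis"])
            for key, spec in os_table.items()
        ]
    }


def render_policy_file(os_table):
    """Serialize the policy document as JSON. JSON is valid YAML, so the
    output can be saved (e.g. ec2-compliant-amis.yml) and passed to
    `custodian run` unchanged."""
    return json.dumps(build_policies(os_table), indent=2)


if __name__ == "__main__":
    print(render_policy_file(OS_TABLE))
```

Run it and redirect the output to a policy file; adding an OS is then a one-entry change to the table rather than a hand-copied policy, and a Sumo Logic query can key on the `Compliant <OS> AMI` title, the type string, or the policy name without depending on any per-OS type naming convention being remembered by hand.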