How Automation Rules Work in AWS Security Hub

published on 10 March 2025

AWS Security Hub automation rules simplify handling security findings by automatically triggering actions based on specific conditions. Here's how they work:

  • Rule Criteria: Define conditions like severity, resource type, or compliance status to activate the rule.
  • Actions: Automate responses such as updating statuses, sending alerts, or initiating remediation workflows.

Key Benefits:

  • Faster Responses: Automates routine tasks, reducing delays.
  • Consistency: Ensures uniform handling of similar issues.
  • Efficiency: Frees up security teams to focus on complex problems.

How to Set Up:

  1. Access the Automation Rules Console in AWS Security Hub.
  2. Define Criteria: Use fields like severity, account ID, or resource type.
  3. Configure Actions: Choose actions like updating statuses, sending notifications, or triggering Lambda functions.

For example, you can configure a rule to mark critical S3 bucket findings as "IN_PROGRESS" and automatically start remediation. Learn how to prioritize rules, integrate with services like EventBridge and Lambda, and monitor performance for effective security operations.

Setting Up Automation Rules

Configuring automation rules in AWS Security Hub requires careful selection of criteria and actions to ensure effective operation.

Finding the Rules Console

To access the automation rules console:

  • Log in to the AWS Management Console.
  • Navigate to Security Hub.
  • Select Automation rules from the left-hand menu.
  • Click on Create automation rule.

This console is where you manage security automation. It lists each rule with key details such as its status and last modification date.

Rule Criteria Setup

Automation rules rely on criteria based on AWS Security Finding Format (ASFF) fields.

1. Select Trigger Type

Decide whether the rule will activate when a security finding is updated or newly created. This determines when findings are evaluated.

2. Define Filtering Criteria

Use ASFF fields to set specific conditions. Examples include:

  • Severity levels (e.g., CRITICAL)
  • Resource types (e.g., AwsS3Bucket)
  • AWS account IDs
  • Finding types
  • Compliance status (e.g., FAILED)

For instance, to address critical S3 vulnerabilities automatically, you might configure the following:

  • Severity: CRITICAL
  • ResourceType: AwsS3Bucket
  • ComplianceStatus: FAILED

Once your criteria are defined, move on to setting up the actions.

Action Configuration

After defining criteria, choose and configure the actions your rule will perform.

1. Choose Action Type

Select from the following options:

  • Send to EventBridge
  • Update finding status
  • Update finding workflow status
  • Send notification

2. Set Action Parameters

Provide details for the chosen action. For example, if updating workflow status, specify:

  • The new status value
  • Any notes or comments
  • Optional tags for additional context

3. Action Validation

Double-check your setup by reviewing criteria and actions, confirming IAM permissions, and testing with sample findings.

To keep things efficient, ensure your criteria are targeted. Avoid overly broad rules that could trigger unnecessary actions or flood your team with alerts.
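As an added example (not code from the original article), the CRITICAL / AwsS3Bucket / FAILED rule from the steps above expressed as a boto3 `create_automation_rule` request, together with an offline dry run that checks the criteria against a constructed sample finding before anything is created. The rule name, rule order and note text are assumptions made for this example.

```python
def build_s3_critical_rule():
    """Return the kwargs for boto3's securityhub.create_automation_rule().
    Rule name, order and note text are constructed for this example."""
    return {
        "RuleName": "critical-s3-bucket-to-in-progress",
        "RuleOrder": 10,  # lower value is applied first
        "Description": "Mark failed CRITICAL S3 bucket findings IN_PROGRESS",
        "IsTerminal": False,  # let later rules still run on the finding
        "Criteria": {
            "SeverityLabel": [{"Comparison": "EQUALS", "Value": "CRITICAL"}],
            "ResourceType": [{"Comparison": "EQUALS", "Value": "AwsS3Bucket"}],
            "ComplianceStatus": [{"Comparison": "EQUALS", "Value": "FAILED"}],
        },
        "Actions": [{
            "Type": "FINDING_FIELDS_UPDATE",
            "FindingFieldsUpdate": {
                "Workflow": {"Status": "IN_PROGRESS"},
                "Note": {"Text": "Auto-triaged by automation rule",
                         "UpdatedBy": "sechub-automation"},
            },
        }],
    }

# Where each criteria key used above lives inside an ASFF finding.
_ASFF_FIELDS = {
    "SeverityLabel": lambda f: [f.get("Severity", {}).get("Label")],
    "ResourceType": lambda f: [r.get("Type") for r in f.get("Resources", [])],
    "ComplianceStatus": lambda f: [f.get("Compliance", {}).get("Status")],
}

def finding_matches(criteria, finding):
    """Offline dry run of EQUALS criteria against one ASFF finding: every
    criteria key must be satisfied by at least one of its listed values."""
    for key, conditions in criteria.items():
        wanted = {c["Value"] for c in conditions if c["Comparison"] == "EQUALS"}
        if not wanted.intersection(_ASFF_FIELDS[key](finding)):
            return False
    return True

def create_rule(rule):
    """Create the rule for real; needs boto3 and Security Hub permissions."""
    import boto3  # imported lazily so the dry run works without AWS
    return boto3.client("securityhub").create_automation_rule(**rule)["RuleArn"]

if __name__ == "__main__":
    sample = {"Severity": {"Label": "CRITICAL"}, "Compliance": {"Status": "FAILED"},
              "Resources": [{"Type": "AwsS3Bucket"}]}  # constructed sample finding
    print(finding_matches(build_s3_critical_rule()["Criteria"], sample))
```

Run the dry run against a few real findings exported from your account before calling `create_rule`, so an overly broad criteria set shows up before it touches production findings.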

Using Rules Effectively

Once you've set up your automation rules, it's crucial to apply them properly for consistent and timely responses to security findings. Here's how to make the most of your rules.

Rule Execution Order

AWS Security Hub applies automation rules to a matching finding one at a time, following their assigned priority, so the sequence in which updates are applied is predictable.

When multiple rules match a finding, Security Hub follows this sequence:

  • Priority Level: Rules with a higher priority (lower numerical value) are executed first.
  • Creation Time: If two rules have the same priority, the older rule takes precedence.

To avoid conflicts, assign clear and distinct priority levels to your most important rules.

Choosing the Right Actions

Pick automation actions that align with your security goals. Here’s how you can approach different scenarios:

  • High-Priority Security Issues
    • Route critical findings to EventBridge for remediation.
    • Change workflow status to "IN_PROGRESS."
    • Notify security teams using SNS.
  • Compliance Monitoring
    • Forward compliance-related findings to specific EventBridge rules.
    • Update finding statuses based on compliance checks.
    • Use Lambda functions to create compliance reports.
  • Resource Protection
    • Trigger Lambda functions to adjust security groups.
    • Automatically update IAM policies.
    • Isolate compromised resources.

Verifying Rule Effectiveness

Make sure your rules are working as intended by following these steps:

  • Testing Environment
    • Set up a controlled environment with sample findings that match your rule criteria.
    • Test EventBridge rules and mock Lambda functions to validate actions.
  • Monitoring Metrics
    • Track how often rules execute successfully.
    • Measure average response times.
    • Monitor false positive rates.
    • Check the completion status of automated actions.
  • Validation Process
    • Generate test findings to match your rules.
    • Use CloudWatch logs to confirm actions were executed.
    • Ensure notifications are delivered properly.
    • Verify that finding statuses are updated as expected.

Connecting with AWS Services

EventBridge Integration

Automation rules work seamlessly with Amazon EventBridge to build advanced security workflows. EventBridge processes findings that align with your automation rule criteria and directs them to designated target services.

To integrate with EventBridge:

  • Set up an EventBridge rule that matches Security Hub finding patterns.
  • Configure the rule's targets, such as Lambda functions or SNS topics.
  • Ensure IAM roles grant necessary permissions for cross-service access.

Here's an example of an EventBridge rule for detecting unauthorized API calls:

{
  "source": ["aws.securityhub"],
  "detail-type": ["Security Hub Findings - Imported"],
  "detail": {
    "findings": {
      "Type": ["TTPs/Initial Access/UnauthorizedAPICall"]
    }
  }
}

This setup enables additional automation, like triggering Lambda functions for specific actions.

Lambda Functions

Lambda functions allow you to run custom code in response to findings. They can handle tasks like automated remediation, sending custom notifications, integrating third-party tools, or enriching data.

Key points for implementing Lambda functions:

1. Error Handling

Prepare for issues like API throttling, timeouts, or service failures. Your function should log errors and recover gracefully.

2. Performance Optimization

Keep functions streamlined and efficient. Aim for execution times of 3-5 seconds to avoid timeouts.

3. Security Context

Use IAM roles with the least-privilege principle. Grant only the permissions necessary for the specific task.

Custom Action Setup

Custom actions let you create tailored responses beyond the default options.

1. Define Action Parameters

Here’s an example of a custom action to isolate a compromised instance:

{
  "Description": "Isolate compromised instance",
  "Id": "IsolateInstance",
  "Name": "Isolate EC2 Instance",
  "Parameters": {
    "InstanceId": {
      "Label": "EC2 Instance ID",
      "Required": true,
      "Type": "String"
    }
  }
}

2. Create Response Logic

Use Lambda functions to execute the custom action. These functions should:

  • Validate input parameters.
  • Perform the necessary security actions.
  • Update the finding's status.
  • Log the results of the action.

3. Test Integration

Run tests in a controlled setup to ensure the custom action works as intended. Test with sample findings to confirm proper execution and error handling.
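An added example, not code from the original article, showing one Lambda handler that follows the "Create Response Logic" steps above (validate input, act, update the finding's status, log the result) while applying the error-handling advice from the Lambda Functions section. It assumes the function is an EventBridge target behind the "Security Hub Findings - Imported" pattern shown earlier, uses the `batch_update_findings` API, and takes an injectable `securityhub` client so the logic can be exercised offline; the note text and `UpdatedBy` value are made up.

```python
import json
import logging
import random
import time

log = logging.getLogger()
log.setLevel(logging.INFO)

RETRYABLE = {"ThrottlingException", "TooManyRequestsException"}

def with_backoff(call, attempts=4, base=0.2):
    """Retry a boto3 call on throttling with exponential backoff plus jitter."""
    for n in range(attempts):
        try:
            return call()
        except Exception as exc:  # botocore ClientError exposes exc.response
            code = getattr(exc, "response", {}).get("Error", {}).get("Code")
            if code not in RETRYABLE or n == attempts - 1:
                raise
            time.sleep(base * 2 ** n + random.uniform(0, base))

def extract_findings(event):
    """Validate the EventBridge envelope and return its ASFF findings."""
    if event.get("source") != "aws.securityhub":
        raise ValueError("unexpected event source")
    findings = event.get("detail", {}).get("findings")
    if not isinstance(findings, list) or not findings:
        raise ValueError("event carries no findings")
    return findings

def handler(event, context, securityhub=None):
    """Validate input, act, update workflow status, log the result.
    `securityhub` is injectable so the logic can be exercised without AWS."""
    if securityhub is None:
        import boto3  # real client only when running inside Lambda
        securityhub = boto3.client("securityhub")
    results = {"updated": [], "skipped": []}
    for f in extract_findings(event):
        if f.get("Workflow", {}).get("Status") in ("RESOLVED", "SUPPRESSED"):
            results["skipped"].append(f["Id"])  # never reopen closed findings
            continue
        # The custom response (e.g. the isolation step described above) goes
        # here; this example only records that the finding was handled.
        resp = with_backoff(lambda: securityhub.batch_update_findings(
            FindingIdentifiers=[{"Id": f["Id"], "ProductArn": f["ProductArn"]}],
            Workflow={"Status": "NOTIFIED"},
            Note={"Text": "Handled by responder", "UpdatedBy": "lambda-responder"}))
        if resp.get("UnprocessedFindings"):
            log.error("update failed: %s", resp["UnprocessedFindings"])
        else:
            results["updated"].append(f["Id"])
    log.info(json.dumps(results))
    return results
```

The execution role only needs `securityhub:BatchUpdateFindings` for this handler; add further permissions one action at a time as the response logic grows.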

For ongoing monitoring, maintain detailed logs in CloudWatch. Track execution times and success rates to fine-tune performance and ensure compliance.

Rule Maintenance

Rule Updates

It's important to keep automation rules aligned with changing security needs. Update your rules when:

  • New threat patterns are identified
  • Security policies are revised
  • AWS rolls out new services or features
  • Compliance standards are updated

Best practices for updates:

  • Use a test environment that mirrors production to verify changes.
  • Record all modifications in a change management system.
  • Test updated rules with sample data to ensure triggers, actions, and integrations behave as expected.

Common Problems

Rate Limiting

  • Frequent triggers can hit AWS service quotas.
  • Keep an eye on CloudWatch metrics for throttling events.
  • Use exponential backoff in custom actions to manage retries.

Integration Failures

  • These might happen due to expired IAM credentials, network disruptions, or service outages.
  • Set up CloudWatch alarms to catch failures quickly.
  • For critical rules, configure fallback actions to maintain functionality.

Rule Conflicts

  • Conflicts between rules can cause unexpected outcomes. Use a priority matrix and document dependencies to keep things organized.
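An added example, not from the original article, that turns the precedence described under "Rule Execution Order" (lower rule order first, older rule first on a tie) and the "Rule Conflicts" point above into an audit check: it lists the effective evaluation sequence and flags enabled rules that share a rule order or are terminal. The sample rules are constructed to look like the `AutomationRulesMetadata` entries returned by `list_automation_rules`; their names and dates are made up.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample shaped like the AutomationRulesMetadata entries that
# securityhub.list_automation_rules() returns; names and dates are made up.
SAMPLE_RULES = [
    {"RuleName": "suppress-dev-informational", "RuleOrder": 5, "IsTerminal": True,
     "RuleStatus": "ENABLED", "CreatedAt": datetime(2025, 1, 3, tzinfo=timezone.utc)},
    {"RuleName": "critical-s3-in-progress", "RuleOrder": 10, "IsTerminal": False,
     "RuleStatus": "ENABLED", "CreatedAt": datetime(2025, 2, 1, tzinfo=timezone.utc)},
    {"RuleName": "critical-s3-notify", "RuleOrder": 10, "IsTerminal": False,
     "RuleStatus": "ENABLED", "CreatedAt": datetime(2025, 1, 20, tzinfo=timezone.utc)},
    {"RuleName": "old-ec2-rule", "RuleOrder": 20, "IsTerminal": False,
     "RuleStatus": "DISABLED", "CreatedAt": datetime(2024, 11, 1, tzinfo=timezone.utc)},
]

def evaluation_sequence(rules):
    """Enabled rules in the order the article describes: lower RuleOrder
    first, then the older CreatedAt when two orders tie."""
    enabled = [r for r in rules if r["RuleStatus"] == "ENABLED"]
    return [r["RuleName"] for r in sorted(enabled, key=lambda r: (r["RuleOrder"], r["CreatedAt"]))]

def find_conflicts(rules):
    """Report (a) enabled rules sharing a RuleOrder, whose relative order then
    rests only on creation time, and (b) terminal rules, which stop every
    later rule from being applied to the findings they match."""
    enabled = [r for r in rules if r["RuleStatus"] == "ENABLED"]
    counts = Counter(r["RuleOrder"] for r in enabled)
    shared = {order: sorted(r["RuleName"] for r in enabled if r["RuleOrder"] == order)
              for order, n in counts.items() if n > 1}
    terminal = [r["RuleName"] for r in enabled if r["IsTerminal"]]
    return {"shared_order": shared, "terminal_rules": terminal}

def fetch_rules():
    """Live version: page through list_automation_rules (needs boto3 and credentials)."""
    import boto3
    client, rules, token = boto3.client("securityhub"), [], None
    while True:
        kwargs = {"NextToken": token} if token else {}
        page = client.list_automation_rules(**kwargs)
        rules.extend(page.get("AutomationRulesMetadata", []))
        token = page.get("NextToken")
        if not token:
            return rules

if __name__ == "__main__":
    print(evaluation_sequence(SAMPLE_RULES))
    print(find_conflicts(SAMPLE_RULES))
```

Replace `SAMPLE_RULES` with `fetch_rules()` to run the same check against an account; any entry under `shared_order` is a candidate for the priority matrix mentioned above.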

CloudWatch metrics are your go-to tool for spotting and addressing these issues, ensuring smooth operation.

Performance Tracking

Use CloudWatch and Security Hub dashboards to monitor key metrics like:

  • Rule execution time
  • Success rates
  • False positives
  • Action completion rates

Steps to track performance:

  • Configure CloudWatch to monitor:
    • How often rules are triggered
    • Completion rates for actions
    • Integration response times
    • Error trends
  • Conduct regular audits:
    • Evaluate how effective your rules are and check security coverage.
    • Use CloudWatch Logs Insights to analyze execution details.
    • Set up automated alerts for any performance concerns.

Conclusion

Summary

Automation rules make security responses easier by automatically triggering actions for specific findings. This reduces the need for manual work and ensures security standards are applied consistently.

Here’s what they offer:

  • Automated Response: Automatically addresses security findings, speeding up incident handling.
  • Integration: Works seamlessly with EventBridge and Lambda to simplify workflows.
  • Customization: Lets you set tailored criteria to meet your security needs.
  • Monitoring: Tracks performance using CloudWatch.

Use these features to refine and strengthen your security processes.

Next Steps

Follow these steps to enhance your automation strategy:

  1. Documentation and Training
  2. Optimization
    • Evaluate rule performance through CloudWatch metrics and adjust custom actions using Lambda functions.

For more resources and hands-on guides, check out AWS for Engineers. Their developer-focused content offers practical advice on AWS security and automation.
