@sean-navapbc (Collaborator)

Summary

  • Created SNS topic for Security Hub findings with email subscription to [email protected]
  • Added EventBridge rules to capture CRITICAL and HIGH severity findings automatically
  • Configured formatted alerts with finding details, affected resources, and remediation steps
  • Added optional Slack integration configuration (commented out, ready to enable)
  • Included comprehensive documentation for setup, testing, and customization

Changes

New file: infra/accounts/security_hub_alerts.tf

  • SNS topic: security-hub-findings
  • EventBridge rules for CRITICAL and HIGH severity findings
  • SNS topic policy allowing EventBridge to publish
  • Formatted alert messages with direct links to AWS console

New file: infra/accounts/SECURITY_HUB_ALERTS.md

  • Setup documentation
  • Testing instructions
  • Slack integration guide
  • Customization examples
  • Troubleshooting tips

Modified: infra/project-config/system_notifications.tf

  • Added security-alerts channel configuration for optional Slack integration

Alert Format

Each alert includes:

  • Finding title and severity (🚨 CRITICAL or ⚠️ HIGH)
  • Compliance status
  • Description of the issue
  • Affected resource details
  • AWS account and region
  • Remediation recommendations
  • Direct link to Security Hub console

How It Works

  1. Security Hub detects a CRITICAL or HIGH severity finding
  2. EventBridge rule matches the finding based on severity and status (NEW)
  3. Finding details are formatted and sent to SNS topic
  4. Email notification is delivered to [email protected]
  5. (Optional) Can be extended to Slack by enabling the configuration

Test Plan

  • Run terraform init and terraform plan in infra/accounts/
  • Review the planned resources (SNS topic, EventBridge rules, subscriptions)
  • Apply with terraform apply
  • Confirm the SNS subscription email sent to [email protected]
  • (Optional) Test with a sample finding using the AWS CLI command in the documentation
  • Verify alert is received via email
  • Archive test finding in Security Hub console

Notes

  • Email subscription requires confirmation (check spam folder)
  • Alerts only trigger for NEW findings (not existing ones)
  • Slack integration is configured but commented out - requires GitHub secrets setup
  • See SECURITY_HUB_ALERTS.md for full documentation

- Created SNS topic for Security Hub findings with email subscription
- Added EventBridge rules to capture CRITICAL and HIGH severity findings
- Configured alert formatting with detailed finding information and remediation steps
- Added optional Slack integration configuration in system notifications
- Included comprehensive documentation for setup and customization
Sean Thomas added 2 commits November 24, 2025 16:18
- Created Lambda function to post Security Hub findings to Slack
- Lambda retrieves Slack webhook URL from AWS Secrets Manager
- Added IAM roles and policies for Lambda execution and Secrets Manager access
- Formatted Slack messages with color-coded severity indicators
- Updated documentation with Slack webhook setup instructions
- All Slack resources are commented out and ready to enable
- Removed input_transformer from EventBridge targets (pass raw event to SNS)
- Updated Lambda function to parse full EventBridge event from SNS
- Enhanced Slack message formatting with rich attachments and fields
- Applied terraform changes successfully - all resources created
- EventBridge rules now route CRITICAL and HIGH findings to SNS
- SNS triggers both email and Lambda (Slack webhook)
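The "How It Works" and "Alert Format" sections above, together with the Lambda described in the two commits (raw EventBridge event passed through SNS, parsed in Lambda, posted to Slack with color-coded severity), can be exercised locally with the added example below. It is not the PR's own Terraform or Lambda code. Assumptions it makes: finding field names follow the AWS Security Finding Format (ASFF) as delivered by EventBridge; the event pattern dict is a constructed equivalent of the CRITICAL/HIGH + NEW rules; the hex colors, the console link shape and the sample finding are constructed; and `post_to_slack` is a stub standing in for the Secrets Manager lookup and webhook POST so the module runs offline.

```python
"""Security Hub -> EventBridge -> SNS -> Lambda alert formatting (added example, not the PR's code)."""
import json

# Constructed equivalent of the PR's EventBridge rules: CRITICAL/HIGH findings in workflow status NEW.
EVENT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"Severity": {"Label": ["CRITICAL", "HIGH"]},
                            "Workflow": {"Status": ["NEW"]}}},
}
SEVERITY_COLORS = {"CRITICAL": "#8B0000", "HIGH": "#FF8C00"}  # constructed: dark red / orange
SEVERITY_ICONS = {"CRITICAL": "🚨", "HIGH": "⚠️"}


def matches_rule(event: dict) -> bool:
    """Local check mirroring the EventBridge pattern. EventBridge matches an array field
    (detail.findings) if ANY element matches, so a batch with one HIGH/NEW finding fires
    even if the other findings in it are LOW; the per-finding filter below handles that."""
    if event.get("source") not in EVENT_PATTERN["source"]:
        return False
    if event.get("detail-type") not in EVENT_PATTERN["detail-type"]:
        return False
    wanted = EVENT_PATTERN["detail"]["findings"]
    for finding in event.get("detail", {}).get("findings", []):
        label = finding.get("Severity", {}).get("Label")
        status = finding.get("Workflow", {}).get("Status")
        if label in wanted["Severity"]["Label"] and status in wanted["Workflow"]["Status"]:
            return True
    return False


def console_link(region: str) -> str:
    # Assumed link shape: the regional Security Hub findings page (no Id filter applied).
    return f"https://{region}.console.aws.amazon.com/securityhub/home?region={region}#/findings"


def format_alert(finding: dict, account: str, region: str) -> dict:
    """One Slack attachment carrying the fields listed in the PR's 'Alert Format'."""
    label = finding.get("Severity", {}).get("Label", "UNKNOWN")
    resources = finding.get("Resources", [])
    resource_text = "\n".join(f"{r.get('Type', '?')}: {r.get('Id', '?')}" for r in resources) or "n/a"
    rec = finding.get("Remediation", {}).get("Recommendation", {})
    return {
        "color": SEVERITY_COLORS.get(label, "#808080"),
        "title": f"{SEVERITY_ICONS.get(label, '')} {label}: {finding.get('Title', 'Untitled finding')}",
        "title_link": console_link(region),
        "text": finding.get("Description", ""),
        "fields": [
            {"title": "Compliance", "value": finding.get("Compliance", {}).get("Status", "n/a"), "short": True},
            {"title": "Account / Region", "value": f"{account} / {region}", "short": True},
            {"title": "Affected resources", "value": resource_text, "short": False},
            {"title": "Remediation", "value": f"{rec.get('Text', 'n/a')} {rec.get('Url', '')}".strip(), "short": False},
        ],
    }


def build_slack_payload(lambda_event: dict) -> dict:
    """Unwrap the SNS envelope (Message holds the raw EventBridge event, since the
    input_transformer was removed), re-apply the filter per finding, and format."""
    attachments = []
    for record in lambda_event.get("Records", []):
        eb_event = json.loads(record["Sns"]["Message"])
        if not matches_rule(eb_event):
            continue
        account, region = eb_event.get("account", "unknown"), eb_event.get("region", "unknown")
        for finding in eb_event["detail"]["findings"]:
            if (finding.get("Severity", {}).get("Label") in SEVERITY_COLORS
                    and finding.get("Workflow", {}).get("Status") == "NEW"):
                attachments.append(format_alert(finding, account, region))
    return {"text": f"{len(attachments)} new Security Hub finding(s)", "attachments": attachments}


def post_to_slack(payload: dict) -> None:
    # Stub: the real Lambda reads the webhook URL from Secrets Manager and POSTs the JSON.
    print(json.dumps(payload, indent=2))


def handler(event, context=None):
    payload = build_slack_payload(event)
    if payload["attachments"]:
        post_to_slack(payload)
    return {"sent": len(payload["attachments"])}


# Constructed sample: one HIGH/NEW finding plus a LOW copy that must be dropped.
SAMPLE_FINDING = {
    "Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/example/finding/0001",
    "Title": "S3 bucket allows public read access",
    "Description": "The bucket policy grants read access to everyone.",
    "Severity": {"Label": "HIGH"}, "Compliance": {"Status": "FAILED"}, "Workflow": {"Status": "NEW"},
    "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}],
    "Remediation": {"Recommendation": {"Text": "Remove the public-read statement.", "Url": ""}},
}
SAMPLE_EB_EVENT = {
    "source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
    "account": "123456789012", "region": "us-east-1",
    "detail": {"findings": [SAMPLE_FINDING, {**SAMPLE_FINDING, "Severity": {"Label": "LOW"}}]},
}
SAMPLE_LAMBDA_EVENT = {"Records": [{"EventSource": "aws:sns", "Sns": {"Message": json.dumps(SAMPLE_EB_EVENT)}}]}

if __name__ == "__main__":
    print(handler(SAMPLE_LAMBDA_EVENT))
```

Running the module with the constructed sample prints one attachment and returns `{"sent": 1}`; the LOW copy is dropped by the per-finding filter even though the batch as a whole matched the rule, which is the check worth keeping in the real Lambda.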