
Commit 0b9c76a

feat(insights): Additional Service integrations
1 parent f426962 commit 0b9c76a


4 files changed

+274
-19
lines changed


README.md

Lines changed: 40 additions & 14 deletions
@@ -2,11 +2,13 @@
22

33
<!-- markdownlint-disable -->
44

5-
[![Build Status](https://github.com/gooygeek/terraform-aws-securityhub-summary-email/actions/workflows/terraform.yml/badge.svg)](https://github.com/gooygeek/terraform-aws-securityhub-summary-email/actions/workflows/terraform.yml)
6-
[![Release](https://github.com/gooygeek/terraform-aws-securityhub-summary-email/actions/workflows/release.yml/badge.svg)](https://github.com/gooygeek/terraform-aws-securityhub-summary-email/actions/workflows/release.yml)
5+
[![Build Status](https://github.com/aesop/terraform-aws-securityhub-summary-email/actions/workflows/terraform.yml/badge.svg)](https://github.com/aesop/terraform-aws-securityhub-summary-email/actions/workflows/terraform.yml)
6+
[![Release](https://github.com/aesop/terraform-aws-securityhub-summary-email/actions/workflows/release.yml/badge.svg)](https://github.com/aesop/terraform-aws-securityhub-summary-email/actions/workflows/release.yml)
77

88
<!-- markdownlint-restore -->
99

10+
Cloned from [gooygeek/terraform-aws-securityhub-summary-email](https://github.com/gooygeek/terraform-aws-securityhub-summary-email)
11+
1012
Generates and sends a periodic email summarising of Security Hub. Based on https://github.com/aws-samples/aws-security-hub-summary-email
1113

1214
This solution uses Security Hub custom insights, AWS Lambda, and the Security Hub API. A custom insight is a collection of findings that are aggregated by a grouping attribute, such as severity or status. Insights help you identify common security issues that may require remediation action. Security Hub includes several managed insights, or you can create your own custom insights.
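Review bot: the new "Cloned from" line correctly credits the gooygeek repository while the badges now point at the aesop organisation, but the sentence directly beneath it still reads "summarising of Security Hub"; since this paragraph is already being edited, fix it to "summarising Security Hub findings" so the README's one-line description is grammatical.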
@@ -43,7 +45,7 @@ Here's how to invoke this module in your projects:
4345

4446
```hcl
4547
module "securityhub-email" {
46-
source = "gooygeek/security-hub-summary-email/aws"
48+
source = "app.terraform.io/aesop/security-hub-summary-email/aws"
4749
version = "x.x.x"
4850
}
4951
```
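Review bot: the `source` now points at a private Terraform Cloud registry (`app.terraform.io/aesop/...`), so `terraform init` will fail for anyone without a token for that organisation; add a sentence above this block stating that `terraform login` (or a `credentials "app.terraform.io"` block in the CLI config) is required. The `version = "x.x.x"` placeholder should also become a real constraint once the first release is published, so that the snippet works when copied verbatim.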
@@ -88,17 +90,41 @@ Here is an example of using this module: [`examples/managed_sns`](https://github
8890

8991
## Inputs
9092

91-
| Name | Description | Type | Default | Required |
92-
| --------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ------------------- | :------: |
93-
| <a name="input_additional_email_header_text"></a> [additional_email_header_text](#input_additional_email_header_text) | Additional text to append at the start of email message. | `string` | `""` | no |
94-
| <a name="input_additional_email_footer_text"></a> [additional_email_footer_text](#input_additional_email_footer_text) | Additional text to append at the end of email message. | `string` | `""` | no |
95-
| <a name="input_email"></a> [email](#input_email) | Email Address for Subscriber to Security Hub summary. Only used if SNS arn is not specified. | `string` | `null` | no |
96-
| <a name="input_insights"></a> [insights](#input_insights) | list of insights and in what order to include in the summary. Possible values are: `aws_best_practices_by_status`, `aws_best_practices_by_severity`, `cis_by_status`, `cis_by_severity`, `guardduty_findings_by_severity`, `iam_access_keys_by_severity`, `all_findings_by_severity`, `new_findings`, `top_resource_types_with_findings_by_count`. | `list` | `[]` | no |
97-
| <a name="input_name"></a> [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'. | `string` | `sechub-aummariser` | no |
98-
| <a name="input_schedule"></a> [schedule](#input_schedule) | Expression for scheduling the Security Hub summary email. Default: Every Monday 8:00 AM UTC. Example: Every Friday 9:00 AM UTC: cron(0 9 ? _ 6 _). | `string` | `cron(0 8 ? * 2 *)` | no |
99-
| <a name="input_sns_topic_arn"></a> [sns_topic_arn](#input_sns_topic_arn) | ARN of the SNS Topic to send summaries to. If empty, a topic is created for you. | `string` | `null` | no |
100-
| <a name="input_kms_key_id"></a> [kms_key_id](#input_kms_key_id) | KMS Key ID to use for encrypting the topic. | `string` | `alias/aws/sns` | no |
101-
| <a name="input_tags"></a> [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`). | `map(string)` | `{}` | no |
93+
| Name | Description | Type | Default | Required |
94+
| --------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ------------------- | :------: |
95+
| <a name="input_additional_email_header_text"></a> [additional_email_header_text](#input_additional_email_header_text) | Additional text to append at the start of email message. | `string` | `""` | no |
96+
| <a name="input_additional_email_footer_text"></a> [additional_email_footer_text](#input_additional_email_footer_text) | Additional text to append at the end of email message. | `string` | `""` | no |
97+
| <a name="input_email"></a> [email](#input_email) | Email Address for Subscriber to Security Hub summary. Only used if SNS arn is not specified. | `string` | `null` | no |
98+
| <a name="input_insights"></a> [insights](#input_insights) | list of insights and in what order to include in the summary. See Below for possible values. | `list` | `[]` | no |
99+
| <a name="input_name"></a> [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'. | `string` | `sechub-aummariser` | no |
100+
| <a name="input_schedule"></a> [schedule](#input_schedule) | Expression for scheduling the Security Hub summary email. Default: Every Monday 8:00 AM UTC. Example: Every Friday 9:00 AM UTC: cron(0 9 ? _ 6 _). | `string` | `cron(0 8 ? * 2 *)` | no |
101+
| <a name="input_sns_topic_arn"></a> [sns_topic_arn](#input_sns_topic_arn) | ARN of the SNS Topic to send summaries to. If empty, a topic is created for you. | `string` | `null` | no |
102+
| <a name="input_kms_key_id"></a> [kms_key_id](#input_kms_key_id) | KMS Key ID to use for encrypting the topic. | `string` | `alias/aws/sns` | no |
103+
| <a name="input_tags"></a> [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`). | `map(string)` | `{}` | no |
104+
105+
### Possible insight values
106+
107+
- `aws_best_practices_by_status`
108+
- `aws_best_practices_by_severity`
109+
- `cis_by_status`
110+
- `cis_by_severity`
111+
- `health_by_severity` (AWS Health events)
112+
- `guardduty_by_severity` (GuardDuty)
113+
- `macie_by_severity` (Macie)
114+
- `iam_by_severity` (IAM Access Analyzer)
115+
- `ta_by_severity` (Trusted Advisor)
116+
- `inspector_by_severity` (Inspector)
117+
- `ssmpm_by_severity` (Systems Manager Patch Manager)
118+
- `ssmops_by_severity` (Systems Manager OpsCenter and Explorer)
119+
- `fwman_by_severity` (Firewall Manager)
120+
- `auditman_by_severity` (Audit Manager)
121+
- `detective_by_severity` (Detective)
122+
- `chatbot_by_severity` (Chatbot)
123+
- `all_findings_by_severity`
124+
- `new_findings`
125+
- `top_resource_types_with_findings_by_count`
126+
127+
See [documentation](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-internal-providers.html) for a list of Security Hub integrations
102128

103129
## Outputs
104130

main.tf

Lines changed: 221 additions & 2 deletions
@@ -128,6 +128,27 @@ resource "aws_securityhub_insight" "cis_by_severity" {
128128
}
129129
}
130130

131+
resource "aws_securityhub_insight" "health_by_severity" {
132+
name = "Summary Email - Count of Health findings by severity"
133+
134+
group_by_attribute = "SeverityLabel"
135+
136+
filters {
137+
product_name {
138+
comparison = "EQUALS"
139+
value = "Health"
140+
}
141+
workflow_status {
142+
comparison = "NOT_EQUALS"
143+
value = "SUPPRESSED"
144+
}
145+
record_state {
146+
comparison = "EQUALS"
147+
value = "ACTIVE"
148+
}
149+
}
150+
}
151+
131152
resource "aws_securityhub_insight" "guardduty_by_severity" {
132153
name = "Summary Email - Count of Amazon GuardDuty findings by severity"
133154

@@ -153,6 +174,26 @@ resource "aws_securityhub_insight" "guardduty_by_severity" {
153174
}
154175
}
155176

177+
resource "aws_securityhub_insight" "macie_by_severity" {
178+
name = "Summary Email - Count of Macie findings by severity"
179+
180+
group_by_attribute = "SeverityLabel"
181+
182+
filters {
183+
product_name {
184+
comparison = "EQUALS"
185+
value = "Macie"
186+
}
187+
workflow_status {
188+
comparison = "NOT_EQUALS"
189+
value = "SUPPRESSED"
190+
}
191+
record_state {
192+
comparison = "EQUALS"
193+
value = "ACTIVE"
194+
}
195+
}
196+
}
156197
resource "aws_securityhub_insight" "iam_by_severity" {
157198
name = "Summary Email - Count of IAM Access Analyzer findings by severity"
158199

@@ -174,6 +215,174 @@ resource "aws_securityhub_insight" "iam_by_severity" {
174215
}
175216
}
176217

218+
resource "aws_securityhub_insight" "ta_by_severity" {
219+
name = "Summary Email - Count of Trusted Advisor findings by severity"
220+
221+
group_by_attribute = "SeverityLabel"
222+
223+
filters {
224+
product_name {
225+
comparison = "EQUALS"
226+
value = "Trusted Advisor"
227+
}
228+
workflow_status {
229+
comparison = "NOT_EQUALS"
230+
value = "SUPPRESSED"
231+
}
232+
record_state {
233+
comparison = "EQUALS"
234+
value = "ACTIVE"
235+
}
236+
}
237+
}
238+
239+
resource "aws_securityhub_insight" "inspector_by_severity" {
240+
name = "Summary Email - Count of Inspector findings by severity"
241+
242+
group_by_attribute = "SeverityLabel"
243+
244+
filters {
245+
product_name {
246+
comparison = "EQUALS"
247+
value = "Inspector"
248+
}
249+
workflow_status {
250+
comparison = "NOT_EQUALS"
251+
value = "SUPPRESSED"
252+
}
253+
record_state {
254+
comparison = "EQUALS"
255+
value = "ACTIVE"
256+
}
257+
}
258+
}
259+
260+
resource "aws_securityhub_insight" "ssmpm_by_severity" {
261+
name = "Summary Email - Count of Systems Manager Patch Manager findings by severity"
262+
263+
group_by_attribute = "SeverityLabel"
264+
265+
filters {
266+
product_name {
267+
comparison = "EQUALS"
268+
value = "Systems Manager Patch Manager"
269+
}
270+
workflow_status {
271+
comparison = "NOT_EQUALS"
272+
value = "SUPPRESSED"
273+
}
274+
record_state {
275+
comparison = "EQUALS"
276+
value = "ACTIVE"
277+
}
278+
}
279+
}
280+
281+
resource "aws_securityhub_insight" "ssmops_by_severity" {
282+
name = "Summary Email - Count of Systems Manager OpsCenter and Explorer findings by severity"
283+
284+
group_by_attribute = "SeverityLabel"
285+
286+
filters {
287+
product_name {
288+
comparison = "EQUALS"
289+
value = "Systems Manager OpsCenter and Explorer"
290+
}
291+
workflow_status {
292+
comparison = "NOT_EQUALS"
293+
value = "SUPPRESSED"
294+
}
295+
record_state {
296+
comparison = "EQUALS"
297+
value = "ACTIVE"
298+
}
299+
}
300+
}
301+
302+
resource "aws_securityhub_insight" "fwman_by_severity" {
303+
name = "Summary Email - Count of Firewall Manager findings by severity"
304+
305+
group_by_attribute = "SeverityLabel"
306+
307+
filters {
308+
product_name {
309+
comparison = "EQUALS"
310+
value = "Firewall Manager"
311+
}
312+
workflow_status {
313+
comparison = "NOT_EQUALS"
314+
value = "SUPPRESSED"
315+
}
316+
record_state {
317+
comparison = "EQUALS"
318+
value = "ACTIVE"
319+
}
320+
}
321+
}
322+
323+
resource "aws_securityhub_insight" "auditman_by_severity" {
324+
name = "Summary Email - Count of Audit Manager findings by severity"
325+
326+
group_by_attribute = "SeverityLabel"
327+
328+
filters {
329+
product_name {
330+
comparison = "EQUALS"
331+
value = "Audit Manager"
332+
}
333+
workflow_status {
334+
comparison = "NOT_EQUALS"
335+
value = "SUPPRESSED"
336+
}
337+
record_state {
338+
comparison = "EQUALS"
339+
value = "ACTIVE"
340+
}
341+
}
342+
}
343+
344+
resource "aws_securityhub_insight" "detective_by_severity" {
345+
name = "Summary Email - Count of Detective findings by severity"
346+
347+
group_by_attribute = "SeverityLabel"
348+
349+
filters {
350+
product_name {
351+
comparison = "EQUALS"
352+
value = "Detective"
353+
}
354+
workflow_status {
355+
comparison = "NOT_EQUALS"
356+
value = "SUPPRESSED"
357+
}
358+
record_state {
359+
comparison = "EQUALS"
360+
value = "ACTIVE"
361+
}
362+
}
363+
}
364+
365+
resource "aws_securityhub_insight" "chatbot_by_severity" {
366+
name = "Summary Email - Count of Chatbot findings by severity"
367+
368+
group_by_attribute = "SeverityLabel"
369+
370+
filters {
371+
product_name {
372+
comparison = "EQUALS"
373+
value = "Chatbot"
374+
}
375+
workflow_status {
376+
comparison = "NOT_EQUALS"
377+
value = "SUPPRESSED"
378+
}
379+
record_state {
380+
comparison = "EQUALS"
381+
value = "ACTIVE"
382+
}
383+
}
384+
}
385+
177386
resource "aws_securityhub_insight" "all_by_severity" {
178387
name = "Summary Email - Count of all unresolved findings by severity"
179388

@@ -245,8 +454,18 @@ locals {
245454
"aws_best_practices_by_severity" = aws_securityhub_insight.aws_best_prac_by_severity.arn
246455
"cis_by_status" = aws_securityhub_insight.cis_by_status.arn
247456
"cis_by_severity" = aws_securityhub_insight.cis_by_severity.arn
248-
"guardduty_findings_by_severity" = aws_securityhub_insight.guardduty_by_severity.arn
249-
"iam_access_keys_by_severity" = aws_securityhub_insight.iam_by_severity.arn
457+
"health_by_severity" = aws_securityhub_insight.health_by_severity.arn
458+
"guardduty_by_severity" = aws_securityhub_insight.guardduty_by_severity.arn
459+
"macie_by_severity" = aws_securityhub_insight.macie_by_severity.arn
460+
"iam_by_severity" = aws_securityhub_insight.iam_by_severity.arn
461+
"ta_by_severity" = aws_securityhub_insight.ta_by_severity.arn
462+
"inspector_by_severity" = aws_securityhub_insight.inspector_by_severity.arn
463+
"ssmpm_by_severity" = aws_securityhub_insight.ssmpm_by_severity.arn
464+
"ssmops_by_severity" = aws_securityhub_insight.ssmops_by_severity.arn
465+
"fwman_by_severity" = aws_securityhub_insight.fwman_by_severity.arn
466+
"auditman_by_severity" = aws_securityhub_insight.auditman_by_severity.arn
467+
"detective_by_severity" = aws_securityhub_insight.detective_by_severity.arn
468+
"chatbot_by_severity" = aws_securityhub_insight.chatbot_by_severity.arn
250469
"all_findings_by_severity" = aws_securityhub_insight.all_by_severity.arn
251470
"new_findings" = aws_securityhub_insight.new_findings.arn
252471
"top_resource_types_with_findings_by_count" = aws_securityhub_insight.top_resource_types.arn
