Security Hub Slack Notifications
Introduction
Each AWS account under the Modernisation Platform (MP) Organizational Unit (OU) has Security Hub enabled, and all findings are centralised into the eu-west-2 region.
To receive the Security Hub severity summary in Slack, you need to:
- Add the Slack channel name as a tag in the <application>.json file in the modernisation-platform repository
- Store the Slack webhook URL as a secret via the workflow
Steps
Add Security Hub Slack Channel Tag to <application>.json
In the <application>.json file, add or update the securityhub-slack-channel tag under tags. You can find your <application>.json file in the modernisation-platform repository under the environments/ folder.
Example
"tags": {
"application": "modernisation-platform",
"business-unit": "Platforms",
"securityhub-slack-channel": "modernisation-platform",
"critical-national-infrastructure": false
}
Trigger the Slack Webhook Workflow
After committing the updated JSON file, merge the PR. Then, manually trigger the GitHub Actions workflow to add or update the Slack webhook URL.
Run the Update Securityhub Slack Secret Workflow
Click on “Run workflow” and provide the following inputs:
- Application name: the name of your application (e.g., modernisation-platform)
- Slack webhook URL: the full Slack webhook URL (e.g., <slack webhook url>)
Treat the webhook URL as a credential: anyone who has it can post to the channel, so do not commit it to the repository or paste it into issues or PR comments. The workflow exists so that it is only ever stored as a secret.
Once the workflow completes successfully, you will see the confirmation message:
Slack channel <slack channel name> webhook added/updated in secret
Daily Notification Job
A scheduled GitHub Actions job runs daily to send a summary of Security Hub severity findings to the Slack channel you specified in the tag.
The summary includes counts of findings by severity (Critical, High, Medium, Low) for that account.
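To show what the two steps above feed into, here is an added example (not the Modernisation Platform's own workflow code) that reads the securityhub-slack-channel tag from an <application>.json file, checks that a supplied webhook URL actually has the shape of a Slack incoming-webhook URL before it would be stored or used, and builds the kind of severity summary the daily job sends. The application JSON, the findings and the account ID are constructed samples; the findings are trimmed to the ASFF fields the summary needs (Severity.Label, Workflow.Status, RecordState). Only findings that are still open (ACTIVE and neither RESOLVED nor SUPPRESSED) are counted.

```python
import json
import re
import urllib.request
from collections import Counter

# Severity labels as Security Hub's ASFF Severity.Label reports them, highest first.
SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL")

# Constructed sample of an environments/<application>.json file (not a real MP file).
SAMPLE_APPLICATION_JSON = json.dumps({
    "tags": {
        "application": "modernisation-platform",
        "business-unit": "Platforms",
        "securityhub-slack-channel": "modernisation-platform",
        "critical-national-infrastructure": False,
    }
})

# Constructed sample findings, trimmed to the ASFF fields the summary needs.
SAMPLE_FINDINGS = [
    {"Id": "f-1", "Severity": {"Label": "CRITICAL"}, "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE"},
    {"Id": "f-2", "Severity": {"Label": "HIGH"}, "Workflow": {"Status": "NOTIFIED"}, "RecordState": "ACTIVE"},
    {"Id": "f-3", "Severity": {"Label": "HIGH"}, "Workflow": {"Status": "RESOLVED"}, "RecordState": "ACTIVE"},
    {"Id": "f-4", "Severity": {"Label": "MEDIUM"}, "Workflow": {"Status": "NEW"}, "RecordState": "ARCHIVED"},
    {"Id": "f-5", "Severity": {"Label": "LOW"}, "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE"},
]

# Shape of a Slack incoming-webhook URL (https, hooks.slack.com, three path tokens).
# Anything else is rejected before it is stored or posted to.
WEBHOOK_RE = re.compile(r"^https://hooks\.slack\.com/services/[A-Za-z0-9]+/[A-Za-z0-9]+/[A-Za-z0-9]+$")


def slack_channel_from_application_json(text):
    """Return the securityhub-slack-channel tag value, or None if it is missing or blank."""
    tags = json.loads(text).get("tags", {})
    channel = tags.get("securityhub-slack-channel")
    if not isinstance(channel, str) or not channel.strip():
        return None
    return channel.strip().lstrip("#")


def is_slack_webhook_url(url):
    """True only for an https hooks.slack.com incoming-webhook URL."""
    return bool(WEBHOOK_RE.match(url))


def redact_webhook(url):
    """Mask the final path segment (the secret part) so the URL can appear in logs safely."""
    head, _, _ = url.rpartition("/")
    return head + "/***"


def severity_counts(findings):
    """Count findings that are still open: ACTIVE record state and not resolved/suppressed."""
    counts = Counter()
    for finding in findings:
        if finding.get("RecordState") != "ACTIVE":
            continue
        if finding.get("Workflow", {}).get("Status") in ("RESOLVED", "SUPPRESSED"):
            continue
        counts[finding["Severity"]["Label"]] += 1
    return {label: counts.get(label, 0) for label in SEVERITY_ORDER}


def build_slack_payload(account_id, channel, counts):
    """Build the JSON body for the incoming webhook; webhooks accept a plain "text" field."""
    lines = [f"Security Hub open findings for account {account_id} (#{channel})"]
    lines += [f"{label.title()}: {counts[label]}" for label in SEVERITY_ORDER]
    return {"text": "\n".join(lines)}


def post_summary(webhook_url, payload, timeout=10):
    """POST the payload to Slack. Network call; never invoked in the offline demo below."""
    if not is_slack_webhook_url(webhook_url):
        raise ValueError(f"refusing to post to non-Slack webhook {redact_webhook(webhook_url)}")
    req = urllib.request.Request(
        webhook_url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    channel = slack_channel_from_application_json(SAMPLE_APPLICATION_JSON)
    counts = severity_counts(SAMPLE_FINDINGS)
    print(json.dumps(build_slack_payload("123456789012", channel, counts), indent=2))
```

The webhook check and the redaction helper are the two things worth copying into any script that handles these URLs: the check stops a mistyped or non-Slack URL from being saved as the secret, and the redaction keeps the secret path segment out of workflow logs if the post fails.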
You can see an example of the summary results here.
If you do not receive a daily message, please raise an issue in #ask-modernisation-platform.