Security Hub Slack Notifications
This page covers the various Security Hub alerts that are forwarded to Slack. There are two sections:
- Slack alerts reported by Security Hub for Core accounts.
- Slack alerts forwarded to selected member accounts.
Core Account Alerts
Deployment via Terraform
These alerts are deployed in SECURE BASELINES via the modernisation-platform-terraform-baselines module and are generated via an EventBridge rule that scans for those events with pre-defined levels of criticality.
Initially this has been set to include “CRITICAL” alerts only; in future it will be extended to “HIGH” and possibly other levels. These levels are set as a local in the modernisation-platform repo. Currently the core-shared-services account is excluded from scope but will be added in the future.
Viewing and Resolving Security Hub Alerts
The Slack alerts are routed via PagerDuty to the channel modernisation-platform-sec-hub-high-alerts and occur only when a finding's Workflow status is set to ‘NEW’. Existing alerts will not be flagged again unless their status changes.
Once an alert is received in Slack, the cause must be reviewed in the AWS Console and the underlying issue assessed and resolved. Once resolved, the appropriate Workflow Status can be applied to the finding.
Further information on the workflow for Security Hub alerts can be found in the AWS Documentation
Note that due to the behaviour of PagerDuty, Slack alerts will be shown as resolved 4 hours after receipt, even if the underlying Security Hub finding has not been reviewed.
Member Account Alerts
Introduction
Each AWS account under the Modernisation Platform (MP) Organizational Unit (OU) has Security Hub enabled, and all findings are centralised into the eu-west-2 region.
To receive the Security Hub severity summary in Slack, you need to:
- Add the Slack channel name as a tag in the <application>.json file in the modernisation-platform repository
- Store the Slack webhook URL as a secret via the workflow
Steps
Add Security Hub Slack Channel Tag to <application>.json
In the <application>.json file, add or update the securityhub-slack-channel tag under tags.
You can find your <application>.json file in the modernisation-platform repository under the environments/ folder.
Example
"tags": {
  "application": "modernisation-platform",
  "business-unit": "Platforms",
  "securityhub-slack-channel": "modernisation-platform",
  "critical-national-infrastructure": false
}
Trigger the Slack Webhook Workflow
After committing the updated JSON file, merge the PR. Then, manually trigger the GitHub Actions workflow to add or update the Slack webhook URL.
Run the Update Securityhub Slack Secret Workflow
Click on “Run workflow” and provide the following inputs:
- Application name: the name of your application (e.g., modernisation-platform)
- Slack webhook URL: the full Slack webhook URL (e.g., <slack webhook url>)
Once the workflow completes successfully, you will see the confirmation message:
Slack channel <slack channel name> webhook added/updated in secret
Daily Notification Job
A scheduled GitHub Actions job runs daily to send a summary of Security Hub severity findings to the Slack channel you specified in the tag.
The summary includes counts of findings by severity (e.g., Critical, High, Medium, Low) for the particular account.
You can see an example of the summary results here.
If you do not receive a daily message, please raise an issue in #ask-modernisation-platform.
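As an added illustration, not the platform's own workflow code, the following stand-alone Python sketch shows the aggregation such a daily job performs: restrict findings to one account, count only active findings whose workflow status is still NEW or NOTIFIED, and build the webhook body sent to Slack. The ASFF field names (AwsAccountId, RecordState, Workflow.Status, Severity.Label) are real Security Hub fields; the sample findings, account IDs and message wording are constructed assumptions.

```python
import json
import urllib.request
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL")

# Constructed sample findings in ASFF shape (only the fields the summary needs);
# a real job would page through the securityhub GetFindings API instead.
SAMPLE_FINDINGS = [
    {"AwsAccountId": "111111111111", "RecordState": "ACTIVE",
     "Workflow": {"Status": "NEW"}, "Severity": {"Label": "CRITICAL"}},
    {"AwsAccountId": "111111111111", "RecordState": "ACTIVE",
     "Workflow": {"Status": "NEW"}, "Severity": {"Label": "HIGH"}},
    {"AwsAccountId": "111111111111", "RecordState": "ACTIVE",
     "Workflow": {"Status": "NOTIFIED"}, "Severity": {"Label": "HIGH"}},
    # Resolved finding: excluded from the count.
    {"AwsAccountId": "111111111111", "RecordState": "ACTIVE",
     "Workflow": {"Status": "RESOLVED"}, "Severity": {"Label": "MEDIUM"}},
    # Archived finding: excluded even though its workflow status is NEW.
    {"AwsAccountId": "111111111111", "RecordState": "ARCHIVED",
     "Workflow": {"Status": "NEW"}, "Severity": {"Label": "LOW"}},
    # Finding from another account: excluded by the account filter.
    {"AwsAccountId": "222222222222", "RecordState": "ACTIVE",
     "Workflow": {"Status": "NEW"}, "Severity": {"Label": "CRITICAL"}},
]

def summarise_findings(findings, account_id):
    """Count unresolved (NEW or NOTIFIED), active findings per severity label."""
    counts = Counter(
        f["Severity"]["Label"]
        for f in findings
        if f["AwsAccountId"] == account_id
        and f["RecordState"] == "ACTIVE"
        and f["Workflow"]["Status"] in ("NEW", "NOTIFIED")
    )
    return {label: counts.get(label, 0) for label in SEVERITIES}

def build_slack_payload(application, summary):
    """Slack incoming-webhook body listing the counts, highest severity first."""
    lines = [f"Security Hub daily summary for *{application}*"]
    lines += [f"{label.title()}: {summary[label]}" for label in SEVERITIES]
    return {"text": "\n".join(lines)}

def post_to_slack(webhook_url, payload):
    """POST the payload to the webhook URL read from the account's secret."""
    req = urllib.request.Request(
        webhook_url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status
```

Running summarise_findings over the sample and passing the result to build_slack_payload yields one Critical and two High findings for the constructed account; post_to_slack is only called once a real webhook URL is available.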