
AWS Security Hub Integration

Use Case

The SecureCloudDB and AWS Security Hub integration lets you import findings, generated in real time from security policy alerts in SecureCloudDB, into Security Hub.

Benefits of this integration include the ability to:

  • View, analyze and manage database-specific vulnerabilities and threats in AWS
  • Instantly correlate findings from other tools and prioritize risks
  • Automate remediation via Lambda functions and decrease incident response time
  • Identify and consistently enforce compliance with security rules
  • Protect public cloud databases from attacks

How it Works

Create policies in your SecureCloudDB account related to Database Activity Monitoring and configurations. These policies will be continuously checked against the information in your AWS databases. When alerts are triggered because of a policy violation, they are converted into findings and sent from your SecureCloudDB account into your Security Hub account.

SecureCloudDB Findings

Once you have configured the criteria you want to alert on, SecureCloudDB can produce and send findings based on:

  • AWS Security Best Practices
  • AWS Config Managed Rules
  • CIS Security Benchmarks
  • Custom SecureCloudDB Assessments
  • Unusual Activity (Users, Databases, IP Addresses, Etc.)
  • Effects (Data Exposure, Data Destruction, Etc.)
  • Sensitive Data Identifications (PII, Passwords, Etc.)

SecureCloudDB native finding types map to ASFF finding types as follows:

SecureCloudDB Native Finding Types | ASFF-Formatted Finding Types
Data Exposure                      | Effects, Sensitive Data Identifications
Auditability                       | Software and Configuration Checks
Business Continuity                | Software and Configuration Checks
Data Protection                    | Effects, Sensitive Data Identifications
Activity Monitoring                | Unusual Behavior, TTPs

Findings Sent To Security Hub:

{
  "id": <alert-reference>,
  "awsAccountId": <customer-account-id>,
  "createdAt": <alert-creation-datetime>,
  "generatorId": <alert-policy-name>,
  "description": <alert-policy-description>,
  "productArn": <customer-security-hub-account-arn>,
  "resources": <arn-of-the-database-associated-to-the-alert>,
  "schemaVersion": "2018-10-08",
  "severity": <alert-severity-mapping>,
  "title": <custom-finding-title>,
  "types": <always-empty>,
  "updatedAt": <alert-creation-datetime>
}

<alert-reference> is the identifier SecureCloudDB uses to uniquely identify an alert on its platform.

<custom-finding-title> reflects the rule name for rule alerts and the policy name for database activity alerts.

<alert-severity-mapping> reflects the severity of the policy associated with the alert and is mapped as follows:

  • error alerts are defined as CRITICAL severity
  • warning alerts are defined as HIGH severity
  • informational alerts are defined as INFORMATIONAL severity
  • MEDIUM and LOW severities are not used
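The conversion described above, as an added example written for this page rather than SecureCloudDB's own code: it maps a SecureCloudDB-style alert to the ASFF finding sent to Security Hub, applies the severity mapping, chooses the title by alert kind, and validates the result locally before it is sent. The alert dictionary shape, SAMPLE_ALERT and the product ARN are assumptions constructed for the example. BatchImportFindings expects the ASFF field names in PascalCase (Id, AwsAccountId, ProductArn, ...), so the example uses those rather than the lower-case labels in the listing above.

```python
from datetime import datetime, timezone
from typing import Any, Dict

ASFF_SCHEMA_VERSION = "2018-10-08"

# SecureCloudDB policy severity -> ASFF Severity.Label. MEDIUM and LOW are deliberately absent.
SEVERITY_LABELS = {"error": "CRITICAL", "warning": "HIGH", "informational": "INFORMATIONAL"}
ASFF_LABELS = {"INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"}

# Fields BatchImportFindings rejects a finding without.
REQUIRED_FIELDS = ("SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId", "Types",
                   "CreatedAt", "UpdatedAt", "Severity", "Title", "Description", "Resources")


def asff_timestamp(ts: datetime) -> str:
    """Render a timezone-aware datetime in the ISO 8601 UTC form ASFF expects (...T12:00:00.250Z)."""
    if ts.tzinfo is None:
        raise ValueError("alert timestamps must be timezone-aware")
    utc = ts.astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S") + f".{utc.microsecond // 1000:03d}Z"


def alert_to_finding(alert: Dict[str, Any], account_id: str, product_arn: str) -> Dict[str, Any]:
    """Convert one alert (hypothetical dict shape, an assumption of this example) into an ASFF finding."""
    try:
        label = SEVERITY_LABELS[alert["severity"]]
    except KeyError:
        raise ValueError(f"unmapped alert severity: {alert.get('severity')!r}") from None
    # Title is the rule name for rule alerts and the policy name for database activity alerts.
    title = alert["rule_name"] if alert["kind"] == "rule" else alert["policy_name"]
    created = asff_timestamp(alert["created_at"])
    return {
        "SchemaVersion": ASFF_SCHEMA_VERSION,
        "Id": alert["reference"],  # stable per alert: re-sending the same Id updates, not duplicates
        "ProductArn": product_arn,
        "GeneratorId": alert["policy_name"],
        "AwsAccountId": account_id,
        "Types": [],  # the integration leaves Types empty
        "CreatedAt": created,
        "UpdatedAt": created,
        "Severity": {"Label": label},
        "Title": title,
        "Description": alert["policy_description"],
        "Resources": [{"Type": alert.get("resource_type", "Other"), "Id": alert["database_arn"]}],
    }


def validate_finding(finding: Dict[str, Any]) -> None:
    """Pre-flight check so a malformed finding fails here instead of coming back in FailedFindings."""
    missing = [f for f in REQUIRED_FIELDS if f not in finding]
    if missing:
        raise ValueError(f"missing ASFF fields: {missing}")
    if not finding["Resources"]:
        raise ValueError("Resources must contain at least one resource")
    if len(finding["Title"]) > 256 or len(finding["Description"]) > 1024:
        raise ValueError("Title (max 256) or Description (max 1024) exceeds the ASFF length limit")
    if finding["Severity"].get("Label") not in ASFF_LABELS:
        raise ValueError("Severity.Label is not a valid ASFF label")


# Constructed sample alert; every value is made up for illustration.
SAMPLE_ALERT = {
    "reference": "scdb-alert-000123",
    "kind": "activity",
    "policy_name": "Unusual login source",
    "policy_description": "Connection from an IP address not seen for this user in 30 days",
    "severity": "warning",
    "created_at": datetime(2024, 5, 1, 12, 0, 0, 250000, tzinfo=timezone.utc),
    "database_arn": "arn:aws:rds:us-east-1:111122223333:db:orders-prod",
    "resource_type": "AwsRdsDbInstance",
}
# Assumed product ARN in the form Security Hub uses for a custom ("default") product integration.
SAMPLE_PRODUCT_ARN = "arn:aws:securityhub:us-east-1:111122223333:product/111122223333/default"

if __name__ == "__main__":
    finding = alert_to_finding(SAMPLE_ALERT, "111122223333", SAMPLE_PRODUCT_ARN)
    validate_finding(finding)
    print(finding["Title"], finding["Severity"], finding["CreatedAt"])
```

With boto3 the validated dictionary goes straight into client.batch_import_findings(Findings=[finding]); an unmapped severity is rejected before that call rather than silently downgraded, which matters because the integration never emits MEDIUM or LOW.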

Integration Architecture

SecureCloudDB connects to Security Hub through the AWS SDK from containers running on Amazon Elastic Kubernetes Service (Amazon EKS). A dedicated function converts each SecureCloudDB alert into a Security Hub finding request (the ASFF structure shown above). Findings are sent from your SecureCloudDB account into your Security Hub account.

Sending Process

SecureCloudDB's sending process runs periodically: it reads the alert log for as many findings as it can send in one pass and sends them to Security Hub. When the sender is throttled, it backs off exponentially before trying again. On a successful send, the sender advances its position in the log.

SecureCloudDB keeps, in its alert processor, the position of the last finding that was sent to Security Hub. If findings did not make it through and need to be re-sent, they are retried from that position, backing off exponentially, until the send succeeds.

Findings are batched and sent to Security Hub within 60 seconds of being discovered.
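The sending process described above, as an added example written for this page rather than taken from SecureCloudDB's code: a checkpointed sender that drains a finding log in batches of at most 100 (the per-request limit of BatchImportFindings), backs off exponentially with jitter when throttled, advances its cursor only after Security Hub has accepted a batch, and records per-finding rejections reported in FailedFindings. FindingLog, the Throttled exception, FakeSecurityHub (a stand-in for the boto3 securityhub client) and the demo data are assumptions constructed for the example; with the real client, send_batch would wrap client.batch_import_findings and map throttling errors to Throttled.

```python
import random
import time
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

MAX_BATCH = 100  # BatchImportFindings accepts at most 100 findings per request


class Throttled(Exception):
    """Raised by send_batch when Security Hub throttles (e.g. boto3 TooManyRequestsException)."""


@dataclass
class FindingLog:
    """Append-only log of ASFF findings plus a persisted cursor: a hypothetical stand-in
    for the position SecureCloudDB keeps in its alert processor."""
    entries: List[Dict[str, Any]] = field(default_factory=list)
    position: int = 0  # index of the first finding not yet confirmed sent

    def pending(self, limit: int) -> List[Dict[str, Any]]:
        return self.entries[self.position:self.position + limit]

    def commit(self, count: int) -> None:
        self.position += count


@dataclass
class SendReport:
    sent: int = 0
    retries: int = 0
    failed_ids: List[str] = field(default_factory=list)


class Sender:
    def __init__(self, send_batch: Callable[[List[Dict[str, Any]]], Dict[str, Any]],
                 log: FindingLog, *, sleep: Callable[[float], None] = time.sleep,
                 rng: Callable[[float], float] = lambda cap: random.uniform(0, cap),
                 base_delay: float = 0.5, max_delay: float = 30.0, max_attempts: int = 6):
        self.send_batch, self.log, self.sleep, self.rng = send_batch, log, sleep, rng
        self.base_delay, self.max_delay, self.max_attempts = base_delay, max_delay, max_attempts

    def run_once(self) -> SendReport:
        """One periodic run: drain everything pending, in batches."""
        report = SendReport()
        while True:
            batch = self.log.pending(MAX_BATCH)
            if not batch:
                return report
            response = self._send_with_backoff(batch, report)
            # Per-finding rejections are validation errors, not transient faults:
            # record them and move on instead of stalling the whole log on them.
            failed = [f["Id"] for f in response.get("FailedFindings", [])]
            report.failed_ids.extend(failed)
            report.sent += len(batch) - len(failed)
            self.log.commit(len(batch))  # advance only after the request was accepted

    def _send_with_backoff(self, batch: List[Dict[str, Any]], report: SendReport) -> Dict[str, Any]:
        for attempt in range(1, self.max_attempts + 1):
            try:
                return self.send_batch(batch)
            except Throttled:
                if attempt == self.max_attempts:
                    raise  # cursor untouched: the next run retries from the same position
                report.retries += 1
                cap = min(self.max_delay, self.base_delay * 2 ** (attempt - 1))
                self.sleep(self.rng(cap))  # exponential backoff with full jitter


class FakeSecurityHub:
    """Constructed stand-in for the boto3 securityhub client: throttles the first
    throttle_calls requests, then accepts every finding whose Id is not in reject."""
    def __init__(self, throttle_calls: int = 0, reject=()):
        self.throttle_calls, self.reject = throttle_calls, set(reject)
        self.calls, self.accepted = 0, []

    def batch_import_findings(self, Findings):
        self.calls += 1
        if self.calls <= self.throttle_calls:
            raise Throttled("TooManyRequestsException")
        failed = [{"Id": f["Id"], "ErrorCode": "InvalidInput", "ErrorMessage": "constructed"}
                  for f in Findings if f["Id"] in self.reject]
        self.accepted.extend(f["Id"] for f in Findings if f["Id"] not in self.reject)
        return {"FailedCount": len(failed), "SuccessCount": len(Findings) - len(failed),
                "FailedFindings": failed}


def demo(num_findings: int = 250, throttle_calls: int = 2):
    """Constructed run: 250 findings, two throttles, one rejected Id, no real sleeping."""
    log = FindingLog([{"Id": f"scdb-alert-{i:06d}", "SchemaVersion": "2018-10-08"}
                      for i in range(num_findings)])
    hub = FakeSecurityHub(throttle_calls=throttle_calls, reject={"scdb-alert-000007"})
    sleeps: List[float] = []
    sender = Sender(lambda batch: hub.batch_import_findings(Findings=batch), log,
                    sleep=sleeps.append, rng=lambda cap: cap)  # deterministic delays for the demo
    return sender.run_once(), hub, log, sleeps


if __name__ == "__main__":
    report, hub, log, sleeps = demo()
    print(report, "calls:", hub.calls, "position:", log.position, "sleeps:", sleeps)
```

Resuming from the last committed position is safe because findings are keyed by Id: if a batch was accepted but the acknowledgement was lost, re-sending it updates the existing findings rather than duplicating them. Throttling past max_attempts raises without committing, so the next periodic run starts from the same position, which is the retry-until-success behaviour described above.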

Region Support

This integration supports all regions with the exception of the China - Beijing (cn-north-1) and China - Ningxia (cn-northwest-1) regions.

Security Hub Setup

Instructions on how to configure the SecureCloudDB and Security Hub integration in your account can be found here.