1

We have a Cloud Custodian policy for AWS EC2 that posts its findings to AWS Security Hub.

Is there a way to include the EC2 OS type (Linux/Windows) in the details that are sent to Security Hub by Cloud Custodian?

We're pushing Security Hub findings to Sumo Logic & need to query these findings by OS.

Here's our policy:

policies:
- name: ec2-report-compliant-base-linux
  resource: ec2
  mode:
    type: periodic
    schedule: rate(1 hour)
  filters:
  - PlatformDetails: Linux/UNIX
  - type: value
    key: ImageId
    op: in
    value:
    - ami-0123456789
    - ami-1234567890
    - ami-2345678901
  actions:
  - type: post-finding
    confidence: 100
    severity: 0
    severity_normalized: 0
    compliance_status: PASSED
    title: Compliant AMI
    types:
    - "Software and Configuration Checks/AWS Security Best Practices/Compliant Linux AMI"

Although it's technically possible to query by the "type" in this example to get Linux instances...

%Type = Software and Configuration Checks/AWS Security Best Practices/Compliant Linux AMI

...there are other similar use cases we have, where we need to query by OS type directly in Sumo Logic.

So, is there a way to include OS type in the findings posted by Cloud Custodian to Security Hub?

Harish KM
  • 1,303
  • 7
  • 17

1 Answers1

0

Hope I understand the bounds to your setup here, but you could try to put the policy name or the post-finding title parameter to use. I'll expand on this.

So, if you could functionally separate out the policy based on the OS type, one for each Linux distribution you use in your environment, your title and all the other related fields could stay the same and you should have tags in Security Hub that is created from this said policy name.

The title parameter in post-finding actions is also used when creating tags for this event in Security Hub but I feel like the use here is somewhat reserved for your compliance scenario.

For resources that are taggable, we will tag the resource with an identifier such that further findings generate updates. The name of the tag comes from the title parameter of the post-finding action, or the policy name if title is empty. This allows different policies to update the same finding if they specify the same title.

I'm sure there are other wrapper-processes you could use such as jinja2 templates to generate your policies in the first place and potentially go down that route.

ref: post-finding: https://cloudcustodian.io/docs/aws/resources/aws-common-actions.html#post-finding (see Schema for available parameters)

Boreaz
  • 22
  • 3