Automating Remediation of Security Findings | Best Methods for AWS Security Hub | AWS Certified SysOps Administrator Exam

Automating Remediation of Security Findings

Question

You are helping your team to consolidate security findings through AWS Security Hub.

The security team asks you to automate the remediation of security findings reported from AWS Security Hub.

Which of the following methods is the most appropriate?

Answers

A. Create a remediation rule in CloudWatch Events for the “Security Hub Insight Results” events.

B. Create a rule in EventBridge or CloudWatch Events for the “Security Hub Findings - Imported” events. Register a Lambda function as the target of the rule that defines remediation actions.

C. Create an AWS Config rule that launches a remediation Lambda function for the “Security Hub Findings” events sent from Security Hub.

D. In the CloudTrail S3 bucket, configure the S3 event notification with a Lambda function to handle the “Security Hub Finding” events.

Explanations

Correct Answer: B.

Option A is incorrect because “Security Hub Insight Results” events are not the same as the security finding events.

Option B is CORRECT because Security Hub integrates with EventBridge (or CloudWatch Events) by forwarding its security findings as events.

Users can configure a rule as below:
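As an added example (not code from the original page or from AWS), the rule's event pattern for option B and a Python Lambda handler that routes each imported finding to a remediation function. The severity filter, the remediation registry keyed by GeneratorId, the S3.2 control id used as its key, and the sample event are constructed for illustration; the handler also skips findings that already pass or were closed so it is safe to re-run.

```python
# EventBridge event pattern for the rule in option B. The severity filter is an
# added assumption: only HIGH/CRITICAL findings trigger the Lambda.
EVENT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"Severity": {"Label": ["HIGH", "CRITICAL"]}}},
}
SKIP_WORKFLOW = {"RESOLVED", "SUPPRESSED"}  # fixed already, or closed by an analyst
S3_2 = "aws-foundational-security-best-practices/v/1.0.0/S3.2"  # assumed control id

def fix_public_s3_bucket(finding):
    """Hypothetical remediation: a real Lambda would call
    s3.put_public_access_block(); here it only returns the planned action."""
    bucket = finding["Resources"][0]["Id"].rsplit(":::", 1)[-1]
    return {"action": "put_public_access_block", "bucket": bucket}

# Remediation registry keyed by the finding's GeneratorId (constructed mapping).
REMEDIATIONS = {S3_2: fix_public_s3_bucket}

def lambda_handler(event, context=None):
    """Route each imported finding to its remediation; return an audit summary."""
    handled = []
    for f in event["detail"]["findings"]:
        entry = {"id": f["Id"], "status": "skipped"}
        # Never re-remediate a finding that already passes or was closed.
        if (f.get("Workflow", {}).get("Status") in SKIP_WORKFLOW
                or f.get("Compliance", {}).get("Status") == "PASSED"):
            handled.append(entry)
            continue
        action = REMEDIATIONS.get(f.get("GeneratorId"))
        if action is None:
            entry["status"] = "no_remediation"  # leave for manual triage
        else:
            entry.update(status="remediated", result=action(f))
        handled.append(entry)
    return {"handled": handled}

def make_finding(fid, generator, compliance, resource_arn):
    """Build a minimal ASFF-shaped finding for the constructed sample event."""
    return {"Id": fid, "GeneratorId": generator, "Severity": {"Label": "HIGH"},
            "Compliance": {"Status": compliance}, "Workflow": {"Status": "NEW"},
            "Resources": [{"Type": "AwsS3Bucket", "Id": resource_arn}]}

# Constructed sample: one finding to fix, one already passing, one unknown control.
SAMPLE_EVENT = {"source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
                "detail": {"findings": [
                    make_finding("f-1", S3_2, "FAILED", "arn:aws:s3:::demo-bucket"),
                    make_finding("f-2", S3_2, "PASSED", "arn:aws:s3:::ok-bucket"),
                    make_finding("f-3", "constructed/other-control", "FAILED", "arn:aws:s3:::x")]}}
```

The `EVENT_PATTERN` dict is what goes into the EventBridge rule; the rule, not the handler, guarantees the source and detail-type of delivered events.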

For different types of Security Hub integration with EventBridge, please check https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cwe-integration-types.html.

Option C is incorrect because Security Hub does not forward its security finding events to AWS Config.

Option D is incorrect because the Lambda function would need its own logic to parse the CloudTrail logs and filter out the Security Hub events.

Users can instead receive the Security Hub events directly through EventBridge or CloudWatch Events.

Option B is more straightforward and should be chosen.

Reference:

https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cwe-all-findings.html


AWS Security Hub is a service that provides a comprehensive view of security alerts and compliance status across an AWS account. It aggregates and normalizes findings from various AWS services, such as Amazon GuardDuty, Amazon Inspector, and AWS Config, as well as from third-party security tools.

To automate the remediation of security findings reported from AWS Security Hub, we need to identify the appropriate method to achieve this. Let's go through the options provided and see which one is the most appropriate.

Option A: Create a remediation rule in CloudWatch Events for the “Security Hub Insight Results” events.

This option is incorrect because “Security Hub Insight Results” events are generated when a custom security insight is created and are not directly related to individual Security Hub findings. They are therefore not the appropriate trigger for automating the remediation of Security Hub findings.

Option B: Create a rule in EventBridge or CloudWatch Events for the “Security Hub Findings - Imported” events. Register a Lambda function as the target of the rule that defines remediation actions.

This option is the most appropriate one. When Security Hub generates findings, it sends them to EventBridge or CloudWatch Events as "Security Hub Findings - Imported" events. You can create a rule that matches these events and define a Lambda function as the target of the rule. The Lambda function can then implement the remediation actions needed to address the findings.

Option C: Create an AWS Config rule that launches a remediation Lambda function for the “Security Hub Findings” events sent from Security Hub.

This option is incorrect because AWS Config is not directly related to Security Hub findings: Security Hub does not forward its finding events to AWS Config, so a Config rule is not the method for handling them.

Option D: In the CloudTrail S3 bucket, configure the S3 event notification with a Lambda function to handle the “Security Hub Finding” events.

This option is incorrect because CloudTrail is not directly related to Security Hub findings. CloudTrail captures API calls made to Security Hub, but it is not the method for receiving and handling Security Hub findings.

In conclusion, option B is the most appropriate method for automating the remediation of Security Hub findings.