1. Assessment Phase

  • Select AWS Region
  • List SNS Topics
  • SNS Topic Option
  • Email Recipients
  • Input Severity Filters (Optional)

2. Summary Phase

  • Confirm Configuration Summary

3. Configuration Phase

  • Create New SNS Topic
  • Subscribe Emails
  • Configure GuardDuty Rule
  • Configure SecurityHub Rule
  • Configure Macie Rule
  • Configure Access Analyzer Rule
  • Attach SNS Targets with InputTransformer

4. Validation Phase

  • Validate SNS Subscription
  • EventBridge Rules Validation
  • Test Finding Simulation

SNS Alerts for AWS Security Findings

Overview

This plan sets out the steps to configure an AWS environment that sends SNS notifications for security findings from GuardDuty, SecurityHub, Macie, and Access Analyzer. EventBridge rules forward findings to the SNS topic only when they meet the chosen severity criteria, the user may reuse an existing SNS topic or create a new one, and a validation phase confirms that subscriptions, rules, and the end-to-end notification path work.

Execution Details

Assessment Phase

  1. Select AWS Region: Guide the user to choose an AWS region for the configuration, listing available regions and confirming the choice.
  2. List SNS Topics: Retrieve and display existing SNS topics within the chosen region for user evaluation.
  3. SNS Topic Option: Offer options to use an existing SNS topic or create a new one, allowing the user to enter or select a topic name.
  4. Email Recipients: Collect and validate email addresses that will receive security notifications.
  5. Input Severity Filters (Optional): Allow the user to define a severity filter for GuardDuty, SecurityHub, and Macie so that only findings at or above the chosen severity generate alerts.

Summary Phase

  1. Confirm Configuration Summary: Present a comprehensive summary of all configuration details collected, including selected region, SNS topics, email addresses, service selections, and severity filters for user confirmation.

Configuration Phase

  1. Create New SNS Topic: If a new SNS topic is needed, create it using the gathered parameters.
  2. Subscribe Emails: Subscribe the collected email addresses to the configured SNS topic for notifications.
  3. Configure GuardDuty Rule: Establish an EventBridge rule for GuardDuty with an optional severity threshold to manage notifications.
  4. Configure SecurityHub Rule: Set up an EventBridge rule for SecurityHub, applying severity filters if specified.
  5. Configure Macie Rule: Deploy an EventBridge rule for Macie, incorporating severity filters as configured.
  6. Configure Access Analyzer Rule: Create an EventBridge rule for Access Analyzer findings, customizing the event pattern as needed.
  7. Attach SNS Targets: Add the SNS topic as a target on each configured EventBridge rule, using an input transformer to render the raw finding JSON into a readable message, so that every matching finding triggers a notification.
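The rule and target configuration above, as an added example that is not part of the original plan: it builds the GuardDuty and Security Hub event patterns with severity filters, the InputTransformer for the SNS target, and a small offline matcher so the patterns can be checked against constructed findings before anything is deployed. The event sources, detail-types and field names are the documented AWS ones; the account id, threshold and sample findings are constructed placeholders.

```python
import operator
OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le, "<": operator.lt, "=": operator.eq}

def guardduty_pattern(min_severity=None):
    # GuardDuty severity is numeric (0.1-8.9); the optional threshold uses EventBridge's numeric filter.
    pattern = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}
    if min_severity is not None:
        pattern["detail"] = {"severity": [{"numeric": [">=", min_severity]}]}
    return pattern

def securityhub_pattern(labels=("HIGH", "CRITICAL")):
    # detail.findings is a list; EventBridge fires when any element carries one of the labels.
    return {"source": ["aws.securityhub"],
            "detail-type": ["Security Hub Findings - Imported"],
            "detail": {"findings": {"Severity": {"Label": list(labels)}}}}

def sns_input_transformer():
    # JSONPath pulls fields from the finding; the quoted template becomes the email body.
    return {"InputPathsMap": {"svc": "$.source", "sev": "$.detail.severity",
                              "title": "$.detail.title", "acct": "$.account",
                              "region": "$.region"},
            "InputTemplate": '"<svc> severity <sev> in <acct>/<region>: <title>"'}

def _rule_hit(r, values):
    if isinstance(r, dict) and "numeric" in r:  # {"numeric": [">=", 7]}
        op, n = r["numeric"]
        return any(isinstance(v, (int, float)) and OPS[op](v, n) for v in values)
    return r in values  # literal value rule

def matches(pattern, event):
    # Offline subset of EventBridge matching: nested objects, literal lists, numeric rules, arrays.
    if isinstance(event, list):
        return any(matches(pattern, e) for e in event)
    for key, rule in pattern.items():
        if not isinstance(event, dict) or key not in event:
            return False
        value = event[key]
        if isinstance(rule, dict):
            if not matches(rule, value):
                return False
        elif not any(_rule_hit(r, value if isinstance(value, list) else [value]) for r in rule):
            return False
    return True

# Constructed sample events (not real findings), trimmed to the fields the patterns use.
GD_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "account": "111122223333",
            "region": "us-east-1", "detail": {"severity": 7.5, "title": "Example finding"}}
SH_EVENT = {"source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
            "detail": {"findings": [{"Severity": {"Label": "LOW"}}, {"Severity": {"Label": "HIGH"}}]}}
```

The dictionaries returned by the pattern and transformer functions are what you would pass, serialized as JSON, to `put-rule --event-pattern` and `put-targets --targets ... InputTransformer`.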

Validation Phase

  1. Validate SNS Subscription: Verify that all email subscriptions for the SNS topic are confirmed; prompt the user to resolve any discrepancies.
  2. EventBridge Rules Validation: Confirm that every EventBridge rule is enabled and correctly configured by listing each rule and checking its state, event pattern, and SNS target against the confirmed configuration summary.
  3. Test Finding Simulation: Allow the user to generate a sample finding in GuardDuty or Macie and confirm that the resulting notification reaches the subscribed email addresses, validating the configuration end to end.