AFSBP Auto Remediation Doesnt Kick Off

[wallchristopher]

Describe the bug

After enabling AFSBP_EC2.6_AutoTrigger within EventBridge. No remediation of the finding is performed.

To Reproduce

Deploy the solution.
Enable AFSBP_EC2.6_AutoTrigger within EventBridge
Create a VPC without VPC Flow Logs enabled.
A Security Hub finding will be generated but will not be remediated.

Expected behavior

Once a new finding is generated by Security Hub. It is automatically remediated within the target environment.

Please complete the following information about the solution:

• Version: v1.3.0
• Region: us-west-2
• Was the solution modified from the version published on this repository? No
• Have you checked your service quotas for the sevices this solution uses? No
• Were there any errors in the CloudWatch Logs? No

Screenshots
AFSBP_EC2.6_AutoTrigger EventBridge Rule:

EC2.6 Security Hub Finding:

CIS Finding:

Additional context
I think the reason is within the Findings event for Security Hub. The generator ID field does not include /rule/ for AFSBP whereas PCI and CIS Findings do.

Whenever you manually activate the Security Hub Custom Action "Remediate with SHARR" it works fine.

[mobri2a]

Thanks for the thorough info. Checking into this today.

[mobri2a]

This is a confirmed bug: the GeneratorId pattern for AWS Foundational Security Best Practices follows a different pattern than CIS or PCI-DSS. The workaround is to replace the value in the AFSBP rule with the correct GeneratorId value.

Example - replace

"GeneratorId": [
    "arn:aws:securityhub:::ruleset/aws-foundational-security-best-practices/v/1.0.0/rule/EC2.6"
]

with

"GeneratorId": [
    "aws-foundational-security-best-practices/v/1.0.0/EC2.6"
]

[mobri2a]

Digging into this further, I'm going to change the rules for all Playbooks to use StandardsArn and ControlId as follows in the next release. These fields have proven to be more stable and consistent across security standards. This would also work as a workaround for v1.3, but is a little more typing than the above suggestion. Testing this week.

{
  "detail-type": [
    "Security Hub Findings - Imported"
  ],
  "source": [
    "aws.securityhub"
  ],
  "detail": {
    "findings": {
      "Compliance": {
        "Status": [
          "FAILED",
          "WARNING"
        ]
      },
      "ProductFields": {
        "StandardsArn": [
          "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0"
        ],
        "ControlId": [
          "EC2.6"
        ]
      },
      "Workflow": {
        "Status": [
          "NEW"
        ]
      }
    }
  }
}

[mobri2a]

Confirmed above fix and added to the next release.

[schroehe]

I can add that the issue does not only affect the AFSBP playbooks but also PCI-DSS. The (new) format of GeneratorID in the Security Hub event does look like this: "GeneratorId": "pci-dss/v/3.2.1/PCI.IAM.5".

So as a workaround, the EventPattern condition in the respective PCI-DSS auto-trigger event rules need to be adjusted accordingly. (Unless the stable fix with StandardArn as suggested by @mobri2a is applied.)

[mobri2a]

Fixed in v1.4.0, which will be available within the hour.