# AWS Security Hub Integration

[AWS Security Hub](https://aws.amazon.com/security-hub/) is a security service that provides a comprehensive view of security alerts and compliance status across AWS accounts by aggregating findings from various AWS services and third-party tools. When used with ilert, Security Hub’s alerts are instantly routed to the right team members through multi-channel notifications and escalation policies, ensuring rapid response to security threats.

## How this integration works <a href="#create-alert-source" id="create-alert-source"></a>

AWS Security Hub generates finding events, which AWS EventBridge relays. When an event matches an EventBridge rule, a notification is published to the specific Amazon Simple Notification Service (SNS) topic, and from there the event is sent to ilert.

## Architecture <a href="#create-alert-source" id="create-alert-source"></a>

<figure><img src="/files/vWIXe2iMbrSYwM1Gmngk" alt=""><figcaption></figcaption></figure>

## In ilert: Create an Amazon SNS alert source <a href="#create-alert-source" id="create-alert-source"></a>

1. Go to **Alert sources** -> **Alert sources** and click on **Create new alert source**<br>

   <figure><img src="/files/rmL9OoRxcWnDwcJZQm4Y" alt=""><figcaption></figcaption></figure>
2. Search for **Amazon SNS** in the search field, click on the Amazon SNS tile and click on **Next**.<br>

   <figure><img src="/files/1WoRRYB5U40PbeMJ7Hit" alt=""><figcaption></figcaption></figure>
3. Give your alert source a name, optionally assign teams and click **Next**.
4. Select an **escalation policy** by creating a new one or assigning an existing one.<br>

   <figure><img src="/files/y4Bakf2apGhBN56U8ZPR" alt=""><figcaption></figcaption></figure>
5. Select your [Alert grouping](/alerting/configure-alerting/alert-sources.md#alert-grouping) preference and click **Continue setup**. You may click **Do not group alerts** for now and change it later.<br>

   <figure><img src="/files/nTlB0ZCIW1SP3dj6P9nO" alt=""><figcaption></figcaption></figure>
6. The next page shows additional settings such as custom alert templates or notification priority. Click on **Finish setup** for now.
7. On the final page, an API key and / or webhook URL will be generated that you will need later in this guide.

   <figure><img src="/files/vavnQjheBpQYgrZpzayh" alt="" width="563"><figcaption></figcaption></figure>

## In AWS Security Hub: Create a Custom action <a href="#create-topic" id="create-topic"></a>

1. On the sidebar click on **Custom actions**.
2. Click on **Create custom action**.

<figure><img src="/files/QcTLPgeoypFwUevGBJx5" alt="" width="563"><figcaption></figcaption></figure>

3. Enter an **Action name**, a **Description** and a **Custom action ID**.

<figure><img src="/files/6A5A5WpqE28QmwmhbUTz" alt="" width="563"><figcaption></figcaption></figure>

## In AWS SNS: Create a topic and a Subscription <a href="#create-topic" id="create-topic"></a>

1. On the sidebar navigate to **Topics** and click on **Create topic**.

<figure><img src="/files/r1q7FC3sn5oEY0VcuGwh" alt="" width="563"><figcaption></figcaption></figure>

2. Select **Standard** and enter a **Name**.

<figure><img src="/files/ZZ9VUo0hNXjVQVDDOzMh" alt="" width="563"><figcaption></figcaption></figure>

3. Save the topic.
4. Now create a new Subscription for this topic.
5. Select HTTPS as **Protocol** and enter the alert source URL previously generated in ilert as **Endpoint**.

<figure><img src="/files/Hch1dEC1Z6TEq7SWTTiG" alt="" width="563"><figcaption></figcaption></figure>

6. Click on **Create subscription**.

## In AWS EventBridge: Create an Event bus Rule <a href="#create-topic" id="create-topic"></a>

1. On the sidebar click on **Event buses** and then on **Create rule**.

<figure><img src="/files/JmqAoETgU1tiiPpQS6XV" alt="" width="563"><figcaption></figcaption></figure>

2. Enter a Name for the rule.

<figure><img src="/files/TpS4beR9inbw0ge9R2t9" alt="" width="563"><figcaption></figcaption></figure>

3. Enter the following event pattern and click on **Next**:

```
{
    "source": [
        "aws.securityhub"
    ],
    "resources": [
        "< ARN OF THE CUSTOM ACTION CREATED IN SECURITY HUB >"
    ]
}
```

<figure><img src="/files/LZorOReCAsYLmGsuGsAy" alt="" width="563"><figcaption></figcaption></figure>

4. Select the previously created topic as target.

<figure><img src="/files/HvSzo2PyL1BF8gDy6EMY" alt="" width="563"><figcaption></figcaption></figure>

5. Click on **Create rule** to finish the setup.

<figure><img src="/files/l3u2ePKR18MIA4Ngp9z5" alt="" width="563"><figcaption></figcaption></figure>
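
How EventBridge evaluates the event pattern from step 3, as an added example (not ilert's or AWS's own code): a simplified evaluator that implements only exact-value matching, run over constructed events. The ARNs, the account ID and the action ID `SendToIlert` are made-up sample values.

```python
# Constructed sample values (account ID, region and action ID are not from the page).
ACTION_ARN = "arn:aws:securityhub:eu-central-1:111122223333:action/custom/SendToIlert"
FINDING_ARN = ("arn:aws:securityhub:eu-central-1:111122223333:subscription/"
               "cis-aws-foundations-benchmark/v/1.2.0/1.1/finding/constructed")

# The event pattern from step 3, with the placeholder filled in.
PATTERN = {"source": ["aws.securityhub"], "resources": [ACTION_ARN]}

def matches(pattern, event):
    """Exact-value subset of EventBridge matching: every pattern key must be
    present in the event, and the event value (or, for an array, at least one
    element) must equal one of the values listed in the pattern."""
    for key, wanted in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(wanted, dict):  # nested pattern, e.g. under "detail"
            if not isinstance(actual, dict) or not matches(wanted, actual):
                return False
            continue
        values = actual if isinstance(actual, list) else [actual]
        if not any(v in wanted for v in values):
            return False
    return True

def envelope(detail_type, resources):
    """Constructed Security Hub event carrying only the fields needed here."""
    return {
        "detail-type": detail_type,
        "source": "aws.securityhub",
        "resources": resources,
        "detail": {"findings": [{"Title": "constructed sample finding"}]},
    }

SAMPLES = {
    "custom action from this guide": envelope(
        "Security Hub Findings - Custom Action", [ACTION_ARN]),
    "other custom action": envelope(
        "Security Hub Findings - Custom Action",
        [ACTION_ARN.replace("SendToIlert", "OtherAction")]),
    "imported finding": envelope("Security Hub Findings - Imported", [FINDING_ARN]),
}

def evaluate():
    """Return {sample name: whether the rule would fire}."""
    return {name: matches(PATTERN, event) for name, event in SAMPLES.items()}

if __name__ == "__main__":
    print(evaluate())
```

Only the event whose `resources` array contains the custom action's ARN matches the rule; the other two sample events are dropped before they reach the SNS topic.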

## FAQ <a href="#faq" id="faq"></a>

**Will alerts in ilert be resolved automatically?**

No, but you can use the **eventType** custom attribute to resolve an incident for the specified **incidentKey**.


