Configuring CloudGuard as an AWS Security Hub Provider

For Continuous Posture assessments only, you can configure CloudGuard to send alerts to AWS Security Hub.

To receive CloudGuard notifications on the Security Hub, you must onboard your AWS account to CloudGuard. See Unified Onboarding of AWS Environments. If you have already onboarded your AWS account, continue with the instructions.

To configure an AWS IAM policy for CloudGuard:

  1. In the AWS console, navigate to the IAM dashboard and select Roles.

  2. Select the CloudGuard-Connect role.

  3. In Permissions, click Add permissions > Attach policies.

  4. On the Add permissions page, click Create policy.

  5. In Create policy, select JSON.

  6. In the editor, paste this policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "securityhub:UpdateFindings",
            "securityhub:BatchImportFindings"
          ],
          "Resource": "*"
        }
      ]
    }

  7. Optionally, add tags.

  8. Enter the policy name and click Create policy to save it.
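The policy above is the whole grant the CloudGuard-Connect role needs for Security Hub, so it is worth checking that nothing broader was pasted in. The following Python check is an added example (not Check Point's or AWS's own code): it parses a policy document and reports any Allow statement that grants more than the two documented actions; the over-permissive policy is a constructed sample.

```python
"""Least-privilege check for the Security Hub policy attached to the
CloudGuard-Connect role. Added example, not Check Point's or AWS's code."""
import fnmatch
import json

# The two actions the documented policy grants (taken from the page).
ALLOWED_ACTIONS = {"securityhub:UpdateFindings", "securityhub:BatchImportFindings"}

# The policy from the page, as a JSON string.
DOCUMENTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                   "Action": ["securityhub:UpdateFindings",
                              "securityhub:BatchImportFindings"],
                   "Resource": "*"}],
})

# Constructed sample: a wildcard grant that covers every Security Hub API,
# not just the two write calls CloudGuard needs.
OVER_PERMISSIVE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "TooBroad", "Effect": "Allow",
                   "Action": "securityhub:*", "Resource": "*"}],
})


def _as_list(value):
    """IAM allows "Action" and "Statement" to be a single value or a list."""
    return value if isinstance(value, list) else [value]


def check_securityhub_policy(policy_json: str) -> list:
    """Return the problems found; an empty list means the policy grants only
    the documented actions (Resource "*" is what the page prescribes)."""
    problems = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow the grant
        if "NotAction" in stmt or "NotResource" in stmt:
            problems.append(f"{sid}: NotAction/NotResource grants by exclusion")
        for action in _as_list(stmt.get("Action", [])):
            if action in ALLOWED_ACTIONS:
                continue
            # IAM action wildcards use * and ?, which fnmatch understands.
            if any(fnmatch.fnmatchcase(a, action) for a in ALLOWED_ACTIONS):
                problems.append(f"{sid}: wildcard {action!r} exceeds the documented grant")
            else:
                problems.append(f"{sid}: unexpected action {action!r}")
    return problems


if __name__ == "__main__":
    for name, doc in (("documented", DOCUMENTED_POLICY), ("over-permissive", OVER_PERMISSIVE)):
        print(name, check_securityhub_policy(doc) or "OK")
```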

To subscribe to the CloudGuard Integration in the Security Hub:

  1. In the AWS Security Hub, navigate to Integrations.

  2. In the search bar, enter Check Point: CloudGuard Posture Management, and on that integration's card click Accept.

  3. In the confirmation window, click Accept finding.

    The status of the integration changes to Accepting findings.

To configure a notification on CloudGuard:

  1. In the CloudGuard portal, go to Settings > Notifications. This opens the list of notifications.

  2. To configure notifications to AWS Security Hub as part of an existing policy, select it from the list on the left. Or to configure a new notification, click Add Notification.

  3. In the Create New Notification (or Edit Notification) window, enter the applicable information as in Notifications. Then do these steps:

    1. In Security Management Systems, select the option Send findings to AWS Security Hub.

    2. Below Select the AWS account to receive the alerts*, select your AWS Cloud Account ID. Or, for a policy that includes several accounts, select Use the AWS account from which the alert originated; CloudGuard then sends each finding to the customer's account that is the source of the alert.

    3. Below Select the AWS account's Region to receive the alerts*, select the same region to which the AWS account is connected. Or, for an account that exists in more than one region, select Use the AWS account's region from which the alert originated; CloudGuard then sends findings to the account in the region where the alert originated.

      Note - If you select to use the asset's region, you must also select a default region to which findings are sent. This is necessary for cases where the asset to which the finding belongs does not belong to a region (such as an IAM Role).

      Important - Not all AWS regions support Security Hub.

  4. To test the configuration, click Test. If the configuration is not correct, an error message shows a list of the invalid account and region combinations. An account can be valid in one region but invalid in a different region.

    If you get multiple results, click invalid regions or accounts to show the invalid account and region combinations.

  5. Click Save.

Configure Multiple AWS Accounts to One Security Hub

You can associate other AWS accounts with one (master) account, to see event notifications for all of them on the Security Hub dashboard of the master account. This is done on the AWS Security Hub console page.

To configure multiple AWS accounts to one Security Hub:

  1. The corresponding accounts from which it is necessary to see CloudGuard events must be onboarded to CloudGuard (if they are not, follow the instructions here).

  2. The corresponding accounts must be linked to the master account in AWS (in the Security Hub console).

  3. Create a CloudGuard Continuous Posture Notification that directs findings to the master account in the AWS Security Hub. Afterward, apply this policy to each of the accounts, including the master account (see Configure a Notification on CloudGuard above).
