Configuring CloudGuard as an AWS Security Hub Provider

For Continuous Posture assessments only, you can configure CloudGuard to send alerts to AWS Security Hub.

To receive CloudGuard notifications on the Security Hub, you must onboard your AWS account to CloudGuard. See Unified Onboarding of AWS Environments. If you have already onboarded your AWS account, continue with the instructions.

To configure an AWS IAM policy for CloudGuard:

  1. In the AWS console, navigate to the IAM dashboard and select Roles.

  2. Select the CloudGuard-Connect role.

  3. In Permissions, click Add permissions > Attach policies.

  4. On the Add permissions page, click Create policy.

  5. In Create policy, select JSON.

  6. In the editor, paste this policy:

     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "VisualEditor0",
                 "Effect": "Allow",
                 "Action": [
                     "securityhub:UpdateFindings",
                     "securityhub:BatchImportFindings"
                 ],
                 "Resource": "*"
             }
         ]
     }

  7. Optionally, add tags.

  8. Enter the policy name and click Create policy to save it.
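
As an added check, not part of this page or of CloudGuard, the following Python audits an IAM policy document against the two Security Hub actions the integration needs: it reports required actions that no Allow statement grants and any grant that goes beyond them (other actions, or wildcard patterns, which are flagged conservatively). The policy dict reproduces the one above; the function names are this example's own.

```python
import re

# The policy from this page, as attached to the CloudGuard-Connect role.
CLOUDGUARD_SECURITY_HUB_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["securityhub:UpdateFindings", "securityhub:BatchImportFindings"],
        "Resource": "*",
    }],
}

# The only two actions the Security Hub integration needs.
REQUIRED_ACTIONS = frozenset({"securityhub:BatchImportFindings", "securityhub:UpdateFindings"})

def iam_action_matches(pattern, action):
    """IAM action matching: case-insensitive, with * and ? wildcards."""
    regex = re.escape(pattern.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action.lower()) is not None

def granted_actions(policy):
    """Collect the Action patterns of every Allow statement (string or list forms)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    granted = []
    for statement in statements:
        if statement.get("Effect") != "Allow":
            continue
        actions = statement.get("Action", [])
        granted.extend([actions] if isinstance(actions, str) else actions)
    return granted

def audit_policy(policy, required=REQUIRED_ACTIONS):
    """Return (missing, excess): required actions no pattern grants, and patterns
    that grant anything beyond them. Any wildcard pattern is flagged as excess."""
    granted = granted_actions(policy)
    missing = sorted(a for a in required
                     if not any(iam_action_matches(g, a) for g in granted))
    excess = sorted(g for g in granted
                    if "*" in g or "?" in g
                    or g.lower() not in {a.lower() for a in required})
    return missing, excess

if __name__ == "__main__":
    print(audit_policy(CLOUDGUARD_SECURITY_HUB_POLICY))  # ([], [])
```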

To subscribe to the CloudGuard Integration in the Security Hub:

  1. In the AWS Security Hub, navigate to Integrations.

  2. In the search bar, enter Check Point: CloudGuard Posture Management, and on the matching card click Accept.

  3. In the confirmation window, click Accept finding.

    The status of the integration changes to Accepting findings.

To configure CloudGuard to send notifications to AWS Security Hub:

  1. In the CloudGuard portal, from the left menu, click Integration Hub.

  2. In the Cloud Services section, click AWS Security Hub.

    The AWS Security Hub sliding menu opens.

  3. Create the integration.

Configure Multiple AWS Accounts to One Security Hub

You can associate other AWS accounts with one (master) account to see event notifications for all of them on the Security Hub dashboard of the master account. This is done on the AWS Security Hub console page.

To configure multiple AWS accounts to one Security Hub:

  1. The accounts whose CloudGuard events you want to see must be onboarded to CloudGuard (if they are not, see Unified Onboarding of AWS Environments).

  2. The corresponding accounts must be linked to the master account in AWS (in the Security Hub console).

  3. Create a CloudGuard Continuous Posture Notification that directs findings to the master account in AWS Security Hub. Then apply this notification policy to each of the accounts, including the master account (see Configure a Notification on CloudGuard above).
