tessl/npm-pulumi--aws

A Pulumi package for creating and managing Amazon Web Services (AWS) cloud resources with infrastructure-as-code.

—

Pending

Quality

Pending

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

Overview

Eval results

Files

Security Hub - Security Posture Management

Name: tessl/npm-pulumi--aws
Author: tessl

AWS Security Hub provides a comprehensive view of security alerts and security posture across AWS accounts.

Common Tasks

Enable Security Hub with standards

const account = new aws.securityhub.Account("main", {});
const cifStandard = new aws.securityhub.StandardsSubscription("cis", {
    standardsArn: "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
}, { dependsOn: [account] });

Set up multi-region aggregation

const aggregator = new aws.securityhub.FindingAggregator("aggregator", {
    linkingMode: "ALL_REGIONS",
});

Configure custom insights

const insight = new aws.securityhub.Insight("critical-findings", {
    filters: {
        severityLabel: [{ comparison: "EQUALS", value: "CRITICAL" }],
        workflowStatus: [{ comparison: "EQUALS", value: "NEW" }],
    },
    groupByAttribute: "ResourceType",
    name: "Critical Unresolved Findings",
});

Core Resources

Account, StandardsSubscription, FindingAggregator

Security Hub centralizes security findings from AWS services and partner products.

class Account extends pulumi.CustomResource {
    constructor(name: string, args?: AccountArgs, opts?: pulumi.CustomResourceOptions);

    readonly id: pulumi.Output<string>;
}

interface AccountArgs {
    enableDefaultStandards?: pulumi.Input<boolean>;
}

Example: Enable Security Hub

const account = new aws.securityhub.Account("main", {
    enableDefaultStandards: true,
});

class StandardsSubscription extends pulumi.CustomResource {
    constructor(name: string, args: StandardsSubscriptionArgs, opts?: pulumi.CustomResourceOptions);

    readonly id: pulumi.Output<string>;
}

interface StandardsSubscriptionArgs {
    standardsArn: pulumi.Input<string>;
}

Example: Subscribe to security standards

// CIS AWS Foundations Benchmark
const cisStandard = new aws.securityhub.StandardsSubscription("cis", {
    standardsArn: "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
}, { dependsOn: [account] });

// AWS Foundational Security Best Practices
const fsbpStandard = new aws.securityhub.StandardsSubscription("fsbp", {
    standardsArn: "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
}, { dependsOn: [account] });

class FindingAggregator extends pulumi.CustomResource {
    constructor(name: string, args: FindingAggregatorArgs, opts?: pulumi.CustomResourceOptions);

    readonly id: pulumi.Output<string>;
}

interface FindingAggregatorArgs {
    linkingMode: pulumi.Input<"ALL_REGIONS" | "ALL_REGIONS_EXCEPT_SPECIFIED" | "SPECIFIED_REGIONS">;
    specifiedRegions?: pulumi.Input<pulumi.Input<string>[]>;
}

Example: Aggregate findings across regions

const aggregator = new aws.securityhub.FindingAggregator("global-aggregator", {
    linkingMode: "ALL_REGIONS",
});

For complete Security Hub API with 15 resources, see All Services.

Related Services

GuardDuty - Threat detection findings integrated into Security Hub
IAM Access Analyzer - IAM policy findings
Inspector - Vulnerability assessment findings
CloudWatch - Security Hub findings as events
SNS - Notifications for security findings

Install with Tessl CLI

npx tessl i tessl/npm-pulumi--aws

docs

analytics

compute

core

database

guides

migration

monitoring

networking

reference

security

storage

tessl/npm-pulumi--aws

securityhub.md.css-3qkkll{font-size:var(--chakra-font-sizes-sm);font-weight:var(--chakra-font-weights-normal);color:var(--chakra-colors-gray-300);}docs/security/

Security Hub - Security Posture Management

Common Tasks

Core Resources

Account, StandardsSubscription, FindingAggregator

Related Services

securityhub.mddocs/security/