Integration between AWS Security Hub & ServiceNow

Leticia Massae
Published in gft-engineering
5 min read · Jul 1, 2022

AWS Security Hub — What it is

AWS Security Hub is an AWS Service that checks and centralizes security alerts. It detects deviations from security best practices defined by AWS Foundational Security Best Practices, automatically aggregates security findings in a standardized data format from AWS and partner services, and accelerates mean time to resolution with automated response and remediation actions.

AWS Security Hub — Benefits

  • Reduced effort to collect and prioritize findings.
  • Consolidated view of findings against accounts and providers.
  • Automatic security checks with AWS Foundational Security Best Practices, CIS AWS Foundations Benchmark and/or PCI DSS (stands for PCI Security Standards Council, which is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide).
  • Ability to automate remediation of findings.

AWS Security Hub — Integrations

Available AWS Integrations, here.

  • AWS Audit Manager (Receives findings)
  • AWS Chatbot (Sends findings)
  • AWS Config (Sends findings)
  • Amazon Detective (Linked from Security Hub)
  • AWS Firewall Manager (Sends findings)
  • Amazon GuardDuty (Sends findings)
  • AWS Health (Sends findings)
  • IAM Access Analyzer (Sends findings)
  • Amazon Inspector (Sends findings)
  • Amazon Macie (Sends findings)
  • AWS Systems Manager Explorer and OpsCenter (Receives and updates findings)
  • AWS Systems Manager Patch Manager (Sends findings)
  • AWS Trusted Advisor (Receives findings)

Available third-party integrations, here.

AWS Security Hub — Pricing and Usage

When you enable AWS Security Hub, you get a 30-day trial that lets you understand what Security Hub will cost after the free trial ends. During this time you are only charged for usage of other services that Security Hub interacts with, such as AWS Config Items.

When you try to enable Security Hub for the first time you will see this field:

In the Security Hub at the Managed Account, after a while, you are going to see the monthly pricing in the “Usage” tab:

And below is the information about the pricing of the Service itself:

Note: Pricing here is not very precise, because natively AWS Security Hub consists of AWS Config Rules, which have one pricing, and findings on Security Hub, which have another. One depends on the other.

ServiceNow — Benefits

  • Ease of Use
  • Process Optimization
  • Faster Workflows
  • Versatility
  • Improved Decision-Making
  • Efficient task management
  • Higher ROI
  • Integration
  • Lower infrastructure costs

Integration Architecture between AWS Security Hub and ServiceNow

Delegating Administrator on Master account to a Managed Account:

Integration Architecture:

High-Level Architecture

AWS Security Hub — Enabling (AWS Console)

Setup in AWS for the Integration between AWS Security Hub and ServiceNow

CloudFormation template here.

In the AWS Security Hub delegated account, you will need to create the AWS resources that the integration needs to work. The AWS documentation linked above has a CloudFormation template already set up for you to use.

You will need to deploy these resources (apart from the IAM resources) across all AWS AZs that your AWS Organization uses. AWS Security Hub must also be monitoring these locations and collecting findings from them.

I recommend separating the global resources from the other ones in the template, deploying the global resources once, and deploying the rest in each Region in your managed account.

Setup in ServiceNow for the Integration between AWS Security Hub and ServiceNow

First, you will need to install the ServiceNow plugin “AWS Service Management Connector for ServiceNow” at the ServiceNow Store.

Then configure the account sync with the credentials of the IAM users SCEndUser and SCSyncUser that we created in AWS (they are in the CloudFormation template above). Note that you need to check the “integrate with AWS Security Hub” checkbox and add the AWS Regions where your AWS Security Hub has findings.

https://www.youtube.com/watch?v=OYTi0sjEggE&ab_channel=AmazonWebServices

Then click on “Save” and the other button to test/validate the sync.

Note: It may take up to 2 hours to sync every finding that we have in our AWS environment.

When it finishes it will look something like this:


After that, your organization can do whatever it wants with this information. You can automatically generate an Incident for every finding, or specify the severity/priority level from which an Incident should be created:


When the Incident is created, it is filled with the information from the finding:

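The severity threshold and Region list described above, as an added example (not the connector's code and not from the original article): it applies a severity floor to Security Hub findings in the AWS Security Finding Format (ASFF), builds the incident fields from each finding, and flags findings from Regions missing from the sync list. The names `triage` and `sample_finding`, the sample findings, and the severity-to-impact/urgency mapping are assumptions.

```python
# Added example, not connector code: choose which ASFF findings open an incident.
SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]  # ASFF Severity.Label
# Assumed mapping to ServiceNow incident (impact, urgency); 1 = high, 3 = low.
IMPACT_URGENCY = {"CRITICAL": (1, 1), "HIGH": (2, 1), "MEDIUM": (2, 2),
                  "LOW": (3, 3), "INFORMATIONAL": (3, 3)}

def triage(findings, min_severity, synced_regions):
    """Return (incidents, unsynced_regions) for a batch of ASFF findings."""
    floor = SEVERITY_ORDER.index(min_severity)
    incidents, unsynced = [], set()
    for f in findings:
        # Skip archived findings and ones already notified, suppressed or resolved.
        if f.get("RecordState") != "ACTIVE" or f.get("Workflow", {}).get("Status") != "NEW":
            continue
        region = f.get("Region", "unknown")
        if region not in synced_regions:
            unsynced.add(region)  # Region is absent from the sync configuration
            continue
        label = f.get("Severity", {}).get("Label")
        if label not in SEVERITY_ORDER:
            label = "CRITICAL"  # unknown severity: fail towards opening an incident
        if SEVERITY_ORDER.index(label) < floor:
            continue
        impact, urgency = IMPACT_URGENCY[label]
        incidents.append({
            "short_description": f"[{label}] {f['Title']}",
            "description": f.get("Description", ""),
            "impact": impact, "urgency": urgency,
            "correlation_id": f["Id"],  # links the incident back to the finding
        })
    return incidents, sorted(unsynced)

def sample_finding(fid, label, region, state="ACTIVE", workflow="NEW"):
    """Build a minimal constructed ASFF finding (real findings carry more fields)."""
    return {"Id": fid, "Title": f"Constructed finding {fid}", "Description": "sample",
            "Region": region, "RecordState": state,
            "Severity": {"Label": label}, "Workflow": {"Status": workflow}}

SAMPLE = [  # constructed data, not real findings
    sample_finding("f-1", "CRITICAL", "us-east-1"),
    sample_finding("f-2", "MEDIUM", "us-east-1"),
    sample_finding("f-3", "HIGH", "eu-west-1"),
    sample_finding("f-4", "HIGH", "us-east-1", state="ARCHIVED"),
    sample_finding("f-5", "HIGH", "sa-east-1", workflow="SUPPRESSED"),
    sample_finding("f-6", "HIGH", "sa-east-1"),
]

if __name__ == "__main__":
    opened, gaps = triage(SAMPLE, "HIGH", {"us-east-1", "sa-east-1"})
    print([i["correlation_id"] for i in opened], gaps)
```

A non-empty second return value means active findings exist in a Region that is not being synced, so they would never become incidents regardless of severity.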

Conclusion

In this article we explained what AWS Security Hub and ServiceNow are, their benefits, how they work, some architecture, findings delegation and how to set them up.

The security checks covered are AWS Foundational Security Best Practices, CIS AWS Foundations Benchmark and/or PCI DSS (remember that this one costs extra).

Pay attention to the pricing in AWS, since it depends on the security checks that you want, the findings, and the AWS Config Rules.

I hope this information will be useful. Please feel free to comment or raise any questions.

Leticia Massae
gft-engineering

Technology enthusiast working as a DevOps with experience in Security Automations. https://www.linkedin.com/in/leticiamassae/