
Import your Powerpipe results into AWS SecurityHub

Continuing from Automate your Steampipe AWS configuration with AWS Organizations, we have developed powerpipe-securityhub-importer to import the results of your controls into AWS SecurityHub.

Powerpipe allows us to run benchmarks that, through Steampipe, provide us with the results of our controls.


Powerpipe allows you to export the results of your benchmarks or controls in ASFF format. If we run these controls on an AWS organization, we will get the results from all accounts and regions in a single file.

However, we cannot import them directly into our centralized SecurityHub. We need to import each finding into the account and region where the scanned resource is located.

To facilitate this process and add some extra features, we have published powerpipe-securityhub-importer.

Requirements

To use it, you will need:

  1. An IAM Role created in all the accounts of your organization with:
    • A Trust Policy that allows sts:AssumeRole from a centralized Role.
    • A policy with permissions to import findings into SecurityHub:
      {
        "Sid": "SecurityHubImport",
        "Effect": "Allow",
        "Action": [
          "securityhub:BatchImportFindings"
        ],
        "Resource": "*"
      }
      
  2. AWS credentials that allow you to assume the Role from point 1:
    {
      "Sid": "AssumeSecurityImportRole",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "arn:aws:iam::*:role/role-name-with-path"
    }
    

Tip

For more details on how to do this, you can check out our post Deploy IAM Roles across an AWS Organization as code.

Features

  • Imports Powerpipe results in ASFF into AWS SecurityHub by AWS account and region.
  • Allows ignoring findings whose state is PASSED or NOT_AVAILABLE.
  • It's fast! 🚀

How does it work?

  1. Parses the file with findings in ASFF.
  2. Groups findings by account and region.
  3. Assumes the Role for each account.
  4. Imports findings into AWS SecurityHub for each account and region.
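
Steps 1 and 2 and the -failed filter, sketched in Go as an added example (this is not the importer's own code). It assumes the export is a JSON array of ASFF findings and that the region is read from the first entry in Resources; the type and function names are hypothetical. Steps 3 and 4 would then assume the Role once per account and call securityhub:BatchImportFindings once per batch.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Finding keeps only the ASFF fields needed for routing (hypothetical type).
type Finding struct {
	Id, AwsAccountId string
	Compliance       struct{ Status string }
	Resources        []struct{ Region string } // assumption: first entry gives the region
}

// Target is one account/region pair, i.e. one SecurityHub to import into.
type Target struct{ Account, Region string }

// Group parses an ASFF JSON array into batches of at most 100 findings per
// target; failedOnly drops PASSED and NOT_AVAILABLE, like the -failed flag.
func Group(data []byte, failedOnly bool) (map[Target][][]Finding, error) {
	var all []Finding
	if err := json.Unmarshal(data, &all); err != nil {
		return nil, err
	}
	out := map[Target][][]Finding{}
	for _, f := range all {
		if s := f.Compliance.Status; failedOnly && (s == "PASSED" || s == "NOT_AVAILABLE") {
			continue
		}
		if f.AwsAccountId == "" || len(f.Resources) == 0 || f.Resources[0].Region == "" {
			return nil, fmt.Errorf("finding %q: missing account or region", f.Id)
		}
		t := Target{f.AwsAccountId, f.Resources[0].Region}
		if b := out[t]; len(b) == 0 || len(b[len(b)-1]) == 100 {
			out[t] = append(b, nil) // start a new batch (API limit: 100 per call)
		}
		last := len(out[t]) - 1
		out[t][last] = append(out[t][last], f)
	}
	return out, nil
}

// sample is constructed input, not real findings.
const sample = `[
 {"Id":"f1","AwsAccountId":"111111111111","Compliance":{"Status":"FAILED"},"Resources":[{"Region":"eu-west-1"}]},
 {"Id":"f2","AwsAccountId":"111111111111","Compliance":{"Status":"PASSED"},"Resources":[{"Region":"eu-west-1"}]},
 {"Id":"f3","AwsAccountId":"222222222222","Compliance":{"Status":"FAILED"},"Resources":[{"Region":"us-east-1"}]}]`

func main() { fmt.Println(Group([]byte(sample), true)) }
```

A finding with no account or region stops the run with an error instead of being sent to a default account, so nothing lands in the wrong SecurityHub.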


How to use it?

./powerpipe_securityhub_importer -findings findings.asff.json -role role-name-with-path

To ignore findings whose state is PASSED or NOT_AVAILABLE, add the flag -failed.

Important

Check out the powerpipe-securityhub-importer repository for all available options. There, you'll always have the most up-to-date information.


And that's all folks! If you have any questions or comments, feel free to reach out to us.

Saludos, and may the force be with you.