Triaging Trivy AWS Alerts with Postee and AWS Security Hub
Security operators are overloaded with alerts and information arriving from a variety of sources. Without proper automation and triage, this information often gets lost and goes unactioned. Postee addresses this by automating, ahead of time, the actions an operator would otherwise take by hand for each alert.
Recently we added the capability for Postee to send alerts to AWS Security Hub for further triage and management. AWS Security Hub can act as a single pane of glass for all of your security findings.
Introducing Trivy AWS
With the recent addition of AWS scanning to Trivy, it now offers cloud security posture management (CSPM) capabilities: you can be alerted to misconfigurations in your AWS account and remediate them as they happen.
One example of such a scan would look like the following:
Here Trivy AWS reports several misconfigurations across a number of IAM policies in the account. Acting on all of them right away is rarely feasible given the time constraints an operator works under.
Sending Trivy AWS results to Postee
To handle this scenario, we can send the scan results to Postee. For this we use the Trivy Webhook Plugin, a Trivy plugin that takes scan results and delivers them to a webhook endpoint.
You can install the Trivy Webhook Plugin with Trivy's plugin install command, as shown here:
Here Postee is listening for events on port 8082. The remaining arguments are passed through to Trivy and select the ASFF (AWS Security Finding Format) template, which is the format AWS Security Hub expects to receive.
The events are received by Postee and forwarded to AWS Security Hub.
Postee is configured with a Route that matches all Trivy events and sends them to the AWS Security Hub action.
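The Trivy ASFF template performs the conversion described above for you. The following is an added example for this post, not Trivy's template and not Postee code: it shows in Python what one Trivy AWS misconfiguration becomes as an ASFF finding, checks the constraints Security Hub's BatchImportFindings API enforces (required fields, accepted severity labels, field lengths, batch size), and can post the result to Postee's webhook. The Trivy report embedded in it is constructed, the Postee URL http://localhost:8082 is assumed from the port mentioned in this post, and the account id, policy name and ProductArn form (the one AWS documents for custom integrations) are placeholders.

```python
"""Turn a Trivy AWS misconfiguration report into AWS Security Finding Format (ASFF)
and post it to Postee's webhook.  Added example; not Trivy's asff template nor
Postee code.  The report below is constructed and the Postee URL is assumed."""
import datetime as dt
import json
import urllib.request

# Constructed sample in the shape of `trivy aws --format json` output.  The account
# id and policy name are placeholders; the failed check is an illustration only.
SAMPLE_TRIVY_AWS_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "123456789012",
    "ArtifactType": "aws_account",
    "Results": [{
        "Target": "arn:aws:iam::123456789012:policy/example-admin-policy",
        "Class": "config",
        "Type": "cloud",
        "MisconfSummary": {"Successes": 1, "Failures": 1, "Exceptions": 0},
        "Misconfigurations": [
            {"ID": "AVD-AWS-0057", "Title": "IAM policy should not allow wildcard actions",
             "Description": "Wildcard actions grant far more permissions than a principal needs.",
             "Resolution": "Specify the exact actions the principal requires.",
             "Severity": "HIGH", "Status": "FAIL",
             "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0057"},
            # Passed checks only appear with --include-non-failures; they are not findings.
            {"ID": "PLACEHOLDER-PASS", "Title": "placeholder passed check",
             "Severity": "LOW", "Status": "PASS"},
        ],
    }],
}

# Security Hub accepts only these labels; Trivy also emits UNKNOWN.
SEVERITY_MAP = {"UNKNOWN": "INFORMATIONAL", "LOW": "LOW", "MEDIUM": "MEDIUM",
                "HIGH": "HIGH", "CRITICAL": "CRITICAL"}
# Fields BatchImportFindings rejects a finding without.
ASFF_REQUIRED = ("SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId", "Types",
                 "CreatedAt", "UpdatedAt", "Severity", "Title", "Description", "Resources")


def trivy_aws_to_asff(report, account_id, region, now=None):
    """Map each FAILed misconfiguration to one ASFF finding; PASS rows are dropped."""
    stamp = (now or dt.datetime.now(dt.timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    findings = []
    for result in report.get("Results", []):
        target = result["Target"]
        for m in result.get("Misconfigurations", []):
            if m.get("Status") != "FAIL":
                continue
            finding = {
                "SchemaVersion": "2018-10-08",
                # Id is unique per product+account; target ARN plus check id is stable across
                # runs, so a re-import updates the existing finding instead of duplicating it.
                "Id": f"{target}/{m['ID']}"[:512],
                # ARN form for findings imported by a custom (non-partner) integration.
                "ProductArn": f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default",
                "GeneratorId": "Trivy",
                "AwsAccountId": account_id,
                "Types": ["Software and Configuration Checks/AWS Security Best Practices"],
                "CreatedAt": stamp,
                "UpdatedAt": stamp,
                "Severity": {"Label": SEVERITY_MAP.get(m.get("Severity", "UNKNOWN"), "INFORMATIONAL")},
                "Title": f"Trivy: {m['Title']}"[:256],
                "Description": (m.get("Description") or m["Title"])[:1024],
                "ProductFields": {"Product Name": "Trivy", "CheckId": m["ID"]},
                "Resources": [{"Type": "Other", "Id": target, "Partition": "aws", "Region": region}],
                "RecordState": "ACTIVE",
            }
            if m.get("PrimaryURL"):  # link the AVD remediation guide when Trivy supplies one
                finding["Remediation"] = {"Recommendation": {
                    "Text": m.get("Resolution") or "See the linked AVD entry.", "Url": m["PrimaryURL"]}}
            findings.append(finding)
    return {"Findings": findings}


def validate_asff(payload):
    """Return the problems Security Hub would reject this batch for (empty list means ok)."""
    problems = []
    findings = payload.get("Findings", [])
    if len(findings) > 100:  # BatchImportFindings takes at most 100 findings per call
        problems.append("batch has more than 100 findings")
    for f in findings:
        fid = f.get("Id", "<no Id>")
        missing = [k for k in ASFF_REQUIRED if k not in f]
        if missing:
            problems.append(f"{fid}: missing {', '.join(missing)}")
        if f.get("Severity", {}).get("Label") not in SEVERITY_MAP.values():
            problems.append(f"{fid}: severity label not accepted by Security Hub")
        if not f.get("Resources") or any(not {"Type", "Id"}.issubset(r) for r in f["Resources"]):
            problems.append(f"{fid}: every resource needs Type and Id")
        if len(f.get("Id", "")) > 512 or len(f.get("Title", "")) > 256 or len(f.get("Description", "")) > 1024:
            problems.append(f"{fid}: Id/Title/Description exceed ASFF length limits")
    return problems


def send_to_postee(payload, url="http://localhost:8082"):
    """POST the ASFF batch to Postee's webhook (port 8082, as in the post); returns the HTTP status."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    asff = trivy_aws_to_asff(SAMPLE_TRIVY_AWS_REPORT, "123456789012", "us-east-1")
    problems = validate_asff(asff)
    print(json.dumps(asff, indent=2))
    if problems:
        raise SystemExit("\n".join(problems))
    # send_to_postee(asff)   # uncomment with Postee listening on localhost:8082
```

Two details matter in practice: the finding Id is derived from the resource ARN and the check id, so repeated scans update an existing Security Hub finding rather than creating a new one each run, and Trivy's UNKNOWN severity has to be mapped to INFORMATIONAL because Security Hub rejects any other label.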
A sample YAML Postee configuration looks like the following:
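The configuration below is an added example written for this post, not the sample file shipped with Postee. The field names follow Postee's cfg.yaml layout (routes, templates, actions); the route's rego input expression and the awsSecurityHub action type name are assumptions to confirm against the Postee documentation for the version you run.

```yaml
# Added example Postee configuration, not the project's shipped cfg.yaml.
name: trivy-aws-to-securityhub
aqua-server: ""
max-db-size: 1000MB       # cap on Postee's local de-duplication database
db-verify-interval: 1     # hours between database size checks

routes:
  - name: trivy-aws
    # The ASFF template emits {"Findings": [...]}; matching on that array catches
    # every message the Trivy webhook plugin sends (rego expression, assumed).
    input: input.Findings
    actions: [securityhub]
    template: raw-json

templates:
  - name: raw-json
    rego-package: postee.rawmessage.json   # forward the ASFF payload unchanged

actions:
  - name: securityhub
    type: awsSecurityHub                   # action type name assumed; check the docs
    enable: true
```

Because Trivy already produced ASFF, the route uses the raw JSON template so the payload reaches Security Hub untouched. The action is expected to pick up AWS credentials from the usual SDK chain (environment variables or an instance/task role), so the identity Postee runs as needs permission to call securityhub:BatchImportFindings in the target region.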
Triaging within AWS Security Hub
Once results are sent to AWS Security Hub, they appear in the Findings dashboard.
Opening one of the findings shows its details and lets you triage it further as needed, for example by updating its workflow status.
To remediate the underlying misconfiguration, follow the remediation guide for the check in the Aqua Vulnerability Database (AVD), which each finding links to.
Postee's AWS Security Hub integration is now available. You can find more details on the project page at github.com/aquasecurity/postee.