Aqua Blog

Triaging Trivy AWS Alerts with Postee and AWS Security Hub

Security operators are overloaded with alerts and information arriving from a variety of sources. Without proper automation and triage, this information often gets lost and is never acted upon. Postee remediates this by automating commonly taken operator actions ahead of time.

Recently, we added the capability for Postee alerts to be sent to AWS Security Hub for further triage and management. AWS Security Hub can act as a single-pane-of-glass dashboard for all your security-related findings.

Introducing Trivy AWS

With the recent addition of AWS scanning to Trivy, we've improved its CSPM capabilities. You can now be alerted to issues that exist in your AWS account and remediate them as they happen.

One example of such a scan would look like the following:

(Screenshot: misconfigurations being reported by Trivy AWS)

In this case you can see several misconfigurations reported by Trivy AWS on a variety of IAM policies in this AWS account. Acting on them right away might not be an easy task given the time constraints the operator has to work with.

Sending Trivy AWS results to Postee

To deal with the above scenario, we can send these scan results to Postee. For this task we can make use of the Trivy Webhook Plugin, a plugin that takes Trivy results and sends them to a webhook endpoint.

You can install the Trivy Webhook Plugin as shown here:

(Screenshot: installing the Trivy Webhook Plugin)

Running the above scan again, this time through the plugin, would look like the following:

(Screenshot: running the above scan using the plugin)

In this case Postee is listening for events on port 8082. We also pass Trivy arguments that set the output template to ASFF, the Amazon Security Finding Format, which AWS Security Hub expects to receive.

The events are then received by Postee and transmitted over to AWS Security Hub.

(Screenshot: events received by Postee and transmitted to AWS Security Hub)

In this case Postee is configured with a Route that listens for all Trivy events and sends them to AWS Security Hub.

(Screenshot: Postee Route that listens for all Trivy events and sends them to AWS Security Hub)

A sample YAML Postee configuration looks like the following:

(Screenshot: sample YAML Postee configuration)

Triaging within AWS Security Hub

After results are sent to AWS Security Hub, they will show up in the Findings dashboard.

(Screenshot: AWS Security Hub Findings dashboard)

Diving into the details of one of them, we have the option to triage it further as needed.

(Screenshot: finding details with the option to triage further)
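Findings only reach the Security Hub dashboard if they are well-formed ASFF, and a triage queue is only useful if duplicates are collapsed and the most urgent items float to the top. The following Python script is an added example for this post, not Postee's or Trivy's own code: it takes a JSON document in the `{"Findings": [...]}` shape that an ASFF template produces, checks each finding for the attributes ASFF requires, collapses repeated scans of the same finding `Id`, sorts by severity label, and splits the result into batches of at most 100 findings (the per-call limit of the Security Hub `BatchImportFindings` API). The sample findings, account id, resource ARNs and `ProductArn` are constructed placeholders.

```python
"""Validate and triage ASFF findings before they are batched into Security Hub.

Added example for this post (not Postee's or Trivy's own code). The findings
below are constructed for illustration in the AWS Security Finding Format
(ASFF) shape; the ProductArn, account id and resource ARNs are placeholders.
Only the Python standard library is used.
"""
import json
from collections import Counter
from datetime import datetime

# Attributes ASFF requires in every finding. Security Hub rejects a finding
# that lacks any of them, so catching this before the import saves a failed batch.
ASFF_REQUIRED = (
    "SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId", "Types",
    "CreatedAt", "UpdatedAt", "Severity", "Title", "Description", "Resources",
)
# ASFF severity labels, most urgent first.
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFORMATIONAL": 4}
# BatchImportFindings accepts at most 100 findings per call.
BATCH_LIMIT = 100


def _finding(fid, label, title, updated="2023-01-01T10:00:00Z", **overrides):
    """Build one constructed ASFF finding; an override of None drops that field."""
    f = {
        "SchemaVersion": "2018-10-08",
        "Id": fid,
        "ProductArn": "arn:aws:securityhub:REGION::product/PLACEHOLDER/PLACEHOLDER",
        "GeneratorId": "Trivy",
        "AwsAccountId": "123456789012",  # placeholder account id
        "Types": ["Software and Configuration Checks/AWS Security Best Practices"],
        "CreatedAt": "2023-01-01T10:00:00Z",
        "UpdatedAt": updated,
        "Severity": {"Label": label},
        "Title": title,
        "Description": f"Constructed sample finding: {title}",
        "Resources": [{"Type": "AwsIamPolicy",
                       "Id": f"arn:aws:iam::123456789012:policy/{fid}"}],
    }
    f.update(overrides)
    return {k: v for k, v in f.items() if v is not None}


# Constructed payload: a repeated finding, a broken one, and three valid ones.
SAMPLE_PAYLOAD = json.dumps({"Findings": [
    _finding("iam-policy-wildcard-1", "HIGH", "IAM policy allows wildcard actions"),
    _finding("iam-policy-wildcard-1", "HIGH", "IAM policy allows wildcard actions (rescan)",
             updated="2023-01-02T10:00:00Z"),
    _finding("s3-public-1", "CRITICAL", "S3 bucket allows public read",
             Resources=[{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}]),
    _finding("broken-1", "MEDIUM", "Finding missing required fields",
             Description=None, Resources=None),
    _finding("low-1", "LOW", "Password policy below recommended length"),
]})


def load_findings(payload):
    """Parse the JSON document an ASFF template emits: {"Findings": [...]}."""
    return json.loads(payload)["Findings"]


def validate_finding(finding):
    """Return the problems that would make Security Hub reject this finding."""
    problems = [field for field in ASFF_REQUIRED if field not in finding]
    severity = finding.get("Severity", {})
    if "Severity" in finding and not ("Label" in severity or "Normalized" in severity):
        problems.append("Severity needs Label or Normalized")
    if "Resources" in finding and not finding["Resources"]:
        problems.append("Resources must not be empty")
    return problems


def _updated_at(finding):
    """Parse the ISO 8601 UpdatedAt timestamp ('Z' suffix) into a datetime."""
    raw = finding.get("UpdatedAt", "1970-01-01T00:00:00Z")
    return datetime.fromisoformat(raw.replace("Z", "+00:00"))


def dedupe(findings):
    """Collapse findings that share an Id, keeping the most recently updated one."""
    latest = {}
    for f in findings:
        fid = f.get("Id")
        if fid not in latest or _updated_at(f) > _updated_at(latest[fid]):
            latest[fid] = f
    return list(latest.values())


def severity_rank(finding):
    """Sort key: unknown labels sort after every known one."""
    label = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
    return SEVERITY_ORDER.get(label.upper(), len(SEVERITY_ORDER))


def triage(findings):
    """Split findings into importable and rejected; sort importable by urgency."""
    valid, rejected = [], {}
    for f in dedupe(findings):
        problems = validate_finding(f)
        if problems:
            rejected[f.get("Id", "<no Id>")] = problems
        else:
            valid.append(f)
    valid.sort(key=severity_rank)  # stable, so equal severities keep scan order
    by_severity = Counter(f["Severity"]["Label"] for f in valid)
    return {"valid": valid, "rejected": rejected, "by_severity": by_severity}


def batches(items, limit=BATCH_LIMIT):
    """Yield slices no larger than the BatchImportFindings per-call limit."""
    for start in range(0, len(items), limit):
        yield items[start:start + limit]


if __name__ == "__main__":
    summary = triage(load_findings(SAMPLE_PAYLOAD))
    print("importable:", [f["Id"] for f in summary["valid"]])
    print("rejected:", summary["rejected"])
    print("by severity:", dict(summary["by_severity"]))
    print("batches:", [len(b) for b in batches(summary["valid"])])
```

Running the script prints the importable findings in severity order, the rejected finding with the fields it lacks, and the batch sizes. Rejected findings are reported rather than silently dropped so the operator sees that a scanner or template change has started producing malformed output.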

To remediate this risk, you can read the Remediation Guide in AVD here.

(Screenshot: Remediation Guide in AVD)

Available Today

Postee's AWS Security Hub integration is now available. You can find more details on the project page at github.com/aquasecurity/postee.

Simar Singh
Simar is an Open Source Engineer at Aqua. He works on projects that improve container security. He is also an avid open source contributor outside of work and currently maintains a few projects. While not in front of a computer screen, he likes to row competitively, ride a bike and travel.