modernisation-platform
Integrating AWS Security Hub Alerts into Slack via PagerDuty for High and Critical Findings
User Story
As a security engineer, I need to set up an automated system that sends high or critical severity findings from AWS Security Hub in individual member accounts to Slack via PagerDuty. The solution should be deployed using our Baseline Module, ensuring that the security alerts follow predefined automation and infrastructure standards. The system must update the workflow status of findings to Notified once they are processed.
Value / Purpose
This solution will enhance the team's visibility into critical security issues across all AWS accounts within the MP OU. By filtering and sending only high or critical severity findings to Slack through PagerDuty, it will prevent alert fatigue, improve incident response times, and ensure that findings are properly tracked with updated workflow statuses.
Useful Contacts
No response
Additional Information
Architecture: Based on the provided architecture diagram, each member account uses an AWS EventBridge rule and an SNS topic to capture Security Hub findings and forward them to PagerDuty. A Lambda function subscribed to the same topic then updates the Security Hub finding's workflow status to "Notified" upon successful notification, so the same finding is not raised again on the next import.
Slack Integration: A separate Slack channel should be created to handle these alerts, ensuring that only relevant high/critical findings are posted for quick action.
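The following is an added example of the member-account side of this pipeline, not code from the modernisation-platform repository or its Baseline Module. It contains the EventBridge event pattern that keeps only HIGH/CRITICAL findings still in workflow status NEW, and a Lambda handler that re-checks the severity in code, calls Security Hub's BatchUpdateFindings to set the workflow status to NOTIFIED, and fails loudly if any finding could not be updated. It assumes the SNS topic fans the raw EventBridge event out to both the PagerDuty subscription and the Lambda, and that the Lambda role holds securityhub:BatchUpdateFindings. The sample event, account number, finding ARNs and the FakeSecurityHubClient are constructed so the module runs offline; the real boto3 client is only created when no client is injected.

```python
"""Member-account Lambda: mark HIGH/CRITICAL Security Hub findings NOTIFIED.

Flow (assumed, see lead-in): EventBridge rule -> SNS topic -> PagerDuty + this Lambda.
"""
import json
from typing import Any, Dict, Iterable, List

# EventBridge rule pattern for the member account. Security Hub emits one
# "Findings - Imported" event per finding. Filtering on Workflow.Status=NEW at
# the rule stops findings already marked NOTIFIED from being re-sent when
# Security Hub re-imports them on its next check.
EVENT_PATTERN: Dict[str, Any] = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
        "findings": {
            "Severity": {"Label": ["HIGH", "CRITICAL"]},
            "Workflow": {"Status": ["NEW"]},
            "RecordState": ["ACTIVE"],
        }
    },
}

ALERT_SEVERITIES = {"HIGH", "CRITICAL"}
BATCH_SIZE = 100  # BatchUpdateFindings accepts at most 100 identifiers per call


def unwrap_event(event: Dict[str, Any]) -> Dict[str, Any]:
    """Return the EventBridge event whether Lambda was invoked via SNS or directly."""
    if "Records" in event:  # SNS envelope: the EventBridge event is the JSON message body
        return json.loads(event["Records"][0]["Sns"]["Message"])
    return event


def select_findings(event: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Defence in depth: re-apply the rule's filter in code, not only in EventBridge."""
    detail = unwrap_event(event).get("detail", {})
    return [
        f for f in detail.get("findings", [])
        if f.get("Severity", {}).get("Label") in ALERT_SEVERITIES
        and f.get("Workflow", {}).get("Status") == "NEW"
        and f.get("RecordState") == "ACTIVE"
    ]


def chunks(items: List[Any], size: int) -> Iterable[List[Any]]:
    for i in range(0, len(items), size):
        yield items[i:i + size]


def mark_notified(findings: List[Dict[str, Any]], client: Any) -> Dict[str, List[str]]:
    """Set Workflow.Status=NOTIFIED and report which ids were / were not updated."""
    result: Dict[str, List[str]] = {"notified": [], "failed": []}
    identifiers = [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in findings]
    for batch in chunks(identifiers, BATCH_SIZE):
        resp = client.batch_update_findings(
            FindingIdentifiers=batch,
            Workflow={"Status": "NOTIFIED"},
            Note={"Text": "Sent to PagerDuty/Slack", "UpdatedBy": "securityhub-notifier"},
        )
        result["notified"] += [p["Id"] for p in resp.get("ProcessedFindings", [])]
        result["failed"] += [u["FindingIdentifier"]["Id"] for u in resp.get("UnprocessedFindings", [])]
    return result


def handler(event: Dict[str, Any], context: Any = None, client: Any = None) -> Dict[str, List[str]]:
    findings = select_findings(event)
    if not findings:
        return {"notified": [], "failed": []}
    if client is None:
        import boto3  # imported lazily so the module loads without AWS credentials
        client = boto3.client("securityhub")
    result = mark_notified(findings, client)
    if result["failed"]:
        # Raise so the async-invoke retry / DLQ path sees the failure instead of losing it
        raise RuntimeError(f"could not mark findings NOTIFIED: {result['failed']}")
    return result


class FakeSecurityHubClient:
    """Constructed stand-in for boto3's securityhub client; records calls, processes all."""
    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def batch_update_findings(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(kwargs)
        return {"ProcessedFindings": kwargs["FindingIdentifiers"], "UnprocessedFindings": []}


def _finding(fid: str, label: str) -> Dict[str, Any]:
    return {"Id": fid, "ProductArn": "arn:aws:securityhub:eu-west-2::product/aws/securityhub",
            "Severity": {"Label": label}, "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE"}


# Constructed SNS-wrapped event with two findings (real events carry one each).
CRIT_ID = "arn:aws:securityhub:eu-west-2:111122223333:subscription/example/finding/crit-1"
SAMPLE_EVENT: Dict[str, Any] = {"Records": [{"Sns": {"Message": json.dumps({
    "source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [_finding(CRIT_ID, "CRITICAL"),
                            _finding(CRIT_ID.replace("crit-1", "low-1"), "LOW")]},
})}}]}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, client=FakeSecurityHubClient()))
```

Filtering twice (in the rule and in the handler) is deliberate: the rule is what keeps PagerDuty quiet, but the handler is the only thing writing to Security Hub, so it should not trust the rule to have been deployed correctly in every member account.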
Definition of Done
- [x] Implement the architecture using the Baseline Module, ensuring that AWS Security Hub findings are processed and sent from each member account to PagerDuty, then to Slack.
- [ ] Once a finding is sent to PagerDuty, the Lambda function should update the finding's workflow status to Notified in AWS Security Hub.
- [x] Create and configure a dedicated Slack channel where high and critical alerts from PagerDuty will be posted.
- [ ] Test the entire workflow by generating findings of various severities and verifying that only high/critical findings are forwarded and the workflow status is updated correctly.