Security Hub
Through the use and configuration of the Tenable.io to AWS Security Hub Transformer, Tenable.io can send vulnerabilities to AWS Security Hub. This tool consumes Tenable.io asset and vulnerability data, transforms that data into the AWS Security Hub Finding format, and then uploads the resulting data into AWS Security Hub.
Note: The script does not need to be run in AWS.
The tool can be run either as a one-shot docker container or as a command-line tool:
- To run as a docker image, you must build the image and then pass the necessary secrets on to the container.
- To run as a command-line tool, you must install the required Python modules and then run the tool, supplying the required parameters either as environment variables or as run-time arguments.
Requirements
- Tenable.io account
- Tenable.io AWS connector enabled and configured
- AWS Security Hub
- Tenable.io Provider enabled and configured in Security Hub
Installation
To build the Docker image, run the following command:
docker build -t tio2sechub:latest .
To install the Python requirements, run the following command:
pip install -r requirements.txt
Enable Script in Security Hub
To enable the script in Security Hub:
- Log in to Security Hub.
- If you have not yet enabled Security Hub, click Enable Security Hub.
- Navigate to Settings > Providers.
- In the Search box, type Tenable.
- Click Configure.
Your account is now subscribed to accept findings from the script.
Configuration
The following lists the command-line arguments as well as the equivalent environment variables:
usage: sechubingest.py [-h] [--tio-access-key TIO_ACCESS_KEY]
[--tio-secret-key TIO_SECRET_KEY]
[--batch-size BATCH_SIZE] [--aws-region AWS_REGION]
[--aws-account-id AWS_ACCOUNT_ID]
[--aws-access-id AWS_ACCESS_ID]
[--aws-secret-key AWS_SECRET_KEY]
[--log-level LOG_LEVEL] [--since OBSERVED_SINCE]
[--run-every RUN_EVERY]
optional arguments:
-h, --help show this help message and exit
--tio-access-key TIO_ACCESS_KEY
Tenable.io Access Key
--tio-secret-key TIO_SECRET_KEY
Tenable.io Secret Key
--batch-size BATCH_SIZE
Size of the batches to populate into Security Hub
--aws-region AWS_REGION
AWS region for Security Hub
--aws-account-id AWS_ACCOUNT_ID
AWS Account ID
--aws-access-id AWS_ACCESS_ID
AWS Access ID
--aws-secret-key AWS_SECRET_KEY
AWS Secret Key
--log-level LOG_LEVEL
Log level: available levels are debug, info, warn,
error, crit
--since OBSERVED_SINCE
The unix timestamp of the age threshold
--run-every RUN_EVERY
How many hours between recurring imports
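How the transformation described above can be implemented, as an added example that is not the project's own code: it maps constructed Tenable.io-style vulnerability and asset records into AWS Security Hub Finding Format (ASFF) findings, applies the --since age threshold and chunks the result by --batch-size. The record shape, the severity mapping and the product ARN form are assumptions, not taken from the page.

```python
from datetime import datetime, timezone

ASFF_SCHEMA = "2018-10-08"
# Tenable.io severity strings mapped onto ASFF Severity.Label values (assumed mapping).
SEVERITY_LABEL = {"info": "INFORMATIONAL", "low": "LOW", "medium": "MEDIUM",
                  "high": "HIGH", "critical": "CRITICAL"}

def _epoch(iso: str) -> int:
    """Tenable.io timestamps are ISO 8601; return Unix seconds for the --since comparison."""
    return int(datetime.fromisoformat(iso.replace("Z", "+00:00")).timestamp())

def _iso(ts: int) -> str:
    """ASFF expects ISO 8601 in UTC with a trailing Z."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def to_finding(vuln: dict, asset: dict, account_id: str, region: str) -> dict:
    """Build one ASFF finding; the product ARN form below is an assumption."""
    plugin = vuln["plugin"]
    instance = asset["aws_ec2_instance_id"]
    return {
        "SchemaVersion": ASFF_SCHEMA,
        "Id": f"{asset['id']}/{plugin['id']}",  # stable per asset+plugin: re-imports update, not duplicate
        "ProductArn": f"arn:aws:securityhub:{region}::product/tenable/tenable-io",
        "GeneratorId": f"tenable-plugin-{plugin['id']}",
        "AwsAccountId": account_id,
        "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
        "CreatedAt": _iso(_epoch(vuln["first_found"])),
        "UpdatedAt": _iso(_epoch(vuln["last_found"])),
        "Severity": {"Label": SEVERITY_LABEL[vuln["severity"]]},
        "Title": plugin["name"],
        "Description": plugin["description"][:1024],  # ASFF limits Description to 1024 chars
        "Resources": [{"Type": "AwsEc2Instance", "Region": region,
                       "Id": f"arn:aws:ec2:{region}:{account_id}:instance/{instance}"}],
    }

def transform(vulns, assets, account_id, region, since=0, batch_size=100):
    """Drop vulns last seen before --since, map the rest, and chunk into --batch-size lists."""
    by_uuid = {a["id"]: a for a in assets}
    findings = [to_finding(v, by_uuid[v["asset"]["uuid"]], account_id, region)
                for v in vulns if _epoch(v["last_found"]) >= since]
    return [findings[i:i + batch_size] for i in range(0, len(findings), batch_size)]

# Constructed sample data shaped like Tenable.io export records (not real export output).
ASSETS = [{"id": "a1", "aws_ec2_instance_id": "i-0abc"}]
VULNS = [
    {"asset": {"uuid": "a1"}, "severity": "high", "first_found": "2024-01-01T00:00:00Z",
     "last_found": "2024-01-10T00:00:00Z",
     "plugin": {"id": 1001, "name": "Sample vuln", "description": "d"}},
    {"asset": {"uuid": "a1"}, "severity": "info", "first_found": "2023-01-01T00:00:00Z",
     "last_found": "2023-01-02T00:00:00Z",
     "plugin": {"id": 1002, "name": "Old finding", "description": "d"}},
]
```

Each batch returned by transform() is the list a caller would hand to the Security Hub BatchImportFindings API in one request.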
To run the import once, run the following command:
./sechubingest.py \
--tio-access-key {TIO_ACCESS_KEY} \
--tio-secret-key {TIO_SECRET_KEY} \
--aws-region us-east-1 \
--aws-account-id {AWS_ACCOUNT_ID} \
--aws-access-id {AWS_ACCESS_ID} \
--aws-secret-key {AWS_SECRET_KEY}
To run the import once an hour, run the following command:
./sechubingest.py \
--tio-access-key {TIO_ACCESS_KEY} \
--tio-secret-key {TIO_SECRET_KEY} \
--aws-region us-east-1 \
--aws-account-id {AWS_ACCOUNT_ID} \
--aws-access-id {AWS_ACCESS_ID} \
--aws-secret-key {AWS_SECRET_KEY} \
--run-every 1
To run the same import using environment variables, run the following commands:
export TIO_ACCESS_KEY="{TIO_ACCESS_KEY}"
export TIO_SECRET_KEY="{TIO_SECRET_KEY}"
export AWS_REGION="us-east-1"
export AWS_ACCOUNT_ID="{AWS_ACCOUNT_ID}"
export AWS_ACCESS_ID="{AWS_ACCESS_ID}"
export AWS_SECRET_KEY="{AWS_SECRET_KEY}"
export RUN_EVERY=1
./sechubingest.py