Amazon Security Hub Integration

AWS Security Hub gives you a comprehensive view of your high-priority security alerts and compliance status across AWS accounts.

With Security Hub, you can have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS Partner solutions.

What does Opsgenie offer Amazon Security Hub users?

Use Opsgenie's Amazon Security Hub Integration to forward Amazon Security Hub findings to Opsgenie. Opsgenie determines the right people to notify based on on-call schedules– notifies via email, text messages (SMS), phone calls and iOS & Android push notifications, and escalates alerts until the alert is acknowledged or closed.

Functionality of the integration

Amazon Security Hub sends findings which match with the corresponding CloudWatch Event rule to CloudWatch. Selecting SNS topic for target let you publish the related event message for findings to SNS which will send this message to Opsgenie at the end.

Add Amazon Security Hub Integration to Opsgenie

  1. Please create an Opsgenie account if you haven't done so already.
  2. Go to Opsgenie Amazon Security Hub Integration page.


For Free and Essentials plans, you can only add the integrations from the Team Dashboards, please use the alternative instructions given below to add this integration.

  1. Specify who is notified of Amazon Security Hub alerts using the Teams field. Auto-complete suggestions are provided as you type.


An alternative for Step 2) and Step 3) is to add the integration from the Team Dashboard of the team which will own the integration. To add an integration directly to a team, navigate to the Team Dashboard and open Integrations tab. Click Add Integration and select the integration that you would like to add.

  1. Copy the API Key.
  2. Click Save Integration.

Configuration in Amazon Security Hub

  1. Go to Security Hub, click Settings and select Custom actions from tab.
  1. Click Create custom action and fill the necessary fields.
  1. You will see the created action.


You can use CloudFormation template to create CloudWatch Event Rule and SNS Topic.

Configuration in Amazon SNS

  1. Go to AWS SNS and select Topics, then click Create topic.
  1. Then, click Create subscription to send SNS messages to Opsgenie.
  1. Select HTTPS from protocol and give Opsgenie's API endpoint using the URL provided from the integration.

Configuration in Amazon CloudWatch Events

  1. Go to Amazon CloudWatch and select Rules under Events, then click Create rule.
  2. Select Event Pattern as Event Source and select Build event pattern to match all events from the dropdown menu.
  1. Edit event pattern preview and copy & paste the following.
  "source": [
  "detail-type": [
    "Security Hub Findings - Custom Action"
  "resources": [
    <custom action arn you created in security hub>
  1. Then, select SNS topic from the dropdown menu in Targets part and select the topic you created before.
  1. Click configure details and fill the necessary fields in the opening page.
  1. Then, click Create rule.

Sample Payload from Amazon Security Hub

  "Type": "Notification",
  "MessageId": "96d4c7c2-999e-57ab-aade",
  "TopicArn": "arn:aws:sns:us-west-2:test",
  "Message": "{\"version\":\"0\",\"id\":\"3ee38987-e0ce--91a1\",\"detail-type\":\"EC2 Instance State-change Notification\",\"source\":\"aws.ec2\",\"account\":\"abc\",\"time\":\"2017-09-11T10:49:41Z\",\"region\":\"us-west-2\",\"resources\":[\"arn:aws:ec2:us-west-2:asdf:instance/i-abc\"],\"detail\":{\"actionName\":\"custom-action-name\",\"actionDescription\":\"description of the action\",\"findings\":[{\"AwsAccountId\": \"abc\",\"Compliance\": {\"Status\": \"PASSED\"},\"Confidence\": 42,\"CreatedAt\": \"2017-03-22T13:22:13.933Z\",\"Criticality\": 99,\"Description\": \"The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.\",\"FirstObservedAt\": \"2017-03-22T13:22:13.933Z\",\"GeneratorId\": \"acme-vuln-9ab348\",\"Id\": \"us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef\",\"LastObservedAt\": \"2017-03-23T13:22:13.933Z\",\"Malware\": [{\"Name\": \"Stringler\",\"Type\": \"COIN_MINER\",\"Path\": \"/usr/sbin/stringler\",\"State\": \"OBSERVED\"}],\"Network\": {\"Direction\": \"IN\",\"Protocol\": \"TCP\",\"SourceIpV4\": \"\",\"SourceIpV6\": \"FE80:CD00:0000:0CDE:1257:0000:211E:729C\",\"SourcePort\": \"42\",\"SourceDomain\": \"\",\"SourceMac\": \"00:0d:83:b1:c0:8e\",\"DestinationIpV4\": \"\",\"DestinationIpV6\": \"FE80:CD00:0000:0CDE:1257:0000:211E:729C\",\"DestinationPort\": \"80\",\"DestinationDomain\": \"\"},\"Note\": {\"Text\": \"Don't forget to check under the mat.\",\"UpdatedBy\": \"jsmith\",\"UpdatedAt\": \"2018-08-31T00:15:09Z\"},\"Process\": {\"Name\": \"syslogd\",\"Path\": \"/usr/sbin/syslogd\",\"Pid\": 12345,\"ParentPid\": 56789,\"LaunchedAt\": \"2018-09-27T22:37:31Z\",\"TerminatedAt\": \"2018-09-27T23:37:31Z\"},\"ProductArn\": \"arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default\",\"ProductFields\": {\"generico/secure-pro/Count\": \"6\",\"Service_Name\": \"\",\"aws/inspector/AssessmentTemplateName\": \"My daily CVE assessment\",\"aws/inspector/AssessmentTargetName\": \"My prod env\",\"aws/inspector/RulesPackageName\": \"Common Vulnerabilities and Exposures\"},\"RecordState\": \"ACTIVE\",\"RelatedFindings\": [{ \"ProductArn\": \"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\": \"123e4567-e89b-12d3-a456-426655440000\" },{ \"ProductArn\": \"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\": \"AcmeNerfHerder--x189dx7824\" }],\"Remediation\": {\"Recommendation\": {\"Text\": \"Run sudo yum update and cross your fingers and toes.\",\"Url\": \"\"}},\"Resources\": [{\"Type\": \"AwsEc2Instance\",\"Id\": \"i-cafebabe\",\"Partition\": \"aws\",\"Region\": \"us-west-2\",\"Tags\": {\"billingCode\": \"Lotus-1-2-3\",\"needsPatching\": \"true\"},\"Details\": {\"AwsEc2Instance\": {\"Type\": \"i3.xlarge\",\"ImageId\": \"ami-abcd1234\",\"IpV4Addresses\": [ \"\", \"\" ],\"IpV6Addresses\": [ \"2001:db8:1234:1a2b::123\" ],\"KeyName\": \"my_keypair\",\"IamInstanceProfileArn\": \"arn:aws:iam:::instance-profile/AdminRole\",\"VpcId\": \"vpc-11112222\",\"SubnetId\": \"subnet-56f5f633\",\"LaunchedAt\": \"2018-05-08T16:46:19.000Z\"}}}],\"SchemaVersion\": \"2018-10-08\",\"Severity\": {\"Product\": 8.3,\"Normalized\": 25},\"SourceUrl\": \"string\",\"ThreatIntelIndicators\": [{\"Type\": \"IPV4_ADDRESS\",\"Value\": \"\",\"Category\": \"BACKDOOR\",\"LastObservedAt\": \"2018-09-27T23:37:31Z\",\"Source\": \"Threat Intel Weekly\",\"SourceUrl\": \"\"}],\"Title\": \"title\",\"Types\": [\"Software and Configuration Checks/Vulnerabilities/CVE\"],\"UpdatedAt\": \"123578964332\",\"UserDefinedFields\": {\"reviewedByCio\": \"true\",\"comeBackToLater\": \"Check this again on Monday\"},\"VerificationState\": \"string\",\"WorkflowState\": \"NEW\"}]}}",
  "Timestamp": "2017-09-11T10:49:42.630Z",
  "SignatureVersion": "1",
  "Signature": "sign",
  "SigningCertURL": "",
  "UnsubscribeURL": ""

Updated 7 months ago

Amazon Security Hub Integration

AWS Security Hub gives you a comprehensive view of your high-priority security alerts and compliance status across AWS accounts.

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.