
Use generative AI to summarize Security Hub findings

This tutorial demonstrates how to use Amazon Bedrock to create generative AI summaries of AWS Security Hub findings.

Jeremy Schiefer
Amazon Employee
Published Oct 23, 2024
AWS Security Hub is a cloud security posture management (CSPM) service that performs security best practice checks, aggregates alerts, and enables automated remediation. Security Hub aggregates your security alerts in a standardized format from AWS and Partner services. The standardized AWS Security Finding format enables customers to create remediation and enrichment workflows without having to spend time on data parsing or normalization efforts.
Security Hub generates findings based on a set of rules called security controls. After enabling Security Hub, you choose to enable a security standard which is a collection of security controls. Security Hub automatically sends new findings and updates to existing findings to EventBridge as EventBridge events. You create custom actions that allow you to send selected findings to EventBridge.
These findings contain information including the title, description, severity, resource-specific information, and other fields as described in the AWS Security Finding Format. In this blog, you will learn how to use generative AI with Amazon Bedrock to summarize this information into a simple 50-word summary.

Overview of solution

In this blog, you create a custom action that sends specific Security Hub findings to EventBridge. An EventBridge rule listens for the event, and invokes an AWS Lambda function. The Lambda function invokes the Amazon Bedrock service to summarize the finding. The finding details are updated in Security Hub with the summary for the user to review.
An AWS architecture diagram illustrating the solution

Walkthrough

This walkthrough demonstrates how to deploy and configure an AWS Security Hub custom action to summarize findings.

Prerequisites

To complete the steps in this blog, you must first complete the prerequisites.

Step 1: Create a custom action

In this step you will create a custom action to run the summarization.
  1. Create a custom action following the steps for creating a custom action in the AWS Security Hub user guide.
    • For Name, enter Summarize (Explain).
Make note of the custom action ARN. You use the ARN when you deploy the CloudFormation template.

Step 2: Deploy the solution

In this step, you will deploy the AWS CloudFormation template that creates the EventBridge rule and AWS Lambda function.
  1. Navigate to the generative AI security hub summary GitHub and download the template.
  2. Follow the steps for creating a stack in the AWS CloudFormation user guide.
    • For pCustomActionARN parameter, enter the ARN from step 1.

Step 3: Generate summaries

In this step, you will test the solution and summarize a finding.
  1. Navigate to the Security Hub console.
  2. In the navigation pane, choose Findings.
  3. Select a finding you want to summarize, and choose Actions, Summarize (Explain).
A finding selected in Security Hub with the action shown
  4. The Lambda function is invoked, summarizes the finding, and then updates the finding with the result. It may take a couple of seconds to process and generate the summary. You can view the result on the History tab.
History tab with the updated generative AI created summary

Step 4: (Optional) Update the prompt

In this step, you will learn how to update the prompt for different types of summaries depending on your audience.
  1. Navigate to the AWS Lambda console.
  2. Select the function you deployed in step 1. The function name contains fnCreateSummary.
  3. Update the variable system_prompt. The system prompt changes how the summaries are created. To learn about prompt engineering, see the prompt engineering guidelines in the Amazon Bedrock user guide. The function includes only the first 512 characters of the summary when updating the finding note.
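The flow described in the overview (custom-action event in, Bedrock summary out, note written back to the finding) and the 512-character note limit from this step, as an added example that is not the project's own Lambda code. The model ID, prompt wording, note author label and the sample event are assumptions; the two stub clients exist only so the flow can be exercised offline.

```python
import io
import json

# Assumed values (not taken from the project's template): model ID, prompt text
# and the UpdatedBy label. The 512-character note limit is the one the post states.
MODEL_ID = "anthropic.claude-3-sonnet-20240229-v1:0"
SYSTEM_PROMPT = ("You are a cloud security analyst. Summarize the AWS Security Hub "
                 "finding below in no more than 50 words for an engineer.")
NOTE_LIMIT = 512

def build_request(finding):
    """Anthropic Messages request body for Bedrock; the finding JSON is the user turn."""
    return {
        "anthropic_version": "bedrock-2023-05-31",
        "max_tokens": 200,
        "system": SYSTEM_PROMPT,
        "messages": [{"role": "user", "content": json.dumps(finding, default=str)}],
    }

def summarize(bedrock, finding):
    resp = bedrock.invoke_model(modelId=MODEL_ID, body=json.dumps(build_request(finding)))
    return json.loads(resp["body"].read())["content"][0]["text"].strip()

def process_event(event, bedrock, securityhub):
    """Handle one EventBridge custom-action event: summarize every finding it carries
    and write the first NOTE_LIMIT characters back as the finding's note."""
    notes = []
    for finding in event["detail"]["findings"]:
        note = summarize(bedrock, finding)[:NOTE_LIMIT]
        securityhub.batch_update_findings(
            FindingIdentifiers=[{"Id": finding["Id"], "ProductArn": finding["ProductArn"]}],
            Note={"Text": note, "UpdatedBy": "fnCreateSummary"},
        )
        notes.append(note)
    return notes

def lambda_handler(event, context):
    import boto3  # imported lazily so the module also loads where boto3 is absent
    return process_event(event, boto3.client("bedrock-runtime"), boto3.client("securityhub"))

# Constructed stubs and a constructed sample event (not real account data) for offline runs.
class StubBedrock:
    def __init__(self, text): self.text = text
    def invoke_model(self, modelId, body):
        return {"body": io.BytesIO(json.dumps({"content": [{"text": self.text}]}).encode())}

class StubSecurityHub:
    def __init__(self): self.calls = []
    def batch_update_findings(self, **kw): self.calls.append(kw); return {"ProcessedFindings": kw["FindingIdentifiers"]}

SAMPLE_EVENT = {"detail-type": "Security Hub Findings - Custom Action",
    "detail": {"actionName": "Summarize (Explain)", "findings": [
        {"Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/example/finding/1",
         "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
         "Title": "S3 buckets should block public access", "Severity": {"Label": "HIGH"}}]}}
```

Running `process_event(SAMPLE_EVENT, StubBedrock("..."), StubSecurityHub())` shows the truncation and the exact `batch_update_findings` call the function makes; deploying `lambda_handler` requires IAM permissions for `bedrock:InvokeModel` and `securityhub:BatchUpdateFindings`.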

Clean up

If you no longer need the solution, remove the resources it created to avoid ongoing costs.
  1. Navigate to the CloudFormation console.
  2. Select the stack you created in step 2.
  3. Choose Delete.
To remove access to the Claude 3 model:
  1. Navigate to the Amazon Bedrock console.
  2. Select Modify model access.
  3. Clear the box next to Claude 3 Sonnet.
  4. Choose Next.
  5. Choose Submit to save your changes.
If you enabled Security Hub, follow the instructions for disabling Security Hub in the AWS Security Hub user guide.

Conclusion

In this post, you learned that Security Hub is the centralized place for Security findings for AWS and Partner services. These findings contain information to help you take action and improve your security posture.
All security findings and updates to findings create EventBridge events. Custom actions are used to invoke a Lambda function or other EventBridge targets. You learned how to use generative AI to summarize findings for different audiences based on a custom action. Customers that need to summarize every finding must create an EventBridge rule that is invoked on each finding. The cost of the solution is based on the number of findings you summarize. Review Amazon Bedrock pricing for Claude 3 for pricing information.
The summaries in this blog are created by generative AI. Generative AI is non-deterministic and will make mistakes. You must test and determine whether the results meet your security, compliance, and other organization policies. You should also consider adding a note that the summary was generated by generative AI.
Security Hub has a 30-day trial for each AWS account in every Region. During the free trial, you get an estimate of your monthly bill. To enable Security Hub, follow the steps for enabling Security Hub in the AWS Security Hub user guide.

Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.
