feat(securityhub_check): Add check and service for SecurityHub (#1360)

Co-authored-by: Toni de la Fuente <toni@blyx.com> Co-authored-by: sergargar <sergio@verica.io> Co-authored-by: Pepe Fagoaga <pepe@verica.io>
2026-02-10 23:05:05 +00:00 · 2022-10-19 15:21:07 +02:00
parent 6e73321a95
commit 5b5b0b0405
10 changed files with 290 additions and 39 deletions
--- a/providers/aws/services/securityhub/securityhub_enabled/init.py
+++ b/providers/aws/services/securityhub/securityhub_enabled/init.py
--- a/providers/aws/services/securityhub/securityhub_enabled/securityhub_enabled.metadata.json
+++ b/providers/aws/services/securityhub/securityhub_enabled/securityhub_enabled.metadata.json
@@ -0,0 +1,35 @@
+{
+  "Provider": "aws",
+  "CheckID": "securityhub_enabled",
+  "CheckTitle": "Check if Security Hub is enabled and its standard subscriptions.",
+  "CheckType": ["Logging and Monitoring"],
+  "ServiceName": "securityhub",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:securityhub:region:account-id:hub/hub-id",
+  "Severity": "high",
+  "ResourceType": "AwsSecurityHubHub",
+  "Description": "Check if Security Hub is enabled and its standard subscriptions.",
+  "Risk": "AWS Security Hub gives you a comprehensive view of your security alerts and security posture across your AWS accounts.",
+  "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html",
+  "Remediation": {
+    "Code": {
+      "CLI": "aws securityhub enable-security-hub --enable-default-standards",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Security Hub is Regional. When you enable or disable a security standard, it is enabled or disabled only in the current Region or in the Region that you specify.",
+      "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html"
+    }
+  },
+  "Categories": [],
+  "Tags": {
+    "Tag1Key": "value",
+    "Tag2Key": "value"
+  },
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "",
+  "Compliance": []
+}
--- a/providers/aws/services/securityhub/securityhub_enabled/securityhub_enabled.py
+++ b/providers/aws/services/securityhub/securityhub_enabled/securityhub_enabled.py
@@ -0,0 +1,23 @@
+from lib.check.models import Check, Check_Report
+from providers.aws.services.securityhub.securityhub_client import securityhub_client
+
+
+class securityhub_enabled(Check):
+    def execute(self):
+        findings = []
+        for securityhub in securityhub_client.securityhubs:
+            report = Check_Report(self.metadata)
+            report.region = securityhub.region
+            if securityhub.status == "ACTIVE":
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Security Hub is enabled with standards {securityhub.standards}"
+                )
+            else:
+                report.status = "FAIL"
+                report.status_extended = f"Security Hub is not enabled"
+            report.resource_id = securityhub.id
+            report.resource_arn = securityhub.arn
+            findings.append(report)
+
+        return findings
--- a/providers/aws/services/securityhub/securityhub_enabled/securityhub_enabled_test.py
+++ b/providers/aws/services/securityhub/securityhub_enabled/securityhub_enabled_test.py
@@ -0,0 +1,62 @@
+from unittest import mock
+
+from providers.aws.services.securityhub.securityhub_service import SecurityHubHub
+
+
+class Test_accessanalyzer_enabled_without_findings:
+    def test_securityhub_hub_inactive(self):
+        securityhub_client = mock.MagicMock
+        securityhub_client.securityhubs = [
+            SecurityHubHub(
+                "",
+                "Security Hub",
+                "NOT_AVAILABLE",
+                "",
+                "eu-west-1",
+            )
+        ]
+        with mock.patch(
+            "providers.aws.services.securityhub.securityhub_service.SecurityHub",
+            new=securityhub_client,
+        ):
+            # Test Check
+            from providers.aws.services.securityhub.securityhub_enabled.securityhub_enabled import (
+                securityhub_enabled,
+            )
+
+            check = securityhub_enabled()
+            result = check.execute()
+
+            assert result[0].status == "FAIL"
+            assert result[0].status_extended == "Security Hub is not enabled"
+            assert result[0].resource_id == "Security Hub"
+
+    def test_securityhub_hub_active(self):
+        securityhub_client = mock.MagicMock
+        securityhub_client.securityhubs = [
+            SecurityHubHub(
+                "arn:aws:securityhub:us-east-1:0123456789012:hub/default",
+                "default",
+                "ACTIVE",
+                "cis-aws-foundations-benchmark/v/1.2.0",
+                "eu-west-1",
+            )
+        ]
+        with mock.patch(
+            "providers.aws.services.securityhub.securityhub_service.SecurityHub",
+            new=securityhub_client,
+        ):
+            # Test Check
+            from providers.aws.services.securityhub.securityhub_enabled.securityhub_enabled import (
+                securityhub_enabled,
+            )
+
+            check = securityhub_enabled()
+            result = check.execute()
+
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == "Security Hub is enabled with standards cis-aws-foundations-benchmark/v/1.2.0"
+            )
+            assert result[0].resource_id == "default"