├── .github └── ISSUE_TEMPLATE │ ├── bug_report.md │ └── feature_request.md ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── README.md └── security-hub-full-report-email.json /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Describe the bug** 11 | A clear and concise description of what the bug is. 12 | 13 | **To Reproduce** 14 | Steps to reproduce the behavior: 15 | 1. Go to '...' 16 | 2. Click on '....' 17 | 3. Scroll down to '....' 18 | 4. See error 19 | 20 | **Expected behavior** 21 | A clear and concise description of what you expected to happen. 22 | 23 | **Screenshots** 24 | If applicable, add screenshots to help explain your problem. 25 | 26 | **Additional comments** 27 | Add any other comment about the problem here. 28 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 15 | 16 | **Describe alternatives you've considered** 17 | A clear and concise description of any alternative solutions or features you've considered. 18 | 19 | **Additional context** 20 | Add any other context or screenshots about the feature request here. 21 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | ## Code of Conduct 2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 4 | opensource-codeofconduct@amazon.com with any additional questions or comments. 5 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing Guidelines 2 | 3 | Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional 4 | documentation, we greatly value feedback and contributions from our community. 5 | 6 | Please read through this document before submitting any issues or pull requests to ensure we have all the necessary 7 | information to effectively respond to your bug report or contribution. 8 | 9 | 10 | ## Reporting Bugs/Feature Requests 11 | 12 | We welcome you to use the GitHub issue tracker to report bugs or suggest features. 13 | 14 | When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already 15 | reported the issue. Please try to include as much information as you can. Details like these are incredibly useful: 16 | 17 | * A reproducible test case or series of steps 18 | * The version of our code being used 19 | * Any modifications you've made relevant to the bug 20 | * Anything unusual about your environment or deployment 21 | 22 | 23 | ## Contributing via Pull Requests 24 | Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that: 25 | 26 | 1. You are working against the latest source on the *main* branch. 27 | 2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already. 28 | 3. You open an issue to discuss any significant work - we would hate for your time to be wasted. 29 | 30 | To send us a pull request, please: 31 | 32 | 1. Fork the repository. 33 | 2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change. 34 | 3. Ensure local tests pass. 35 | 4. Commit to your fork using clear commit messages. 36 | 5. Send us a pull request, answering any default questions in the pull request interface. 37 | 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation. 38 | 39 | GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and 40 | [creating a pull request](https://help.github.com/articles/creating-a-pull-request/). 41 | 42 | 43 | ## Finding contributions to work on 44 | Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start. 45 | 46 | 47 | ## Code of Conduct 48 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 49 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 50 | opensource-codeofconduct@amazon.com with any additional questions or comments. 51 | 52 | 53 | ## Security issue notifications 54 | If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue. 55 | 56 | 57 | ## Licensing 58 | 59 | See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution. 60 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT No Attribution 2 | 3 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy of 6 | this software and associated documentation files (the "Software"), to deal in 7 | the Software without restriction, including without limitation the rights to 8 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 9 | the Software, and to permit persons to whom the Software is furnished to do so. 10 | 11 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 12 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 13 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 14 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 15 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 16 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 17 | 18 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## How to Setup a Recurring AWS Security Hub CSV Full Report with email notification 2 | This solution uses AWS Security Hub API, AWS Lambda, Amazon S3, and Amazon SNS. List of findings are aggregated into csv file, to help identify common security issues that may require remediation action. 3 | 4 | ### Overview 5 | Security Hub includes various security standards and integrations that you can enable to understand your overall security state. A recurring Security Hub CSV full report with email notification that provides recipients with a proactive communication summarizing the security posture and improvement within AWS Accounts. 6 | 7 | This solution assumes that Security Hub is enabled in your AWS account. If it isn’t enabled, set up the service so that you can start seeing a comprehensive view of security findings across your AWS accounts. 8 | 9 | ## How the solution works 10 | 1. An EventBridge time-based event invokes a Lambda function for processing. 11 | 2. The Lambda function gets finding results from Security Hub API and writes them into a CSV file. 12 | 3. It uploads them as CSV into Amazon S3 and generates a pre authenticated link. 13 | 4. SNS sends the email notification to the address provided during deployment. 14 | 5. The email includes a link to download the file. 15 | 16 | ## Fields are included in the report 17 | 1. Finding id 18 | 2. ProductArn 19 | 3. ProductName 20 | 4. CompanyName 21 | 5. GeneratorId 22 | 6. SecurityControlId 23 | 7. CreatedAt 24 | 8. UpdatedAt 25 | 9. Confidence 26 | 10. RemediationText 27 | 11. RemediationUrl 28 | 12. SourceUrl 29 | 13. Compliance Status 30 | 14. WorkflowStatus 31 | 15. RecordState 32 | 16. Processed_at 33 | 17. Finding title 34 | 18. Finding description 35 | 19. Severity 36 | 20. Region 37 | 21. AccountId 38 | 22. ResourceType 39 | 23. ResourceId 40 | 24. ResourceName 41 | 25. ResourceTags 42 | 43 | **Note:** That report can be extended with additional field as needed, by modifying the Lambda function. 44 | 45 | ## Deployment Steps 46 | 1. Download the CloudFormation template **security-hub-email-summary-cf-template.json** 47 | 2. On AWS account console, open the service **CloudFormation**. 48 | 3. Click on **Create Stack** with new resources. Select **Template is ready** and then **Upload a template file**. 49 | 4. Using **Choose file**, select the security-hub-full-report-email.json file which you downloaded in step 1. 50 | 5. Click on **Next**. On next page, enter a name for the stack. 51 | 6. On the same page, enter values for the input **parameters**. 52 | 7. Click **Next**. 53 | 8. Accept all defaults in screens that follow and create the stack. Click **Next**. 54 | 9. **Check** I acknowledge that AWS CloudFormation might create IAM resources. Click **Create Stack**. 55 | 56 | ## Test Solution 57 | You can send a test email once the deployment is complete and you have confirmed the SNS subscription email. Navigate to the Lambda console and locate the function Lambda function named SendSecurityHubFullReportEmail. Perform a [manual invocation](https://docs.aws.amazon.com/lambda/latest/dg/getting-started-create-function.html#get-started-invoke-manually) with any event payload to receive an email shortly. 58 | 59 | ## Security 60 | 61 | See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information. 62 | 63 | ## License 64 | 65 | This library is licensed under the MIT-0 License. See the LICENSE file. 66 | 67 | -------------------------------------------------------------------------------- /security-hub-full-report-email.json: -------------------------------------------------------------------------------- 1 | { 2 | "AWSTemplateFormatVersion": "2010-09-09", 3 | "Description": "Security Hub Recurring Full Report. Sends email notifications with the security findings. This template creates Security Hub Full Report Lambda function for delivery, SNS Topic, and needed IAM roles.", 4 | "Metadata": {"License": "Copyright 2023 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. Licensed under MIT-0. This file is distributed on an AS IS BASIS, WITHOUT WARRANTIES"}, 5 | "Parameters": { 6 | "EmailAddress" : { 7 | "Description" : "Email Address for Subscriber to Security Hub Full Report.", 8 | "Type" : "String", 9 | "AllowedPattern" : "^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$", 10 | "ConstraintDescription" : "Must be a valid Email Address." 11 | }, 12 | "RecurringScheduleCron": { 13 | "Description": "Cron expression for scheduling the Security Hub Full Report email. Default: Every Monday 8:00 AM GMT. Example: Every Friday 9:00 AM GMT: cron(0 9 ? * 6 *)", 14 | "Default": "cron(0 8 ? * 2 *)", 15 | "Type": "String" 16 | }, 17 | "SecurityHubRegion": { 18 | "Description": "Aggregation region for Security Hub", 19 | "Default": "us-east-1", 20 | "Type": "String" 21 | } 22 | }, 23 | "Resources" : { 24 | "S3BucketName":{ 25 | "Type": "AWS::S3::Bucket", 26 | "DeletionPolicy": "Retain", 27 | "Metadata": { 28 | "cfn_nag":{ 29 | "rules_to_suppress":[ 30 | { 31 | "id": "W35", 32 | "reason": "Can't resolve without creating a depedency with other S3 Bucket" 33 | } 34 | ] 35 | } 36 | }, 37 | "Properties": { 38 | "BucketEncryption": { 39 | "ServerSideEncryptionConfiguration": [ 40 | { 41 | "ServerSideEncryptionByDefault": { 42 | "SSEAlgorithm": "AES256" 43 | } 44 | } 45 | ] 46 | }, 47 | "LifecycleConfiguration":{ 48 | "Rules":[ 49 | { 50 | "Id": "RetentionPolicy", 51 | "Status": "Enabled", 52 | "NoncurrentVersionExpirationInDays": "3650", 53 | "AbortIncompleteMultipartUpload":{ 54 | "DaysAfterInitiation": "3" 55 | } 56 | } 57 | ] 58 | } 59 | } 60 | }, 61 | "SecurityHubFindingsLogBucketPolicy": { 62 | "Type": "AWS::S3::BucketPolicy", 63 | "Properties": { 64 | "Bucket": {"Ref": "S3BucketName"}, 65 | "PolicyDocument": { 66 | "Statement": [ 67 | { 68 | "Sid": "DenyUnEncryptedObjectUploads", 69 | "Effect": "Deny", 70 | "Principal": "*", 71 | "Action": "s3:PutObject", 72 | "Resource": { 73 | "Fn::Join": [ 74 | "", 75 | [ 76 | "arn:aws:s3:::", 77 | { 78 | "Ref": "S3BucketName" 79 | }, 80 | "/*" 81 | ] 82 | ] 83 | }, 84 | "Condition": { 85 | "StringNotEquals": { 86 | "s3:x-amz-server-side-encryption": "AES256" 87 | } 88 | } 89 | }, 90 | { 91 | "Sid": "DenyInsecureRequests", 92 | "Effect": "Deny", 93 | "Principal": "*", 94 | "Action": "s3:*", 95 | "Resource": [ 96 | { 97 | "Fn::Join": [ 98 | "", 99 | [ 100 | "arn:aws:s3:::", 101 | { 102 | "Ref": "S3BucketName" 103 | } 104 | ] 105 | ] 106 | }, 107 | { 108 | "Fn::Join": [ 109 | "", 110 | [ 111 | "arn:aws:s3:::", 112 | { 113 | "Ref": "S3BucketName" 114 | }, 115 | "/*" 116 | ] 117 | ] 118 | } 119 | ], 120 | "Condition": { 121 | "Bool": { 122 | "aws:SecureTransport": "false" 123 | } 124 | } 125 | } 126 | ] 127 | } 128 | } 129 | }, 130 | "SecurityHubRecurringFullReportSNSTopic": { 131 | "Type": "AWS::SNS::Topic", 132 | "Properties": { 133 | "TopicName" : "SecurityHubRecurringFullReport", 134 | "DisplayName" : "Security Hub Full Report", 135 | "KmsMasterKeyId": "alias/aws/sns", 136 | "Subscription" : [{ 137 | "Endpoint" : { "Ref" : "EmailAddress" }, 138 | "Protocol" : "email" 139 | }] 140 | } 141 | }, 142 | "SecurityHubFullReportEmailSchedule": { 143 | "Properties": { 144 | "Name": "SecurityHubFullReportEmailSchedule", 145 | "Description": "Triggers the Recurring Security Hub Full Report email", 146 | "ScheduleExpression": {"Ref": "RecurringScheduleCron"}, 147 | "Targets": [ 148 | { 149 | "Arn": { 150 | "Fn::GetAtt": [ 151 | "SendSecurityHubFullReportEmailLambda", 152 | "Arn" 153 | ] 154 | }, 155 | "Id": "1" 156 | } 157 | ] 158 | }, 159 | "Type": "AWS::Events::Rule" 160 | }, 161 | "CloudWatchSchedulePermission": { 162 | "Properties": { 163 | "Action": "lambda:InvokeFunction", 164 | "FunctionName": { 165 | "Fn::GetAtt": [ 166 | "SendSecurityHubFullReportEmailLambda", 167 | "Arn" 168 | ] 169 | }, 170 | "Principal": "events.amazonaws.com", 171 | "SourceArn": { 172 | "Fn::GetAtt": [ 173 | "SecurityHubFullReportEmailSchedule", 174 | "Arn" 175 | ] 176 | } 177 | }, 178 | "Type": "AWS::Lambda::Permission" 179 | }, 180 | "LambdaExecutionRole": { 181 | "Type": "AWS::IAM::Role", 182 | "Properties": { 183 | "MaxSessionDuration" : "43200", 184 | "AssumeRolePolicyDocument": { 185 | "Version": "2012-10-17", 186 | "Statement": [{ 187 | "Effect": "Allow", 188 | "Principal": {"Service": ["lambda.amazonaws.com"]}, 189 | "Action": ["sts:AssumeRole"] 190 | }] 191 | }, 192 | "Policies": [{ 193 | "PolicyName": "SecurityHubFullReport", 194 | "PolicyDocument": { 195 | "Version": "2012-10-17", 196 | "Statement": [{ 197 | "Effect": "Allow", 198 | "Action": ["logs:CreateLogGroup", 199 | "logs:CreateLogStream", 200 | "logs:PutLogEvents"], 201 | "Resource": "arn:aws:logs:*:*:*" 202 | }, 203 | { 204 | "Effect": "Allow", 205 | "Action": ["securityhub:Get*","securityhub:List*"], 206 | "Resource": { "Fn::Sub" : "arn:*:securityhub:*:${AWS::AccountId}:hub/default" } 207 | }, 208 | { 209 | "Effect": "Allow", 210 | "Action": "sns:Publish", 211 | "Resource": {"Ref": "SecurityHubRecurringFullReportSNSTopic"} 212 | }, 213 | { 214 | "Effect": "Allow", 215 | "Action": ["s3:PutObject", 216 | "s3:GetObject", 217 | "s3:PutObjectAcl"], 218 | "Resource": {"Fn::Join": [ "",[ "arn:aws:s3:::",{"Ref": "S3BucketName"},"/*"]]} 219 | } 220 | ] 221 | } 222 | }] 223 | } 224 | }, 225 | "SendSecurityHubFullReportEmailLambda": { 226 | "Type": "AWS::Lambda::Function", 227 | "Metadata": { 228 | "cfn_nag":{ 229 | "rules_to_suppress":[ 230 | { 231 | "id": "W89", 232 | "reason": "Traffic between Lambda and S3 is encrypted." 233 | } 234 | ] 235 | } 236 | }, 237 | "Properties": { 238 | "Code": { 239 | "ZipFile": { 240 | "Fn::Join": [ 241 | "\n", 242 | [ 243 | "import boto3, json, os", 244 | "from datetime import datetime", 245 | "region = os.environ['region']", 246 | "bucket = os.environ['bucket']", 247 | "snsTopicArn = os.environ['SNSTopic']", 248 | "csv = ';'", 249 | "filename = 'findings.csv'", 250 | "utcDate = datetime.utcnow().strftime('%Y%m%d')", 251 | "s3Path = utcDate + '/'", 252 | "fullpath = '/tmp/' + filename", 253 | " ", 254 | "def get_securityhub_findings(region):", 255 | " print('get_securityhub_findings STARTED')", 256 | " client = boto3.client('securityhub', region_name=region)", 257 | " paginator = client.get_paginator('get_findings')", 258 | " findings=[]", 259 | " page_iterator = paginator.paginate(", 260 | " Filters={", 261 | " 'WorkflowStatus': [", 262 | " {", 263 | " 'Comparison':'EQUALS',", 264 | " 'Value': 'NEW'", 265 | " }", 266 | " ],", 267 | " 'RecordState': [", 268 | " {", 269 | " 'Comparison':'EQUALS',", 270 | " 'Value': 'ACTIVE'", 271 | " }", 272 | " ]", 273 | " },", 274 | " SortCriteria=[", 275 | " {", 276 | " 'Field': 'Id',", 277 | " 'SortOrder': 'asc'", 278 | " },", 279 | " ],", 280 | " MaxResults=10", 281 | " )", 282 | " return page_iterator", 283 | " ", 284 | "def get_securityhub_findings2csv(region):", 285 | " findings_pages = get_securityhub_findings(region)", 286 | " findings_csv = ''", 287 | " lines = 0", 288 | " #print('get_securityhub_findings2csv STARTED')", 289 | " #Adds Findings Title", 290 | " findings_csv = f'Id{csv}ProductArn{csv}ProductName{csv}CompanyName{csv}GeneratorId{csv}SecurityControlId{csv}CreatedAt{csv}UpdatedAt{csv}Confidence{csv}Remediation{csv}Remediation_URL{csv}SourceUrl{csv}Compliance{csv}WorkflowStatus{csv}RecordState{csv}ProcessedAt{csv}Title{csv}severity{csv}Region{csv}Account_id{csv}Description{csv}Resource_type{csv}Resource_id{csv}Resource_name{csv}Resource_tags' + os.linesep", 291 | " #Adds Findings Details", 292 | " for page in findings_pages:", 293 | " for finding in page['Findings']:", 294 | " finding_id = finding.get('Id','')", 295 | " finding_ProductArn = finding.get('ProductArn','')", 296 | " finding_ProductName = finding.get('ProductName','')", 297 | " finding_CompanyName = finding.get('CompanyName','')", 298 | " finding_GeneratorId = finding.get('GeneratorId','')", 299 | " finding_SecurityControlId = finding.get('Compliance',{}).get('SecurityControlId','')", 300 | " finding_CreatedAt = finding.get('CreatedAt','')", 301 | " finding_UpdatedAt = finding.get('UpdatedAt','')", 302 | " finding_Confidence = finding.get('Confidence','')", 303 | " finding_RemText = finding.get('Remediation',{}).get('Recommendation',{}).get('Text','')", 304 | " finding_RemUrl = finding.get('Remediation',{}).get('Recommendation',{}).get('Url','')", 305 | " finding_SourceUrl = finding.get('SourceUrl','')", 306 | " finding_Compliance = finding.get('Compliance',{}).get('Status','')", 307 | " finding_WorkflowStatus = finding.get('Workflow',{}).get('Status','')", 308 | " finding_RecordState = finding.get('RecordState','')", 309 | " finding_Processed_at = finding.get('ProcessedAt','')", 310 | " finding_title = finding.get('Title','')", 311 | " finding_severity = finding.get('Severity',{}).get('Label','')", 312 | " finding_region = finding.get('Region','')", 313 | " finding_account_id = finding.get('AwsAccountId','')", 314 | " finding_description = finding.get('Description','').replace(';','.')", 315 | " finding_description = ''.join(finding_description.splitlines())", 316 | " finding_resource_type = finding.get('Resources',{})[0].get('Type','')", 317 | " finding_resource_id = finding.get('Resources',{})[0].get('Id','')", 318 | " finding_resource_name = finding.get('Resources',{})[0].get('Tags',{}).get('Name','')", 319 | " finding_resource_tags = finding.get('Resources',{})[0].get('Tags','')", 320 | " finding_csv = f'{finding_id}{csv}{finding_ProductArn}{csv}{finding_ProductName}{csv}{finding_CompanyName}{csv}{finding_GeneratorId}{csv}{finding_SecurityControlId}{csv}{finding_CreatedAt}{csv}{finding_UpdatedAt}{csv}{finding_Confidence}{csv}{finding_RemText}{csv}{finding_RemUrl}{csv}{finding_SourceUrl}{csv}{finding_Compliance}{csv}{finding_WorkflowStatus}{csv}{finding_RecordState}{csv}{finding_Processed_at}{csv}{finding_title}{csv}{finding_severity}{csv}{finding_region}{csv}{finding_account_id}{csv}{finding_description}{csv}{finding_resource_type}{csv}{finding_resource_id}{csv}{finding_resource_name}{csv}{finding_resource_tags}'+ os.linesep", 321 | " findings_csv += finding_csv", 322 | " lines = lines + 1", 323 | " print('lines:' + str(lines))", 324 | " return findings_csv", 325 | " ", 326 | "def copy_file_to_s3(region, bucket_name, filename):", 327 | " s3 = boto3.client('s3', region_name=region)", 328 | " tc = boto3.s3.transfer.S3Transfer(client=s3)", 329 | " tc.upload_file(fullpath, bucket_name, s3Path + filename,extra_args={'ServerSideEncryption':'AES256'})", 330 | " os.remove(fullpath)", 331 | " ", 332 | "def collection_to_csv(col, filename):", 333 | " with open(filename, 'w') as f:", 334 | " f.write(col)", 335 | " ", 336 | "def create_s3_preauth_url(region, bucket_name, file_name):", 337 | " s3 = boto3.client('s3', region_name=region)", 338 | " presigned_url = s3.generate_presigned_url('get_object', Params={'Bucket': bucket_name, 'Key': s3Path + file_name}, ExpiresIn=86400)", 339 | " print(presigned_url)", 340 | " return presigned_url", 341 | " ", 342 | "def send_sns(url):", 343 | " snsBody = 'Download AWS Security Hub Findings full report: '", 344 | " snsBody += url", 345 | " sns_client = boto3.client('sns')", 346 | " response = sns_client.publish(TopicArn=snsTopicArn, Message=snsBody)", 347 | " ", 348 | "def lambda_handler(event, context):", 349 | " csv = get_securityhub_findings2csv (region)", 350 | " collection_to_csv(csv,fullpath)", 351 | " copy_file_to_s3 (region,bucket,filename)", 352 | " url=create_s3_preauth_url(region, bucket, filename)", 353 | " send_sns(url)", 354 | " return {", 355 | " 'statusCode': 200,", 356 | " 'body': json.dumps('Report: ' + url)", 357 | " }" 358 | ] 359 | ] 360 | } 361 | }, 362 | "FunctionName":"SendSecurityHubFullReportEmail", 363 | "Handler":"index.lambda_handler", 364 | "Runtime": "python3.11", 365 | "Timeout": "900", 366 | "ReservedConcurrentExecutions": 2, 367 | "Architectures": ["arm64"], 368 | "Tags":[], 369 | "Environment": { 370 | "Variables" : { 371 | "SNSTopic": {"Ref": "SecurityHubRecurringFullReportSNSTopic"}, 372 | "bucket": {"Ref": "S3BucketName"}, 373 | "region": {"Ref": "SecurityHubRegion"} 374 | } 375 | }, 376 | "Role": { 377 | "Fn::GetAtt": [ 378 | "LambdaExecutionRole", 379 | "Arn" 380 | ] 381 | } 382 | } 383 | } 384 | } 385 | } 386 | --------------------------------------------------------------------------------