Doc ID: cf00dcb1-0886-11ed-bb32-fa163e15d75b:467775

AWS Security Hub and EventBridge Configuration

Depending on the add account method you choose in FortiCNP, follow the corresponding guideline and configuration steps below.

Please use a recommended AWS region to activate Amazon Inspector, Amazon GuardDuty, and AWS Security Hub to avoid extra cross-region cost:

  • For users located in Global or US (United States), please use the us-west-2 region.
  • For users located in EU (European Union), please use the eu-west-1 region.

AWS Security Hub configuration guideline by add account method:

Automatically Add 1 Account
  Go to a recommended AWS region, enable Amazon Inspector, GuardDuty, AWS Security Hub, and configure region aggregation for the AWS account that is being added.
Add 1 Account Manually
  Go to a recommended AWS region, enable Amazon Inspector, GuardDuty, AWS Security Hub, and configure region aggregation for the AWS account that is being added.
Add AWS Organization
  1. For all accounts under the same organization to be added, enable Amazon GuardDuty, Inspector, and AWS Security Hub in the same recommended region, so that findings can be shared between the sub-accounts and the designated account configured for the event bus.
  2. Choose one account to be the aggregation account that will receive security findings from the other accounts, and configure aggregation in Security Hub.
Add Multiple via CloudFormation
  1. For all accounts to be added, go to a recommended region, enable Amazon Inspector, GuardDuty, AWS Security Hub, and configure region aggregation.
  2. Follow the guide in Create AWS StackSet for Security Hub Integration to create an AWS StackSet for multiple AWS accounts.

Requirements

  1. Both Amazon GuardDuty and Amazon Inspector need to be enabled in the same region to generate security events; AWS Security Hub can then be enabled in that region to collect them.
  2. FortiCNP's AWS EventBus is located in the region us-west-2 (Global or US) or eu-west-1 (EU), so it is recommended to enable Amazon Inspector, Amazon GuardDuty, and AWS Security Hub in these regions to avoid extra cross-region cost.

Step 1 - Enable Amazon Inspector

  1. After logging into your AWS account, click the region selector at the top right and select us-west-2 (Global or US) or eu-west-1 (EU).
  2. In the search field, search for and go to "Inspector".
  3. Click Get Started on the Amazon Inspector welcome page.
  4. Click Enable Inspector to enable Amazon Inspector.

Step 2 - Enable Amazon GuardDuty

  1. In the same region, search for and go to "GuardDuty".
  2. Click Get Started on the Amazon GuardDuty welcome page.
  3. Click Enable GuardDuty to enable Amazon GuardDuty.

Step 3 - Enable AWS Security Hub and Configure Region Aggregation

  1. In the same region, search for and go to "Security Hub".
  2. Click Enable Security Hub to enable AWS Security Hub.
  3. Click Settings and go to the Regions tab.
  4. Click Edit to configure the aggregation Region.
  5. Select us-west-2 for Global (US) or eu-west-1 for EU as the aggregation Region, and select all Regions listed below it.
  6. Scroll down, click Link future Regions, and click Save.

Step 4 - Set Up the Event Rule and Event Bus through AWS CloudFormation

Now that the AWS account's Security Hub configuration is complete, the AWS Event Bus and Event Rule need to be configured through the AWS CloudFormation guide, so that Security Hub can send security findings to the AWS Event Bus under FortiCNP's AWS EventBridge.

The AWS CloudFormation guide processes a JSON template that establishes the AWS Event Bus and Event Rule between the onboarding AWS account and FortiCNP.
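The rule-and-bus arrangement described above can be pictured concretely. The following is an added example, not the FortiCNP CloudFormation template and not code from Fortinet: it builds an EventBridge rule definition (in the argument shape that boto3's events.put_rule and put_targets take) whose target is a cross-account event bus, and a small matcher that shows which events such a rule forwards. The bus ARN, the role ARN and the exact event pattern are assumptions (FortiCNP's real values come from the CloudFormation guide); the HIGH/CRITICAL variant generalises beyond the page to show how a rule can be narrowed. What it demonstrates is why Requirement 1 matters: the rule only sees findings that Security Hub has imported, so a GuardDuty or Inspector finding that never reaches Security Hub is not forwarded.

```python
"""Illustrative EventBridge rule that forwards Security Hub findings to a
cross-account event bus, with a small matcher to show which events such a
rule selects. Added example, not FortiCNP's CloudFormation template; the bus
ARN, role ARN and the pattern contents are assumptions."""
import json

# Assumed placeholders: FortiCNP's real event bus ARN and the IAM role that
# may call events:PutEvents on it are supplied by the CloudFormation guide.
FORTICNP_BUS_ARN = "arn:aws:events:us-west-2:000000000000:event-bus/PLACEHOLDER-forticnp"
TARGET_ROLE_ARN = "arn:aws:iam::123456789012:role/PLACEHOLDER-forward-to-forticnp"

# Security Hub emits imported findings under this source / detail-type pair;
# a rule on the default bus of the aggregation region sees them.
SECURITY_HUB_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
}

# Generalisation beyond the page: the same rule restricted to HIGH/CRITICAL
# findings, which is how a team would limit what leaves the account.
HIGH_SEVERITY_PATTERN = {
    **SECURITY_HUB_PATTERN,
    "detail": {"findings": {"Severity": {"Label": ["HIGH", "CRITICAL"]}}},
}


def rule_definition(name="forticnp-securityhub-forward", pattern=SECURITY_HUB_PATTERN,
                    bus_arn=FORTICNP_BUS_ARN, role_arn=TARGET_ROLE_ARN):
    """Arguments in the shape boto3's events.put_rule / put_targets expect."""
    return {
        "Rule": {
            "Name": name,
            "EventBusName": "default",
            "State": "ENABLED",
            "EventPattern": json.dumps(pattern),
        },
        "Targets": [{"Id": "forticnp-event-bus", "Arn": bus_arn, "RoleArn": role_arn}],
    }


def matches(pattern, event):
    """Subset of EventBridge pattern semantics: every key in the pattern must
    exist in the event and match; nested objects recurse; an array in the
    event matches when any element matches; a leaf list is the set of allowed values."""
    return all(key in event and _value_matches(allowed, event[key])
               for key, allowed in pattern.items())


def _value_matches(allowed, value):
    if isinstance(value, list):
        return any(_value_matches(allowed, item) for item in value)
    if isinstance(allowed, dict):
        return isinstance(value, dict) and matches(allowed, value)
    return value in allowed


# Constructed sample events (shape follows the Security Hub and GuardDuty
# EventBridge events; ids and account numbers are made up).
IMPORTED_FINDING_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "Security Hub Findings - Imported",
    "source": "aws.securityhub",
    "account": "123456789012",
    "region": "us-west-2",
    "detail": {"findings": [{
        "ProductName": "GuardDuty",
        "Title": "constructed sample finding",
        "Severity": {"Label": "HIGH", "Normalized": 70},
    }]},
}
NATIVE_GUARDDUTY_EVENT = {  # bypasses Security Hub, so the rule does not forward it
    "version": "0",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",
    "region": "us-west-2",
    "detail": {"severity": 7, "type": "constructed/SampleType"},
}


def forwarded(pattern, events):
    """detail-types of the events the rule would deliver to the target bus."""
    return [e["detail-type"] for e in events if matches(pattern, e)]


if __name__ == "__main__":
    print(json.dumps(rule_definition(), indent=2))
    print("forwarded:", forwarded(SECURITY_HUB_PATTERN,
                                  [IMPORTED_FINDING_EVENT, NATIVE_GUARDDUTY_EVENT]))
```

When reviewing the stack the guide creates, the same shape is what to look for in the account: a rule in the aggregation region, a single cross-account event bus target, and a role whose only permission is events:PutEvents on that bus.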

  1. Go back to the Add AWS Account - Configure Security Hub Integration page. (For the instructions leading up to this page, refer to Add AWS Account Automatically or Add AWS Organization.)
  2. Select the Aggregation Account for Security Hub Findings if you are adding an AWS organization account.
  3. Select us-west-2 as the Aggregation Region in Security Hub for Global (US) users, or eu-west-1 for European Union users. Then click Next Step.
  4. Click Go To AWS CloudFormation Guide for Security Hub Integration with CloudFormation.
  5. A new page opens with the AWS CloudFormation guide. Click Next at the bottom of each page until the last page, then click Create Stack.
  6. Refresh the stack status page until the "FortiCNPSecurityHubIntegration" stack status shows "CREATE_COMPLETE".
     Note: If the "FortiCNPSecurityHubIntegration" stack returns an error and cannot be created, see Stack Already Exists Error.
  7. Go back to the FortiCNP add account page and click Next Step.
  8. The add account steps are completed; click Check Status to see the add account progress.
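To confirm that an account actually meets the prerequisites of Steps 1 to 4 before clicking Check Status, here is an added example (not FortiCNP's or AWS's own tooling). Its evaluate() function works on plain dictionaries shaped like the boto3 responses and runs offline on the constructed READY_ACCOUNT and MISCONFIGURED_ACCOUNT inputs; collect() is an assumption about which boto3 calls return those values (inspector2 BatchGetAccountStatus, guardduty GetDetector, securityhub DescribeHub and GetFindingAggregator, cloudformation DescribeStacks) and needs credentials for the account being onboarded. The recommended regions and the stack name FortiCNPSecurityHubIntegration are taken from the page; ALL_REGIONS is how "select all Regions" plus "Link future Regions" appears through the Security Hub API.

```python
"""Check an AWS account against the prerequisites in Steps 1-4: Inspector,
GuardDuty and Security Hub enabled in the recommended region, Security Hub
aggregation pointed at that region with all Regions linked, and the
FortiCNPSecurityHubIntegration stack at CREATE_COMPLETE.
Added example, not FortiCNP's tooling. evaluate() works on plain dicts shaped
like the boto3 responses so it runs offline; collect() is an assumption about
how to fetch those responses with boto3 and needs AWS credentials."""

# Recommended regions from the page, keyed by user location.
RECOMMENDED_REGION = {"global": "us-west-2", "us": "us-west-2", "eu": "eu-west-1"}
STACK_NAME = "FortiCNPSecurityHubIntegration"  # stack name used by the CloudFormation guide


def evaluate(location, region, inspector_status, detector_statuses, hub_enabled,
             aggregator, stack_status):
    """Return {check_name: (ok, message)} for each prerequisite."""
    expected = RECOMMENDED_REGION[location.lower()]
    agg_region = aggregator.get("FindingAggregationRegion") if aggregator else None
    link_mode = aggregator.get("RegionLinkingMode") if aggregator else None
    return {
        "recommended_region": (region == expected,
                               f"working region {region}; recommended for {location} is {expected}"),
        "inspector_enabled": (inspector_status == "ENABLED",
                              f"Inspector account status {inspector_status}"),
        "guardduty_enabled": ("ENABLED" in detector_statuses,
                              f"GuardDuty detector statuses {detector_statuses or 'none'}"),
        "securityhub_enabled": (hub_enabled,
                                "Security Hub enabled" if hub_enabled else "Security Hub not enabled"),
        "aggregation_region": (agg_region == expected,
                               f"aggregation region {agg_region}; expected {expected}"),
        "all_regions_linked": (link_mode == "ALL_REGIONS",
                               f"region linking mode {link_mode}; expected ALL_REGIONS "
                               "(all Regions selected, future Regions linked)"),
        "stack_complete": (stack_status == "CREATE_COMPLETE",
                           f"{STACK_NAME} status {stack_status}"),
    }


def failures(checks):
    """Names of the checks that did not pass, in evaluation order."""
    return [name for name, (ok, _msg) in checks.items() if not ok]


def report(checks):
    return "\n".join(f"[{'OK' if ok else 'FAIL'}] {name}: {msg}"
                     for name, (ok, msg) in checks.items())


# Constructed sample inputs in the shape the boto3 calls in collect() return.
READY_ACCOUNT = dict(location="global", region="us-west-2", inspector_status="ENABLED",
                     detector_statuses=["ENABLED"], hub_enabled=True,
                     aggregator={"FindingAggregationRegion": "us-west-2",
                                 "RegionLinkingMode": "ALL_REGIONS"},
                     stack_status="CREATE_COMPLETE")
MISCONFIGURED_ACCOUNT = dict(location="eu", region="eu-west-1", inspector_status="DISABLED",
                             detector_statuses=["ENABLED"], hub_enabled=True,
                             aggregator={"FindingAggregationRegion": "eu-central-1",
                                         "RegionLinkingMode": "SPECIFIED_REGIONS"},
                             stack_status="ROLLBACK_COMPLETE")


def collect(region):
    """Gather the evaluate() inputs from the live account (assumed boto3 API shapes)."""
    import boto3
    import botocore.exceptions
    account = boto3.client("sts").get_caller_identity()["Account"]
    insp = boto3.client("inspector2", region_name=region).batch_get_account_status(accountIds=[account])
    inspector_status = insp["accounts"][0]["state"]["status"] if insp["accounts"] else "DISABLED"
    gd = boto3.client("guardduty", region_name=region)
    detector_statuses = [gd.get_detector(DetectorId=d)["Status"]
                         for d in gd.list_detectors()["DetectorIds"]]
    sh = boto3.client("securityhub", region_name=region)
    try:
        sh.describe_hub()  # raises when the account has not enabled Security Hub
        hub_enabled = True
        aggs = sh.list_finding_aggregators()["FindingAggregators"]
        aggregator = (sh.get_finding_aggregator(FindingAggregatorArn=aggs[0]["FindingAggregatorArn"])
                      if aggs else None)
    except sh.exceptions.InvalidAccessException:
        hub_enabled, aggregator = False, None
    try:
        stacks = boto3.client("cloudformation", region_name=region).describe_stacks(StackName=STACK_NAME)
        stack_status = stacks["Stacks"][0]["StackStatus"]
    except botocore.exceptions.ClientError:  # describe_stacks fails when the stack does not exist
        stack_status = "NOT_FOUND"
    return inspector_status, detector_statuses, hub_enabled, aggregator, stack_status


if __name__ == "__main__":
    import sys
    location = sys.argv[1] if len(sys.argv) > 1 else "global"  # "global", "us" or "eu"
    region = RECOMMENDED_REGION[location.lower()]
    print(report(evaluate(location, region, *collect(region))))
```

Run it as `python check_prereqs.py eu` (or `global`) with credentials for the account being onboarded; any FAIL line maps back to the step above that sets that item, and a failing stack_complete check is the case the Stack Already Exists Error note covers.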
