Interesting read

Security Hub custom providers

  • https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-custom-providers.html

Security Hub finding updates

Security Hub findings can be updated. However, only some attributes can be updated, and one should be aware of those limitations. The list can be found here.

Findings discovered while working with Security Hub

CreatedAt and UpdatedAt ISO 8601 check

The Security Hub schema states that CreatedAt, UpdatedAt and similar fields should follow the date-time format from RFC 3339. However, the schema defines this type merely as a non-empty string. The Security Hub API returned the following regular expression when a value failed validation:

(\\d\\d\\d\\d)-[0-1](\\d)-[0-3](\\d)[Tt](?:[0-2](\\d):[0-5](\\d):[0-5](\\d)|23:59:60)(?:\\.(\\d)+)?(?:[Zz]|[+-](\\d\\d)(?::?(\\d\\d))?)$

Resources in AwsSecurityFinding cannot be an empty list

The Security Hub schema does not seem to mention anything about requiring at least one resource in Resources, yet BatchImportFindings rejects a finding with an empty list. Sample error response:

{
    "FailedCount": 1,
    "FailedFindings": [
        {
            "ErrorCode": "InvalidInput",
            "ErrorMessage": "Finding does not adhere to Amazon Finding Format. data.Resources should NOT have fewer than 1 items.",
            "Id": "69b19573-f60c-45f4-bad7-cc39c98dad92"
        }
    ],
    "ResponseMetadata": {
        "HTTPHeaders": {
            "connection": "keep-alive",
            "content-length": "244",
            "content-type": "application/json",
            "date": "Tue, 22 Dec 2020 18:55:23 GMT",
            "x-amz-apigw-id": "X98cTGGnDoEFbEg=",
            "x-amzn-requestid": "20359099-5dbd-4652-ac0c-ed2aa031a224",
            "x-amzn-trace-id": "Root=1-5fe2411b-7f834d21130461413669ff32"
        },
        "HTTPStatusCode": 200,
        "RequestId": "20359099-5dbd-4652-ac0c-ed2aa031a224",
        "RetryAttempts": 0
    },
    "SuccessCount": 0
}

When a finding has no more specific resource to point at, a resource of type AwsAccount seems to be a sensible default.
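A local pre-flight check for both rejections above (non-RFC 3339 timestamps and an empty Resources list), written as an added example rather than anything from the AWS documentation. It reuses the regular expression the API returned, with the JSON double escaping removed; the account id, ProductArn and the AWS::::Account resource id layout are constructed sample values.

```python
import re
from datetime import datetime, timezone

# The date-time pattern the Security Hub API returned (see above), with the
# JSON double escaping removed. fullmatch() anchors it at the start as well.
RFC3339_RE = re.compile(
    r"(\d\d\d\d)-[0-1](\d)-[0-3](\d)[Tt](?:[0-2](\d):[0-5](\d):[0-5](\d)|23:59:60)"
    r"(?:\.(\d)+)?(?:[Zz]|[+-](\d\d)(?::?(\d\d))?)$"
)

TIMESTAMP_FIELDS = ("CreatedAt", "UpdatedAt", "FirstObservedAt", "LastObservedAt")


def utc_now_rfc3339():
    """Render the current time the way the API accepts, e.g. 2020-12-22T18:55:23.123Z."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def validate_finding(finding):
    """Return the problems BatchImportFindings would report; empty list means OK locally."""
    problems = []
    for field in TIMESTAMP_FIELDS:
        value = finding.get(field)
        if value is not None and not RFC3339_RE.fullmatch(value):
            problems.append(f"{field} is not RFC 3339: {value!r}")
    if not finding.get("Resources"):
        problems.append("data.Resources should NOT have fewer than 1 items")
    return problems


def with_default_resource(finding, account_id, region):
    """Fill an empty Resources list with an AwsAccount resource (assumed id layout)."""
    if not finding.get("Resources"):
        finding = dict(finding, Resources=[{
            "Type": "AwsAccount",
            "Id": f"AWS::::Account:{account_id}",
            "Region": region,
        }])
    return finding


# Constructed sample finding: a space instead of 'T' in CreatedAt and no Resources.
SAMPLE_FINDING = {
    "SchemaVersion": "2018-10-08",
    "Id": "example-finding-1",
    "ProductArn": "arn:aws:securityhub:us-east-1:123456789012:product/123456789012/default",
    "GeneratorId": "custom-scanner",
    "AwsAccountId": "123456789012",
    "Types": ["Software and Configuration Checks"],
    "CreatedAt": "2020-12-22 18:55:23",
    "UpdatedAt": "2020-12-22T18:55:23Z",
    "Severity": {"Label": "LOW"},
    "Title": "Example",
    "Description": "Constructed sample for local validation",
    "Resources": [],
}
```

Run validate_finding on a batch before calling BatchImportFindings so malformed findings are fixed locally instead of showing up in FailedFindings.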