# Module 3 - Security Hub Custom Actions - Human initiated automation

Custom Actions in Security Hub are useful for analysts working with the Security Hub console who want to send a specific finding, or a small set of findings, to a response or remediation workflow. The finding generated by the test in the first module will be used within this module to explore Custom Actions.

1. Run the following:

   ```
   ${CLOUDCUSTODIANDOCKERCMD} aws-securityhub-automated-remediations-workshop/module3/ec2-sechub-custom-actions.yml
   ```

2. You should see lines of output like the following:

   ```
   2020-01-20 00:23:17,388: custodian.policy:INFO Provisioning policy lambda DenySnapStop
   2020-01-20 00:23:17,567: custodian.serverless:INFO Publishing custodian policy lambda function custodian-DenySnapStop
   2020-01-20 00:23:18,728: custodian.policy:INFO Provisioning policy lambda DisableKey
   2020-01-20 00:23:18,878: custodian.serverless:INFO Publishing custodian policy lambda function custodian-DisableKey
   2020-01-20 00:23:19,816: custodian.policy:INFO Provisioning policy lambda Delete
   2020-01-20 00:23:19,951: custodian.serverless:INFO Publishing custodian policy lambda function custodian-Delete
   2020-01-20 00:23:20,876: custodian.policy:INFO Provisioning policy lambda PostOpsItem
   2020-01-20 00:23:22,118: custodian.serverless:INFO Publishing custodian policy lambda function custodian-PostOpsItem
   2020-01-20 00:23:23,660: custodian.policy:INFO Provisioning policy lambda RemPA
   2020-01-20 00:23:23,795: custodian.serverless:INFO Publishing custodian policy lambda function custodian-RemPA
   ```

3. Note that the string after "Provisioning policy lambda" matches the policy names contained within the ec2-sechub-custom-actions.yml file from the last docker command. The names of the generated Lambdas are composed of those policy names prefixed with "custodian-". CloudWatch logs are generated following the standard naming convention, `/aws/lambda/custodian-$(PolicyName)`.
4. Within the Management Console, navigate to the Security Hub service.
5. In the left hand navigation area, click on Findings.
6. You should see a row where the value of the Title column is "ec2-force-vulnerabilities". If not, then in the Findings search box type Title, under the pop-up Filters click on Title, then in the new popup enter "ec2-force-vulnerabilities" and click Apply.
7. Click the checkbox (left hand side) for the finding.
8. In the upper right, click "Actions", then in the popup click on "Ec2 DenySnapStop".
9. You should observe a green notification at the top of the page saying "Successfully sent findings to Amazon CloudwatchEvents". I've submitted a request to include the action name in that message.
10. Review the CloudWatch log of the Lambda which got invoked. Log Group names are composed of the prefix "/aws/lambda/custodian-" followed by the policy name, so in this case "/aws/lambda/custodian-DenySnapStop". Within that log group, open the most recent Log stream. Lines with "ERROR" indicate something is wrong; please let the event facilitator know if you see an ERROR. You should see at least one line containing "invoking action:" for each action in the policy.
11. Optional: Review the complete payload of the CloudWatch event, which is logged directly after a line (usually line #2) ending with the text "Processing event".
12. Optional: you can use the AWS Console and/or CLI to confirm that the instance named "RemediationTestTarget" has really been stopped, snapshotted, and the IAM Instance Profile disassociated.
13. Now run the following command to reassociate the InstanceProfile, as it's needed for the next module:

    ```
    aws ec2 associate-iam-instance-profile --iam-instance-profile Name=SecurityHubRemediationWorkshopTestTarget --instance-id $(aws ec2 describe-instances --filters Name=tag:Name,Values=RemediationTestTarget --query Reservations[*].Instances[*].[InstanceId] --output text)
    ```

    If you get an error, the most likely reason is that the instance is still in the stopping state; wait 5-10 seconds, then retry.
14. Now run the following command to start the instance so it is ready for the next module:

    ```
    aws ec2 start-instances --instance-ids $(aws ec2 describe-instances --filters Name=tag:Name,Values=RemediationTestTarget Name=instance-state-name,Values=stopped --query Reservations[*].Instances[*].[InstanceId] --output text)
    ```

15. You have completed this module, please proceed to the next module.
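The naming rule in step 3 and the log review in step 10 can be scripted. The following is an added example, not part of the workshop materials: it extracts the policy names from the provisioning output shown above, derives the matching Lambda log group names, and scans a constructed log stream for "invoking action:" and "ERROR" lines; the log stream contents and action names are assumptions, only the two substrings the module tells you to look for are taken from the page.

```python
import re

# Provisioning output lines as shown in step 2 of this module.
PROVISION_OUTPUT = """\
2020-01-20 00:23:17,388: custodian.policy:INFO Provisioning policy lambda DenySnapStop
2020-01-20 00:23:18,728: custodian.policy:INFO Provisioning policy lambda DisableKey
2020-01-20 00:23:19,816: custodian.policy:INFO Provisioning policy lambda Delete
2020-01-20 00:23:20,876: custodian.policy:INFO Provisioning policy lambda PostOpsItem
2020-01-20 00:23:23,660: custodian.policy:INFO Provisioning policy lambda RemPA
"""

PROVISION_RE = re.compile(r"Provisioning policy lambda (\S+)\s*$")


def policy_names(output: str) -> list:
    """Return the policy names custodian provisioned, in output order."""
    return [m.group(1) for line in output.splitlines()
            if (m := PROVISION_RE.search(line))]


def log_group_for(policy: str) -> str:
    """Log group naming convention from step 3: /aws/lambda/custodian-<PolicyName>."""
    return f"/aws/lambda/custodian-{policy}"


# Constructed sample of a Lambda log stream (not real custodian output).
# Only the "ERROR" and "invoking action:" substrings from step 10 matter;
# the action names are illustrative assumptions.
SAMPLE_STREAM = """\
START RequestId: 00000000-0000-0000-0000-000000000000 Version: $LATEST
[INFO] Processing event
[INFO] {"detail-type": "Security Hub Findings - Custom Action"}
[INFO] invoking action: stop
[INFO] invoking action: snapshot
[ERROR] constructed failure line for illustration
"""


def review_stream(stream: str, expected_actions: int) -> dict:
    """Apply the step 10 checks: no ERROR lines, one 'invoking action:' per policy action."""
    lines = stream.splitlines()
    invoked = [l for l in lines if "invoking action:" in l]
    errors = [l for l in lines if "ERROR" in l]
    return {
        "invoked": len(invoked),
        "errors": errors,
        "ok": not errors and len(invoked) >= expected_actions,
    }
```

Run `review_stream(SAMPLE_STREAM, 3)` for the three-action DenySnapStop policy: the constructed stream reports one ERROR line and only two invoked actions, so it fails both checks.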