AWSTemplateFormatVersion: 2010-09-09 Description: This CloudFormation template will automate the importing of aws config findings into aws security hub Parameters: LambdaSourceBucket: Description: S3 Bucket of the Lambda code Default: bucket-with-lambda-code Type: String LambdaSourceKey: Description: Lambda file name in the S3 Bucket Default: config-cwe-sh.zip Type: String Resources: LambdaServiceRole: Type: 'AWS::IAM::Role' Properties: RoleName: 'config-sechub-lambda-role' AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - 'sts:AssumeRole' Policies: - PolicyName: lambda-service-policy PolicyDocument: Statement: - Effect: Allow Action: - 'securityhub:BatchImportFindings' Resource: - '*' - Effect: Allow Action: - 'logs:CreateLogGroup' - 'logs:CreateLogStream' - 'logs:PutLogEvents' Resource: '*' - Effect: Allow Action: - 'config:DescribeConfigRules' Resource: '*' ConfigSecHubFunction: Type: AWS::Lambda::Function Properties: Code: S3Bucket: !Ref LambdaSourceBucket S3Key: !Ref LambdaSourceKey FunctionName : 'Config-SecHub-Lambda' Handler: 'lambda_function.lambda_handler' Role: Fn::GetAtt: - LambdaServiceRole - Arn Runtime: python3.8 Timeout: 300 ConfigSecHubCWRule: Type: AWS::Events::Rule Properties: Description: This CW rule integrates AWS Config Compliance events with AWS Lambda as a target Name: 'Config-Sechub-CW-Rule' EventPattern: source: - aws.config detail-type: - Config Rules Compliance Change detail: configRuleName: - anything-but: prefix: securityhub- messageType: - ComplianceChangeNotification State: ENABLED Targets: - Arn: Fn::GetAtt: - 'ConfigSecHubFunction' - 'Arn' Id: 'TargetFunctionV1' PermissionForEventsToInvokeLambda: Type: AWS::Lambda::Permission Properties: FunctionName: Ref: 'ConfigSecHubFunction' Action: 'lambda:InvokeFunction' Principal: 'events.amazonaws.com' SourceArn: Fn::GetAtt: - 'ConfigSecHubCWRule' - 'Arn'