Zero-Touch Cloud Security: Automating Threat Detection & Remediation with Wiz, AWS Security Hub, and GitHub Actions

akhil mittal - Oct 18 - - Dev Community

Leveraging Wiz, AWS Security Hub, and GitHub Actions for Cloud Security Remediation

As cloud engineers, ensuring security across cloud infrastructure is paramount. We integrated Wiz, an infrastructure scanning tool, with AWS Security Hub to monitor and remediate security vulnerabilities. By further integrating GitHub Actions and AWS Lambda, we streamlined security issue detection and automated remediation. Here's how we achieved this:


Step 1: Wiz Integration with AWS Security Hub

Wiz provides comprehensive cloud security scanning. It identifies vulnerabilities and compliance issues across AWS resources. After running scans, we integrated Wiz with AWS Security Hub to centralize security findings in a single dashboard. AWS Security Hub aggregates security alerts, allowing us to monitor security statuses across multiple AWS services.

Configuration:

  1. Enable AWS Security Hub in your AWS account.
  2. Configure Wiz to export its findings to AWS Security Hub:
    • Use Wiz’s integration options to configure API keys and set the desired AWS account for integration.
    • Once connected, findings from Wiz are automatically sent to Security Hub, populating it with detailed reports on potential vulnerabilities.

Step 2: Automating Security Findings with GitHub Actions

Next, we leveraged GitHub Actions to automate the process of creating issues in GitHub repositories based on findings from AWS Security Hub. This helps the team track and resolve issues using their existing workflows.

Workflow:

  1. AWS Security Hub API: We configured GitHub Actions to periodically poll Security Hub’s findings using AWS CLI or SDK calls.
  2. Issue Generation:
    • Findings from Security Hub (e.g., open S3 buckets, weak IAM permissions) are fetched and formatted.
    • GitHub Actions automatically creates GitHub issues based on these findings using GitHub’s REST API.

Example GitHub Actions Workflow:

name: Create Security Issues

on:
  schedule:
    - cron: '0 0 * * *'  # Run daily

jobs:
  create-issues:
    runs-on: ubuntu-latest
    steps:
    - name: Set up AWS credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: us-east-1

    - name: Fetch Security Hub Findings
      id: fetch-findings
      run: |
        aws securityhub get-findings --query 'Findings[*].{Id:Id,Title:Title,Description:Description,Severity:Severity.Label}' > findings.json

    - name: Create GitHub Issues
      run: |
        findings=$(cat findings.json)
        for finding in $(echo "${findings}" | jq -c '.[]'); do
          title=$(echo "${finding}" | jq -r '.Title')
          body=$(echo "${finding}" | jq -r '.Description')
          gh issue create --title "$title" --body "$body"
        done
Enter fullscreen mode Exit fullscreen mode

Step 3: AWS Lambda for Automated Remediation

After identifying issues via GitHub, we integrated AWS Lambda to automate the remediation of specific security vulnerabilities.

Use Case:

For example, when AWS Security Hub identifies an open S3 bucket, we trigger a Lambda function via SNS or EventBridge that automatically updates the bucket policy to make it private.

AWS Lambda Steps:

  1. Define Lambda Function:
    The function receives an event from Security Hub, inspects the finding, and then remediates the issue (e.g., closing public access to an S3 bucket).

  2. Deploy and Link with AWS Security Hub:
    Use EventBridge to trigger the Lambda function when Security Hub detects specific types of findings (e.g., S3 public access).

Example Lambda Function for S3 Remediation:

import boto3

def lambda_handler(event, context):
    s3 = boto3.client('s3')

    # Extract S3 bucket info from the event
    for record in event['Records']:
        bucket_name = record['detail']['resource']['details']['awsS3Bucket']['name']

        # Block public access to the bucket
        s3.put_bucket_policy(
            Bucket=bucket_name,
            Policy={
                'Version': '2012-10-17',
                'Statement': [{
                    'Effect': 'Deny',
                    'Principal': '*',
                    'Action': 's3:GetObject',
                    'Resource': f'arn:aws:s3:::{bucket_name}/*'
                }]
            }
        )
    return "Remediation complete"
Enter fullscreen mode Exit fullscreen mode

Step 4: Closing the Issue Post-Remediation

Once the AWS Lambda function successfully remediates the issue, the workflow updates the status of the corresponding GitHub issue as Closed, indicating that the vulnerability has been fixed.

GitHub Actions Workflow for Closing Issues:

  1. Poll for updates on remediation status using AWS CloudWatch or Lambda logs.
  2. Once confirmed, use the GitHub REST API to close the related issue.
- name: Close GitHub Issue
  run: |
    gh issue close ${{ steps.find_issue.outputs.issue_number }} --comment "Issue remediated successfully"
Enter fullscreen mode Exit fullscreen mode

Summary Workflow:

  1. Wiz scans and sends findings to AWS Security Hub.
  2. GitHub Actions pulls findings from Security Hub and automatically creates GitHub issues for tracking.
  3. AWS Lambda is triggered by EventBridge when critical findings are detected and remediates them (e.g., securing open S3 buckets).
  4. Once remediation is complete, GitHub Actions or Lambda automatically closes the corresponding GitHub issue, notifying the team.

Benefits:

  • Fully Automated: No human intervention required to detect, log, remediate, and track issues.
  • Fast Response: Findings are quickly remediated with minimal downtime or risk exposure.
  • Integrated Workflow: GitHub issues provide a centralized place for tracking and visibility, while AWS Lambda handles remediation.

This solution ensures security vulnerabilities are handled efficiently, automating both detection and remediation processes in a seamless manner.

Conclusion

This end-to-end workflow integrates Wiz, AWS Security Hub, GitHub Actions, and AWS Lambda to automate the detection, tracking, and remediation of security vulnerabilities in your AWS environment. By integrating infrastructure scanning tools like Wiz and leveraging automation, we enhance security practices, reduce manual intervention, and streamline remediation, providing a scalable approach to cloud security.

To fully automate the process of security detection and remediation using Wiz, AWS Security Hub, GitHub Actions, and AWS Lambda, follow these advanced steps:

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .