AWS Security Hub and EventBridge Configuration
Depending on the add account method you choose in FortiCNP, follow the guideline and configuration steps below respectively.
Please use a recommended AWS region to activate Amazon Inspector, Amazon Guard Duty, and AWS Security Hub to avoid extra cross region cost:
- For users located in Global or US (United States), please use us-west-2 region.
- For users located in EU (European Union), please use eu-west-1 region.
|Add Account Method||AWS Security Hub Configuration Guideline|
|Automatically Add 1 Account||Go to a recommended AWS region, enable Amazon Inspector, GuardDuty, AWS Security Hub, and configure region aggregation for the AWS account that is being added.|
|Add 1 Account Manually||Go to a recommended AWS region, enable Amazon Inspector, GuardDuty, AWS Security Hub, and configure region aggregation for the AWS account that is being added.|
|Add AWS Organization||
|Add Multiple via CloudFormation||
- Both Amazon GuardDuty and Amazon Inspector need to be enabled in the same region to generate security events, and then AWS Security Hub can be enabled to collect these security events respectively.
- The FortiCNP's AWS EventBus is located in the region us-west-2(Global or US) or eu-west-1(EU), and its is recommended to enable Amazon Inspector, Amazon GuardDuty, and AWS Security hub in these regions to avoid extra cross region cost.
Step 1 - Enable Amazon Inspector
- After logging into your Amazon account, click on the top right region selector and select us-west-2(Global or US) or eu-west-1(EU).
- In Search field, search and go to "Inspector"
- Click Get Started in the Amazon Inspector Welcome page.
- Click Enable Inspector to enable Amazon Inspector
Step 2 - Enable Amazon GuardDuty
- In the same region, search and go to "GuardDuty".
- Click Get Started in the Amazon GuardDuty Welcome page.
- Click Enable GuardDuty to enable Amazon GuardDuty.
Step 3 - Enable AWS Security Hub and Configure Region Aggregation
- In the same region, search and go to "Security Hub".
- Click Enable Security Hub to enable AWS Security Hub.
- Click on Settings and go to Regions tab.
- Click Edit to configure Aggregation Region.
- Select US-west-2 for Global(US) or eu-west-1 for EU as the region of aggregation, and select all regions below.
- Scroll down and click Link future Regions, and click Save.
Step 4 - Setup Event Rule and Event Bus through AWS CloudFormation
Now the AWS account Security Hub configuration is completed, the AWS Events Bus and Events Rule need to be configured through AWS CloudFormation guide, so that the Security Hub can send security findings to AWS Events Bus under the FortiCNP's AWS EventBridge.
The AWS CloudFormation guide will process this JSON files in establishing the AWS Event Bus and Event Rule between the onboarding AWS account and FortiCNP.
- Go back to the Add AWS Account - Configure Security Hub Integration page.
- Select the Aggregation Account for Security Hub Findings if you are adding an AWS organization account..
- Select us-west-2 for the Aggregation Region in Security Hub for Global (U.S) users or eu-West-1 for European Union users. Then click Next Step.
- Click Go To AWS CloudFormation Guide for Security Hub Integration with CloudFormation.
- A new page will pop up with AWS CloudFormation Guide, click Next at the bottom of each page until the last page, and click Create Stack.
- Refresh the stack status page until the "FortiCNPSecurityHubIntegration" stack status shows "CREATE_COMPLETE".
- Note: If the "FortiCNPSecurityHubIntegration" stack received error and cannot be created, please see Stack Already Exists Error.
- Go back to FortiCNP add account page, and click Next Step
- The add account steps are completed, click Check Status to see the add account progress.
(For instructions before this page, please refer to Add AWS Account Automatically or Add AWS Organization)