Amazon Security Hub
Amazon Web Services- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
Integrates with AWS Security Hub to retrieve aggregated
security findings across the configured AWS accounts and regions. Security Hub consolidates
findings from AWS services (GuardDuty, Inspector, Macie, IAM Access Analyzer, security standards
controls, etc.) and partner products into a normalized format. The connector reads those findings
via the Security Hub GetFindings API and emits one Brinqa object per (resource, finding) pair,
so a single finding that references multiple resources produces one object per resource.
Data retrieved from Amazon Security Hub
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Finding | Yes | Finding |
For detailed steps on how to view the data retrieved from Amazon Security Hub in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select Amazon Security Hub from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| Access key ID | No | — | AWS user access key ID, if not specified, the connector consults the default credentials provider chain to try and determine the \ |
| Secret access key | No | — | AWS user secret access key, if not specified, the connector consults the default credentials provider chain to try and determine the \ |
| Default region | No | — | Default AWS region, if not specified, the connector consults the default region provider chain to try and determine the region to use. |
| Assume role | No | — | Amazon Resource Name for the role to assume. |
| Session duration | No | 900 | Assume role session duration in seconds. |
| Page size | No | — | The maximum number of results to retrieve per operation. |
Authentication
Authentication is shared across the AWS connector bundle via the AwsConfiguration base class.
The Security Hub sub-connector uses the AWS SDK for Java v2 SecurityHubClient, which signs every
request with AWS SigV4 using credentials resolved through the following chain (in order):
- STS AssumeRole — if
assumeRoleARNis configured, the connector assumes that role (using the credentials below as the principal) and uses the resulting temporary session credentials. - Static access keys — if
accessKey/secretKeyare configured, they are used directly. - Default credentials provider chain — environment variables,
~/.aws/credentials, container role, or EC2 instance metadata.
Assumed-role sessions use the configurable sessionDuration (default 900 s) with a unique session
name per sync. A SecurityHubClient is constructed per role per region; each client is closed when
its region has been fully synced.
Required AWS API permissions
| Permission | Purpose |
|---|---|
securityhub:GetFindings | List and page through security findings |
sts:AssumeRole | Only when assumeRoleARN is set |
Sync Behavior
The connector supports incremental sync. When a prior sync timestamp is available, it passes a
since (Instant) value, computes the whole number of days between since and now, and — if that
value is greater than zero — applies a lastObservedAt DateFilter (DateRange in DAYS) so only
findings observed within that trailing window are returned. If since is null or the interval
rounds down to zero days, no date filter is applied and every matching finding is returned (a full
sync). The default ComplianceStatus = FAILED and RecordState = ACTIVE filters apply in both
cases.
How to obtain Amazon Security Hub credentials
Obtain the required credentials from your Amazon Security Hub administrator or the Amazon Security Hub admin console, then enter them in the connection settings above.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Finding
| Source Field Name | SDM Attribute |
|---|---|
AwsSecurityFinding.awsAccountId | AWS account ID |
AwsSecurityFinding.compliance().relatedRequirements | Compliance requirements (multivalued) |
AwsSecurityFinding.compliance().status | Status |
AwsSecurityFinding.confidence | Confidence |
AwsSecurityFinding.createdAt | Created at |
AwsSecurityFinding.description | Description |
AwsSecurityFinding.firstObservedAt | First observed at |
AwsSecurityFinding.generatorId | Rule ID |
AwsSecurityFinding.id | Finding ID |
AwsSecurityFinding.lastObservedAt | Last observed at |
AwsSecurityFinding.productFields["aws/securityhub/CompanyName"] | Company name |
AwsSecurityFinding.productFields["aws/securityhub/ProductName"] | Product name |
AwsSecurityFinding.productFields["ControlId"] | Control ID |
AwsSecurityFinding.recordState | Record state |
AwsSecurityFinding.remediation().recommendation().text | Recommendation |
AwsSecurityFinding.severity().label | Severity label |
AwsSecurityFinding.severity().normalized | Severity |
AwsSecurityFinding.title | Title |
AwsSecurityFinding.types | Types (multivalued) |
AwsSecurityFinding.updatedAt | Updated at |
AwsSecurityFinding.workflow().status | Workflow status |
MD5 of Resource.id + AwsSecurityFinding.id | UID |
Resource.id | Resource ID |
Resource.region | Resource region |
Resource.type | Resource type |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Finding
Operation options
| Option | Type | Default | Description |
|---|---|---|---|
region / regions | Comma-separated list of regions to query (one client per region). | Resolved from configuration / default region provider chain | |
maxResults | Page size for each GetFindings call. | Shared pageSize configuration (100) | |
Severity | Filters by severity label(s) (EQUALS match). Multi-valued. | none (no severity filter) | |
ComplianceStatus | Filters by compliance status (EQUALS match). Multi-valued. | FAILED | |
RecordState | Filters by record state (EQUALS match). Multi-valued. | ACTIVE | |
WorkflowStatus | Filters by workflow status (EQUALS match). Multi-valued. | none (no workflow filter) |
Delta sync
Supported.
API
- Type: AWS SDK for Java v2 (
SecurityHubClient) · Endpoint:securityhub:GetFindings - Default filters:
ComplianceStatus = FAILEDandRecordState = ACTIVEare applied unless
Changelog
The Amazon Security Hub connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.2.1 | No changes in this release. | N/A |
| 3.2.0 | No changes in this release. | N/A |
| 3.1.0 | Improvements - Sync failures are now visible. Previously, certain AWS API errors (throttling, server errors, transient network failures, validation errors) could be silently swallowed during multi-region sync, producing empty results without indicating a problem. These now surface as sync failures with a clear log entry detailing the HTTP status, AWS error code, request id, and service name. Per-region permission gaps (HTTP 401 / 403) still allow the sync to continue across other regions, but are now visible in logs. | N/A |