Integrating Symantec Cloud Workload Protection with AWS Security Hub
Last Updated July 22, 2019
Configure Cloud Workload Protection to publish its anti-malware events to AWS Security Hub. Security Hub aggregates findings from multiple AWS services such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie; once Cloud Workload Protection events and alerts are published there as findings, you can aggregate, organize, and prioritize high-severity findings alongside them and gain better insight into your security posture in AWS. For more information about AWS Security Hub, refer to the AWS documentation.
Before you begin
If you do not already have an active subscription to Cloud Workload Protection, you can sign up for a free trial in the AWS Marketplace. To push the Cloud Workload Protection anti-malware events to the AWS Security Hub, you must update your AWS connection with AWS account and region details. You also require the following information:
AWS account ID - The AWS account in which you enabled AWS Security Hub and to which the Cloud Workload Protection findings will be published.
AWS Security Hub region - The region to which you will push Cloud Workload Protection findings. Security Hub is a regional service, so use the region in which you enabled it.
In addition to this information, you must update the policy of the cross-account IAM role that Cloud Workload Protection assumes in your AWS account, so that the role is allowed to publish findings to Security Hub.
To push anti-malware events to AWS Security Hub
In the AWS console, go to IAM > Roles and search for the Cloud Workload Protection IAM role. The role is called CWPConnectionStack-role.
You must edit the IAM role policy to allow Cloud Workload Protection to access AWS Security Hub.
Select the CWP IAM role policy, which is called SCWPIAMPolicy.
Press Edit Policy.
Select JSON and scroll down to line 54 of the policy.
Enter the following text:
Select Review Policy.
Press Save Changes.
In the Cloud Workload Protection console, go to the Settings page and press AWS Connection.
Select a specific AWS connection in the Connection tab.
Press the AWS Security Hub tab and check the Publish events to AWS Security Hub checkbox.
Enter the AWS account ID and the region to which you want the events published, and press Save.
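The policy statement Symantec supplies for step "Enter the following text" is not reproduced on this page. As an added example that is not Symantec's own policy text, the script below shows how to build, merge and audit such a statement for the CWPConnectionStack-role policy before you paste it into the JSON editor. It assumes (these are not stated on the page) that the permission needed is securityhub:BatchImportFindings, the Security Hub API third-party products call to publish findings; that the existing SCWPIAMPolicy document can be represented by the constructed stand-in EXISTING_POLICY; and that the Sid CWPPublishToSecurityHub and the aws:RequestedRegion condition are choices made here to keep the grant least-privilege, pinned to the Security Hub region you enter in the CWP console.

```python
"""Build, merge and audit the IAM statement that lets the CWP cross-account role
publish findings to AWS Security Hub.

Added example, not Symantec's policy text. Assumptions: the required action is
securityhub:BatchImportFindings; EXISTING_POLICY is a constructed stand-in for the
real SCWPIAMPolicy document; Sid and region condition are chosen here.
"""
import copy
import json
import re

# Constructed stand-in for the role's existing policy (the real one is longer).
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CWPDiscovery",
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances", "ec2:DescribeRegions"],
            "Resource": "*",
        }
    ],
}

# API that third-party products call to publish findings into Security Hub.
# Assumption: this is the permission the Symantec-supplied statement grants.
PUBLISH_ACTION = "securityhub:BatchImportFindings"
STATEMENT_SID = "CWPPublishToSecurityHub"  # hypothetical Sid chosen for this example


def validate_inputs(account_id: str, region: str) -> list:
    """Return a list of problems with the account ID / region the CWP console asks for."""
    problems = []
    if not re.fullmatch(r"\d{12}", account_id):
        problems.append("AWS account ID must be exactly 12 digits")
    if not re.fullmatch(r"[a-z]{2}(-[a-z]+)+-\d", region):
        problems.append(f"{region!r} does not look like an AWS region name")
    return problems


def securityhub_statement(region: str) -> dict:
    """Least-privilege statement: a single action, allowed only in the Security Hub
    region configured in the CWP console (aws:RequestedRegion pins it there)."""
    return {
        "Sid": STATEMENT_SID,
        "Effect": "Allow",
        "Action": [PUBLISH_ACTION],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:RequestedRegion": region}},
    }


def add_securityhub_statement(policy: dict, region: str) -> dict:
    """Return a copy of `policy` with the publish statement appended. An existing
    statement with the same Sid is replaced, so re-running the script is safe."""
    updated = copy.deepcopy(policy)
    statements = [s for s in updated["Statement"] if s.get("Sid") != STATEMENT_SID]
    statements.append(securityhub_statement(region))
    updated["Statement"] = statements
    return updated


def _actions(stmt: dict) -> list:
    """IAM allows Action to be a string or a list; normalise to a list."""
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def audit_securityhub_grants(policy: dict) -> list:
    """Check what the role may do in Security Hub. Returns a list of issues;
    an empty list means publishing is allowed and nothing broader is granted."""
    issues = []
    can_publish = False
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _actions(stmt):
            if action in ("*", "securityhub:*"):
                # A wildcard does let CWP publish, but also lets it read/modify findings.
                issues.append(f"{stmt.get('Sid', '<no Sid>')}: over-broad action {action!r}")
                can_publish = True
            elif action == PUBLISH_ACTION:
                can_publish = True
    if not can_publish:
        issues.append(f"no statement allows {PUBLISH_ACTION}; events will be rejected")
    return issues


if __name__ == "__main__":
    account_id, region = "123456789012", "us-east-1"  # constructed values
    assert not validate_inputs(account_id, region)
    new_policy = add_securityhub_statement(EXISTING_POLICY, region)
    print(json.dumps(new_policy, indent=2))  # paste into the JSON policy editor
    print("audit:", audit_securityhub_grants(new_policy) or "ok")
```

After saving the edited policy, run the audit against the document the console shows you, not against the stand-in: any `securityhub:*` or `*` grant means the cross-account role can read and update every finding in the account, far more than the publish step needs.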