Package awssecurityhub defines the consolidated AWS Security Hub and Audit Manager integration definition.
Constants ¶
// Account scope values accepted by the accountScope field of the assume-role
// credential and the persisted installation metadata.
const (
	// AccountScopeAll indicates operations should run across all accessible accounts.
	AccountScopeAll = "all"
	// AccountScopeSpecific indicates operations should be limited to explicitly listed accounts.
	AccountScopeSpecific = "specific"
)
Variables ¶
// Sentinel errors returned by this package. Every message carries the
// "awssecurityhub:" prefix so a wrapped error stays attributable in logs;
// callers should match them with errors.Is rather than by comparing strings.
var (
	// ErrCredentialMetadataRequired indicates no credential metadata was provided.
	ErrCredentialMetadataRequired = errors.New("awssecurityhub: credential metadata required")
	// ErrCredentialMetadataInvalid indicates credential metadata could not be decoded.
	ErrCredentialMetadataInvalid = errors.New("awssecurityhub: credential metadata invalid")
	// ErrRoleARNMissing indicates the IAM role ARN is missing from the credential.
	ErrRoleARNMissing = errors.New("awssecurityhub: roleArn required")
	// ErrRegionMissing indicates the home region is missing from the credential.
	ErrRegionMissing = errors.New("awssecurityhub: homeRegion required")
	// ErrAWSConfigBuildFailed indicates the AWS SDK config could not be constructed.
	ErrAWSConfigBuildFailed = errors.New("awssecurityhub: aws config build failed")
	// ErrDescribeHubFailed indicates the Security Hub DescribeHub call failed.
	ErrDescribeHubFailed = errors.New("awssecurityhub: describe hub failed")
	// ErrOperationConfigInvalid indicates operation config could not be decoded.
	ErrOperationConfigInvalid = errors.New("awssecurityhub: operation config invalid")
	// ErrListAssessmentsFailed indicates the Audit Manager ListAssessments call failed.
	ErrListAssessmentsFailed = errors.New("awssecurityhub: list assessments failed")
	// ErrAssessmentEncode indicates an assessment payload could not be serialized for ingest.
	ErrAssessmentEncode = errors.New("awssecurityhub: assessment encode failed")
	// ErrFindingsFetchFailed indicates the Security Hub GetFindings call failed.
	ErrFindingsFetchFailed = errors.New("awssecurityhub: findings fetch failed")
	// ErrFindingEncode indicates a finding payload could not be serialized.
	ErrFindingEncode = errors.New("awssecurityhub: finding encode failed")
	// ErrResultEncode indicates an operation result could not be serialized.
	ErrResultEncode = errors.New("awssecurityhub: result encode failed")
)
Functions ¶
Types ¶
type AssessmentPayload ¶
// AssessmentPayload is the normalized Audit Manager assessment record emitted
// for Finding ingest. Only the fields below leave this package; the raw SDK
// assessment is not forwarded.
type AssessmentPayload struct {
	// ID is the Audit Manager assessment identifier.
	ID string `json:"id,omitempty"`
	// Name is the assessment display name.
	Name string `json:"name,omitempty"`
	// ComplianceType is the compliance framework type for the assessment.
	ComplianceType string `json:"complianceType,omitempty"`
	// Status is the current assessment status.
	Status string `json:"status,omitempty"`
	// DelegationCount is the number of active delegations for the assessment.
	DelegationCount int32 `json:"delegationCount,omitempty"`
	// CreationTime is when the assessment was created. The tag has no
	// omitempty, so a zero time is still emitted as the zero RFC 3339 value.
	CreationTime time.Time `json:"creationTime"`
	// LastUpdated is when the assessment was last updated; same zero-value
	// behaviour as CreationTime.
	LastUpdated time.Time `json:"lastUpdated"`
}
AssessmentPayload is the normalized assessment payload emitted for Finding ingest
type AssessmentsCollect ¶
// AssessmentsCollect collects AWS Audit Manager assessments for Finding ingest.
// It carries no state; configuration arrives per call via AssessmentsConfig.
type AssessmentsCollect struct{}
AssessmentsCollect collects AWS Audit Manager assessments for Finding ingest
func (AssessmentsCollect) IngestHandle ¶
func (a AssessmentsCollect) IngestHandle() types.IngestHandler
IngestHandle adapts assessment collection to the ingest operation registration boundary
func (AssessmentsCollect) Run ¶
func (AssessmentsCollect) Run(ctx context.Context, c *auditmanager.Client, cfg AssessmentsConfig) ([]types.IngestPayloadSet, error)
Run paginates through Audit Manager assessments and emits Finding ingest payloads
type AssessmentsConfig ¶
// AssessmentsConfig holds per-invocation parameters for the assessments.collect
// operation. Decoding failures surface as ErrOperationConfigInvalid.
type AssessmentsConfig struct {
	// Status filters assessments by enrollment status. Valid values: ACTIVE,
	// INACTIVE. Empty returns all statuses.
	Status string `` /* 135-byte string literal not displayed */
	// MaxAssessments caps the total number of assessments returned; 0 means no
	// limit. Operators should set a cap on large organizations to bound the
	// size of a single run.
	MaxAssessments int `` /* 137-byte string literal not displayed */
}
AssessmentsConfig holds per-invocation parameters for the assessments.collect operation
type AssumeRoleCredentialSchema ¶
// AssumeRoleCredentialSchema holds the AWS assume-role and collection-scope
// inputs shared by the Security Hub and Audit Manager client builders.
// RoleARN and HomeRegion are mandatory (ErrRoleARNMissing / ErrRegionMissing).
type AssumeRoleCredentialSchema struct {
	// RoleARN is the cross-account IAM role ARN Openlane should assume in the
	// tenant environment.
	RoleARN string `` /* 154-byte string literal not displayed */
	// ExternalID is the external ID required in the tenant role trust policy.
	// AWS uses the external ID as the confused-deputy guard for cross-account
	// roles, so it should be unique per tenant rather than a shared constant.
	ExternalID string `` /* 138-byte string literal not displayed */
	// HomeRegion is the AWS region where Security Hub cross-region aggregation
	// is managed.
	HomeRegion string `` /* 175-byte string literal not displayed */
	// AccountID is the AWS account ID for reference in assessment summaries
	// and run metadata.
	AccountID string `` /* 138-byte string literal not displayed */
	// AccountScope controls whether collection covers all delegated accounts
	// or a subset; expected values are AccountScopeAll and AccountScopeSpecific.
	// NOTE(review): validation of this value is not visible here — confirm it
	// is rejected when it is neither constant.
	AccountScope string `` /* 173-byte string literal not displayed */
	// AccountIDs lists the specific AWS account IDs used when AccountScope is
	// AccountScopeSpecific; required in that case, ignored otherwise.
	AccountIDs []string `json:"accountIds,omitempty" jsonschema:"title=Account IDs,description=Required when accountScope is specific."`
	// LinkedRegions limits findings collection to the listed source regions.
	LinkedRegions []string `` /* 144-byte string literal not displayed */
	// SessionName is an optional STS session name override; it appears in the
	// tenant's CloudTrail AssumeRole records, so a recognizable value aids audit.
	SessionName string `json:"sessionName,omitempty" jsonschema:"title=Session Name,description=Optional STS session name override."`
	// SessionDuration is an optional STS session duration override given as a
	// duration string (e.g. 1h). NOTE(review): presumably parsed with
	// time.ParseDuration by the client builders — confirm.
	SessionDuration string `json:"sessionDuration,omitempty" jsonschema:"title=Session Duration,description=Optional STS session duration (e.g. 1h)."`
}
AssumeRoleCredentialSchema holds the AWS assume-role and collection-scope inputs shared by the service clients
type AuditManagerClientBuilder ¶
// AuditManagerClientBuilder builds AWS Audit Manager clients for one
// installation from the shared assume-role credential inputs.
type AuditManagerClientBuilder struct{}
AuditManagerClientBuilder builds AWS Audit Manager clients for one installation
func (AuditManagerClientBuilder) Build ¶
func (AuditManagerClientBuilder) Build(ctx context.Context, req types.ClientBuildRequest) (any, error)
Build constructs the AWS Audit Manager client using the shared AWS credential inputs
type FindingsConfig ¶
// FindingsConfig holds per-invocation execution controls for the
// vulnerabilities.collect operation. Decoding failures surface as
// ErrOperationConfigInvalid.
type FindingsConfig struct {
	// MaxFindings caps the total number of findings returned; 0 means no
	// limit. A cap bounds the memory and ingest volume of a single run.
	MaxFindings int `` /* 129-byte string literal not displayed */
}
FindingsConfig holds per-invocation execution controls for the vulnerabilities.collect operation
type HealthCheck ¶
// HealthCheck holds the result of an AWS Security Hub health check; its Run
// method fills it from the DescribeHub response.
type HealthCheck struct {
	// HubARN is the Security Hub ARN.
	HubARN string `json:"hubArn,omitempty"`
	// SubscribedAt is the Security Hub subscription timestamp, kept as the
	// string returned by the API rather than parsed into a time.Time.
	SubscribedAt string `json:"subscribedAt,omitempty"`
}
HealthCheck holds the result of an AWS Security Hub health check
func (HealthCheck) Handle ¶
func (h HealthCheck) Handle() types.OperationHandler
Handle adapts the health check to the generic operation registration boundary
func (HealthCheck) Run ¶
func (HealthCheck) Run(ctx context.Context, c *securityhub.Client) (json.RawMessage, error)
Run validates Security Hub access by calling DescribeHub
type InstallationMetadata ¶
// InstallationMetadata holds the non-secret AWS connection attributes
// persisted for one installation. Secret material (external ID, static keys,
// session tokens) is deliberately absent and must not be added here.
type InstallationMetadata struct {
	// RoleARN is the cross-account IAM role ARN Openlane assumes for this
	// installation.
	RoleARN string `json:"roleArn,omitempty" jsonschema:"title=IAM Role ARN"`
	// HomeRegion is the AWS region used for Security Hub aggregation and API
	// calls.
	HomeRegion string `json:"homeRegion,omitempty" jsonschema:"title=Home Region"`
	// AccountID is the primary AWS account identifier when supplied during
	// setup.
	AccountID string `json:"accountId,omitempty" jsonschema:"title=Account ID"`
	// AccountScope indicates whether collection targets all delegated accounts
	// or a specific set (AccountScopeAll / AccountScopeSpecific).
	AccountScope string `json:"accountScope,omitempty" jsonschema:"title=Account Scope"`
	// AccountIDs lists the explicitly selected AWS account identifiers when
	// AccountScope is AccountScopeSpecific.
	AccountIDs []string `json:"accountIds,omitempty" jsonschema:"title=Account IDs"`
	// LinkedRegions limits collection to the listed AWS source regions when
	// configured.
	LinkedRegions []string `json:"linkedRegions,omitempty" jsonschema:"title=Linked Regions"`
}
InstallationMetadata holds the non-secret AWS connection attributes persisted for one installation
func (InstallationMetadata) InstallationIdentity ¶
func (m InstallationMetadata) InstallationIdentity() types.IntegrationInstallationIdentity
InstallationIdentity implements types.InstallationIdentifiable
type SecurityHubClientBuilder ¶
// SecurityHubClientBuilder builds AWS Security Hub clients for one
// installation from the shared assume-role credential inputs.
type SecurityHubClientBuilder struct{}
SecurityHubClientBuilder builds AWS Security Hub clients for one installation
func (SecurityHubClientBuilder) Build ¶
func (SecurityHubClientBuilder) Build(ctx context.Context, req types.ClientBuildRequest) (any, error)
Build constructs the AWS Security Hub client using the shared AWS credential inputs
type ServiceAccountCredentialSchema ¶
// ServiceAccountCredentialSchema is the service-account-based credential
// schema: static AWS access keys used when runtime IAM is unavailable.
// SecretAccessKey and SessionToken are secret material and must never be
// logged or copied into InstallationMetadata, which holds only non-secret
// attributes.
type ServiceAccountCredentialSchema struct {
	// AccessKeyID is a service account credential identifier used when runtime
	// IAM is unavailable.
	AccessKeyID string `` /* 139-byte string literal not displayed */
	// SecretAccessKey is the AWS secret access key for static credentials
	// (required; secret).
	SecretAccessKey string `json:"secretAccessKey" jsonschema:"required,title=Secret Access Key"`
	// SessionToken is the AWS session token for static credentials; only
	// needed for temporary keys (secret).
	SessionToken string `json:"sessionToken,omitempty" jsonschema:"title=Session Token"`
}
ServiceAccountCredentialSchema is the service-account-based (static access key) credential schema
type UserInput ¶
// UserInput holds installation-specific configuration collected from the
// user at setup time.
type UserInput struct {
	// FilterExpr limits imported records to envelopes matching the CEL
	// expression. It is user-supplied input; NOTE(review): the CEL
	// environment it is compiled in is not visible here — confirm it is
	// evaluated with the usual cost limits.
	FilterExpr string `` /* 137-byte string literal not displayed */
}
UserInput holds installation-specific configuration collected from the user
type VulnerabilitiesCollect ¶
// VulnerabilitiesCollect collects AWS Security Hub findings for Finding
// ingest. It carries no state; configuration arrives per call via FindingsConfig.
type VulnerabilitiesCollect struct{}
VulnerabilitiesCollect collects AWS Security Hub findings
func (VulnerabilitiesCollect) IngestHandle ¶
func (v VulnerabilitiesCollect) IngestHandle() types.IngestHandler
IngestHandle adapts vulnerabilities collection to the ingest operation registration boundary
func (VulnerabilitiesCollect) Run ¶
func (VulnerabilitiesCollect) Run(ctx context.Context, c *securityhub.Client, cfg FindingsConfig) ([]types.IngestPayloadSet, error)
Run collects Security Hub findings and emits Finding ingest payloads