awssecurityhub

Published: Apr 29, 2026 License: Apache-2.0 Imports: 21 Imported by: 0


Overview

Package awssecurityhub defines the consolidated AWS Security Hub, AWS IAM, and AWS Config integration definition.


Constants

// Account scope values accepted by the AccountScope fields of AssumeRoleCredentialSchema and
// InstallationMetadata; AccountIDs is only consulted when the scope is AccountScopeSpecific.
const (
	// AccountScopeAll indicates operations should run across all accessible accounts
	AccountScopeAll = "all"
	// AccountScopeSpecific indicates operations should be limited to explicitly listed accounts
	AccountScopeSpecific = "specific"
)

Variables

// Sentinel errors returned by the integration. The message prefix names the AWS service the
// failure belongs to (awssecurityhub, awsconfig, awsiam); callers should match with errors.Is.
var (
	// ErrCredentialMetadataRequired indicates no credential metadata was provided
	ErrCredentialMetadataRequired = errors.New("awssecurityhub: credential metadata required")
	// ErrCredentialMetadataInvalid indicates credential metadata could not be decoded
	ErrCredentialMetadataInvalid = errors.New("awssecurityhub: credential metadata invalid")
	// ErrRoleARNMissing indicates the IAM role ARN is missing from the credential
	ErrRoleARNMissing = errors.New("awssecurityhub: roleArn required")
	// ErrRegionMissing indicates the home region is missing from the credential
	ErrRegionMissing = errors.New("awssecurityhub: homeRegion required")
	// ErrAWSConfigBuildFailed indicates the AWS SDK config could not be constructed
	ErrAWSConfigBuildFailed = errors.New("awssecurityhub: aws config build failed")
	// ErrDescribeHubFailed indicates DescribeHub failed
	ErrDescribeHubFailed = errors.New("awssecurityhub: describe hub failed")
	// ErrSecurityHubNotEnabled indicates Security Hub is not enabled for the account
	// (distinct from ErrDescribeHubFailed, which covers the API call itself failing)
	ErrSecurityHubNotEnabled = errors.New("awssecurityhub: security hub not enabled for account")
	// ErrOperationConfigInvalid indicates operation config could not be decoded
	ErrOperationConfigInvalid = errors.New("awssecurityhub: operation config invalid")
	// ErrListAssessmentsFailed indicates ListAssessments failed
	ErrListAssessmentsFailed = errors.New("awssecurityhub: list assessments failed")
	// ErrAssessmentEncode indicates an assessment payload could not be serialized for ingest
	ErrAssessmentEncode = errors.New("awssecurityhub: assessment encode failed")
	// ErrFindingsFetchFailed indicates GetFindings failed
	ErrFindingsFetchFailed = errors.New("awssecurityhub: findings fetch failed")
	// ErrFindingEncode indicates a finding payload could not be serialized
	ErrFindingEncode = errors.New("awssecurityhub: finding encode failed")
	// ErrResultEncode indicates an operation result could not be serialized
	ErrResultEncode = errors.New("awssecurityhub: result encode failed")
	// ErrConfigRulesFetchFailed indicates DescribeConfigRules failed
	ErrConfigRulesFetchFailed = errors.New("awsconfig: config rules fetch failed")
	// ErrConfigControlEncode indicates a config rule could not be serialized for ingest
	ErrConfigControlEncode = errors.New("awsconfig: config control encode failed")
	// ErrControlCatalogFetchFailed indicates ListControls failed
	ErrControlCatalogFetchFailed = errors.New("awsconfig: control catalog fetch failed")
	// ErrCatalogControlEncode indicates a control catalog entry could not be serialized for ingest
	ErrCatalogControlEncode = errors.New("awsconfig: catalog control encode failed")
	// ErrIAMUsersFetchFailed indicates ListUsers failed
	ErrIAMUsersFetchFailed = errors.New("awsiam: IAM users fetch failed")
	// ErrIAMGroupsFetchFailed indicates ListGroups failed
	ErrIAMGroupsFetchFailed = errors.New("awsiam: IAM groups fetch failed")
	// ErrIAMGroupsForUserFetchFailed indicates ListGroupsForUser failed
	ErrIAMGroupsForUserFetchFailed = errors.New("awsiam: IAM groups for user fetch failed")
	// ErrDirectorySyncPayloadEncode indicates a directory sync payload could not be serialized for ingest
	ErrDirectorySyncPayloadEncode = errors.New("awsiam: directory sync payload encode failed")
)

Functions

func Builder

func Builder(cfg Config) registry.Builder

Builder returns the AWS Security Hub definition builder with the supplied operator config applied

Types

type AssetSync added in v1.18.0

// AssetSync holds the configuration settings for the asset sync from AWS.
type AssetSync struct {
	// Disable will stop any of this type of ingest from being performed
	Disable bool `json:"disable,omitempty" jsonschema:"title=Disable,description=Disable the syncing of assets from AWS"`
	// FilterExpr limits imported records to envelopes matching the CEL expression
	// (records that do not match are dropped before ingest; the expression is operator-supplied input)
	FilterExpr string `` /* 137-byte string literal not displayed */
}

AssetSync holds the configuration settings for the asset sync.

func (AssetSync) IngestHandle added in v1.18.0

func (d AssetSync) IngestHandle() types.IngestHandler

IngestHandle adapts the asset sync to the ingest operation registration boundary.

func (AssetSync) Run added in v1.18.0

Run performs the asset sync from AWS.

type AssumeRoleCredentialSchema

// AssumeRoleCredentialSchema holds the AWS assume-role and collection-scope inputs shared by the service clients.
//
// RoleARN, ExternalID and HomeRegion identify the tenant role and region; the remaining fields
// narrow which accounts and regions are collected and tune the STS session.
type AssumeRoleCredentialSchema struct {
	// RoleARN is the cross-account IAM role ARN Openlane should assume in the tenant environment
	// (see ErrRoleARNMissing)
	RoleARN string `` /* 166-byte string literal not displayed */
	// ExternalID is the external ID required in the tenant role trust policy
	// NOTE(review): an sts:ExternalId condition is the standard AWS mitigation for the confused-deputy
	// problem; presumably the tenant trust policy is expected to require it — confirm and document the
	// expected trust policy shape for operators
	ExternalID string `` /* 172-byte string literal not displayed */
	// HomeRegion is the AWS region where Security Hub cross-region aggregation is managed
	// (see ErrRegionMissing)
	HomeRegion string `` /* 175-byte string literal not displayed */
	// AccountID is the AWS account ID for reference in assessment summaries and run metadata
	AccountID string `` /* 138-byte string literal not displayed */
	// AccountScope controls whether collection covers all delegated accounts or a subset
	// (see AccountScopeAll and AccountScopeSpecific)
	AccountScope string `` /* 173-byte string literal not displayed */
	// AccountIDs lists the specific AWS account IDs used when account scope is specific
	AccountIDs []string `json:"accountIds,omitempty"      jsonschema:"title=Account IDs,description=Required when accountScope is specific."`
	// LinkedRegions limits findings collection to the listed source regions
	LinkedRegions []string `` /* 144-byte string literal not displayed */
	// SessionName is an optional STS session name override
	SessionName string `json:"sessionName,omitempty"     jsonschema:"title=Session Name,description=Optional STS session name override."`
	// SessionDuration is an optional STS session duration override, given as a duration string such as "1h"
	// (presumably parsed with time.ParseDuration — confirm how an invalid value is reported)
	SessionDuration string `json:"sessionDuration,omitempty" jsonschema:"title=Session Duration,description=Optional STS session duration (e.g. 1h)."`
}

AssumeRoleCredentialSchema holds the AWS assume-role and collection-scope inputs shared by the service clients

type CheckSync added in v1.18.0

// CheckSync holds the configuration settings for the check sync from AWS Config.
type CheckSync struct {
	// Disable will stop any of this type of ingest from being performed
	Disable bool `json:"disable,omitempty" jsonschema:"title=Disable,description=Disable the syncing of checks from AWS Config"`
	// FilterExpr limits imported records to envelopes matching the CEL expression
	// (records that do not match are dropped before ingest; the expression is operator-supplied input)
	FilterExpr string `` /* 237-byte string literal not displayed */
}

CheckSync holds the configuration settings for the check sync from AWS Config.

func (CheckSync) IngestHandle added in v1.18.0

func (d CheckSync) IngestHandle() types.IngestHandler

IngestHandle adapts the AWS Config check sync to the ingest operation registration boundary.

func (CheckSync) Run added in v1.18.0

Run collects AWS Config rules for the check sync.

type Config added in v1.18.0

// Config holds operator-level credentials for the AWS Security Hub definition.
//
// AccessKeyID and SecretAccessKey are the source identity used to assume tenant roles and both
// carry sensitive:"true" (presumably honoured by config redaction/logging — confirm). ARN is a
// public identifier and is intentionally not tagged as sensitive.
type Config struct {
	// AccessKeyID is the AWS access key ID for Openlane's source identity used when assuming cross-account roles
	AccessKeyID string `json:"accessKeyId" koanf:"accesskeyid" sensitive:"true"`
	// SecretAccessKey is the AWS secret access key for Openlane's source identity
	SecretAccessKey string `json:"secretAccessKey" koanf:"secretaccesskey" sensitive:"true"`
	// ARN is the Openlane ARN that is used as the Principal that is allowed to use the assume role
	// (presumably the Principal tenants must allow in their role trust policy — confirm)
	ARN string `json:"arn" koanf:"arn"`
}

Config holds operator-level credentials for the AWS Security Hub definition

type ConfigServiceClientBuilder added in v1.18.0

// ConfigServiceClientBuilder builds AWS Config clients for one installation.
// Its fields are unexported and not shown in the rendered documentation.
type ConfigServiceClientBuilder struct {
	// contains filtered or unexported fields
}

ConfigServiceClientBuilder builds AWS Config clients for one installation

func (ConfigServiceClientBuilder) Build added in v1.18.0

Build constructs the AWS Config client using the shared AWS credential inputs

type DirectorySync added in v1.18.0

// DirectorySync holds the configuration settings for the AWS IAM user and group sync.
type DirectorySync struct {
	// Disable is used to disable the directory sync operation from aws
	Disable bool `json:"disable,omitempty" jsonschema:"title=Disable,description=Disable the syncing of users and groups from AWS IAM"`
	// DisableGroupSync will just sync users and no groups or group memberships
	// (skips the ListGroups / ListGroupsForUser calls; see ErrIAMGroupsFetchFailed and ErrIAMGroupsForUserFetchFailed)
	DisableGroupSync bool `` /* 144-byte string literal not displayed */
	// FilterExpr limits imported records to envelopes matching the CEL expression
	// (records that do not match are dropped before ingest; the expression is operator-supplied input)
	FilterExpr string `` /* 196-byte string literal not displayed */
}

func (DirectorySync) IngestHandle added in v1.18.0

func (d DirectorySync) IngestHandle() types.IngestHandler

IngestHandle adapts IAM directory sync to the ingest operation registration boundary

func (DirectorySync) Run added in v1.18.0

Run collects AWS IAM users, and optionally groups and memberships

type FindingSync added in v1.18.0

// FindingSync holds per-invocation execution controls for the vulnerabilities.collect operation.
type FindingSync struct {
	// MaxFindings caps the total number of findings returned; 0 means no limit
	// (a cap bounds memory and API calls per run; negative values are not distinguished from 0 here — confirm)
	MaxFindings int `` /* 129-byte string literal not displayed */
}

FindingSync holds per-invocation execution controls for the vulnerabilities.collect operation

type FindingSyncConfig added in v1.18.0

// FindingSyncConfig holds the configuration settings for the findings sync from AWS Security Hub.
type FindingSyncConfig struct {
	// Disable will stop any of this type of ingest from being performed
	Disable bool `json:"disable,omitempty" jsonschema:"title=Disable,description=Disable the syncing of findings from AWS Security Hub"`
	// FilterExpr limits imported records to envelopes matching the CEL expression
	// (records that do not match are dropped before ingest; the expression is operator-supplied input)
	FilterExpr string `` /* 227-byte string literal not displayed */
}

FindingSyncConfig holds the configuration settings for the findings sync.

type FindingsCollect added in v1.18.0

// FindingsCollect collects AWS Security Hub findings; it carries no state of its own.
type FindingsCollect struct{}

FindingsCollect collects AWS Security Hub findings

func (FindingsCollect) IngestHandle added in v1.18.0

func (v FindingsCollect) IngestHandle() types.IngestHandler

IngestHandle adapts vulnerabilities collection to the ingest operation registration boundary

func (FindingsCollect) Run added in v1.18.0

Run collects Security Hub findings

type HealthCheck

// HealthCheck holds the result of an AWS Security Hub health check (populated by Run via DescribeHub).
type HealthCheck struct {
	// HubARN is the Security Hub ARN
	HubARN string `json:"hubArn,omitempty"`
	// SubscribedAt is the Security Hub subscription timestamp
	// (presumably the string form returned by the API; the format is not fixed here — confirm before parsing)
	SubscribedAt string `json:"subscribedAt,omitempty"`
}

HealthCheck holds the result of an AWS Security Hub health check

func (HealthCheck) Handle

func (h HealthCheck) Handle() types.OperationHandler

Handle adapts the health check to the generic operation registration boundary

func (HealthCheck) Run

Run validates Security Hub access by calling DescribeHub

type IAMClientBuilder added in v1.18.0

// IAMClientBuilder builds AWS IAM clients for one installation.
// Its fields are unexported and not shown in the rendered documentation.
type IAMClientBuilder struct {
	// contains filtered or unexported fields
}

IAMClientBuilder builds AWS IAM clients for one installation

func (IAMClientBuilder) Build added in v1.18.0

Build constructs the AWS IAM client using the shared AWS credential inputs

type InstallationMetadata

// InstallationMetadata holds the non-secret AWS connection attributes persisted for one installation.
//
// It is the non-secret subset of AssumeRoleCredentialSchema: ExternalID and the STS session
// overrides are not part of this struct and must not be added to it.
type InstallationMetadata struct {
	// RoleARN is the cross-account IAM role ARN Openlane assumes for this installation
	RoleARN string `json:"roleArn,omitempty" jsonschema:"title=IAM Role ARN"`
	// HomeRegion is the AWS region used for Security Hub aggregation and API calls
	HomeRegion string `json:"homeRegion,omitempty" jsonschema:"title=Home Region"`
	// AccountID is the primary AWS account identifier when supplied during setup
	AccountID string `json:"accountId,omitempty" jsonschema:"title=Account ID"`
	// AccountScope indicates whether collection targets all delegated accounts or a specific set
	// (see AccountScopeAll and AccountScopeSpecific)
	AccountScope string `json:"accountScope,omitempty" jsonschema:"title=Account Scope"`
	// AccountIDs lists the explicitly selected AWS account identifiers when account scope is specific
	AccountIDs []string `json:"accountIds,omitempty" jsonschema:"title=Account IDs"`
	// LinkedRegions limits collection to the listed AWS source regions when configured
	LinkedRegions []string `json:"linkedRegions,omitempty" jsonschema:"title=Linked Regions"`
}

InstallationMetadata holds the non-secret AWS connection attributes persisted for one installation

func (InstallationMetadata) InstallationIdentity

InstallationIdentity implements types.InstallationIdentifiable

type SecurityHubClientBuilder

// SecurityHubClientBuilder builds AWS Security Hub clients for one installation.
// Its fields are unexported and not shown in the rendered documentation.
type SecurityHubClientBuilder struct {
	// contains filtered or unexported fields
}

SecurityHubClientBuilder builds AWS Security Hub clients for one installation

func (SecurityHubClientBuilder) Build

Build constructs the AWS Security Hub client using the shared AWS credential inputs

type ServiceAccountCredentialSchema

// ServiceAccountCredentialSchema is the service account based credential schema (static AWS keys).
//
// NOTE(review): static keys are long-lived; where the tenant environment supports it, the
// assume-role path (AssumeRoleCredentialSchema with an external ID) limits blast radius and
// rotation burden — confirm and document which path operators should prefer.
type ServiceAccountCredentialSchema struct {
	// AccessKeyID is a service account access key ID used when runtime IAM is unavailable
	AccessKeyID string `` /* 139-byte string literal not displayed */
	// SecretAccessKey is the AWS secret access key for static credentials
	SecretAccessKey string `json:"secretAccessKey" jsonschema:"required,title=Secret Access Key"`
	// SessionToken is the AWS session token for static credentials
	// (presumably only set when the supplied keys are temporary credentials — confirm)
	SessionToken string `json:"sessionToken,omitempty"    jsonschema:"title=Session Token"`
}

ServiceAccountCredentialSchema is the service account based credential schema

type UserInput

// UserInput holds installation-specific configuration collected from the user.
// Each sub-section can be disabled independently via its Disable field.
type UserInput struct {
	// FindingSync includes the configuration for findings from AWS Security Hub
	FindingSync FindingSyncConfig `json:"findingSync,omitempty" jsonschema:"title=AWS Security Hub Sync"`
	// DirectorySync includes the configuration for identity accounts from AWS IAM
	DirectorySync DirectorySync `json:"directorySync,omitempty" jsonschema:"title=Directory Account Sync"`
	// CheckSync includes the configuration for rules from AWS Config
	CheckSync CheckSync `json:"checkSync,omitempty" jsonschema:"title=AWS Config Rule Sync"`
	// AssetSync includes the configuration for assets from AWS
	AssetSync AssetSync `json:"assetSync,omitempty" jsonschema:"title=AWS Asset Sync"`
}

UserInput holds installation-specific configuration collected from the user
