Introduction
The Elastio Security Hub integration is a critical component that bridges your Elastio scanning ransomware resilience scanning operations with AWS Security Hub, providing centralized security monitoring and threat visibility across your AWS environment.
This Lambda-based integration automatically transforms security findings from Elastio's comprehensive scanning suite into standardized AWS Security Hub findings, enabling seamless security operations workflows.
It takes the detailed technical output from Elastio's malware detection, ransomware scanning, and file system checks, and presents them in AWS Security Hub's familiar interface where your security team already operates. Instead of juggling multiple dashboards, everything flows into one place where you can triage, investigate, and respond to threats.
How It Works
Core Architecture
The integration operates as an event-driven system that sits between Elastio's job execution engine and AWS Security Hub:
- Event Detection: The Lambda listens to Elastio's internal event bus for job completion events
- Finding Generation: Transforms job results into standardized Security Hub findings based on scan outcomes
- Batch Processing: Efficiently batches findings and imports them into Security Hub using AWS APIs
- Resource Mapping: Maps Elastio's asset identifiers to AWS resource types for proper correlation
Supported Scan Types
The integration handles three primary categories of Elastio operations:
iScan Results (Malware & Ransomware Detection):
- Malware detection findings with severity classification
- Ransomware detection with detailed threat indicators
- Failed scan notifications for operational awareness
- Unscannable asset reporting for coverage gaps
File System Checks:
- Corrupted file system detection
- Fixable vs. non-fixable file system errors
- Unsupported file system type notifications
- File system check failures and aborts
Job Status Monitoring:
- Failed job notifications for operational issues
- Aborted job tracking for incomplete scans
- Background job status with resource context
Finding Classification
All findings follow a consistent severity model:
- HIGH: Active threats detected (malware, ransomware, critical FS errors)
- MEDIUM: Operational issues, fixable problems, configuration gaps
- LOW: Informational findings about scan limitations
Installation
Prerequisites
Before deploying the Security Hub integration, ensure you have:
- AWS Security Hub enabled in your target regions
- Elastio Cloud Connector deployed and operational
- EventBridge access for the Lambda function
- S3 read permissions for job attachment downloads
- Security Hub write permissions for finding imports
Deployment Process
The Security Hub Lambda is deployed as part of the broader Elastio Cloud Connector infrastructure. The integration is automatically configured during deployment, but you can verify proper setup:
- Verify Lambda Deployment:
aws lambda get-function --function-name elastio-security-hub-integration
- Check EventBridge Rule:
aws events list-rules --name-prefix elastio-job-events
- Validate IAM Permissions:
aws iam get-role-policy --role-name elastio-security-hub-lambda-role --policy-name SecurityHubAccess
Configuration Parameters
The Lambda function uses the following environment variables:
- ELASTIO_REGION: AWS region for Elastio operations
- ELASTIO_ACCOUNT_ID: AWS account ID for resource identification
- LOG_LEVEL: Logging verbosity (INFO, DEBUG, WARN, ERROR)
- FINDINGS_BATCH_SIZE: Number of findings per Security Hub API call (default: 100)
Security Hub Setup
Ensure Security Hub is properly configured to receive Elastio findings:
- Enable Security Hub in all regions where Elastio scans operate
- Configure custom product if using a dedicated product ARN for Elastio findings
- Set up notification rules for high-severity findings if desired
- Configure finding filters to organize Elastio findings appropriately
Day-to-Day Usage
Monitoring Scan Results
Once operational, the integration works transparently. Security findings appear in Security Hub within minutes of scan completion:
Accessing Findings:
- Navigate to AWS Security Hub in your console
- Go to "Findings" section
- Filter by Company = "Elastio" to see all Elastio-generated findings
- Use the "Product Name" filter to distinguish between:
- "Elastio iScan" (malware/ransomware findings)
- "Elastio FS check" (file system findings)
- "Elastio Jobs Status" (operational findings)
Understanding Finding Details: Each finding includes:
- Resource identification: EC2 instances, EBS volumes, S3 buckets, etc.
- Scan context: Job ID, vault name, scan type
- Detailed descriptions: Technical details about detected issues
- Severity classification: Risk-based priority for response
- User-defined fields: Elastio-specific metadata for correlation
Responding to Threats
When high-severity findings appear:
- Immediate Assessment: Review the finding description for threat details
- Resource Investigation: Use the resource ARN to locate the affected asset
- Scope Analysis: Check for related findings from the same scan job
- Containment: Follow your incident response procedures for the identified threat type
- Remediation Tracking: Update finding status in Security Hub as you progress
Operational Monitoring
Monitor the integration health through:
CloudWatch Metrics:
- Lambda execution duration and error rates
- Security Hub API call success/failure rates
- Finding import batch sizes and timing
CloudWatch Logs:
- Detailed processing logs for troubleshooting
- Error messages for failed finding imports
- Job processing statistics
Security Hub Integration Status:
- Verify findings are appearing for recent scan jobs
- Check for any failed finding imports in CloudWatch logs
- Monitor finding volume trends to detect processing issues
Troubleshooting Common Issues
No Findings Appearing:
- Verify Security Hub is enabled in the scan region
- Check Lambda execution logs for errors
- Confirm EventBridge rules are triggering the Lambda
- Validate IAM permissions for Security Hub access
Incomplete Finding Details:
- Check S3 permissions for attachment downloads
- Review job completion status in Elastio
- Verify scan job included the expected scan types
Performance Issues:
- Monitor Lambda timeout settings for large batch processing
- Review finding batch size configuration
- Check for EventBridge throttling or backlog
Best Practices
Finding Management:
- Regularly review and update finding status to maintain clean workflows
- Use Security Hub's custom insights to track Elastio finding trends
- Set up automated notifications for critical findings
Resource Correlation:
- Leverage the ElastioJob and ElastioVault user-defined fields for tracking
- Cross-reference findings with Elastio's detailed scan reports when needed
- Use resource ARNs to correlate findings across multiple security tools
Monitoring and Alerting:
- Set up CloudWatch alarms for Lambda execution failures
- Monitor Security Hub API quotas to prevent import failures
- Track finding volume to ensure complete scan coverage
The Security Hub integration transforms Elastio from a standalone security scanning tool into a core component of your AWS security operations. By centralizing findings in Security Hub, your team can maintain their existing workflows while gaining the deep security insights that Elastio provides.