With the AWS Security Hub integration, you can automatically send alerts from Plerion into AWS Security Hub. Alerts can include findings based on parameters you define, such as risk score, publicly exposed resources, sensitive data, or administrative privileges.
Note: This is a one-way outbound integration. Alerts created or updated in Plerion will appear in AWS Security Hub, but changes made directly in Security Hub will not sync back to Plerion.

Steps to integrate AWS Security Hub with Plerion

  1. On the Plerion dashboard, go to Settings > Integrations
  2. Find Security Hub and click the + button
  3. Enter a name for your integration
  4. Click Add to save the integration
  5. Accept findings in AWS Security Hub
    Open the AWS Security Hub console and accept findings from Plerion.

Steps to remove AWS Security Hub integration

  1. Delete the integration in Plerion
    Go to the integration information page and click the delete icon.
  2. Stop accepting findings in AWS Security Hub
    In the AWS Security Hub console, stop accepting findings from Plerion.

Architecture

Plerion alerts are routed through Amazon EventBridge and Amazon SQS to an AWS Lambda function. Lambda processes alerts in batches, validates them, and delivers them to Security Hub in AWS Security Finding Format (ASFF).
  • Delivery status and alert state are tracked in a database.
  • Failed deliveries are stored in a Dead-Letter Queue (DLQ) for review and resubmission.
This ensures reliability and consistency when sending findings to Security Hub.

FAQ

  1. How long does it take for findings to appear in AWS Security Hub?
    Findings are delivered within 2–3 minutes of being generated in Plerion.
  2. How is the Plerion risk score mapped to the ASFF severity label?
    Risk score    ASFF severity label
    0.0           INFORMATIONAL
    0.1–3.999     LOW
    4.0–6.999     MEDIUM
    7.0–8.999     HIGH
    9.0–10.0      CRITICAL
  3. How are alerts mapped to ASFF findings?
    Alerts are transformed into AWS Security Finding Format (ASFF) objects. Example:
    {
      "SchemaVersion": "2018-10-08",
      "Id": "<prn>/<workflowId>/<openedAtExecutionTimestamp>",
      "ProductName": "Plerion Workflow Engine",
      "CompanyName": "Plerion",
      "GeneratorId": "<integrationId>",
      "Types": ["Software and Configuration Checks"],
      "FirstObservedAt": "<openedAtExecutionTimestamp>",
      "Title": "<alertTitle>",
      "Description": "<alertSummary>",
      "ProductFields": {
        "IntegrationId": "<integrationId>",
        "IntegrationName": "<integrationName>",
        "WorkflowId": "<workflowId>",
        "WorkflowName": "<workflowName>",
        "TenantId": "<tenantId>",
        "TenantName": "<tenantName>"
      },
      "Resources": [
        {
          "Type": "<resourceTypeMappedToASFF>",
          "Id": "<fullResourceName>"
        }
      ],
      "Workflow": {
        "Status": "NEW"
      },
      "FindingProviderFields": {
        "Severity": {
          "Label": "<riskScoreMappedToASFF>"
        }
      }
    }
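
The severity mapping and ASFF transformation from the FAQ, combined with the validate-then-dead-letter flow from the Architecture section, as an added Python example (not Plerion's own code). The alert field names are hypothetical, only a subset of the ASFF fields shown above is built, and scores that fall between the listed ranges are assumed to belong to the range below them.

```python
import math

# Lower bounds from the FAQ table, highest first. Scores between the listed
# ranges (e.g. 3.9995) fall to the range below them: an assumption.
FLOORS = [(9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"),
          (0.1, "LOW"), (0.0, "INFORMATIONAL")]
# Hypothetical alert field names; the page only shows the ASFF side.
REQUIRED = ("prn", "workflowId", "openedAt", "integrationId", "title",
            "summary", "resourceType", "resourceName", "riskScore")


def severity_label(score):
    """Map a 0.0-10.0 risk score to an ASFF severity label."""
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        raise ValueError(f"risk score is not a number: {score!r}")
    if math.isnan(score) or not 0.0 <= score <= 10.0:
        raise ValueError(f"risk score out of range: {score!r}")
    return next(label for floor, label in FLOORS if score >= floor)


def to_asff(alert):
    """Build the subset of ASFF fields shown in the FAQ example."""
    missing = [k for k in REQUIRED if alert.get(k) in (None, "")]
    if missing:
        raise ValueError(f"missing fields: {', '.join(missing)}")
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"{alert['prn']}/{alert['workflowId']}/{alert['openedAt']}",
        "GeneratorId": alert["integrationId"],
        "Types": ["Software and Configuration Checks"],
        "FirstObservedAt": alert["openedAt"],
        "Title": alert["title"],
        "Description": alert["summary"],
        "Resources": [{"Type": alert["resourceType"], "Id": alert["resourceName"]}],
        "Workflow": {"Status": "NEW"},
        "FindingProviderFields": {
            "Severity": {"Label": severity_label(alert["riskScore"])}},
    }


def process_batch(alerts):
    """Convert a batch; invalid alerts go to a dead-letter list, not the output."""
    findings, dead_letters = [], []
    for alert in alerts:
        try:
            findings.append(to_asff(alert))
        except ValueError as exc:
            dead_letters.append({"alert": alert, "error": str(exc)})
    return findings, dead_letters
```

One malformed alert does not block the rest of the batch: it lands in `dead_letters` with the reason, which is the record needed for review and resubmission.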
    