Conversation

@kcreddy
Contributor

@kcreddy kcreddy commented Nov 11, 2025

Adding logs-aws_securityhub.finding-* data stream indices to the kibana_system privileges. This is required for the latest transform to work.

Related: elastic/integrations#15932

Similar to #124074, #128350

@kcreddy kcreddy requested a review from a team as a code owner November 11, 2025 08:01
@kcreddy kcreddy changed the title Add aws_securityhub.finding source indices to kibana_system role perm… Add aws_securityhub.finding source indices to kibana_system role permissions Nov 11, 2025
@kcreddy kcreddy self-assigned this Nov 11, 2025
@elasticsearchmachine elasticsearchmachine added needs:triage Requires assignment of a team area label v9.3.0 external-contributor Pull request authored by a developer outside the Elasticsearch team labels Nov 11, 2025
@kcreddy kcreddy added >non-issue :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team auto-backport Automatically create backport pull requests when merged Team:Cloud Security Meta label for Cloud Security team and removed needs:triage Requires assignment of a team area label v9.3.0 auto-backport Automatically create backport pull requests when merged labels Nov 11, 2025
@elasticsearchmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

@kcreddy kcreddy added the v9.3.0 label Nov 11, 2025
@kcreddy kcreddy marked this pull request as draft November 11, 2025 12:13
@kcreddy kcreddy marked this pull request as ready for review November 13, 2025 04:28
@kcreddy
Contributor Author

kcreddy commented Nov 13, 2025

@elasticsearchmachine test this please

@kcreddy kcreddy marked this pull request as draft November 13, 2025 04:35
@kcreddy kcreddy marked this pull request as ready for review November 14, 2025 03:45
Member

@azasypkin azasypkin left a comment

LGTM from the Kibana Platform Security perspective. Thanks for updating the spreadsheet that tracks owners of every Kibana System permission.

"logs-google_scc.finding-*",
"logs-aws.securityhub_findings-*",
"logs-aws.securityhub_findings_full_posture-*",
"logs-aws_securityhub.finding-*",
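Review bot: the new entry `"logs-aws_securityhub.finding-*"` lands directly below `"logs-aws.securityhub_findings-*"` and `"logs-aws.securityhub_findings_full_posture-*"`, which stay in place, so the role now carries three near-identical AWS Security Hub patterns; since the PR description says this entry exists only so the latest transform can run, a short comment next to it naming the aws_securityhub integration and that transform would let later audits of kibana_system privileges tell the three apart and retire the right one when it is no longer needed.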
Member

Just out of curiosity: what is the difference in the data stored in "logs-aws.securityhub_findings-*" that we already have above and "logs-aws_securityhub.finding-*"? Is the former for the list of findings and the latter for the details of a specific finding or ...?

Contributor Author

https://docs.aws.amazon.com/securityhub/latest/userguide/what-are-securityhub-services.html
https://aws.amazon.com/blogs/aws/unify-your-security-with-the-new-aws-security-hub-for-risk-prioritization-and-response-at-scale-preview/

AWS rebranded existing AWS Security Hub to AWS Security Hub CSPM, and there's a new AWS SecurityHub that can provide additional correlation, contextualization, and visualization capabilities.
Our existing aws integration used logs-aws.securityhub_findings-* indices which only had CSPM capabilities, but this new integration aws_securityhub which uses "logs-aws_securityhub.finding-*" indices is going to have more capabilities as provided by the new AWS SecurityHub.
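
One way to sanity-check which of the listed kibana_system patterns cover a given data stream name, and to see in code that the legacy and new Security Hub patterns do not overlap. This is an added example, not code from this PR or from Elasticsearch; it assumes Elasticsearch index-privilege patterns use `*` as their only wildcard and that a privilege granted on a data stream name extends to that stream's backing indices.

```python
"""Check which kibana_system index patterns grant access to a data stream.

Added example (not Elasticsearch code). Assumes Elasticsearch index-privilege
patterns use '*' as their only wildcard and match the whole name.
"""
import re

# Constructed subset of the kibana_system index patterns shown in the PR diff.
KIBANA_SYSTEM_PATTERNS = [
    "logs-google_scc.finding-*",
    "logs-aws.securityhub_findings-*",
    "logs-aws.securityhub_findings_full_posture-*",
    "logs-aws_securityhub.finding-*",
]


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an Elasticsearch-style index pattern into an anchored regex.

    Every literal character is escaped so '.', '_' and '-' match themselves;
    only '*' becomes '.*'. fnmatch is deliberately not used because it would
    also treat '?' and '[' as wildcards, which Elasticsearch does not.
    """
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def covering_patterns(index_name: str, patterns=KIBANA_SYSTEM_PATTERNS) -> list:
    """Return every pattern in `patterns` that grants privileges on `index_name`.

    Pass a data stream name (e.g. logs-aws_securityhub.finding-default); a
    privilege on the stream name covers its backing indices in Elasticsearch.
    """
    return [p for p in patterns if pattern_to_regex(p).match(index_name)]


def is_covered(index_name: str, patterns=KIBANA_SYSTEM_PATTERNS) -> bool:
    """True if at least one pattern grants privileges on `index_name`."""
    return bool(covering_patterns(index_name, patterns))


if __name__ == "__main__":
    # Constructed data stream names for the new and the legacy integration.
    for name in ["logs-aws_securityhub.finding-default",
                 "logs-aws.securityhub_findings-default",
                 "logs-aws.securityhub_findings_full_posture-default",
                 "logs-aws_securityhub.other-default"]:
        print(f"{name} -> {covering_patterns(name)}")
```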

Member

Ah, I see, thanks for the additional context!

@kcreddy kcreddy merged commit 9495281 into elastic:main Nov 14, 2025
40 checks passed