NOTE: This API is for beta purposes only. Kindly email cs@horangi.com for access
Warden’s CSPM Checks API can also output CSPM Checks into the AWS Security Finding Format (ASFF) for supported resource types. The ASFF format is used in AWS Security Hub so you can immediately import Warden AWS findings and aggregate them with the rest of your Security Hub findings.
Request Format
To get an API response in ASFF format, put the following case-sensitive header in your request.
check-format: asff
For the ASFF format, you also need to include the AWS account ID (e.g. 123456789012) in which Security Hub is enabled, plus the region (e.g. us-east-1) Security Hub is enabled in. The API requires these two parameters so that Warden knows which Security Hub setup will receive the data and Security Hub can successfully import the exported findings.
Use this URL format when you want to request an ASFF response.
IMPORTANT: To export only findings (FAILED checks) for import into Security Hub, add the `results=fail` filter to the URL.
https://api.horangi.com/v1/cspm/checks?results=fail&account_id=<AWS Account ID of Security Hub integration>&region=<region of Security Hub integration>
To save the API response to a file that you can later import into Security Hub, pipe the response through the jq tool, which extracts the `data` array from the response.
curl --request GET \
--url '<YOUR REQUEST URL>' \
--header 'check-format: asff' \
--header 'x-api-key: YOUR API KEY' | jq '.data' > report.asff
To generate your own Warden API key, go to Managing API Keys
Example full query using cURL:
curl --request GET \
--url 'https://api.horangi.com/v1/cspm/checks?results=fail&account_id=123456789012&region=us-east-1' \
--header 'check-format: asff' \
--header 'x-api-key: 5kx1os69VWWulg9m8W%dRyp@bxvAX%%wOudG4u1Gp4x8YQVb7m' | jq '.data' > report.asff
Are you seeing fewer results than you expect? Note that:
- Only AWS resources are included in the response
- Only supported resource types are included in the response
- By default, we only return 500 results per query. Refer to Pagination here for more details
You can also add in the same filters as the rest of the Checks API to further refine your results.
Query Response
Response Field | Type | Description
--- | --- | ---
data[x].AwsAccountId | String | The AWS account ID of the Security Hub instance.
data[x].CreatedAt | String | The time this check was created.
data[x].Description | String | A short description of the check. Note: because Security Hub only supports up to 1024 characters, longer descriptions are truncated.
data[x].GeneratorId | String | A Warden-generated identifier used in Security Hub. Format: `<Check UID>//<Rule ID>//<Resource ID>`
data[x].Id | String | The unique signature for this check.
data[x].ProductName | String | Name of the product. Value: Warden (hardcoded)
data[x].CompanyName | String | Name of the company. Value: Horangi (hardcoded)
data[x].ProductArn | String | The Amazon Resource Name (ARN) generated by Security Hub that uniquely identifies Warden after the product is registered with Security Hub.
data[x].Compliance.Status | String | Whether the resource passed or failed the compliance checks. Values: PASSED or FAILED
data[x].Resources[] | Array | The resource(s) associated with the check.
data[x].Resources[y].Id | String | The cloud-native resource identifier of the check.
data[x].Resources[y].Type | String | The resource type in ASFF format.
data[x].Resources[y].Region | String | The region the resource is located in.
data[x].SchemaVersion | String | The schema version that a finding is formatted for. The value of this field must be one of the officially published versions identified by AWS. The current release's AWS Security Finding Format schema version is 2018-10-08.
data[x].Severity | Object | Defines the importance of a check.
data[x].Severity.Label | String | The final severity of this check. Values:
data[x].Title | String | The rule title of this check.
data[x].Types[] | Array[String] | The different compliance standards this check applies to. Note that not all the standards that Warden supports are supported by Security Hub. Supported values:
data[x].UpdatedAt | String | The last time a check was updated.
links.self | URL | The URL that generates this response.
links.next | URL | If not null, the URL to use to request the next page of items.
Importing Findings to Security Hub
To import the findings to Security Hub, assuming that the AWS CLI is already set up on your machine and you saved the results to a file, run this command:
aws securityhub batch-import-findings --findings file://<your findings file> --region <Region where Security Hub is located>
If the command ran successfully, you should see a response like the following, giving the number of findings that were successfully and unsuccessfully imported into Security Hub.
{
"FailedCount": number,
"FailedFindings": [
{
"ErrorCode": "string",
"ErrorMessage": "string",
"Id": "string"
}
],
"SuccessCount": number
}
You can then find the new Warden findings in Security Hub.
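Putting the export and import steps together, here is an added Python example (not Warden's or AWS's own code) that follows `links.next` until it is null, checks each finding against the fields documented above, and splits the result into batches of at most 100 findings, which is Security Hub's own per-call limit for BatchImportFindings (an AWS API constraint, not stated on this page). The `fetch` callable, the two-page sample response and its `&page=2` link are assumptions; with boto3, each batch would go to `securityhub.batch_import_findings(Findings=batch)`.

```python
from typing import Callable
SECURITY_HUB_BATCH_MAX = 100   # BatchImportFindings accepts at most 100 findings per call
ASFF_SCHEMA_VERSION = "2018-10-08"
MAX_DESCRIPTION_LEN = 1024     # Security Hub truncation limit noted in the field table

def collect_findings(fetch: Callable[[str], dict], first_url: str) -> list:
    """Follow links.next until it is null, gathering data[] across all pages. `fetch` is a
    hypothetical callable doing the GET (check-format: asff, x-api-key) and returning parsed JSON."""
    findings, url, seen = [], first_url, set()
    while url and url not in seen:         # `seen` guards against a looping next link
        seen.add(url)
        page = fetch(url)
        findings.extend(page.get("data", []))
        url = (page.get("links") or {}).get("next")
    return findings

def validate(finding: dict, hub_account: str) -> list:
    """Return the reasons a finding should not be sent to the target Security Hub."""
    problems = []
    if finding.get("AwsAccountId") != hub_account:
        problems.append("AwsAccountId does not match the Security Hub account")
    if finding.get("SchemaVersion") != ASFF_SCHEMA_VERSION:
        problems.append("unexpected SchemaVersion")
    if (finding.get("Compliance") or {}).get("Status") != "FAILED":
        problems.append("not a FAILED check; request with results=fail")
    if len(finding.get("Description", "")) > MAX_DESCRIPTION_LEN:
        problems.append("Description exceeds 1024 characters")
    if not finding.get("Resources"):
        problems.append("no Resources attached")
    return problems

def import_batches(findings: list, hub_account: str) -> list:
    """Drop findings that fail validate() and split the rest into batches of at most 100,
    each small enough for one `aws securityhub batch-import-findings --findings file://...` call."""
    good = [f for f in findings if not validate(f, hub_account)]
    return [good[i:i + SECURITY_HUB_BATCH_MAX] for i in range(0, len(good), SECURITY_HUB_BATCH_MAX)]
# Constructed two-page sample response (the &page=2 next link is made up), not real Warden output.
def _finding(n, status="FAILED", acct="123456789012"):
    return {"SchemaVersion": ASFF_SCHEMA_VERSION, "Id": f"sig-{n}", "AwsAccountId": acct,
            "Compliance": {"Status": status}, "Description": "desc", "Title": "rule",
            "Resources": [{"Id": f"arn:aws:s3:::bucket-{n}", "Type": "AwsS3Bucket", "Region": "us-east-1"}]}
BASE = "https://api.horangi.com/v1/cspm/checks?results=fail&account_id=123456789012&region=us-east-1"
SAMPLE_PAGES = {
    BASE: {"data": [_finding(i) for i in range(120)], "links": {"self": BASE, "next": BASE + "&page=2"}},
    BASE + "&page=2": {"data": [_finding(120), _finding(121, "PASSED"), _finding(122, acct="999999999999")],
                       "links": {"self": BASE + "&page=2", "next": None}},
}
def sample_fetch(url: str) -> dict:
    return SAMPLE_PAGES[url]
```

Run against a live export by replacing `sample_fetch` with a function that performs the curl request shown above and returns the parsed JSON body.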
Supported Resource Types
The following resource types are included in the ASFF-formatted finding response. These are the resources that both Warden and Security Hub support out of the box.
- ACM Certificate
- Auto Scaling Group
- Auto Scaling Launch Configuration
- CloudFormation Stack
- CloudFront Distribution
- CloudTrail Trail
- CloudWatch Alarm
- DynamoDB Table
- ECR Repository
- ECS Cluster
- ECS Container Instance
- ECS Service
- ECS Task Definition (Active)
- EC2 AMI
- EC2 Elastic IP Address
- EC2 Instance
- EC2 Network ACL
- EC2 Security Group
- EC2 Subnet
- EKS Cluster
- Elastic Beanstalk Environment
- ElasticSearch Domain
- Elastic Load Balancer v2
- Classic Load Balancer
- GuardDuty Detector
- IAM Group
- IAM Policy
- IAM Role
- IAM User
- Kinesis Data Stream
- KMS Key
- Lambda Function
- RDS DB Cluster
- RDS DB Instance
- RDS DB Snapshot
- Redshift Cluster
- S3 Bucket
- SageMaker Notebook Instance
- SecretsManager Secret
- SNS Topic
- SQS Queue
- VPC
- WAFv2 Access Control List