

# Overview of third-party integration with AWS Security Hub CSPM
<a name="integration-overview"></a>

This guide is intended for AWS Partner Network (APN) Partners who would like to create an integration with AWS Security Hub CSPM.

As an APN Partner, you can integrate with Security Hub CSPM in one or more of the following ways.
+ Send findings to Security Hub CSPM
+ Consume findings from Security Hub CSPM
+ Both send findings to and consume findings from Security Hub CSPM
+ Use Security Hub CSPM as the center of a managed security service provider (MSSP) offering
+ Consult with AWS customers on how to deploy and use Security Hub CSPM

This onboarding guide primarily focuses on partners that send findings to Security Hub CSPM.

**Topics**
+ [Why integrate with AWS Security Hub CSPM?](why-integrate.md)
+ [Preparing to send findings to AWS Security Hub CSPM](prepare-send-findings.md)
+ [Preparing to receive findings from AWS Security Hub CSPM](prepare-receive-findings.md)
+ [Resources for learning about AWS Security Hub CSPM](sechub-information-resources.md)

# Why integrate with AWS Security Hub CSPM?
<a name="why-integrate"></a>

AWS Security Hub CSPM provides a comprehensive view of high-priority security alerts and security status across Security Hub CSPM accounts. Security Hub CSPM allows partners like you to send security findings to Security Hub CSPM to provide your customers with insight into the security findings that you generate.

An integration with Security Hub CSPM can add value in the following ways.
+ Satisfies your customers who have requested a Security Hub CSPM integration
+ Provides your customers with a single view of their AWS security-related findings
+ Allows new customers to discover your solution when they look for partners who provide findings related to specific types of security events

Before you build an integration with Security Hub CSPM, examine your reasons for the integration. An integration is more likely to be successful if your customers want a Security Hub CSPM integration with your product. You can build an integration purely for marketing reasons or to acquire new customers. However, if you build the integration without any current customer input and do not consider your customers' needs, the integration might not yield the expected results.

# Preparing to send findings to AWS Security Hub CSPM
<a name="prepare-send-findings"></a>

As an APN Partner, you cannot send information to Security Hub CSPM for your customers until the Security Hub CSPM team enables you as a finding provider. To be enabled as a finding provider, you must complete the following onboarding steps. Doing so ensures a positive experience with Security Hub CSPM for you and your customers.

As you complete the onboarding steps, be sure to follow the guidelines in [Tenets for creating and updating findings](tenets-update-create-findings.md), [Guidelines for mapping findings into the AWS Security Finding Format (ASFF)](guidelines-asff-mapping.md), and [Guidelines for using the `BatchImportFindings` API](guidelines-batchimportfindings.md).

1. Map your security findings to the AWS Security Finding Format (ASFF).

1. Build your integration architecture to push findings to the correct Regional Security Hub CSPM endpoint. To do this, you define whether you will send findings from your own AWS account or from within your customer's accounts.

1. Have your customers subscribe the product to their account. To do this, they can use the console or the [`EnableImportFindingsForProduct`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_EnableImportFindingsForProduct.html) API operation. See [Managing product integrations](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-integrations-managing.html) in the *AWS Security Hub User Guide*.

   You can also subscribe the product for them. To do this, you use a cross-account role to access the [`EnableImportFindingsForProduct`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_EnableImportFindingsForProduct.html) API operation on behalf of the customer.

   This step establishes the resource policies that are needed to accept findings from that product for that account.
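The first two steps, sketched as an added example (not code from AWS or from this guide): vendor findings are mapped to the required top-level ASFF attributes, grouped by Region so each batch goes to the matching Regional endpoint, and split into batches of at most 100 for `BatchImportFindings`. The vendor input schema, the company and product IDs, and the exact `ProductArn` shape are assumptions.

```python
from collections import defaultdict

# Hypothetical product path; the real ProductArn is assigned during onboarding.
PRODUCT_PATH = "product/example-company/example-product"
MAX_BATCH = 100  # BatchImportFindings accepts at most 100 findings per call
LABELS = {"INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"}
SAMPLE = [  # constructed vendor findings; this input schema is invented here
    {"id": "f-1", "account": "111122223333", "region": "us-east-1", "rule": "open-ssh",
     "severity": "high", "seen": "2024-01-01T00:00:00Z", "title": "SSH open to the internet",
     "detail": "Port 22 allows 0.0.0.0/0.", "resource": "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0abc"},
    {"id": "f-2", "account": "111122223333", "region": "eu-west-1", "rule": "public-bucket",
     "severity": "medium", "seen": "2024-01-01T00:05:00Z", "title": "Bucket is public",
     "detail": "Bucket policy grants public read.", "resource": "arn:aws:s3:::example-bucket"},
]

def to_asff(raw, now):
    """Map one vendor finding to the required top-level ASFF attributes."""
    region, label = raw["region"], raw["severity"].upper()
    if label not in LABELS:  # fail closed instead of guessing a severity
        raise ValueError(f"unmapped severity: {raw['severity']}")
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"{region}/{raw['account']}/{raw['id']}",  # stable, so a re-send updates
        "ProductArn": f"arn:aws:securityhub:{region}::{PRODUCT_PATH}",  # assumed shape
        "GeneratorId": raw["rule"],
        "AwsAccountId": raw["account"],
        "Types": ["Software and Configuration Checks"],
        "CreatedAt": raw["seen"],
        "UpdatedAt": now,
        "Severity": {"Label": label},
        "Title": raw["title"][:256],
        "Description": raw["detail"][:1024],
        "Resources": [{"Type": "Other", "Id": raw["resource"], "Region": region}],
    }

def plan_batches(raw_findings, now):
    """Group findings by Region, then split each group into API-sized batches."""
    by_region = defaultdict(list)
    for raw in raw_findings:
        by_region[raw["region"]].append(to_asff(raw, now))
    return [(region, findings[i:i + MAX_BATCH])
            for region, findings in sorted(by_region.items())
            for i in range(0, len(findings), MAX_BATCH)]

def send(plan):
    import boto3  # lazy import: needs credentials and a subscribed product
    for region, batch in plan:
        resp = boto3.client("securityhub", region_name=region).batch_import_findings(Findings=batch)
        if resp["FailedCount"]:
            raise RuntimeError(resp["FailedFindings"])
```

`send(plan_batches(SAMPLE, now))` only succeeds after the third step, because the customer account must have the product subscribed before it accepts findings.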

The following blog posts discuss some of the existing partner integrations with Security Hub CSPM.
+ [Announcing Cloud Custodian Integration with AWS Security Hub CSPM](https://aws.amazon.com/blogs/opensource/announcing-cloud-custodian-integration-aws-security-hub/)
+ [Use AWS Fargate and Prowler to send security configuration findings about AWS services to Security Hub CSPM](https://aws.amazon.com/blogs/security/use-aws-fargate-prowler-send-security-configuration-findings-about-aws-services-security-hub/)
+ [How to import AWS Config rules evaluations as findings in Security Hub CSPM](https://aws.amazon.com/blogs/security/how-to-import-aws-config-rules-evaluations-findings-security-hub/)

# Preparing to receive findings from AWS Security Hub CSPM
<a name="prepare-receive-findings"></a>

To receive findings from AWS Security Hub CSPM, use one of the following options:
+ Have your customers automatically send all findings to CloudWatch Events. A customer can create specific CloudWatch event rules to send findings to specific targets, such as a SIEM or an S3 bucket.
+ Have your customers select specific findings or groups of findings from within the Security Hub CSPM console and then take action on them.

For example, your customers can send findings to a SIEM, a ticketing system, a chat platform, or a remediation workflow. This would be part of an alert triage workflow that a customer performs within Security Hub CSPM.

These user-initiated actions are called custom actions. When a user takes a custom action, a CloudWatch event is created for those specific findings. As a partner, you can leverage this capability and build CloudWatch event rules or targets for a customer to use as part of a custom action. Note that this capability does not automatically send all findings of a particular type or class to CloudWatch Events. This feature is for a user to take action on specific findings.
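The two receiving options, as an added example (not code from AWS or from this guide): the event patterns a customer rule would use for each option, and a target-side handler that accepts only those two event shapes and rejects custom actions other than the partner's own. The action ARN, the sample event, and the summary fields are constructed for illustration.

```python
SOURCE = "aws.securityhub"
IMPORTED = "Security Hub Findings - Imported"
CUSTOM = "Security Hub Findings - Custom Action"

# Event pattern for a rule that forwards every finding (first option above).
ALL_FINDINGS_PATTERN = {"source": [SOURCE], "detail-type": [IMPORTED]}


def custom_action_pattern(action_arn):
    """Pattern for a rule bound to one custom action (second option above)."""
    return {"source": [SOURCE], "detail-type": [CUSTOM], "resources": [action_arn]}


def matches(pattern, event):
    """Evaluate the top-level fields used here (not full event-pattern matching)."""
    for key, allowed in pattern.items():
        value = event.get(key)
        values = value if isinstance(value, list) else [value]
        if not any(v in allowed for v in values):
            return False
    return True


def extract(event, action_arn):
    """Return (route, finding summaries); raise on any event we did not expect."""
    if matches(custom_action_pattern(action_arn), event):
        route = "custom-action:" + event["detail"]["actionName"]
    elif matches(ALL_FINDINGS_PATTERN, event):
        route = "all-findings"
    else:
        raise ValueError("unexpected event: %s / %s"
                         % (event.get("source"), event.get("detail-type")))
    return route, [{"id": f["Id"], "account": f["AwsAccountId"],
                    "severity": f.get("Severity", {}).get("Label", "INFORMATIONAL"),
                    "title": f["Title"]} for f in event["detail"]["findings"]]


# Constructed sample, shaped like the event emitted for a custom action.
ACTION_ARN = "arn:aws:securityhub:us-east-1:111122223333:action/custom/SendToTicketing"
SAMPLE_EVENT = {
    "source": SOURCE, "detail-type": CUSTOM, "resources": [ACTION_ARN],
    "detail": {"actionName": "SendToTicketing", "findings": [
        {"Id": "us-east-1/111122223333/f-1", "AwsAccountId": "111122223333",
         "Severity": {"Label": "HIGH"}, "Title": "SSH open to the internet"}]},
}
```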

The following blog posts outline solutions that use the integration with Security Hub CSPM and CloudWatch Events for custom actions.
+ [How to Integrate AWS Security Hub CSPM Custom Actions with PagerDuty](https://aws.amazon.com/blogs/apn/how-to-integrate-aws-security-hub-custom-actions-with-pagerduty/)
+ [How to Enable Custom Actions in AWS Security Hub CSPM](https://aws.amazon.com/blogs/apn/how-to-enable-custom-actions-in-aws-security-hub/)
+ [How to import AWS Config rules evaluations as findings in Security Hub CSPM](https://aws.amazon.com/blogs/security/how-to-import-aws-config-rules-evaluations-findings-security-hub/)

# Resources for learning about AWS Security Hub CSPM
<a name="sechub-information-resources"></a>

The following materials can help you to better understand the AWS Security Hub CSPM solution and how AWS customers can use the service.
+ [Introduction to AWS Security Hub CSPM video](https://www.youtube.com/watch?v=o0NDi01YPXs)
+ [https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html)
+ [https://docs.aws.amazon.com/securityhub/1.0/APIReference/Welcome.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/Welcome.html)
+ [Onboarding webinar](https://pages.awscloud.com/aws-security-hub-partners-onboarding.html)

We also encourage you to enable Security Hub CSPM in one of your AWS accounts and get some hands-on experience with the service.