Automation Rules
Automation Rules is a core feature of NTC Security Tooling that automates the handling of AWS Security Hub findings through rule-driven processing, enrichment, and notification control. Built on a serverless architecture (Lambda, Step Functions, EventBridge), it extends native Security Hub capabilities while maintaining full compatibility with the AWS Security Finding Format (ASFF).
Overview
The Automation Rules feature in NTC Security Tooling uses the same syntax as native Security Hub automation rules but processes findings through Step Functions instead of Security Hub's built-in engine. This approach eliminates native limitations while providing enhanced capabilities for finding enrichment, processing, and notification management.
Key Benefits
| Feature | NTC Automation Rules | Native Security Hub Rules |
|---|---|---|
| Rule Capacity | Unlimited rules per region | Limited to 100 rules per region |
| Processing Architecture | Step Functions with Lambda | Native Security Hub engine |
| Notification Control | SNS-based notifications with granular control | No notification management |
| Integration | Deep NTC ecosystem integration | Standalone Security Hub feature |
| Compatibility | Full ASFF syntax support | Full ASFF syntax support |
| Enrichment | Custom Lambda-based processing | Limited AWS-managed operations |
Common Use Cases
- Severity Adjustment: Automatically elevate findings to CRITICAL for business-critical resources
- Environment-Based Processing: Apply different policies based on account classification (production vs. development)
- False Positive Management: Suppress known false positives without manual intervention
- Notification Routing: Control SNS notification delivery to appropriate teams based on finding characteristics
- Automated Remediation: Send raw notifications to Lambda functions for automated response actions
- Compliance Automation: Automatically mark findings as suppressed for accepted risks or compensating controls
Implementation
Configuration
Configure automation rules in your NTC Security Tooling module:
```hcl
module "ntc_security_tooling" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-security-tooling?ref=X.X.X"

  securityhub_processing_settings = {
    enable_processing = true
    automation_rules  = jsondecode(file("${path.module}/automation_rules.json"))
  }
}
```
Rule Format
Automation rules follow the standard AWS Security Finding Format (ASFF) syntax. Rules can be defined in JSON or Terraform template language.
Basic Rule Structure
```json
[
  {
    "IsTerminal": false,
    "RuleName": "ELEVATE_CRITICAL_RESOURCES",
    "RuleOrder": 10,
    "RuleStatus": "ENABLED",
    "Description": "Elevate severity for findings on critical resources",
    "Criteria": {
      "ProductName": [
        {
          "Comparison": "EQUALS",
          "Value": "Security Hub"
        }
      ],
      "ResourceId": [
        {
          "Comparison": "CONTAINS",
          "Value": "prod-critical"
        }
      ]
    },
    "Actions": [
      {
        "Type": "FINDING_FIELDS_UPDATE",
        "FindingFieldsUpdate": {
          "Severity": {
            "Label": "CRITICAL"
          },
          "Note": {
            "Text": "Elevated to CRITICAL - Business critical resource",
            "UpdatedBy": "NTC Automation Rules"
          }
        }
      }
    ]
  }
]
```
Rule Properties
- IsTerminal: Set to `true` to stop rule processing after this rule executes
- RuleName: Unique identifier for the rule
- RuleOrder: Determines execution order (lower numbers execute first)
- RuleStatus: `ENABLED` or `DISABLED`
- Criteria: ASFF-based conditions for rule matching
- Actions: Operations to perform on matching findings
Advanced Features
Notification Suppression
NTC Security Tooling uses Amazon SNS to deliver notifications about security findings. Automation Rules can control notification delivery using the `NTC_SUPPRESS_NOTIFICATION` field in `UserDefinedFields`.
Suppression Types
| Value | Effect |
|---|---|
| RAW | Suppresses raw JSON notifications (e.g. webhook, Lambda invocation) |
| PRETTY | Suppresses formatted notifications (e.g. email, Slack messages) |
| ALL | Suppresses all notification types |
Example: Suppress Inspector Pretty Notifications
```json
[
  {
    "IsTerminal": false,
    "RuleName": "SUPPRESS_INSPECTOR_PRETTY",
    "RuleOrder": 10,
    "RuleStatus": "ENABLED",
    "Description": "Suppress email notifications for Inspector findings while keeping raw notifications for automated processing",
    "Criteria": {
      "ProductName": [
        {
          "Comparison": "EQUALS",
          "Value": "Inspector"
        }
      ]
    },
    "Actions": [
      {
        "Type": "FINDING_FIELDS_UPDATE",
        "FindingFieldsUpdate": {
          "UserDefinedFields": {
            "NTC_SUPPRESS_NOTIFICATION": "PRETTY"
          }
        }
      }
    ]
  }
]
```
Finding Suppression vs Notification Suppression
- Finding Suppression: Marks findings as "SUPPRESSED" in Security Hub (changes the workflow status)
- Notification Suppression: Controls SNS notification delivery without changing the finding status in Security Hub
Example: Suppress Athena Primary Workgroup Findings (Finding Suppression)
```json
[
  {
    "IsTerminal": true,
    "RuleName": "SUPPRESS_ATHENA_PRIMARY_WORKGROUP",
    "RuleOrder": 40,
    "RuleStatus": "ENABLED",
    "Description": "Suppress Athena primary workgroup findings (always unencrypted by design)",
    "Criteria": {
      "ProductName": [
        {
          "Value": "Security Hub",
          "Comparison": "EQUALS"
        }
      ],
      "Title": [
        {
          "Value": "Athena workgroups",
          "Comparison": "PREFIX"
        }
      ]
    },
    "Actions": [
      {
        "Type": "FINDING_FIELDS_UPDATE",
        "FindingFieldsUpdate": {
          "Workflow": {
            "Status": "SUPPRESSED"
          },
          "Note": {
            "Text": "Suppressed - Primary workgroup is unencrypted by AWS design",
            "UpdatedBy": "NTC Automation Rules"
          }
        }
      }
    ]
  }
]
```
Rule Processing
Execution Order
Rules execute in ascending order based on the `RuleOrder` value. When multiple rules affect the same finding or field, the rule with the highest order number takes precedence.
Terminal Rules
Setting `IsTerminal: true` stops rule processing after that rule executes. Use this for final decisions like permanent suppression or severity assignment.
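The following is an added example, not NTC's own processing code, that makes the semantics of this section and of the Notification Suppression section above concrete: rules are evaluated in ascending `RuleOrder`, a later matching rule overwrites fields set by an earlier one, a terminal rule stops processing, and the `NTC_SUPPRESS_NOTIFICATION` value decides which SNS channel is allowed. The set of supported `Comparison` operators, the mapping of criteria names to ASFF finding paths, and the choice to match each rule against the finding as already updated by earlier rules are assumptions of this example; the sample rules and finding are constructed.

```python
"""Added example (not NTC's implementation): a minimal evaluator for ordered, terminal
automation rules and the NTC_SUPPRESS_NOTIFICATION notification gate."""
import copy

# Comparison operators handled here (assumption: the real engine may support more).
_COMPARISONS = {
    "EQUALS": lambda actual, value: actual == value,
    "NOT_EQUALS": lambda actual, value: actual != value,
    "PREFIX": lambda actual, value: actual.startswith(value),
    "CONTAINS": lambda actual, value: value in actual,
}

# Where each rule criterion lives inside an ASFF finding (assumed mapping).
_CRITERIA_PATHS = {
    "ProductName": ("ProductName",),
    "AwsAccountId": ("AwsAccountId",),
    "Title": ("Title",),
    "SeverityLabel": ("Severity", "Label"),
    "WorkflowStatus": ("Workflow", "Status"),
    "ComplianceStatus": ("Compliance", "Status"),
    "ResourceId": ("Resources", 0, "Id"),  # first resource only, to keep the example short
}


def _lookup(finding, path):
    node = finding
    for key in path:
        try:
            node = node[key]
        except (KeyError, IndexError, TypeError):
            return None
    return node


def matches(criteria, finding):
    """Every criteria field must match; inside one field any listed condition may match."""
    for field, conditions in criteria.items():
        if field not in _CRITERIA_PATHS:
            raise ValueError(f"unsupported criteria field: {field}")
        actual = _lookup(finding, _CRITERIA_PATHS[field])
        if actual is None:
            return False
        if not any(_COMPARISONS[c["Comparison"]](str(actual), c["Value"]) for c in conditions):
            return False
    return True


def _deep_merge(target, update):
    """Apply FindingFieldsUpdate without dropping sibling keys (e.g. keep Severity.Original)."""
    for key, value in update.items():
        if isinstance(value, dict) and isinstance(target.get(key), dict):
            _deep_merge(target[key], value)
        else:
            target[key] = value
    return target


def apply_rules(rules, finding):
    """Return (updated finding, names of applied rules). Ascending RuleOrder, later rules
    overwrite earlier updates, a terminal rule ends processing. The original is not mutated."""
    result = copy.deepcopy(finding)
    applied = []
    for rule in sorted(rules, key=lambda r: r["RuleOrder"]):
        if rule["RuleStatus"] != "ENABLED" or not matches(rule["Criteria"], result):
            continue
        for action in rule["Actions"]:
            if action["Type"] == "FINDING_FIELDS_UPDATE":
                _deep_merge(result, action["FindingFieldsUpdate"])
        applied.append(rule["RuleName"])
        if rule.get("IsTerminal"):
            break  # terminal rule: nothing with a higher RuleOrder runs
    return result, applied


def notification_allowed(finding, kind):
    """kind is 'RAW' or 'PRETTY'; False when NTC_SUPPRESS_NOTIFICATION blocks that channel."""
    value = finding.get("UserDefinedFields", {}).get("NTC_SUPPRESS_NOTIFICATION")
    return value not in ("ALL", kind)


# Constructed sample rules: elevate, then suppress pretty notifications for CRITICAL,
# then a terminal finding suppression, then a rule that must never run.
SAMPLE_RULES = [
    {"IsTerminal": False, "RuleName": "ELEVATE_CRITICAL_RESOURCES", "RuleOrder": 10, "RuleStatus": "ENABLED",
     "Criteria": {"ProductName": [{"Comparison": "EQUALS", "Value": "Security Hub"}],
                  "ResourceId": [{"Comparison": "CONTAINS", "Value": "prod-critical"}]},
     "Actions": [{"Type": "FINDING_FIELDS_UPDATE", "FindingFieldsUpdate": {"Severity": {"Label": "CRITICAL"}}}]},
    {"IsTerminal": False, "RuleName": "SUPPRESS_PRETTY_FOR_CRITICAL", "RuleOrder": 20, "RuleStatus": "ENABLED",
     "Criteria": {"SeverityLabel": [{"Comparison": "EQUALS", "Value": "CRITICAL"}]},
     "Actions": [{"Type": "FINDING_FIELDS_UPDATE",
                  "FindingFieldsUpdate": {"UserDefinedFields": {"NTC_SUPPRESS_NOTIFICATION": "PRETTY"}}}]},
    {"IsTerminal": True, "RuleName": "SUPPRESS_ATHENA_PRIMARY_WORKGROUP", "RuleOrder": 40, "RuleStatus": "ENABLED",
     "Criteria": {"Title": [{"Comparison": "PREFIX", "Value": "Athena workgroups"}]},
     "Actions": [{"Type": "FINDING_FIELDS_UPDATE", "FindingFieldsUpdate": {"Workflow": {"Status": "SUPPRESSED"}}}]},
    {"IsTerminal": False, "RuleName": "NEVER_REACHED_AFTER_TERMINAL", "RuleOrder": 50, "RuleStatus": "ENABLED",
     "Criteria": {"ProductName": [{"Comparison": "EQUALS", "Value": "Security Hub"}]},
     "Actions": [{"Type": "FINDING_FIELDS_UPDATE", "FindingFieldsUpdate": {"Severity": {"Label": "LOW"}}}]},
]

# Constructed ASFF-style finding (account id and ARN are placeholders).
SAMPLE_FINDING = {
    "ProductName": "Security Hub",
    "AwsAccountId": "111111111111",
    "Title": "Athena workgroups should be encrypted at rest",
    "Severity": {"Label": "MEDIUM"},
    "Workflow": {"Status": "NEW"},
    "Resources": [{"Id": "arn:aws:athena:eu-central-1:111111111111:workgroup/prod-critical-primary"}],
    "UserDefinedFields": {},
}

if __name__ == "__main__":
    updated, applied = apply_rules(SAMPLE_RULES, SAMPLE_FINDING)
    print("applied:", applied)
    print("severity:", updated["Severity"]["Label"], "workflow:", updated["Workflow"]["Status"])
    print("pretty allowed:", notification_allowed(updated, "PRETTY"), "raw allowed:", notification_allowed(updated, "RAW"))
```

Running it shows rule 50 never lowering the severity because rule 40 is terminal, and the finding leaving the pipeline with `PRETTY` notifications blocked while `RAW` delivery (for Lambda-based remediation) still goes through.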
Supported ASFF Fields
NTC Automation Rules support the same criteria and actions as native Security Hub rules, including:
- Rule Criteria: AwsAccountId, ProductName, ResourceId, SeverityLabel, ComplianceStatus, WorkflowStatus, and more
- Rule Actions: Severity, Workflow, Note, UserDefinedFields, Confidence, Criticality, and more
For complete field reference, see the AWS Security Finding Format (ASFF) documentation.
Best Practices
- Clear Naming: Use descriptive rule names that indicate purpose and scope
- Logical Ordering: Place specific rules before general ones to ensure proper precedence
- Terminal Rules: Use `IsTerminal: true` for final decisions to prevent further processing
- Testing: Validate rules in development environments before production deployment
- Version Control: Store rules in Git repositories alongside Terraform configurations
- Documentation: Document rule purpose and expected behavior for team collaboration
Troubleshooting
Common Issues
- Rules Not Executing: Check Step Function execution history in the AWS Console for detailed logs
- Unexpected Results: Verify rule criteria match the exact ASFF field format and values
- Rule Precedence: Review `RuleOrder` values and ensure terminal rules are positioned correctly
Debugging Steps
- Review CloudWatch logs for rule evaluation details
- Check Step Function execution history for processing flow
- Validate rule syntax against ASFF specification
- Test rules with sample findings before production deployment
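As an added example for the "validate rule syntax" and "test before production" steps (not a tool shipped with NTC Security Tooling), the linter below checks an `automation_rules.json` file for the structural problems this page implies: missing properties, duplicate `RuleName` or `RuleOrder` values (ambiguous precedence), a `RuleStatus` other than `ENABLED`/`DISABLED`, empty criteria, unknown action types, and an `NTC_SUPPRESS_NOTIFICATION` value outside `RAW`/`PRETTY`/`ALL`. The accepted `Comparison` operator list is an assumption; the sample rule set is constructed and deliberately contains one broken rule.

```python
"""Added example (not NTC's own tooling): pre-deployment linter for automation_rules.json."""
import json

VALID_STATUS = {"ENABLED", "DISABLED"}
VALID_SUPPRESSION = {"RAW", "PRETTY", "ALL"}
# Assumed operator set; extend to match what your deployed engine accepts.
VALID_COMPARISONS = {"EQUALS", "NOT_EQUALS", "PREFIX", "NOT_PREFIX", "CONTAINS", "NOT_CONTAINS"}
VALID_ACTION_TYPES = {"FINDING_FIELDS_UPDATE"}
REQUIRED_KEYS = ("RuleName", "RuleOrder", "RuleStatus", "Criteria", "Actions")


def lint_rules(rules):
    """Return a list of human-readable problems; an empty list means the rule set passed."""
    problems = []
    seen_names, seen_orders = set(), set()
    for idx, rule in enumerate(rules):
        where = f"rule[{idx}] {rule.get('RuleName', '<unnamed>')}"
        for key in REQUIRED_KEYS:
            if key not in rule:
                problems.append(f"{where}: missing {key}")

        name = rule.get("RuleName")
        if name in seen_names:
            problems.append(f"{where}: duplicate RuleName")
        seen_names.add(name)

        order = rule.get("RuleOrder")
        if isinstance(order, bool) or not isinstance(order, int) or order < 1:
            problems.append(f"{where}: RuleOrder must be a positive integer")
        elif order in seen_orders:
            problems.append(f"{where}: duplicate RuleOrder {order} makes precedence ambiguous")
        else:
            seen_orders.add(order)

        if rule.get("RuleStatus") not in VALID_STATUS:
            problems.append(f"{where}: RuleStatus must be one of {sorted(VALID_STATUS)}")

        for field, conditions in (rule.get("Criteria") or {}).items():
            if not conditions:
                problems.append(f"{where}: Criteria.{field} is empty")
            for cond in conditions or []:
                if cond.get("Comparison") not in VALID_COMPARISONS:
                    problems.append(f"{where}: Criteria.{field} uses unknown Comparison {cond.get('Comparison')!r}")
                if "Value" not in cond:
                    problems.append(f"{where}: Criteria.{field} condition has no Value")

        for action in rule.get("Actions") or []:
            if action.get("Type") not in VALID_ACTION_TYPES:
                problems.append(f"{where}: unknown action Type {action.get('Type')!r}")
            udf = action.get("FindingFieldsUpdate", {}).get("UserDefinedFields", {})
            suppression = udf.get("NTC_SUPPRESS_NOTIFICATION")
            if suppression is not None and suppression not in VALID_SUPPRESSION:
                problems.append(f"{where}: NTC_SUPPRESS_NOTIFICATION must be one of {sorted(VALID_SUPPRESSION)}")
    return problems


def lint_file(path):
    """Lint a JSON file in the format consumed by jsondecode(file(...)) in the module config."""
    with open(path, encoding="utf-8") as fh:
        return lint_rules(json.load(fh))


# Constructed sample: rule[0] is valid, rule[1] repeats name and order, has a lowercase
# status, an unknown operator and an invalid suppression value.
CONSTRUCTED_RULES = [
    {"IsTerminal": False, "RuleName": "SUPPRESS_INSPECTOR_PRETTY", "RuleOrder": 10, "RuleStatus": "ENABLED",
     "Criteria": {"ProductName": [{"Comparison": "EQUALS", "Value": "Inspector"}]},
     "Actions": [{"Type": "FINDING_FIELDS_UPDATE",
                  "FindingFieldsUpdate": {"UserDefinedFields": {"NTC_SUPPRESS_NOTIFICATION": "PRETTY"}}}]},
    {"IsTerminal": True, "RuleName": "SUPPRESS_INSPECTOR_PRETTY", "RuleOrder": 10, "RuleStatus": "enabled",
     "Criteria": {"Title": [{"Comparison": "STARTS_WITH", "Value": "Athena workgroups"}]},
     "Actions": [{"Type": "FINDING_FIELDS_UPDATE",
                  "FindingFieldsUpdate": {"UserDefinedFields": {"NTC_SUPPRESS_NOTIFICATION": "EMAIL"}}}]},
]

if __name__ == "__main__":
    import sys
    findings = lint_file(sys.argv[1]) if len(sys.argv) > 1 else lint_rules(CONSTRUCTED_RULES)
    print("\n".join(findings) or "OK: no problems found")
    sys.exit(1 if findings else 0)
```

Wire it into CI as `python lint_rules.py automation_rules.json` so a broken rule file fails the pipeline before `terraform apply` ships it to the Step Functions pipeline.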
Conclusion
The Automation Rules feature in NTC Security Tooling provides unlimited scalability and advanced processing capabilities while maintaining full compatibility with AWS Security Hub's native syntax. By leveraging SNS-based notifications with both pretty and raw formats, it enables sophisticated security finding automation at scale - from human-readable reports to automated remediation workflows. This reduces operational overhead and transforms security findings into actionable intelligence.