AWS Security Hub: HTTP Ingest


AWS Security Hub centralizes and prioritizes security findings from AWS and third-party tools, providing a unified view of your security posture using compliance standards and a common format (ASFF). For detailed information refer to the AWS Security Hub’s official documentation.

Integration Method: HTTP Collector. Refer to this article for API ingestion

Tables: Data Security Finding [2006], Detection Finding [2004], Vulnerability Finding [2002], Compliance Finding [2003]

This integration supports the following events.

  Event      Description
  Findings   Get the list of AWS Security Hub finding events

Note:

AWS Security Hub doesn’t follow a traditional versioning system. It is a continuously updated cloud service.

Prerequisites

  • The user should have access to the AWS portal.

  • The user should have access to the Security Hub dashboard.

  • The user should have permissions to create EventBridge rules, connections, and API destinations.

  • The user should have access to the DataBee console.

Configuration Overview

  1. Create an AWS Security Hub HTTP Collector data feed in DataBee to receive and process Security Hub findings.

  2. Configure an EventBridge API Destination using the DataBee HTTP Collector URL and Authorization Key.

  3. Create an EventBridge Rule to forward findings from AWS Security Hub to the configured API Destination.

The EventBridge setup can be automated using Terraform scripts as described in the Terraform section of this article.

DataBee Configuration

  1. Log in to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.

  2. Search for AWS Security Hub and click on it.

  3. Select HTTP Collector as the collection method.
     

  4. Enter feed contact information and click Next.
     

  5. In the configuration page, confirm the following and click Next.

    • Format: Select JSON data format option.
       

  6. Use the Copy to clipboard button to copy the Endpoint URL and Tenant ID for later use, and then click Generate New API Key.

     

  7. Use the Copy to clipboard button to copy the API Key and keep it for later use. The key authenticates everything sent to the collector endpoint, so store it in a secrets manager rather than in a file or ticket, and generate a new key if it is ever exposed.
     

  8. Click Submit.

  9. Go to Data tab > Data Feeds > Select the configured Data feed > Copy the DataSource ID for later use.
     

AWS Security Hub Configuration

Configure an EventBridge API Destination

  1. Log in to AWS using an account that has permissions to manage Amazon EventBridge and access AWS Security Hub findings, then open the EventBridge console. The user needs IAM permissions for EventBridge (for example events:* to create and manage rules, connections and API destinations) and securityhub:GetFindings (to access Security Hub findings).

    Note:

    The wildcard * grants every action in that service namespace. For least privilege, grant only the specific actions this procedure uses (events:CreateConnection, events:CreateApiDestination, events:PutRule and events:PutTargets, as listed under Troubleshooting Tips) instead of events:*.


  2. In the left navigation pane, choose Integration > API destinations.
     

  3. Scroll down to the API destinations table and then choose Create API destination.

  4. On Create API destination,

    1. Enter a ‘Name’ for the API destination (the name must be unique within your account in the current Region).

    2. In the ‘API destination endpoint’ field, paste the Endpoint URL copied from DataBee earlier.

    3. Select the ‘HTTP method’ as POST.

    4. In ‘Connection configuration’, select Create a new connection.
       

  5. For Connection configuration,

    1. Provide a ‘Connection name’.

    2. Under ‘Configure invocation’, keep Public as the ‘API Type’.
       

  6. Select API Key in the ‘Authorization type’.

    1. Enter the ‘API key name’ as Authorization.

    2. Paste the API key ‘value’ from DataBee.

    3. Click Create.

Create an EventBridge Rule

  1. Open the Amazon EventBridge Console.
     

  2. In the navigation pane, click Rules.
     

  3. Click on Create rule.
     

  4. Under Define rule detail,

    1. Provide a rule ‘Name’.

    2. Click Next.
       

  5. Under Build event pattern,

    1. Select AWS events or EventBridge partner events as the ‘Event source’.

    2. Under the event pattern, set ‘Event source’ to AWS services.

    3. Choose Security Hub as the ‘AWS service’.

    4. Select Finding Imported V2 as the ‘Event type’.

  6. Click Next.

  7. Under Select target(s),

    1. Choose EventBridge API destination as ‘Target type’.

    2. Choose Use an existing API destination option for ‘API destination’ and select the API Destination created earlier in the API Destination section.

    3. Under ‘Header Parameters’, add the following three header parameters:

      1. Tenant ID

        Key: TenantID

        Value: Paste the Tenant ID from DataBee.

      2. Authorization

        Key: Authorization

        Value: Paste the API Key from DataBee.

      3. Datasource ID

        Key: DatasourceID

        Value: Paste the Datasource ID from DataBee.

    Note:

    The connection created earlier already injects an Authorization header from its stored API key on every invocation. Unlike connection credentials, which EventBridge keeps in AWS Secrets Manager, header parameters set on the rule target are stored as part of the rule definition and are readable by anyone who can describe the rule's targets, so keep secret values in the connection wherever the collector accepts that.

  8. Click Next.
     

  9. Under Configure tags – optional, Click Next.
     

  10. Review all configuration details of the rule and click on Create rule.
     

Optional: EventBridge Configuration via Terraform

As an alternative, the EventBridge configuration can be automated by using Terraform scripts. The scripts can be found as files in the right-hand column of this article.

Prerequisite

Configuration Steps

  1. Set Up AWS Credentials

    1. Configure the AWS credentials using the following environment variables:

      1. AWS_ACCESS_KEY_ID

      2. AWS_SECRET_ACCESS_KEY

      Temporary credentials (from STS, IAM Identity Center or an assumed role) additionally require AWS_SESSION_TOKEN; prefer them over long-lived access keys. Any other credential source the provider supports, such as a named profile, works as well.

    2. For more details, see the Terraform AWS Provider Documentation.

  2. Update Terraform Configuration Files

    1. Update the variables defined in the aws_securityhub_terraform.tfvars file.

    2. Update the region parameter in the AWS provider block within aws_securityhub_main.tf to match the target deployment region.

  3. Deploy the Infrastructure

    1. Execute the following Terraform commands in sequence, reviewing the plan output before applying so that only the expected EventBridge and IAM resources are created:

      terraform init
      terraform plan
      terraform apply
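The following Terraform configuration is an added example that wires up the same pieces the console procedure above creates (connection, API destination, rule and target); it is not one of the scripts attached to this article, and the resource names, variable names and the retry values are assumptions. The exact detail-type string in the event pattern should be checked against the pattern the console generates for Finding Imported V2. Unlike the console, Terraform does not create the IAM role that EventBridge assumes to call the API destination, so the example includes a role limited to events:InvokeApiDestination on that one destination.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

# Must be the Region in which Security Hub is enabled (see Troubleshooting Tips).
provider "aws" {
  region = var.region
}

variable "region" { type = string }
variable "databee_endpoint_url" { type = string }  # Endpoint URL copied from DataBee
variable "databee_tenant_id" { type = string }     # Tenant ID copied from DataBee
variable "databee_datasource_id" { type = string } # DataSource ID copied from DataBee
variable "databee_api_key" {
  type      = string
  sensitive = true # kept out of plan output; pass via TF_VAR_databee_api_key, not a committed tfvars file
}

# Connection: EventBridge stores the API key in AWS Secrets Manager and adds
# the "Authorization" header on every invocation.
resource "aws_cloudwatch_event_connection" "databee" {
  name               = "databee-securityhub" # assumed name
  authorization_type = "API_KEY"
  auth_parameters {
    api_key {
      key   = "Authorization"
      value = var.databee_api_key
    }
  }
}

resource "aws_cloudwatch_event_api_destination" "databee" {
  name                = "databee-securityhub" # assumed name
  connection_arn      = aws_cloudwatch_event_connection.databee.arn
  invocation_endpoint = var.databee_endpoint_url
  http_method         = "POST"
}

# Rule: match only Security Hub finding events on the default event bus.
resource "aws_cloudwatch_event_rule" "securityhub_findings" {
  name        = "securityhub-findings-to-databee" # assumed name
  description = "Forward AWS Security Hub findings to the DataBee HTTP Collector"
  event_pattern = jsonencode({
    source        = ["aws.securityhub"]
    "detail-type" = ["Findings Imported V2"] # assumption: verify against the console-generated pattern
  })
}

# Role EventBridge assumes to invoke the destination; scoped to this destination only.
data "aws_iam_policy_document" "assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "invoke" {
  name               = "securityhub-to-databee-invoke" # assumed name
  assume_role_policy = data.aws_iam_policy_document.assume.json
}

data "aws_iam_policy_document" "invoke" {
  statement {
    actions   = ["events:InvokeApiDestination"]
    resources = [aws_cloudwatch_event_api_destination.databee.arn]
  }
}

resource "aws_iam_role_policy" "invoke" {
  role   = aws_iam_role.invoke.id
  policy = data.aws_iam_policy_document.invoke.json
}

resource "aws_cloudwatch_event_target" "databee" {
  rule     = aws_cloudwatch_event_rule.securityhub_findings.name
  arn      = aws_cloudwatch_event_api_destination.databee.arn
  role_arn = aws_iam_role.invoke.arn

  # Non-secret routing headers live on the target; the secret Authorization
  # header comes from the connection above.
  http_target {
    header_parameters = {
      TenantID     = var.databee_tenant_id
      DatasourceID = var.databee_datasource_id
    }
  }

  # Assumed values: keep retrying a failed delivery for up to an hour.
  retry_policy {
    maximum_event_age_in_seconds = 3600
    maximum_retry_attempts       = 10
  }
}
```

Supply the API key through the TF_VAR_databee_api_key environment variable or a tfvars file excluded from version control; the key still lands in Terraform state, so treat the state backend as sensitive. If the collector requires the Authorization header to be present as a target header parameter as well, as in the console steps, add it to header_parameters with the understanding that it is then stored in the rule definition rather than in Secrets Manager.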

Troubleshooting Tips

  1. How can I check if my account has permission to manage EventBridge?
    In the AWS Management Console, go to EventBridge > Rules. If you can view, create, or edit rules, your account has the required permissions. If the option is disabled or you see an “Access Denied” message, contact your administrator to verify your IAM permissions.

  2. Why am I not seeing Security Hub events in EventBridge?
    Make sure Security Hub is enabled in the same region and that EventBridge has an active rule with the event source set to aws.securityhub.

  3. My rule is not triggering — what should I check?
    Verify that the rule state is set to Enabled, the event pattern matches Security Hub findings, and the target (API destination) is active and reachable.

  4. How do I confirm that events are reaching my API destination?
    In EventBridge → API destinations → Monitoring, check invocation metrics or use CloudWatch Logs to verify delivery attempts.

  5. What if I see “Access Denied” when creating a rule or destination?
    Confirm that your IAM role includes the required actions:
    events:CreateConnection, events:CreateApiDestination, events:PutRule, and events:PutTargets.

For troubleshooting guidance, refer to the official DataBee HTTP Collector documentation.