Security Findings

How Opsitron ingests, triages, and remediates AWS Security Hub findings.

Opsitron integrates with AWS Security Hub to automatically ingest security findings across your AWS accounts, triage them by severity, and optionally generate remediation requests.

How It Works

AWS Security Hub continuously evaluates your resources against security standards (CIS AWS Foundations, NIST 800-53, AWS Foundational Security Best Practices). When a finding is detected, it’s sent to Opsitron via EventBridge.

Security Hub → EventBridge → Opsitron Webhook → Finding Record → Triage → Request

Ingestion

Findings arrive in real time via an EventBridge API Destination configured during onboarding. Each finding includes:

  • Severity — Critical, High, Medium, Low, Informational
  • Resource — The specific AWS resource affected (S3 bucket, IAM role, EC2 instance, etc.)
  • Standard — Which compliance standard flagged it (CIS, NIST, AWS Best Practices)
  • Account — Which AWS account the finding originated from
  • Status — New, Updated, Resolved

Triage

When a finding is ingested, Opsitron:

  1. Deduplicates — Groups related findings for the same resource
  2. Maps to infrastructure — Identifies which application and environment owns the affected resource
  3. Prioritizes — Ranks by severity and compliance impact
  4. Presents for review — Staff can view findings in the portal and filter by severity, account, or status

Remediation

For findings that require action, staff can:

  • Create a remediation request — Opsitron generates an infrastructure change request to fix the finding. The AI agent understands the finding type and proposes an appropriate fix.
  • Dismiss — Mark findings as acceptable risk with a reason
  • Defer — Acknowledge but schedule remediation for later

What Gets Flagged

Common findings Opsitron surfaces:

Finding                            Severity   Example Remediation
S3 bucket without encryption       High       Enable AES-256 or KMS encryption
Public S3 bucket                   Critical   Add public access block
IAM policy with wildcard actions   High       Scope to specific actions
Security group with 0.0.0.0/0      Medium     Restrict to known CIDRs
RDS without encryption at rest     High       Enable encryption (requires recreation)
CloudTrail not enabled             High       Enable in all regions
KMS key rotation disabled          Medium     Enable automatic rotation
Root account access keys           Critical   Remove and use IAM users

Compliance Standards

Opsitron supports findings from all Security Hub standards:

  • CIS AWS Foundations Benchmark v1.4, v3.0
  • NIST 800-53 v5.0
  • AWS Foundational Security Best Practices v1.0
  • PCI DSS v3.2.1

Findings from multiple standards are correlated — a single misconfiguration that triggers alerts in both CIS and NIST is shown as one finding with multiple standard references.
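The ingestion and triage steps described above, together with the cross-standard correlation just mentioned, as an added example in Python (this is illustrative code, not Opsitron's own implementation). It parses the ASFF records carried in a constructed EventBridge "Security Hub Findings - Imported" event into the five fields the portal shows, groups records that concern the same account, resource and control, merges their standard references into one finding, and ranks the result. The ASFF field paths (Severity.Label, Resources, Compliance.SecurityControlId, Compliance.AssociatedStandards, RecordState, Workflow.Status) are real; the status mapping, the grouping key and the priority order are this example's assumptions, and every account ID, ARN and finding ID in SAMPLE_EVENT is constructed.

```python
"""Parse, deduplicate, correlate and rank Security Hub findings from an
EventBridge event. Added example, not Opsitron's code."""
import json

SEVERITY_RANK = {"CRITICAL": 5, "HIGH": 4, "MEDIUM": 3, "LOW": 2, "INFORMATIONAL": 1}


def _asff(control, title, severity, rtype, rid, standard,
          compliance="FAILED", record_state="ACTIVE", workflow="NEW"):
    """Build one constructed ASFF record carrying only the fields the parser reads."""
    return {
        "Id": f"constructed/{standard}/{control}/{rid}",
        "AwsAccountId": "111122223333",          # constructed account ID
        "Title": title,
        "Severity": {"Label": severity},
        "Resources": [{"Type": rtype, "Id": rid}],
        "Compliance": {"Status": compliance, "SecurityControlId": control,
                       "AssociatedStandards": [{"StandardsId": standard}]},
        "RecordState": record_state,
        "Workflow": {"Status": workflow},
    }


# Constructed sample in the shape EventBridge delivers: detail.findings holds
# ASFF records. The same encryption control on the same bucket is reported by
# two standards, which the triage step below must merge into one finding.
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        _asff("S3.4", "S3 buckets should have server-side encryption enabled", "HIGH",
              "AwsS3Bucket", "arn:aws:s3:::example-data-bucket",
              "standards/cis-aws-foundations-benchmark/v/1.4.0"),
        _asff("S3.4", "S3 buckets should have server-side encryption enabled", "HIGH",
              "AwsS3Bucket", "arn:aws:s3:::example-data-bucket",
              "standards/nist-800-53/v/5.0.0"),
        _asff("S3.2", "S3 buckets should prohibit public read access", "CRITICAL",
              "AwsS3Bucket", "arn:aws:s3:::example-public-bucket",
              "standards/aws-foundational-security-best-practices/v/1.0.0"),
        _asff("KMS.4", "AWS KMS key rotation should be enabled", "MEDIUM",
              "AwsKmsKey", "arn:aws:kms:us-east-1:111122223333:key/constructed-key-id",
              "standards/cis-aws-foundations-benchmark/v/3.0.0",
              compliance="PASSED", record_state="ARCHIVED", workflow="RESOLVED"),
    ]},
}


def parse_findings(event):
    """Flatten each ASFF record into severity, resource, standard, account, status."""
    if event.get("detail-type") != "Security Hub Findings - Imported":
        raise ValueError("not a Security Hub findings event")
    parsed = []
    for f in event["detail"]["findings"]:
        comp = f.get("Compliance", {})
        resource = f["Resources"][0]            # ASFF requires at least one resource
        # Status mapping (assumption): Security Hub marks a fixed finding PASSED
        # and eventually ARCHIVED; a NEW workflow status is a first sighting.
        if f.get("RecordState") == "ARCHIVED" or comp.get("Status") == "PASSED":
            status = "Resolved"
        elif f.get("Workflow", {}).get("Status") == "NEW":
            status = "New"
        else:
            status = "Updated"
        parsed.append({
            "id": f["Id"],
            "account": f["AwsAccountId"],
            "severity": f["Severity"]["Label"].upper(),
            "resource_type": resource["Type"],
            "resource_id": resource["Id"],
            "control": comp.get("SecurityControlId") or f.get("GeneratorId", "unknown"),
            "title": f.get("Title", ""),
            "standards": [s["StandardsId"] for s in comp.get("AssociatedStandards", [])],
            "status": status,
        })
    return parsed


def triage(findings):
    """Group by (account, resource, control), merge standard references, keep the
    highest severity seen, and rank: open before resolved, then severity, then
    how many standards the misconfiguration violates (compliance impact)."""
    groups = {}
    for f in findings:
        key = (f["account"], f["resource_id"], f["control"])
        g = groups.setdefault(key, {**f, "standards": [], "source_ids": [], "member_statuses": []})
        g["standards"] = sorted(set(g["standards"]) | set(f["standards"]))
        g["source_ids"].append(f["id"])
        g["member_statuses"].append(f["status"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[g["severity"]]:
            g["severity"] = f["severity"]
    merged = list(groups.values())
    for g in merged:
        statuses = g.pop("member_statuses")
        # A group is Resolved only when every underlying record is resolved.
        g["status"] = ("Resolved" if all(s == "Resolved" for s in statuses)
                       else "New" if "New" in statuses else "Updated")
    merged.sort(key=lambda g: (g["status"] == "Resolved",
                               -SEVERITY_RANK[g["severity"]],
                               -len(g["standards"]),
                               g["resource_id"]))
    return merged


if __name__ == "__main__":
    print(json.dumps(triage(parse_findings(SAMPLE_EVENT)), indent=2))
```

Run as a script it prints three findings: the public bucket first, then the single merged encryption finding carrying both the CIS and NIST standard references, then the already-resolved KMS finding. Grouping on the control ID rather than the raw finding ID is what turns two per-standard records into one portal entry; anything keyed on the Security Hub finding ID alone would show the same bucket twice.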

Finding Lifecycle

New → Triaged → In Progress → Resolved
         ↓
     Dismissed / Deferred

  • New — Just ingested, awaiting triage
  • Triaged — Mapped to an application/environment, ready for action
  • In Progress — A remediation request has been created
  • Resolved — The finding is fixed (confirmed by Security Hub re-evaluation)
  • Dismissed — Accepted risk, won’t be remediated
  • Deferred — Will be addressed later, tracked with a reason
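The lifecycle above and the three staff actions under Remediation, as an added example of a state guard in Python (illustrative code, not Opsitron's implementation). The states and the forward path New → Triaged → In Progress → Resolved follow the diagram; the rules that a dismissal or deferral must carry a reason and that Resolved is reached only when a Security Hub re-evaluation reports the control PASSED or the record ARCHIVED are taken from the bullet descriptions; the transitions allowed out of Deferred are this example's assumption. Finding and request IDs in the usage are constructed.

```python
"""Finding lifecycle guard. Added example, not Opsitron's code."""
from datetime import datetime, timezone

NEW, TRIAGED, IN_PROGRESS, RESOLVED, DISMISSED, DEFERRED = (
    "New", "Triaged", "In Progress", "Resolved", "Dismissed", "Deferred")

# Allowed next states. No staff action targets Resolved: only
# apply_security_hub_update() moves a finding there.
TRANSITIONS = {
    NEW: {TRIAGED},
    TRIAGED: {IN_PROGRESS, DISMISSED, DEFERRED},
    IN_PROGRESS: {RESOLVED, DISMISSED, DEFERRED},
    DEFERRED: {IN_PROGRESS, DISMISSED},    # assumption: a deferral can be resumed
    DISMISSED: set(),
    RESOLVED: set(),
}


class LifecycleError(Exception):
    pass


class Finding:
    def __init__(self, finding_id, severity, resource_id):
        self.id = finding_id
        self.severity = severity
        self.resource_id = resource_id
        self.state = NEW
        self.owner = None        # (application, environment) once triaged
        self.request_id = None   # remediation request, set on In Progress
        self.history = []        # audit trail: (utc timestamp, from, to, note)

    def _move(self, to, note):
        if to not in TRANSITIONS[self.state]:
            raise LifecycleError(f"{self.id}: {self.state} -> {to} is not allowed")
        self.history.append((datetime.now(timezone.utc), self.state, to, note))
        self.state = to

    def allowed_actions(self):
        """States staff may move this finding to by hand (Resolved excluded)."""
        return sorted(TRANSITIONS[self.state] - {RESOLVED})

    def triage(self, application, environment):
        self.owner = (application, environment)
        self._move(TRIAGED, f"mapped to {application}/{environment}")

    def start_remediation(self, request_id):
        self.request_id = request_id
        self._move(IN_PROGRESS, f"remediation request {request_id} created")

    def dismiss(self, reason):
        if not reason or not reason.strip():
            raise LifecycleError("dismissal requires a reason (accepted risk)")
        self._move(DISMISSED, reason)

    def defer(self, reason):
        if not reason or not reason.strip():
            raise LifecycleError("deferral requires a reason")
        self._move(DEFERRED, reason)

    def apply_security_hub_update(self, asff):
        """Advance to Resolved only when Security Hub itself reports the control
        passing or the finding archived; any other update is recorded but does
        not change state. Returns True when the finding was resolved."""
        comp_status = asff.get("Compliance", {}).get("Status")
        passed = comp_status == "PASSED" or asff.get("RecordState") == "ARCHIVED"
        if passed and RESOLVED in TRANSITIONS[self.state]:
            self._move(RESOLVED, "confirmed by Security Hub re-evaluation")
            return True
        self.history.append((datetime.now(timezone.utc), self.state, self.state,
                             f"Security Hub update: {comp_status}"))
        return False


if __name__ == "__main__":
    f = Finding("constructed-finding-1", "HIGH", "arn:aws:s3:::example-data-bucket")
    f.triage("billing-api", "prod")
    f.start_remediation("REQ-constructed-42")
    f.apply_security_hub_update({"Compliance": {"Status": "PASSED"}, "RecordState": "ARCHIVED"})
    for ts, src, dst, note in f.history:
        print(f"{ts.isoformat()} {src} -> {dst}: {note}")
```

The point of routing Resolved exclusively through apply_security_hub_update is that a staff member cannot close a finding by assertion: the portal marks it fixed only when the next Security Hub evaluation of the same control agrees, which is the confirmation the Resolved bullet describes.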

Visibility

The Opsitron portal shows:

  • Finding dashboard — Overview of open findings by severity and account
  • Per-client view — Findings scoped to each client’s AWS accounts
  • Activity feed — Finding events in the client’s activity timeline
  • Request linkage — Each remediation request links back to the finding that triggered it