Emmanuel Chalokwu | Security Engineer

EMMANUEL CHALOKWU
Linkedin
Cloud Security Integration

Rapid7 InsightVM
AWS Security Hub

A serverless, API-driven integration that synchronizes vulnerability findings from Rapid7 InsightVM into AWS Security Hub — enabling centralized SOC visibility with zero infrastructure changes.

Integration Type API-Based · Serverless
Update Frequency Every 1 Hour
Runtime Python 3.13 · Lambda
Est. Cost ~$0.51 / month
Scroll
10
Unique CVEs Imported
2 Critical · 8 High
1hr
Sync Frequency
EventBridge scheduled
0
Infrastructure Changes
Fully agentless
ASFF
Output Format
AWS Security Finding Format

Project Overview

Centralized Vulnerability Visibility

This integration bridges Rapid7 InsightVM and AWS Security Hub, allowing SOC analysts to view vulnerability findings alongside GuardDuty threats and AWS Config compliance issues — all in a single unified dashboard.

The solution is fully serverless and agentless. An AWS Lambda function (Python 3.13) fetches vulnerability data from the Rapid7 API, transforms it into the AWS Security Finding Format (ASFF), and pushes it into Security Hub via the BatchImportFindings API.

Security Hub was deliberately enabled via CLI (not the console GUI) to bypass the automatic AWS Config enablement — avoiding unnecessary cost while retaining all the finding aggregation capabilities needed for this integration.

Business Value

Centralized Visibility
All security findings in one location
No Infrastructure Changes
Agentless, serverless integration
Automated Updates
Vulnerability data refreshes every hour
Cost Effective
Minimal AWS costs — Lambda + Security Hub only

System Architecture

How It Works

A simple, three-component serverless pipeline. EventBridge schedules the sync, Lambda orchestrates the data flow, and Security Hub aggregates the findings.

Architecture flow diagram

Integration Flow — Step by Step

Step 01
EventBridge Trigger

EventBridge rule fires every hour — no manual intervention, continuous synchronization.

Step 02 · 03
Rapid7 API Call

Lambda authenticates with Rapid7 API key and fetches the latest vulnerability data in JSON (100 records, 10 unique CVEs).

Step 04
Transform to ASFF

Lambda deduplicates records and maps Rapid7 format → AWS Security Finding Format, including CVSS scores and severity normalization.

Step 05 · 06
Import to Security Hub

BatchImportFindings API pushes up to 100 findings per batch. Findings appear in the Security Hub console within seconds.

Data Transformation

Rapid7 Format → ASFF

Lambda translates Rapid7's proprietary JSON format into the AWS Security Finding Format, normalizing severity and enriching findings with CVE and CVSS context.

Input · Rapid7 Format
{
  "id": "wordpress-plugin-cve-2024-13555",
  "title": "WordPress Plugin: CVE-2024-13555: CSRF",
  "severity": "severe",
  "cvss_v3_score": 5.3,
  "cves": "CVE-2024-13555",
  "description": "Vulnerability description...",
  "published": "2025-02-17T00:00:00Z"
}
Output · ASFF Format
{
  "SchemaVersion": "2018-10-08",
  "Id": "us-east-1/.../rapid7/wordpress-...",
  "GeneratorId": "rapid7-insightvm-integration",
  "Types": ["Software and Configuration Checks/..."],
  "Severity": {
    "Label": "HIGH",
    "Normalized": 70,
    "Product": 5.3
  },
  "Vulnerabilities": [{
    "Id": "CVE-2024-13555",
    "Cvss": [{ "BaseScore": 5.3 }]
  }]
}

Technical Implementation

Components & Configuration

Component Technology Purpose Key Detail
Rapid7 InsightVM SaaS API Source of vulnerability data REST API · JSON response
AWS Lambda Python 3.13 Data transformation & orchestration 512 MB · 15 min timeout
AWS Security Hub AWS Service Centralized findings dashboard Enabled via CLI (not GUI)
EventBridge Rule AWS Service Scheduled execution rate(1 hour) · Scheduled Standard
IAM Role AWS Service Lambda permissions (least privilege) BatchImportFindings + BatchUpdateFindings only
CloudWatch Logs AWS Service Operational logging & monitoring Retention: Never Expire
Lambda Function Details
  • Name: Rapid7ToSecurityHubSync
  • Runtime: Python 3.13 · 512 MB memory
  • Timeout: 15 minutes
  • Handler: lambda_function.lambda_handler
  • Environment vars: AWS_ACCOUNT_ID, RAPID7_API_KEY, RAPID7_REGION, PAGE_SIZE
Key Lambda Functions
lambda_handler() fetch_rapid7_vulnerabilities() transform_to_asff() map_severity() send_to_security_hub()
IAM Least Privilege Policy
  • Role: Rapid7SecurityHubIntegrationRole
  • Action: securityhub:BatchImportFindings
  • Action: securityhub:BatchUpdateFindings
  • Resource: * (Security Hub scope)
  • Follows AWS least-privilege security best practices
EventBridge Rule
  • Rule: rapid7-cspm-scheduler
  • Schedule: rate(1 hour)
  • Target: Lambda rapid7-securityhub-integration
  • Type: Scheduled Standard
  • Status: Enabled · default event bus

Findings Distribution

Severity Mapping & Results

CRITICAL 2 findings · 20%
HIGH 8 findings · 80%
Severity Mapping Logic
Rapid7 critical → AWS CRITICAL
Rapid7 severe → AWS HIGH
Rapid7 moderate → AWS MEDIUM
Rapid7 low → AWS LOW
⚠ Duplicate Finding Note

Security Hub currently shows 20 findings instead of 10 unique vulnerabilities. Finding IDs changed during the testing phase, causing Security Hub to create new findings instead of updating existing ones.

ℹ Root Cause

When finding IDs change, Security Hub treats them as new findings rather than updates to existing records. This is a platform behavior — not a code defect.

✓ Impact Assessment

Cosmetic only — does not affect functionality or data accuracy. When original vulnerabilities are remediated in Rapid7, the redundant findings will be updated accordingly through the next sync cycle.

Deployment

Deployment Checklist

Reproducible steps for deploying this integration to any new AWS environment or region.

01 · Pre-Deployment
AWS account accessible with admin privileges
Target region identified
Rapid7 InsightVM API key generated
Rapid7 API connectivity tested
02 · AWS Services Setup
Security Hub enabled via CLI in target region
IAM role created with least-privilege permissions
Lambda function deployed with IAM role attached
Environment variables configured in Lambda
03 · Automation Setup
EventBridge rule created (rapid7-cspm-scheduler)
Schedule set to rate(1 hour)
Lambda function set as target
Rule enabled and status confirmed
04 · Testing & Validation
Lambda function tested manually (test event)
Test execution completes without errors
Findings appear in Security Hub console
Severity levels and CVE information validated
Automated execution confirmed via scheduled trigger
Linkedin

© 2026 Emmanuel Chalokwu. All rights reserved.