Emmanuel Chalokwu | Security Engineer

Cloud Security Integration

Rapid7 InsightVM
AWS Security Hub

A serverless, API-driven integration that synchronizes vulnerability findings from Rapid7 InsightVM into AWS Security Hub — enabling centralized SOC visibility with zero infrastructure changes.

Integration Type: API-Based · Serverless
Update Frequency: Every 1 Hour
Runtime: Python 3.13 · Lambda
Est. Cost: ~$0.51 / month
  • 10 unique CVEs imported (2 Critical · 8 High)
  • 1 hr sync frequency (EventBridge scheduled)
  • 0 infrastructure changes (fully agentless)
  • Output format: ASFF (AWS Security Finding Format)

Centralized Vulnerability Visibility

This integration bridges Rapid7 InsightVM and AWS Security Hub, allowing SOC analysts to view vulnerability findings alongside GuardDuty threats and AWS Config compliance issues — all in a single unified dashboard.

The solution is fully serverless and agentless. An AWS Lambda function (Python 3.13) fetches vulnerability data from the Rapid7 API, transforms it into the AWS Security Finding Format (ASFF), and pushes it into Security Hub via the BatchImportFindings API.

Security Hub was deliberately enabled via CLI (not the console GUI) to bypass the automatic AWS Config enablement — avoiding unnecessary cost while retaining all the finding aggregation capabilities needed for this integration.

  • Centralized Visibility: all security findings in one location
  • No Infrastructure Changes: agentless, serverless integration
  • Automated Updates: vulnerability data refreshes every hour
  • Cost Effective: minimal AWS costs (Lambda + Security Hub only)

How It Works

A simple, three-component serverless pipeline. EventBridge schedules the sync, Lambda orchestrates the data flow, and Security Hub aggregates the findings.

[Figure: architecture flow diagram]

Step 01 · EventBridge Trigger
EventBridge rule fires every hour — no manual intervention, continuous synchronization.

Step 02 · 03 · Rapid7 API Call
Lambda authenticates with the Rapid7 API key and fetches the latest vulnerability data in JSON (100 records, 10 unique CVEs).

Step 04 · Transform to ASFF
Lambda deduplicates records and maps Rapid7 format → AWS Security Finding Format, including CVSS scores and severity normalization.

Step 05 · 06 · Import to Security Hub
BatchImportFindings API pushes up to 100 findings per batch. Findings appear in the Security Hub console within seconds.
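The import step above, as an added example that is not the page's own send_to_security_hub(): it slices findings to the 100-per-call BatchImportFindings limit and surfaces FailedFindings (which the API returns without raising) instead of dropping them. FakeSecurityHub is a constructed stand-in for the boto3 client so the module runs offline.

```python
import logging

log = logging.getLogger("rapid7-securityhub")
BATCH_LIMIT = 100  # hard per-call limit of the Security Hub BatchImportFindings API

def chunked(items, size=BATCH_LIMIT):
    """Yield successive slices of at most `size` items."""
    for start in range(0, len(items), size):
        yield items[start:start + size]

def send_to_security_hub(client, findings):
    """Import ASFF findings through a boto3 Security Hub client (or anything with the
    same batch_import_findings method). Returns counts plus the Ids Security Hub
    rejected, so the Lambda can log and re-drive them rather than silently lose them."""
    result = {"success": 0, "failed": 0, "failed_ids": []}
    for batch in chunked(findings):
        resp = client.batch_import_findings(Findings=batch)
        result["success"] += resp.get("SuccessCount", 0)
        result["failed"] += resp.get("FailedCount", 0)
        for f in resp.get("FailedFindings", []):   # partial failures are not exceptions
            log.error("finding %s rejected: %s %s", f.get("Id"), f.get("ErrorCode"),
                      f.get("ErrorMessage"))
            result["failed_ids"].append(f.get("Id"))
    return result

def securityhub_client(region):
    """Real client for the Lambda runtime; imported lazily so the module loads offline."""
    import boto3  # bundled with the AWS Lambda Python runtime
    return boto3.client("securityhub", region_name=region)

class FakeSecurityHub:
    """Constructed stand-in for tests: rejects the Ids in `reject` and enforces the
    100-finding batch limit the way the real API does."""
    def __init__(self, reject=()):
        self.reject, self.calls = set(reject), []

    def batch_import_findings(self, Findings):
        if len(Findings) > BATCH_LIMIT:
            raise ValueError("BatchImportFindings accepts at most 100 findings per call")
        self.calls.append(len(Findings))
        failed = [{"Id": f["Id"], "ErrorCode": "InvalidInput", "ErrorMessage": "rejected"}
                  for f in Findings if f["Id"] in self.reject]
        return {"SuccessCount": len(Findings) - len(failed), "FailedCount": len(failed),
                "FailedFindings": failed}
```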

Rapid7 Format → ASFF

Lambda translates Rapid7's proprietary JSON format into the AWS Security Finding Format, normalizing severity and enriching findings with CVE and CVSS context.

Input · Rapid7 Format
{
  "id": "wordpress-plugin-cve-2024-13555",
  "title": "WordPress Plugin: CVE-2024-13555: CSRF",
  "severity": "severe",
  "cvss_v3_score": 5.3,
  "cves": "CVE-2024-13555",
  "description": "Vulnerability description...",
  "published": "2025-02-17T00:00:00Z"
}
Output · ASFF Format
{
  "SchemaVersion": "2018-10-08",
  "Id": "us-east-1/.../rapid7/wordpress-...",
  "GeneratorId": "rapid7-insightvm-integration",
  "Types": ["Software and Configuration Checks/..."],
  "Severity": {
    "Label": "HIGH",
    "Normalized": 70,
    "Product": 5.3
  },
  "Vulnerabilities": [{
    "Id": "CVE-2024-13555",
    "Cvss": [{ "BaseScore": 5.3 }]
  }]
}

Components & Configuration

Component        | Technology  | Purpose                              | Key Detail
Rapid7 InsightVM | SaaS API    | Source of vulnerability data         | REST API · JSON response
AWS Lambda       | Python 3.13 | Data transformation & orchestration  | 512 MB · 15 min timeout
AWS Security Hub | AWS Service | Centralized findings dashboard       | Enabled via CLI (not GUI)
EventBridge Rule | AWS Service | Scheduled execution                  | rate(1 hour) · Scheduled Standard
IAM Role         | AWS Service | Lambda permissions (least privilege) | BatchImportFindings + BatchUpdateFindings only
CloudWatch Logs  | AWS Service | Operational logging & monitoring     | Retention: Never Expire
Lambda Function Details
  • Name: Rapid7ToSecurityHubSync
  • Runtime: Python 3.13 · 512 MB memory
  • Timeout: 15 minutes
  • Handler: lambda_function.lambda_handler
  • Environment vars: AWS_ACCOUNT_ID, RAPID7_API_KEY, RAPID7_REGION, PAGE_SIZE
Key Lambda Functions
  • lambda_handler()
  • fetch_rapid7_vulnerabilities()
  • transform_to_asff()
  • map_severity()
  • send_to_security_hub()
IAM Least Privilege Policy
  • Role: Rapid7SecurityHubIntegrationRole
  • Action: securityhub:BatchImportFindings
  • Action: securityhub:BatchUpdateFindings
  • Resource: * (Security Hub scope)
  • Follows AWS least-privilege security best practices
EventBridge Rule
  • Rule: rapid7-cspm-scheduler
  • Schedule: rate(1 hour)
  • Target: Lambda rapid7-securityhub-integration
  • Type: Scheduled Standard
  • Status: Enabled · default event bus

Severity Mapping & Results

Results: CRITICAL 2 findings (20%) · HIGH 8 findings (80%)
Severity Mapping Logic
  • Rapid7 critical → AWS CRITICAL
  • Rapid7 severe → AWS HIGH
  • Rapid7 moderate → AWS MEDIUM
  • Rapid7 low → AWS LOW
⚠ Duplicate Finding Note

Security Hub currently shows 20 findings instead of 10 unique vulnerabilities. Finding IDs changed during the testing phase, causing Security Hub to create new findings instead of updating existing ones.

ℹ Root Cause

Security Hub keys findings on the ASFF Id field: when a finding ID changes, Security Hub treats the record as a new finding rather than an update to the existing one. This is platform behavior, not a code defect.

✓ Impact Assessment

Cosmetic only; it does not affect functionality or data accuracy. When the original vulnerabilities are remediated in Rapid7, the redundant findings will be updated accordingly on the next sync cycle.
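The Rapid7 → ASFF transform, the severity mapping table and the stable-Id point from the root-cause note, as an added example that is not the page's own transform_to_asff(): the Id is derived deterministically from the Rapid7 vulnerability id so that re-syncs update the existing finding instead of creating a duplicate. The full ASFF type string, the dedup key, the normalized-score values and the default custom-integration ProductArn are my assumptions; SAMPLE_RECORDS is constructed from the page's sample record.

```python
from datetime import datetime, timezone
# Rapid7 severity -> (ASFF label, normalized score), per the page's mapping table
SEVERITY_MAP = {"critical": ("CRITICAL", 90), "severe": ("HIGH", 70),
                "moderate": ("MEDIUM", 40), "low": ("LOW", 10)}

def map_severity(rapid7_severity):
    """Unknown or missing values fall back to INFORMATIONAL rather than raising."""
    return SEVERITY_MAP.get((rapid7_severity or "").lower(), ("INFORMATIONAL", 0))

def finding_id(account_id, region, vuln_id):
    # Deterministic Id: the same Rapid7 vulnerability always yields the same ASFF Id,
    # so a re-import updates the existing finding instead of creating a duplicate.
    return f"{region}/{account_id}/rapid7/{vuln_id}"

def transform_to_asff(records, account_id, region, now=None):
    """Deduplicate by Rapid7 vulnerability id and emit one ASFF finding per record."""
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # Default ProductArn for custom (non-marketplace) Security Hub integrations
    product_arn = f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default"
    seen, findings = set(), []
    for rec in records:
        if rec["id"] in seen:          # duplicate Rapid7 record, skip
            continue
        seen.add(rec["id"])
        label, normalized = map_severity(rec.get("severity"))
        score = float(rec.get("cvss_v3_score") or 0.0)
        cves = [c.strip() for c in str(rec.get("cves") or "").split(",") if c.strip()]
        findings.append({
            "SchemaVersion": "2018-10-08",
            "Id": finding_id(account_id, region, rec["id"]),
            "ProductArn": product_arn, "AwsAccountId": account_id,
            "GeneratorId": "rapid7-insightvm-integration",
            "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
            "CreatedAt": rec.get("published") or now, "UpdatedAt": now,
            "Severity": {"Label": label, "Normalized": normalized, "Product": score},
            "Title": (rec.get("title") or rec["id"])[:256],
            "Description": (rec.get("description") or "n/a")[:1024],
            "Resources": [{"Type": "Other", "Id": rec["id"]}],
            "Vulnerabilities": [{"Id": cve, "Cvss": [{"BaseScore": score, "Version": "3.1"}]}
                                for cve in cves],
        })
    return findings

# Constructed sample input: the page's record, a duplicate of it, and one critical record
SAMPLE_RECORDS = [
    {"id": "wordpress-plugin-cve-2024-13555", "title": "WordPress Plugin: CVE-2024-13555: CSRF",
     "severity": "severe", "cvss_v3_score": 5.3, "cves": "CVE-2024-13555",
     "description": "Vulnerability description...", "published": "2025-02-17T00:00:00Z"},
    {"id": "wordpress-plugin-cve-2024-13555", "severity": "severe", "cvss_v3_score": 5.3},
    {"id": "demo-critical", "severity": "critical", "cvss_v3_score": 9.8, "cves": "CVE-0000-00000"},
]
```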

Deployment Checklist

Reproducible steps for deploying this integration to any new AWS environment or region.

01 · Pre-Deployment
AWS account accessible with admin privileges
Target region identified
Rapid7 InsightVM API key generated
Rapid7 API connectivity tested
02 · AWS Services Setup
Security Hub enabled via CLI in target region
IAM role created with least-privilege permissions
Lambda function deployed with IAM role attached
Environment variables configured in Lambda
03 · Automation Setup
EventBridge rule created (rapid7-cspm-scheduler)
Schedule set to rate(1 hour)
Lambda function set as target
Rule enabled and status confirmed
04 · Testing & Validation
Lambda function tested manually (test event)
Test execution completes without errors
Findings appear in Security Hub console
Severity levels and CVE information validated
Automated execution confirmed via scheduled trigger