AWS Security Hub gives you a comprehensive view of your high-priority security alerts and security posture across your AWS accounts. Refer to this Amazon documentation to understand more about the service.
From my general understanding and experience, and from what I have gathered from different sources of Amazon documentation, here are the main points to remember.
Prerequisite: Enable AWS Config
Understanding the terminology and features
- Findings: Security Hub receives findings from the following sources.
  - Security Hub supports integrations with the following AWS services:
    - AWS Firewall Manager
    - IAM Access Analyzer
    - Amazon GuardDuty
    - Amazon Inspector
    - Amazon Macie
  - Security Hub also supports an integration with Amazon Detective.
- Insights: An AWS Security Hub insight is a collection of related findings.
  - Security Hub offers several built-in managed (default) insights. You cannot modify or delete managed insights.
  - We can create custom insights that are unique to our AWS environment and usage.
- Security Standards:
  - AWS Security Hub consumes, aggregates, and analyzes security findings from various supported AWS and third-party products.
  - Security Hub provides controls for the following standards:
    - CIS AWS Foundations
    - Payment Card Industry Data Security Standard (PCI DSS)
    - AWS Foundational Security Best Practices
  - The console displays a list of findings generated from a selected control, for example a CIS Benchmark control.
  - These findings can be Resolved or Suppressed, or a CloudWatch alert can be created for notifications.
  - For each security standard finding in “Failed” status, AWS offers remediation instructions from the console. Select the link and follow the instructions.
- Custom Actions: Let you send selected insights and findings to Amazon CloudWatch Events by creating a custom action.
  - Security Hub automatically sends all findings to CloudWatch Events as “Security Hub Findings - Imported” events.
- Custom Insights: We can create custom insights to track issues and resources that are specific to our environment: a collection of custom findings based on a selected Product (GuardDuty, Macie, etc.) and selected Filters.
- Integrations: Accept findings from other AWS services (e.g. Firewall Manager) or from third-party integrations (e.g. CrowdStrike). You can also send findings from Security Hub to some integrations.
- Multiple account consolidation: Security Hub findings from member accounts can be consolidated into a master / shared-service account using the account invitation method.
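The custom insight described above is, under the hood, a set of ASFF finding filters handed to the CreateInsight API. The following is an added example, not code from the original post or from AWS: it builds the Filters structure in the shape boto3's `create_insight` expects (entries under one key are OR-ed, different keys are AND-ed), evaluates the same filters locally against a few constructed sample findings so the filter logic can be checked before touching an account, and only calls AWS when run directly. The sample findings, the insight name and the `us-east-1` region are assumptions made for the example.

```python
"""Added example: build and locally evaluate Security Hub custom-insight filters.

The findings below are constructed samples in abbreviated ASFF shape; they are
not real findings. Only the EQUALS and PREFIX comparisons are modelled.
"""

SAMPLE_FINDINGS = [
    {"Id": "f-1", "ProductName": "GuardDuty", "Severity": {"Label": "CRITICAL"},
     "Workflow": {"Status": "NEW"}, "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0123"}]},
    {"Id": "f-2", "ProductName": "GuardDuty", "Severity": {"Label": "LOW"},
     "Workflow": {"Status": "NEW"}, "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0456"}]},
    {"Id": "f-3", "ProductName": "Macie", "Severity": {"Label": "CRITICAL"},
     "Workflow": {"Status": "NEW"}, "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}]},
    {"Id": "f-4", "ProductName": "GuardDuty", "Severity": {"Label": "CRITICAL"},
     "Workflow": {"Status": "RESOLVED"}, "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0789"}]},
]


def build_insight_filters(product_name, severity_labels, workflow_status="NEW"):
    """Return an AwsSecurityFindingFilters dict for CreateInsight.

    Each key maps to a list of {"Value", "Comparison"} entries. Entries under
    the same key are OR-ed; different keys are AND-ed.
    """
    return {
        "ProductName": [{"Value": product_name, "Comparison": "EQUALS"}],
        "SeverityLabel": [{"Value": s, "Comparison": "EQUALS"} for s in severity_labels],
        "WorkflowStatus": [{"Value": workflow_status, "Comparison": "EQUALS"}],
    }


# How each filter key reads its value out of an ASFF finding (subset used here).
_FIELD_GETTERS = {
    "ProductName": lambda f: f.get("ProductName"),
    "SeverityLabel": lambda f: f.get("Severity", {}).get("Label"),
    "WorkflowStatus": lambda f: f.get("Workflow", {}).get("Status"),
}


def _entry_matches(entry, value):
    if value is None:
        return False
    if entry["Comparison"] == "EQUALS":
        return value == entry["Value"]
    if entry["Comparison"] == "PREFIX":
        return value.startswith(entry["Value"])
    raise ValueError(f"unsupported comparison {entry['Comparison']}")


def finding_matches(filters, finding):
    """Local evaluation of the filter semantics: AND across keys, OR within a key."""
    for key, entries in filters.items():
        value = _FIELD_GETTERS[key](finding)
        if not any(_entry_matches(e, value) for e in entries):
            return False
    return True


def select_findings(filters, findings=SAMPLE_FINDINGS):
    """Ids of the findings the insight would group, in input order."""
    return [f["Id"] for f in findings if finding_matches(filters, f)]


def create_custom_insight(name, filters, group_by="ResourceId", region="us-east-1"):
    """Create the insight in Security Hub. Needs AWS credentials; region is an assumption."""
    import boto3  # imported lazily so the offline part of this file runs without it
    client = boto3.client("securityhub", region_name=region)
    resp = client.create_insight(Name=name, Filters=filters, GroupByAttribute=group_by)
    return resp["InsightArn"]


if __name__ == "__main__":
    filters = build_insight_filters("GuardDuty", ["CRITICAL", "HIGH"])
    print("would group locally:", select_findings(filters))  # ['f-1']
    # Uncomment with credentials configured to create the insight for real:
    # print(create_custom_insight("Open critical/high GuardDuty findings", filters))
```

Checking the filters locally first matters because Security Hub silently returns an empty insight for a filter that never matches (a mistyped product name, for instance), which is easy to mistake for a clean environment.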
Creating a CloudWatch rule to trigger an SNS topic (email) when there is a CRITICAL finding.
Use the event pattern below when creating the CloudWatch Events rule. Pattern keys are case-sensitive and must match the ASFF field names carried in the event, so the severity filter is spelled "Severity" / "Label":

```json
{
  "source": [
    "aws.securityhub"
  ],
  "detail-type": [
    "Security Hub Findings - Imported"
  ],
  "detail": {
    "findings": {
      "Severity": {
        "Label": [
          "CRITICAL"
        ]
      }
    }
  }
}
```
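To see why this pattern fires only for CRITICAL findings (and why a mistyped key would never fire at all), the following added example, which is not code from the original post or from AWS, re-implements the subset of EventBridge matching the pattern relies on and runs it over constructed Security Hub events. It also formats the matching finding the way a subscriber of the SNS topic would want to read it. Real EventBridge supports more operators (prefix, numeric, anything-but); only exact-value matching on nested keys is modelled, and the sample events are assumptions built for the example.

```python
"""Added example: offline check of the CRITICAL-finding event pattern."""
import json

# The pattern from the post, with the ASFF key spelled "Severity" as findings carry it.
CRITICAL_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"Severity": {"Label": ["CRITICAL"]}}},
}


def _make_event(label, detail_type="Security Hub Findings - Imported"):
    """Constructed sample event in the (abbreviated) shape Security Hub publishes."""
    return {
        "source": "aws.securityhub",
        "detail-type": detail_type,
        "detail": {"findings": [{
            "Id": f"finding-{label.lower()}",
            "Title": f"Constructed {label} finding",
            "ProductName": "GuardDuty",
            "Severity": {"Label": label},
            "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0abc"}],
        }]},
    }


SAMPLE_EVENTS = {
    "critical": _make_event("CRITICAL"),
    "high": _make_event("HIGH"),
    "critical_wrong_type": _make_event("CRITICAL", detail_type="Security Hub Findings - Custom Action"),
}


def pattern_matches(pattern, event):
    """Subset of EventBridge semantics used by this pattern.

    Every key in the pattern must exist in the event (case-sensitive). A list in
    the pattern means "the event value must equal one of these". A list in the
    event (such as detail.findings) matches if any element matches.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(isinstance(c, dict) and pattern_matches(expected, c) for c in candidates):
                return False
        elif actual not in expected:
            return False
    return True


def sns_message_for(event):
    """One line per finding; flat text so it reads well as an email body."""
    lines = []
    for f in event["detail"]["findings"]:
        res = ", ".join(f"{r['Type']}:{r['Id']}" for r in f.get("Resources", []))
        lines.append(f"[{f['Severity']['Label']}] {f['Title']} ({f['ProductName']}) -> {res}")
    return "\n".join(lines)


def matching_event_names(pattern=CRITICAL_PATTERN, events=SAMPLE_EVENTS):
    """Names of the sample events the rule would route to the SNS topic."""
    return [name for name, ev in events.items() if pattern_matches(pattern, ev)]


if __name__ == "__main__":
    print(json.dumps(CRITICAL_PATTERN, indent=2))
    for name in matching_event_names():  # ['critical']
        print(name, "->", sns_message_for(SAMPLE_EVENTS[name]))
```

Because key comparison is exact, a pattern written with a lowercase "severity" key matches nothing and the rule stays silent, so it is worth checking a new rule against a known CRITICAL finding rather than trusting that the absence of emails means the absence of findings.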