AWS Security Hub overview

AWS Security Hub gives you a comprehensive view of your high-priority security alerts and your security posture across your AWS accounts; refer to the Amazon documentation for a fuller description of the service.

From my general understanding and experience, and from what I have gathered from different pieces of Amazon documentation, here are the main points to remember.

Pre-requisite : Enable AWS Config (with resource recording) in every account and region where Security Hub will run, because the security standard checks are implemented as AWS Config rules.

Understanding the terminology and features

  • Findings : Security Hub receives findings from integrated AWS services and third-party products. It supports integrations with the following AWS services:
    • AWS Firewall Manager
    • IAM Access Analyzer
    • Amazon GuardDuty
    • Amazon Inspector
    • Amazon Macie
  • Security Hub also supports an integration with Amazon Detective.
  • Insights : An AWS Security Hub insight is a collection of related findings
    • Security Hub offers several built-in managed (default) insights. You cannot modify or delete managed insights.
    • We can create custom insights that are unique to our AWS environment and usage
  • Security Standards :
    • AWS Security Hub consumes, aggregates, and analyzes security findings from various supported AWS and third-party products, and additionally runs its own automated checks (controls) against the enabled standards.
    • Security Hub provides controls for the following standards.
      • CIS AWS Foundations
      • Payment Card Industry Data Security Standard (PCI DSS)
      • AWS Foundational Security Best Practices
    • The console displays the list of findings generated by a selected control, for example a CIS Benchmark control.
    • These findings can be set to Resolved or Suppressed (their workflow status), or a CloudWatch Events rule can be created for notifications.
    • For each control finding that is in “Failed” status, AWS offers remediation instructions from the console. Select the link and follow the instructions.
  • Custom Actions : Help send selected insights and findings to Amazon CloudWatch Events (now Amazon EventBridge) by creating a custom action; findings sent this way arrive as “Security Hub Findings – Custom Action” events.
    • Security Hub automatically sends all findings to CloudWatch Events as “Security Hub Findings – Imported” events, and it does so on every update of a finding, not only on first import.
  • Custom Insights : We can create custom insights to track issues and resources that are specific to our environment: a collection of findings selected by product (GuardDuty, Macie, etc.) and by filters.
  • Integrations : Accept findings from other AWS services (ex: Firewall Manager) or from third-party integrations (ex: CrowdStrike). You can also send findings from Security Hub to some integrations.
  • Multiple account consolidation : Security Hub findings from member accounts can be consolidated into an administrator (master) / shared-service account using the account invitation method; with AWS Organizations, a delegated administrator account can be used instead of invitations.

Creating a CloudWatch Events rule to trigger an SNS topic (email) when there is a CRITICAL finding.

Use the event pattern below when creating the CloudWatch Events rule. Note that the keys under "findings" follow the AWS Security Finding Format (ASFF) and are case-sensitive: the severity block is "Severity", not "severity", and a lowercase key silently matches nothing.

{
  "source": [
    "aws.securityhub"
  ],
  "detail-type": [
    "Security Hub Findings - Imported"
  ],
  "detail": {
    "findings": {
      "Severity": {
        "Label": [
          "CRITICAL"
        ]
      }
    }
  }
}
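Because a rule with a mistyped key fails silently, it is worth checking a pattern offline before creating the rule. The script below is an added example, not code from the post or from AWS: `matches()` is a hypothetical helper that implements only the subset of EventBridge pattern semantics these rules need (literal value lists, nested objects, and any-element matching over the `detail.findings` array), and `sample_event()` builds a constructed, minimal ASFF finding. It goes beyond the post in one respect: since “Findings – Imported” events also fire on updates, a third pattern restricts alerts to findings that are still `NEW` and `ACTIVE`, so the SNS topic is not re-paged every time someone resolves or suppresses an already-known finding.

```python
"""Offline check of EventBridge (CloudWatch Events) rule patterns against
Security Hub 'Findings - Imported' events.  Added example: matches() is a
hypothetical helper covering only the pattern subset used by these rules."""
import json

# The pattern from the post, with ASFF's case-sensitive "Severity" key.
CRITICAL_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"Severity": {"Label": ["CRITICAL"]}}},
}

# Same pattern with a lowercase key: EventBridge compares keys literally, so
# this rule never fires and the email subscriber silently receives nothing.
LOWERCASE_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"severity": {"Label": ["CRITICAL"]}}},
}

# Beyond the post: imported events also fire on every update of a finding,
# so only page on findings that are still new and active.
NEW_CRITICAL_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
        "findings": {
            "Severity": {"Label": ["CRITICAL"]},
            "Workflow": {"Status": ["NEW"]},
            "RecordState": ["ACTIVE"],
        }
    },
}


def matches(pattern, event):
    """Subset of EventBridge pattern semantics: every key in the pattern must
    exist in the event; a list in the pattern is the set of allowed literal
    values; a nested dict recurses; an event value that is itself a list
    (detail.findings is one) matches when any of its elements matches."""
    for key, expected in pattern.items():
        if key not in event or not _value_matches(expected, event[key]):
            return False
    return True


def _value_matches(expected, actual):
    if isinstance(actual, list):
        return any(_value_matches(expected, item) for item in actual)
    if isinstance(expected, dict):
        return isinstance(actual, dict) and matches(expected, actual)
    return actual in expected  # expected is a list of allowed literals


def sample_event(label, workflow_status="NEW", record_state="ACTIVE"):
    """Constructed 'Security Hub Findings - Imported' event carrying one
    minimal ASFF finding (sample data, not a real finding)."""
    return {
        "version": "0",
        "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Imported",
        "region": "us-east-1",
        "account": "111122223333",
        "detail": {
            "findings": [
                {
                    "SchemaVersion": "2018-10-08",
                    "Id": "example-finding-id",
                    "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
                    "Title": "Example control failed",
                    "Severity": {"Label": label},
                    "Workflow": {"Status": workflow_status},
                    "RecordState": record_state,
                }
            ]
        },
    }


def event_pattern_json(pattern):
    """Serialise a pattern for `aws events put-rule --event-pattern`."""
    return json.dumps(pattern, indent=2)


if __name__ == "__main__":
    cases = [("post pattern", CRITICAL_PATTERN),
             ("lowercase key", LOWERCASE_PATTERN),
             ("new+active only", NEW_CRITICAL_PATTERN)]
    for name, pattern in cases:
        print(f"{name:16} CRITICAL/NEW:      {matches(pattern, sample_event('CRITICAL'))}")
        print(f"{name:16} HIGH/NEW:          {matches(pattern, sample_event('HIGH'))}")
        print(f"{name:16} CRITICAL/RESOLVED: "
              f"{matches(pattern, sample_event('CRITICAL', 'RESOLVED'))}")
    print(event_pattern_json(NEW_CRITICAL_PATTERN))
```

Once a pattern passes this check, write `event_pattern_json(...)` to a file and pass it to `aws events put-rule --event-pattern file://pattern.json`, then attach the SNS topic with `aws events put-targets`; the `Workflow.Status` and `RecordState` filters are the usual first tuning step once the basic email alert is working.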