AWS Security Hub Guidebook - Unwinding security concerns

If you have been using or maintaining one or more AWS accounts, you must have come across the need to follow many different practices in order to assure standards and compliance. AWS makes all of these security and compliance checks possible under a single window called "AWS Security Hub".

AWS Security Hub is a simple, easy-to-use service that can be activated just by clicking the "Enable" button in the Security Hub console after signing in to AWS. The primary advantage of using AWS Security Hub is that, rather than stopping at each of the different services used by your architecture, gathering the findings, and finally prioritizing the "to be actioned" items, it is much simpler to have all the findings across services listed under one console (AWS Security Hub).


To begin with, let us understand the Security Hub service with these simple lines:

  1. AWS Security Hub is a cloud security posture management (CSPM) service
  2. Once enabled, it works automatically, performing automated best-practice checks against AWS services as well as partner products
  3. Basically, the AWS Foundational Security Best Practices are considered along with compliance frameworks
  4. All findings are consolidated in one single view in the management console, scored and prioritized
  5. Findings for all linked regions appear under one view, rather than having to view findings individually in each region

Let us start understanding all sections of AWS Security Hub.

Part 1 - Summary

Summary gives a full view of findings against the enabled compliance standard(s) with a score, along with the "Resources" list of the resources with the most failed security checks.


  • In the above example, I have only enabled "CIS AWS Foundations Benchmark v1.2.0", and against it the resources in this AWS account have 31 passed and 9 failed checks, which has been scored at 78% based on the assessment findings
  • If required, the latest version of the CIS Benchmark can also be activated by clicking the "Enable" button. Likewise for PCI DSS, AWS Foundational Security Best Practices, etc.

Part 2 - Security Standards


  • The "Security Standards" feature gives a complete view of the foundations or compliance standards that have been opted in to, for example "CIS AWS Foundations Benchmark v1.2.0"
  • On the top-right corner, observe that the findings listed here are gathered and reported from across all the regions linked for reporting in this AWS account
  • Any compliance standard already opted in to can be disabled by clicking "Disable"
  • Findings can also be viewed in a detailed view
  • Other "Security Standards" can be chosen by clicking the "Enable" button, after which findings against those standards will be reported as well

Part 3 - Insights

  • All areas that need attention or intervention are monitored and reported as "Insights"
  • "AWS managed" insights are reported and cannot be modified
  • Custom insights can be created and maintained as required using the "Create insight" feature
  • In the below view, you can see all insights listed, for all linked regions, against pre-defined categories with the count


  • Insights are categorized under 35 heads, reported against a 90-day trend
  • At the bottom right of each insight is the count of resources identified for that category

Part 4 - Findings

  • Any security check or issue is a finding, which is grouped into Low, Medium, High & Critical severity
  • Since regions are linked in this account, we are able to see the listings across regions
  • Overall, findings are listed with Severity, Region, the Workflow state of the finding, Title, Description, the Resource(s) that have failed a particular check, and the Compliance status


  • To understand a few items, look under the "Critical" section, where we have "MFA to be enabled for Root Account", and under "Medium", where VPC flow log enablement is identified.
  • We need to action these findings to have the account & resources secured
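The Findings view described in Part 4 can be reproduced outside the console. The following Python is an added example, not code from the original post: it builds the GetFindings filter for active, failed, not-yet-actioned findings, pages through the results, and groups them by severity with the resources that failed each check. The call shapes are those of the Security Hub GetFindings API as exposed by boto3, but the sample findings, account id and ARNs are constructed placeholders, and the FakeSecurityHub stand-in exists only so the block runs offline; pass boto3.client("securityhub") in its place to run it against a real account.

```python
"""Triage Security Hub findings the way Part 4 describes (severity, region,
compliance status, failed resources).

Added example, not code from the original post. It assumes findings in the
AWS Security Finding Format (ASFF) as returned by the Security Hub
GetFindings API; the three sample findings below are constructed for this
example, not exported from a real account.
"""
from collections import defaultdict

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL"]


def active_failed_filters():
    """GetFindings filter for the items that still need action: findings that
    are ACTIVE, FAILED their check and are not yet resolved or suppressed.
    Keys follow the AwsSecurityFindingFilters structure of the API."""
    return {
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        "ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}],
        "WorkflowStatus": [
            {"Value": "NEW", "Comparison": "EQUALS"},
            {"Value": "NOTIFIED", "Comparison": "EQUALS"},
        ],
    }


def fetch_findings(client, filters):
    """Page through GetFindings. `client` is a boto3 securityhub client or any
    object with a compatible get_findings(Filters=..., NextToken=...) method."""
    findings, kwargs = [], {"Filters": filters, "MaxResults": 100}
    while True:
        resp = client.get_findings(**kwargs)
        findings.extend(resp.get("Findings", []))
        token = resp.get("NextToken")
        if not token:
            return findings
        kwargs["NextToken"] = token


def triage(findings):
    """Group findings by severity label (highest first) and pull out the
    fields the console's Findings view shows: title, region, compliance
    status and the resource ids that failed the check."""
    grouped = defaultdict(list)
    for f in findings:
        label = f.get("Severity", {}).get("Label", "INFORMATIONAL")
        grouped[label].append({
            "title": f["Title"],
            "region": f.get("Region"),
            "compliance": f.get("Compliance", {}).get("Status"),
            "resources": [r["Id"] for r in f.get("Resources", [])],
        })
    return {s: grouped[s] for s in SEVERITY_ORDER if grouped[s]}


# ---- offline stand-in for the real client -------------------------------
# Constructed sample findings in ASFF shape; account id and ARNs are placeholders.
SAMPLE_FINDINGS = [
    {"Title": "MFA to be enabled for Root Account", "Region": "us-east-1",
     "Severity": {"Label": "CRITICAL"}, "RecordState": "ACTIVE",
     "Compliance": {"Status": "FAILED"}, "Workflow": {"Status": "NEW"},
     "Resources": [{"Id": "AWS::::Account:123456789012"}]},
    {"Title": "VPC flow logging should be enabled in all VPCs", "Region": "eu-west-1",
     "Severity": {"Label": "MEDIUM"}, "RecordState": "ACTIVE",
     "Compliance": {"Status": "FAILED"}, "Workflow": {"Status": "NOTIFIED"},
     "Resources": [{"Id": "arn:aws:ec2:eu-west-1:123456789012:vpc/vpc-placeholder"}]},
    {"Title": "CloudTrail should be enabled", "Region": "us-east-1",
     "Severity": {"Label": "HIGH"}, "RecordState": "ACTIVE",
     "Compliance": {"Status": "PASSED"}, "Workflow": {"Status": "RESOLVED"},
     "Resources": [{"Id": "AWS::::Account:123456789012"}]},
]

# Filter key -> path inside a finding, for the EQUALS comparisons used above.
_FILTER_PATHS = {"RecordState": ("RecordState",),
                 "ComplianceStatus": ("Compliance", "Status"),
                 "WorkflowStatus": ("Workflow", "Status")}


class FakeSecurityHub:
    """Minimal get_findings double: applies EQUALS filters and returns one
    finding per page so the NextToken loop in fetch_findings is exercised."""
    def __init__(self, findings):
        self._findings = findings

    def get_findings(self, Filters, MaxResults=100, NextToken=None):
        matches = [f for f in self._findings if self._match(f, Filters)]
        start = int(NextToken or 0)
        page = matches[start:start + 1]
        token = str(start + 1) if start + 1 < len(matches) else None
        return {"Findings": page, "NextToken": token}

    @staticmethod
    def _match(finding, filters):
        for key, clauses in filters.items():
            value = finding
            for part in _FILTER_PATHS[key]:
                value = value.get(part) if isinstance(value, dict) else None
            if value not in {c["Value"] for c in clauses if c["Comparison"] == "EQUALS"}:
                return False
        return True


if __name__ == "__main__":
    prioritized = triage(fetch_findings(FakeSecurityHub(SAMPLE_FINDINGS),
                                        active_failed_filters()))
    for sev, items in prioritized.items():
        for item in items:
            print(f"{sev:9} {item['region']:10} {item['title']} -> {item['resources']}")
```

The filter deliberately excludes PASSED checks and findings already marked RESOLVED or SUPPRESSED, so the output is the same "to be actioned" list the console shows under each severity, with region and failed resource ids alongside each title.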

Part 5 - Integrations

Integrations are used to receive more findings from AWS services or from third-party tools, based on requirements.


  • In our use case, we have accepted "Amazon Macie" findings as we need to protect sensitive data. The "Status" is "Accepting findings", which means any "Amazon Macie" violations will now be reported as Security Hub "Findings"
  • Other IoT services are not enabled, as they are not required for the use case at the moment

Part 6 - Settings

Now, for the final part, let us explore the settings (our findings preferences). Ideally, this should have been the section on top, but since it was quite simple to set up, I have placed it at the end of this post.

  • To start with, Settings -> Accounts lists the "Administrator" account that is controlling this member account, or the other member accounts, along with the date this account was "Invited" and its "Accept" status


  • Next is the most vital section, where the regions are linked and reported under one single view


  1. The Aggregation Region, where all the findings are reported, is shown
  2. The feature to automatically link regions that could be added/used later is set to "ON". This option ensures that any time the team or architecture decides to use a new region, that new region's checks will be monitored and reported automatically as well
  • Up next, "Custom Actions" can be created here with just a title, description & unique id, and integrated with Amazon CloudWatch Events (now Amazon EventBridge)
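The console steps from Part 2 (enabling a standard) and Part 6 (linking regions and creating a custom action) can also be applied through the API, which is how you would keep them consistent across many accounts. The following Python is an added example, not code from the original post. The operation names and parameters are those of the boto3 `securityhub` and `events` clients; the account id, region, action name and rule name are placeholders, and the RecordingClient stub is there only so the block runs without AWS credentials.

```python
"""Apply the Part 2 and Part 6 console settings through the Security Hub API.

Added example, not code from the original post. Operation names and
parameters are the real boto3 `securityhub` / `events` APIs; account id,
region and the action/rule names are placeholders. Clients are passed in, so
the steps run against the RecordingClient stub below offline, or against real
boto3 clients when you swap them in.
"""
import json
import re

# Standard ARN behind the console's "CIS AWS Foundations Benchmark v1.2.0" tile.
CIS_1_2_ARN = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"


def enable_standard(securityhub, standards_arn=CIS_1_2_ARN):
    """Part 2: opt in to a security standard (the console's "Enable" button)."""
    return securityhub.batch_enable_standards(
        StandardsSubscriptionRequests=[{"StandardsArn": standards_arn}])


def link_all_regions(securityhub):
    """Part 6: create the finding aggregator. Call this with a client for the
    region you want as the aggregation region. ALL_REGIONS also links regions
    enabled later, which is the console's auto-link toggle set to ON."""
    return securityhub.create_finding_aggregator(RegionLinkingMode="ALL_REGIONS")


def create_custom_action(securityhub, events, name, description, action_id, rule_name):
    """Part 6: create a custom action target plus the EventBridge (CloudWatch
    Events) rule that fires when an operator sends a finding to that action."""
    # The API accepts ids of up to 20 alphanumeric characters; fail early
    # rather than letting the call be rejected.
    if not re.fullmatch(r"[A-Za-z0-9]{1,20}", action_id):
        raise ValueError("custom action id must be 1-20 alphanumeric characters")
    arn = securityhub.create_action_target(
        Name=name, Description=description, Id=action_id)["ActionTargetArn"]
    # Event pattern Security Hub emits for custom actions; matching on the
    # action ARN keeps the rule from firing for every finding.
    pattern = {
        "source": ["aws.securityhub"],
        "detail-type": ["Security Hub Findings - Custom Action"],
        "resources": [arn],
    }
    events.put_rule(Name=rule_name, EventPattern=json.dumps(pattern), State="ENABLED")
    return arn, pattern


class RecordingClient:
    """Test double for a boto3 client: records every call and returns only the
    fields the functions above read. Account id and region are placeholders."""
    def __init__(self, account="123456789012", region="us-east-1"):
        self.calls = []
        self._account, self._region = account, region

    def __getattr__(self, operation):
        def call(**kwargs):
            self.calls.append((operation, kwargs))
            if operation == "create_action_target":
                return {"ActionTargetArn": f"arn:aws:securityhub:{self._region}:"
                        f"{self._account}:action/custom/{kwargs['Id']}"}
            if operation == "create_finding_aggregator":
                return {"FindingAggregatorArn": f"arn:aws:securityhub:{self._region}:"
                        f"{self._account}:finding-aggregator/placeholder"}
            return {}
        return call


if __name__ == "__main__":
    # Swap in boto3.client("securityhub") and boto3.client("events") to apply for real.
    hub, bus = RecordingClient(), RecordingClient()
    enable_standard(hub)
    print(link_all_regions(hub)["FindingAggregatorArn"])
    arn, pattern = create_custom_action(
        hub, bus, "Send to ticketing", "Open a ticket for this finding",
        "SendToTicketing", "securityhub-send-to-ticketing")
    print(arn)
    print(json.dumps(pattern, indent=2))
```

The rule created here has no target yet; attach one with `put_targets` (an SNS topic, a Lambda function or a ticketing integration) so that selecting the custom action in the Findings view actually hands the finding to your workflow.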


  • Coming to the "Usage" tab, this is the list of services being identified and reported, along with the item counts and the cost involved in reporting. In this use case,


  1. This account has many findings against "Security Standards", with the highest number of line items
  2. The cost of these findings to this account up to the 22nd day of the 31-day period is also clearly given. This way we have our cost monitoring, and will ultimately understand the importance of actioning the reported line items
  • Finally, the "General" section shows the common settings: "Service permissions, Resource policies & Disabling Security Hub"


Whooo !!! This was a close view of one use case, with a sandbox account environment identified to have many interesting findings. I hope you now have a wider knowledge of AWS Security Hub usage & integration.

Happy Learning !!!
