One of the challenges every security and audit professional has is collecting information from multiple sources, and then making sense of that information to determine if there is an action to take. AWS is no different.
There is AWS GuardDuty, which continuously monitors VPC Flow Logs, CloudTrail logs and DNS logs for malicious activity. GuardDuty is an intelligent threat detection service whose findings can be combined with Lambda functions to perform automated actions.
Next is AWS Inspector, which is an automated security assessment service which can assess applications for exposures, vulnerabilities or non-compliance with best practices.
AWS Macie uses machine learning to discover and protect sensitive data within your account. And, let’s not forget AWS Config, which is constantly scanning for changes in your resources, evaluating those changes and providing an audit trail of the changes.
Finally, there are the lower-level services such as VPC Flow Logs and CloudTrail.
The goal of this article is not to discuss each of those services in detail, but to discuss AWS Security Hub. Because Security Hub is still in Preview mode, there is limited documentation available.
What is AWS Security Hub
AWS Security Hub was announced as a new service offering at the 2018 AWS re:Invent conference, and is currently in “Preview” mode. Organizations can sign up for the preview and experiment with the service at no cost. The ancillary services which are used by Security Hub are still charged at their associated price structure.
AWS Security Hub collects data from Guard Duty, Inspector, Config, Macie, and other connected partner services to provide a single view of the resources in your account and their associated compliance with the configured rules.
AWS Security Hub receives data from the configured services and presents it as a consolidated dashboard for security and operations personnel to respond to. According to the AWS Security Hub site, a major benefit is having a single place to see a consolidated view of the results from the configured services. While the dashboards for the other tools, like AWS Config, may provide additional detail, AWS Security Hub provides insights across all of the tools and all of your infrastructure and managed services.
AWS Security Hub is also capable of running continuous compliance checks, so you know very quickly when some part of your infrastructure is no longer in compliance with one or more of your configured benchmarks.
Setting up Security Hub
Accessing the AWS Security Hub webpage while it is in Preview mode allows you to enable Security Hub for your account. If you are already using AWS GuardDuty, AWS Config and AWS Inspector, Security Hub will immediately start receiving information from those services.
In the Settings view, you can add other accounts you want to collect information for, add custom actions, add providers, view your Security Hub usage, and other information about Security Hub.
Security Hub allows you to not only monitor the account you have configured Security Hub in, but also other “member accounts”. Note, the other accounts must first accept the monitoring request, and also have the associated services configured.
When an insight is detected, such as an out-of-compliance configuration, a custom action can send an alert to CloudWatch for action by another service, such as a Lambda function.
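An added example, not code from the original article, of what the Lambda side of that custom action could look like: a handler that receives the custom-action event from CloudWatch, drops findings that already pass or fall below a severity bar, and groups what is left by affected resource. It assumes the event shape Security Hub emits for custom actions (source "aws.securityhub", detail-type "Security Hub Findings - Custom Action") and ASFF field names; the sample event, finding ids and account number are constructed.

```python
# Added example (not from the article): a Lambda handler that triages the
# findings a Security Hub custom action forwards through CloudWatch Events.
# Assumes the custom-action event shape (source "aws.securityhub",
# detail-type "Security Hub Findings - Custom Action") and ASFF field names.
from collections import defaultdict

# Constructed sample event carrying two findings; ids and account are made up.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Custom Action",
    "detail": {
        "actionName": "SendToRemediation",
        "findings": [
            {
                "Id": "finding-0001",
                "Title": "CIS 2.1 Ensure CloudTrail is enabled in all regions",
                "Severity": {"Normalized": 70},
                "Compliance": {"Status": "FAILED"},
                "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111111111111"}],
            },
            {
                "Id": "finding-0002",
                "Title": "CIS 4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22",
                "Severity": {"Normalized": 40},
                "Compliance": {"Status": "PASSED"},
                "Resources": [{"Type": "AwsEc2SecurityGroup", "Id": "sg-0123456789abcdef0"}],
            },
        ],
    },
}

def triage(event, min_severity=50):
    """Return still-failing findings at or above min_severity, grouped by
    affected resource id and ordered most severe first."""
    if event.get("source") != "aws.securityhub":
        raise ValueError("not a Security Hub event")
    by_resource = defaultdict(list)
    for f in event["detail"].get("findings", []):
        sev = f.get("Severity", {}).get("Normalized", 0)
        if f.get("Compliance", {}).get("Status") == "PASSED" or sev < min_severity:
            continue  # nothing to remediate, or below the bar for this action
        for r in f.get("Resources", []):
            by_resource[r["Id"]].append({"id": f["Id"], "title": f["Title"], "severity": sev})
    for items in by_resource.values():
        items.sort(key=lambda x: -x["severity"])
    return dict(by_resource)

def lambda_handler(event, context):
    """Lambda entry point: return the triage summary for downstream routing."""
    return {"action": event["detail"].get("actionName"), "actionable": triage(event)}
```

In a real deployment the returned summary would be handed to a notification or ticketing integration rather than just returned.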
The providers section allows you to add other security providers to the Security Hub.
There are a wide array of providers already available.
The usage section gives you a view of the usage of the services configured in Security Hub.
In this example, there are 19 findings processed by AWS Config in the current billing period.
The General settings allow you to see the service permissions, resource policies and disable Security Hub.
The Security Hub Dashboard
Here is a sample Security Hub summary dashboard.
Each of the items in the dashboard is clickable, allowing you to view the details for each item. For example, clicking on the “AWS resources with the most findings” item eventually leads you to a list of the specific resources.
Clicking on the title for the insight displays the details.
The insight shows the affected resource(s) and how to correct the issue; the remediation guidance appears to point the user to the Standards tab for details.
Currently, AWS Security Hub only has what is called the “AWS CIS Standards”, which are 43 tests executed to verify compliance with the AWS CIS Benchmark. This benchmark is published by the Center for Internet Security.
It is not clear from the available documentation if it will be possible to add your own standards.
AWS Security Hub has the ability to collect security data and configuration information from other AWS and partner services, with a single place for security and operations teams to see the overall status of the monitored accounts.
There is not enough documentation available to see how extensible Security Hub is, such as adding additional corporate standards. While Preview mode is underway, we can hope the available documentation will be expanded so users can get a better understanding of its capabilities and how to use it in their organization.
UPDATE April 9, 2019: An AWS Online Tech Talk on remediating Guard Duty and Security Hub findings is available on YouTube.
Copyright 2018, Chris Hare