A 5 Minute Overview of AWS Security Hub

One of the challenges every security and audit professional has is collecting information from multiple sources, and then making sense of that information to determine if there is an action to take. AWS is no different.


There is AWS Guard Duty, which continuously monitors VPC Flow Logs, CloudTrail logs and DNS logs for malicious activity. Guard Duty is an intelligent threat detection service which can be combined with Lambda functions to perform automated actions.

Next is AWS Inspector, an automated security assessment service that can assess applications for exposures, vulnerabilities or non-compliance with best practices.

AWS Macie uses machine learning to discover and protect sensitive data within your account. And, let’s not forget AWS Config, which is constantly scanning for changes in your resources, evaluating those changes and providing an audit trail of the changes.

Finally, there are the lower-level data sources, such as VPC Flow Logs and CloudTrail.

The goal of this article is not to discuss each of those services in detail, but to discuss AWS Security Hub. Because Security Hub is still in Preview mode, there is limited documentation available.

What is AWS Security Hub

AWS Security Hub was announced as a new service offering at the 2018 AWS re:Invent conference, and is currently in “Preview” mode. Organizations can sign up for the preview and experiment with the service at no cost. The ancillary services which are used by Security Hub are still charged at their associated price structure.

AWS Security Hub collects data from Guard Duty, Inspector, Config, Macie, and other connected partner services to provide a single view of the resources in your account and their associated compliance with the configured rules.

AWS Security Hub receives data from the configured services and presents it as a consolidated dashboard for security and operations personnel to respond to. According to the AWS Security Hub site, a major benefit is having a single place to see a consolidated view of the results from the configured services. While the dashboards for the other tools, like AWS Config, may provide additional detail, AWS Security Hub provides insights across all of the tools and all of your infrastructure and managed services.

AWS Security Hub is also capable of running continuous compliance checks, so you know very quickly when some part of your infrastructure is no longer in compliance with one or more of your configured benchmarks.

Setting up Security Hub

Accessing the AWS Security Hub webpage while in Preview mode allows you to enable Security Hub for your account. If you are already using AWS Guard Duty, AWS Config and AWS Inspector, Security Hub will immediately start getting information from those services.

In the Settings view, you can add other accounts you want to collect information for, add custom actions, add providers, view your Security Hub usage, and other information about Security Hub.

Accounts

Security Hub allows you to monitor not only the account you have configured Security Hub in, but also other “member accounts”. Note that the other accounts must first accept the monitoring request, and must also have the associated services configured.

Custom Actions

When an insight is detected, such as an out-of-compliance configuration, a custom action can send the findings to CloudWatch as an event, for action by another service such as a Lambda function.
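As an added example (not code from the original article or from AWS), here is a Lambda handler for the CloudWatch event a Security Hub custom action emits. It checks the event source and detail-type, keeps only the findings whose compliance status is FAILED, and orders them by severity label so a remediation step can work on the most severe first. The sample event, account id, action name and resource identifiers are constructed placeholders.

```python
"""Parse a Security Hub custom action event (added example, not from the article)."""
CUSTOM_ACTION_DETAIL_TYPE = "Security Hub Findings - Custom Action"
# Queue order for remediation: most severe ASFF severity label first.
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFORMATIONAL": 4}


def lambda_handler(event, context=None):
    """Return the findings in the event that still FAIL a compliance check."""
    if (event.get("source") != "aws.securityhub"
            or event.get("detail-type") != CUSTOM_ACTION_DETAIL_TYPE):
        # Not a Security Hub custom action; the rule may also match other sources.
        return {"action": None, "failed": [], "ignored": True}
    detail = event.get("detail", {})
    failed = []
    for finding in detail.get("findings", []):
        # PASSED findings, and findings without a Compliance block (GuardDuty
        # threat findings, for example), need no configuration remediation.
        if finding.get("Compliance", {}).get("Status") != "FAILED":
            continue
        for resource in finding.get("Resources", []):
            failed.append({
                "finding_id": finding["Id"],
                "title": finding.get("Title", ""),
                "severity": finding.get("Severity", {}).get("Label", "UNKNOWN"),
                "resource_type": resource.get("Type"),
                "resource_id": resource.get("Id"),
            })
    failed.sort(key=lambda f: SEVERITY_ORDER.get(f["severity"], 99))
    return {"action": detail.get("actionName"), "failed": failed, "ignored": False}


# Constructed sample event in the shape CloudWatch Events delivers; the account
# id, action name and resource identifiers are placeholders.
SAMPLE_EVENT = {
    "version": "0", "source": "aws.securityhub", "account": "111122223333",
    "detail-type": CUSTOM_ACTION_DETAIL_TYPE, "region": "us-east-1",
    "detail": {"actionName": "RemediateS3Bucket", "findings": [
        {"Id": "finding-1", "Title": "S3 bucket allows public read",
         "Severity": {"Label": "MEDIUM"}, "Compliance": {"Status": "FAILED"},
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}]},
        {"Id": "finding-2", "Title": "CloudTrail is enabled",
         "Severity": {"Label": "LOW"}, "Compliance": {"Status": "PASSED"},
         "Resources": [{"Type": "AwsCloudTrailTrail", "Id": "trail/placeholder"}]},
        {"Id": "finding-3", "Title": "Root account has no MFA",
         "Severity": {"Label": "CRITICAL"}, "Compliance": {"Status": "FAILED"},
         "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111122223333"}]},
    ]},
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))
```

A real deployment would replace the returned list with boto3 calls that fix the resource or open a ticket; the handler above stops at deciding what needs action.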

Providers

The providers section allows you to add other security providers to the Security Hub.

There is a wide array of providers already available.

Usage

The usage section gives you a view of the usage of the services configured in Security Hub.

In this example, there are 19 findings processed by AWS Config in the current billing period.

General

The General settings allow you to see the service permissions, resource policies and disable Security Hub.

The Security Hub Dashboard

Here is a sample Security Hub summary dashboard.

Each of the items in the dashboard is clickable, allowing you to view the details for that item. For example, clicking on the “AWS resources with the most findings” item eventually leads you to a list of the specific resources.

Clicking on the title for the insight displays the details.

The insight allows you to see the affected resource(s), and how to correct the issue, which seems to point the user to the Standards tab for details.

Standards

Currently, AWS Security Hub only has what is called the “AWS CIS Standards”, which are 43 tests executed to verify compliance with the AWS CIS Benchmark. This benchmark is published by the Center for Internet Security.

It is not clear from the available documentation if it will be possible to add your own standards.

Conclusion

AWS Security Hub has the ability to collect security data and configuration information from other AWS and partner services, with a single place for security and operations teams to see the overall status of the monitored accounts.

There is not enough documentation available to see how extensible Security Hub is, such as adding additional corporate standards. While Preview mode is underway, we can hope the available documentation will be expanded so users can get a better understanding of its capabilities and how to use it in their organization.

UPDATE April 9, 2019: An AWS Online Tech Talk on remediating Guard Duty and Security Hub findings is available on YouTube.

References

AWS Security Hub

AWS Security Hub User Guide

AWS Guard Duty

AWS Inspector

AWS Macie

AWS Config

AWS VPC Flow Logs

AWS CloudTrail

CIS AWS Foundations Announcement

CIS AWS Foundations Benchmark

Copyright 2018, Chris Hare

Chris is the co-author of seven books and author of more than 70 articles and book chapters in technical, management, and information security publications.
