Improve your Security using AWS Security Hub

Kubernetes Advocate
AVM Consulting Blog
8 min read, Aug 2, 2021

AWS Security Hub Findings

  • Ensure that Amazon Security Hub findings are analyzed and resolved.

AWS Security Hub Insights

  • Ensure that Amazon Security Hub insights are regularly reviewed (informational).

Detect AWS Security Hub Configuration Changes

  • Security Hub service configuration changes have been detected within your Amazon Web Services account.

Review Enabled Security Hub Standards

  • Ensure that enabled Amazon Security Hub standards are reviewed (informational).

Whether your cloud exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Conformity offers full visibility into your overall security and governance posture across various standards and frameworks.

How to perform these checks using the AWS CLI

01. Run the get-findings command (OSX/Linux/UNIX) with a custom query to list the identifiers (ARNs) of the findings that Security Hub has aggregated in the selected region. get-findings is paginated, so on a busy account this list can run to thousands of entries; add --max-items, or narrow it with a --filters document (see step 3), rather than scrolling through the full output:

aws securityhub get-findings \
  --region us-east-1 \
  --query 'Findings[*].Id'

02. The command output should return an array with the requested ARNs:

[
  "arn:aws:inspector:us-east-1:123456789012:target/0-aaaabbbb/template/0-abcd1234/run/0-aabbccdd/finding/0-abcdabcd",
  "arn:aws:inspector:us-east-1:123456789012:target/0-aabbccdd/template/0-1234abcd/run/0-abcdabcd/finding/0-aaaabbbb",
  ...
  "arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.8/finding/12341234-abcd-1234-abcd-123412341234",
  "arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.7/finding/1234abcd-1234-abcd-1234-1234abcd1234"
]

03. Create the JSON filter document that get-findings expects, as shown in the example below, and save it in a file named finding-id.json. Replace the ARN in the Value attribute with the ARN of the finding that you want to examine (the Id filter is a list, so several findings can be requested in one call by adding more entries):

{
  "Id": [
    {
      "Value": "arn:aws:inspector:us-east-1:123456789012:target/0-aaaabbbb/template/0-abcd1234/run/0-aabbccdd/finding/0-abcdabcd",
      "Comparison": "EQUALS"
    }
  ]
}

04. Execute the get-findings command (OSX/Linux/UNIX) with the filter document, so that only the finding whose ARN is listed in finding-id.json is described:

aws securityhub get-findings \
  --region us-east-1 \
  --filters file://finding-id.json

05. The command output should return the metadata for the selected finding:

{
  "Findings": [
    {
      "LastObservedAt": "2018-12-10T08:54:03Z",
      "FirstObservedAt": "2018-12-10T08:54:03Z",
      "GeneratorId": "arn:aws:inspector:us-east-1:123456789012:target/0-abcdabcd",
      "Severity": {
        "Product": 9,
        "Normalized": 45
      },
      "Title": "On instance i-abcdabcd123456789, TCP port 21 which is associated with 'FTP' is reachable from the Internet.",
      "Resources": [
        {
          "Region": "us-east-1",
          "Partition": "aws",
          "Type": "AwsEc2Instance",
          "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-abcdabcd123456789",
          "Details": {
            "AwsEc2Instance": {
              "SubnetId": "subnet-abcd1234",
              "VpcId": "vpc-12345678",
              "ImageId": "ami-012345678aaaabbbb"
            }
          }
        }
      ],
      "WorkflowState": "NEW",
      "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/inspector",
      "Confidence": 10,
      "ProductFields": {
        "attributes:7/key": "SECURITY_GROUP",
        "attributes:9/value": "acl-1234abcd",
        "aws/securityhub/ProductName": "Inspector",
        "attributes:7/value": "sg-012345678abcdabcd",
        "attributes:4/value": "TCP",
        "attributes:1/key": "RULE_TYPE",
        "serviceAttributes/schemaVersion": "1",
        "attributes:5/value": "igw-abcd1234",
        "serviceAttributes/rulesPackageArn": "arn:aws:inspector:us-east-1:123456789012:rulespackage/0-abcdabcd",
        "attributes:6/key": "VPC",
        "attributes:4/key": "PROTOCOL",
        "attributes:3/value": "FTP",
        "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/inspector/arn:aws:inspector:us-east-1:123456789012:target/0-aaaabbbb/template/0-abcd1234/run/0-aabbccdd/finding/0-abcdabcd",
        "attributes:6/value": "vpc-12345678",
        "attributes:9/key": "ACL",
        "attributes:0/value": "eni-089c2f505015c6291",
        "aws/securityhub/SeverityLabel": "MEDIUM",
        "attributes:10/value": "i-0abcd1234abcd1234",
        "attributes:3/key": "PORT_GROUP_NAME",
        "attributes:8/key": "REACHABILITY_TYPE",
        "attributes:2/value": "21",
        "attributes:5/key": "IGW",
        "attributes:2/key": "PORT",
        "attributes:1/value": "RecognizedPortNoAgent",
        "attributes:8/value": "Internet",
        "serviceAttributes/assessmentRunArn": "arn:aws:inspector:us-east-1:123456789012:target/0-aaaabbbb/template/0-abcd1234/run/0-aabbccdd",
        "attributes:10/key": "INSTANCE_ID",
        "attributes:0/key": "ENI",
        "aws/securityhub/CompanyName": "AWS"
      },
      "RecordState": "ACTIVE",
      "CreatedAt": "2018-12-10T08:54:03Z",
      "UpdatedAt": "2018-12-10T08:54:03Z",
      "Remediation": {
        "Recommendation": {
          "Text": "You can edit the Security Group sg-abcdabcd123456789 to remove access from the Internet on port 21."
        }
      },
      "Description": "On this instance, TCP port 21, which is associated with FTP, is reachable from the Internet. You can install the Inspector agent on this instance and re-run the assessment to check for any process listening on this port. The instance i-abcdabcd123456789 is located in VPC vpc-12345678 and has an attached ENI eni-0abcd1234abcd1234 which uses network ACL acl-1234abcd. The port is reachable from the Internet through Security Group sg-012345678abcdabcd and IGW igw-abcd1234.",
      "SchemaVersion": "2018-10-08",
      "Id": "arn:aws:inspector:us-east-1:123456789012:target/0-aaaabbbb/template/0-abcd1234/run/0-aabbccdd/finding/0-abcdabcd",
      "Types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability - Recognized port reachable from internet"
      ],
      "AwsAccountId": "123456789012"
    }
  ]
}

06. Analyze the metadata returned for the selected security finding by checking the following output attributes:

  1. “Title” — the name of the finding, e.g. “On instance i-abcdabcd123456789, TCP port 21 which is associated with ‘FTP’ is reachable from the Internet.”
  2. “Description” — a detailed description of the security finding which includes the AWS resources affected by the security risk e.g. “On this instance, TCP port 21, which is associated with FTP, is reachable from the Internet. You can install the Inspector agent on this instance and re-run the assessment to check for any process listening on this port. The instance i-abcdabcd123456789 is located in VPC vpc-12345678 and has an attached ENI eni-0abcd1234abcd1234 which uses network ACL acl-1234abcd. The port is reachable from the Internet through Security Group sg-012345678abcdabcd and IGW igw-abcd1234.”
  3. “AwsAccountId” — the ID number of the AWS account where the potential security issue described by the selected finding was found, e.g. “123456789012”.
  4. “Severity.Label” — the severity label of the finding, e.g. “MEDIUM”. Valid values are “INFORMATIONAL”, “LOW”, “MEDIUM”, “HIGH” and “CRITICAL”. Older findings, like the sample above, carry the label only as “ProductFields.aws/securityhub/SeverityLabel” next to the numeric “Severity.Normalized” score (0–100), which Security Hub maps to the same five labels.
  5. “ProductFields.aws/securityhub/ProductName” — the service/solution that generates the finding, e.g. “Inspector” (AWS Inspector service).
  6. “Compliance.Status” — the result of a security standard control check (present on control findings only, not on the Inspector sample above). Valid values are “PASSED” (all evaluated resources passed the check), “WARNING” (some information is missing or the check is not supported for your configuration), “FAILED” (at least one evaluated resource failed the check) and “NOT_AVAILABLE” (the check could not be performed, e.g. because of a service outage, an API error or a NOT_APPLICABLE AWS Config evaluation).
  7. “Resources”– an array that contains the configuration attributes of the resources to which the selected finding refers, e.g. “Type”: “AwsEc2Instance”, “Id”: “arn:aws:ec2:us-east-1:123456789012:instance/i-abcdabcd123456789”, “Region”: “us-east-1”, etc.
  8. “RecordState” — the record state of the finding. Valid values are “ACTIVE” and “ARCHIVED”. Triage on the workflow state as well: “Workflow.Status” (“NEW”, “NOTIFIED”, “RESOLVED” or “SUPPRESSED”) tells you whether somebody has already handled the finding; the “WorkflowState” field shown in the sample output is its deprecated predecessor.
  9. “Remediation.Recommendation” — provides a suggestion on how to remediate the issue identified by the selected finding, e.g. “You can edit the Security Group sg-abcdabcd123456789 to remove access from the Internet on port 21”.

07. Based on the metadata returned at the previous step you can analyze the security risk described by the finding and implement the recommended fix.

08. Repeat steps no. 3–7 to check and analyze other Amazon Security Hub findings found in the selected region.

09. Change the AWS region by updating the --region command parameter value and repeat the entire audit process for the other regions you use.
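As an added example, not code from the original post, the following Python script performs steps 1–7 offline on the JSON shape that get-findings returns: it drops archived or already resolved findings, orders the rest by severity (including CRITICAL, with a fallback from the Normalized score), rebuilds the Inspector attribute key/value pairs scattered through ProductFields, generates the --filters document used in step 3, and prints the batch-update-findings call that marks a finding RESOLVED once it has been fixed. The two findings it works on are constructed samples modelled on the output above, and the function names and the "security-team" UpdatedBy value are this example's own choices.

```python
"""Triage Security Hub (ASFF) findings offline and build get-findings filter documents.

Added example, not from the original post. Works on the JSON shape returned by
`aws securityhub get-findings`; the findings below are constructed samples.
"""
import json

# ASFF severity labels, most urgent first.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATIONAL": 0}

# Constructed sample: one open Inspector finding, one CIS control finding already resolved.
SAMPLE_FINDINGS = [
    {
        "Id": "arn:aws:inspector:us-east-1:123456789012:target/0-aaaabbbb/template/0-abcd1234/run/0-aabbccdd/finding/0-abcdabcd",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/inspector",
        "Title": "On instance i-abcdabcd123456789, TCP port 21 which is associated with 'FTP' is reachable from the Internet.",
        "Severity": {"Product": 9, "Normalized": 45},
        "RecordState": "ACTIVE",
        "WorkflowState": "NEW",   # deprecated field, still present on old findings
        "Resources": [{"Type": "AwsEc2Instance",
                       "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-abcdabcd123456789"}],
        "ProductFields": {
            "aws/securityhub/SeverityLabel": "MEDIUM",
            "attributes:2/key": "PORT", "attributes:2/value": "21",
            "attributes:4/key": "PROTOCOL", "attributes:4/value": "TCP",
            "attributes:7/key": "SECURITY_GROUP", "attributes:7/value": "sg-012345678abcdabcd",
        },
    },
    {
        "Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.8/finding/12341234-abcd-1234-abcd-123412341234",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
        "Title": "3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes",
        "Severity": {"Label": "LOW", "Normalized": 30},
        "Compliance": {"Status": "FAILED"},
        "RecordState": "ACTIVE",
        "Workflow": {"Status": "RESOLVED"},
        "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:123456789012"}],
        "ProductFields": {},
    },
]


def severity_label(finding):
    """Severity.Label is authoritative; older findings only carry the ProductFields copy or
    a Normalized score, which Security Hub maps as 0 / 1-39 / 40-69 / 70-89 / 90-100."""
    sev = finding.get("Severity", {})
    label = sev.get("Label") or finding.get("ProductFields", {}).get("aws/securityhub/SeverityLabel")
    if label:
        return label.upper()
    score = sev.get("Normalized", 0)
    for threshold, name in ((90, "CRITICAL"), (70, "HIGH"), (40, "MEDIUM"), (1, "LOW")):
        if score >= threshold:
            return name
    return "INFORMATIONAL"


def is_open(finding):
    """Archived records and findings already RESOLVED/SUPPRESSED need no action.
    Workflow.Status replaced the deprecated WorkflowState; accept either."""
    if finding.get("RecordState") != "ACTIVE":
        return False
    status = finding.get("Workflow", {}).get("Status") or finding.get("WorkflowState")
    return status not in ("RESOLVED", "SUPPRESSED")


def product_attributes(finding):
    """Inspector flattens its attributes into 'attributes:N/key' / 'attributes:N/value'
    pairs inside ProductFields; rebuild them as a plain dict (PORT -> '21', ...)."""
    keys, values = {}, {}
    for name, value in finding.get("ProductFields", {}).items():
        if name.startswith("attributes:"):
            index, _, part = name[len("attributes:"):].partition("/")
            (keys if part == "key" else values)[index] = value
    return {keys[i]: values[i] for i in keys if i in values}


def triage(findings):
    """Open findings, most severe first, reduced to what a responder needs."""
    rows = [{
        "id": f["Id"],
        "product_arn": f["ProductArn"],
        "severity": severity_label(f),
        "title": f.get("Title", ""),
        "resources": [r["Id"] for r in f.get("Resources", [])],
        "attributes": product_attributes(f),
    } for f in findings if is_open(f)]
    rows.sort(key=lambda r: SEVERITY_RANK.get(r["severity"], -1), reverse=True)
    return rows


def build_filters(finding_ids=(), severity_labels=(), only_new=True):
    """Filter document for `aws securityhub get-findings --filters file://...`;
    each key holds a list of {Value, Comparison} entries that are ORed together."""
    filters = {"RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}]}
    if only_new:
        filters["WorkflowStatus"] = [{"Value": "NEW", "Comparison": "EQUALS"}]
    if finding_ids:
        filters["Id"] = [{"Value": i, "Comparison": "EQUALS"} for i in finding_ids]
    if severity_labels:
        filters["SeverityLabel"] = [{"Value": s, "Comparison": "EQUALS"} for s in severity_labels]
    return filters


def resolve_command(row, note, updated_by="security-team"):
    """CLI call (BatchUpdateFindings) that closes a finding in Security Hub after the fix."""
    return ("aws securityhub batch-update-findings "
            f"--finding-identifiers Id={row['id']},ProductArn={row['product_arn']} "
            f"--workflow Status=RESOLVED --note Text=\"{note}\",UpdatedBy={updated_by}")


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(row["severity"], row["title"], row["attributes"])
        print(resolve_command(row, "SG rule removed"))
    print(json.dumps(build_filters(severity_labels=["HIGH", "CRITICAL"]), indent=2))
```

To use it against a live account, pipe `aws securityhub get-findings --filters file://filters.json` through `json.load` and hand the `Findings` list to `triage()`; the `resolve_command` output is what you run after the remediation below has been verified, so the finding stops showing up as NEW in the next audit.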

Remediation using the AWS CLI

01. Copy the ID of the EC2 security group named in the selected finding's remediation text (the “Remediation.Recommendation” attribute value returned in step 5 of the audit above identifies the right resource).

02. Run the revoke-security-group-ingress command (OSX/Linux/UNIX) with the security group ID copied at the previous step to delete the ingress rule that allows unrestricted inbound access (0.0.0.0/0) on port 21 (FTP), as described by the finding. The following example removes the rule allowing public access on TCP port 21 from the security group “sg-abcdabcd123456789” (the command produces no output on success):

aws ec2 revoke-security-group-ingress \
  --region us-east-1 \
  --group-id sg-abcdabcd123456789 \
  --protocol tcp \
  --port 21 \
  --cidr 0.0.0.0/0

The call only removes a rule that matches exactly: a rule covering a port range such as 20–22, or an IPv6 rule for ::/0, is left in place and the port stays reachable. List the group with describe-security-groups first and revoke every matching entry, using --ip-permissions for port ranges and IPv6. If the service genuinely has to stay reachable, replace the open rule with one scoped to trusted source ranges rather than deleting it; FTP itself sends credentials in clear text, so moving the workload to SFTP is the better long-term fix.
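Because the exact-match behaviour is easy to trip over, here is an added Python example (not from the post) that takes a security group in the shape `aws ec2 describe-security-groups` returns it, finds every ingress entry that lets 0.0.0.0/0 or ::/0 reach a given port, port ranges and IPv6 included, and prints the revoke-security-group-ingress --ip-permissions call that removes only those world-open ranges while leaving private ranges on the same rule alone. The group is a constructed sample and the function names are this example's own.

```python
"""Find ingress rules that expose a port to the world and build an exact revoke request.

Added example, not from the post. SAMPLE_GROUP is a constructed sample in the shape of
`aws ec2 describe-security-groups` output (SecurityGroups[0]), not real data.
"""
import json

SAMPLE_GROUP = {
    "GroupId": "sg-abcdabcd123456789",
    "IpPermissions": [
        # Exactly what the post's --protocol/--port/--cidr one-liner revokes.
        {"IpProtocol": "tcp", "FromPort": 21, "ToPort": 21,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "ftp"}], "Ipv6Ranges": []},
        # A range covering 21 that is open to all of IPv6; the private IPv4 range must stay.
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # All protocols and ports, but only from a documentation prefix: not world-exposed.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.0.2.0/24"}], "Ipv6Ranges": []},
    ],
}


def rule_covers(perm, port, proto):
    """True if this IpPermissions entry admits proto/port (-1 means every protocol and port)."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != proto:
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def exposed_permissions(group, port, proto="tcp"):
    """Entries that let 0.0.0.0/0 or ::/0 reach `port`, narrowed to just the world-open
    ranges so the result can be passed verbatim to revoke-security-group-ingress.
    EC2 matches on protocol and the stored port range, so the range is kept as stored."""
    found = []
    for perm in group["IpPermissions"]:
        if not rule_covers(perm, port, proto):
            continue
        v4 = [{"CidrIp": r["CidrIp"]} for r in perm.get("IpRanges", []) if r["CidrIp"] == "0.0.0.0/0"]
        v6 = [{"CidrIpv6": r["CidrIpv6"]} for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] == "::/0"]
        if not (v4 or v6):
            continue
        entry = {"IpProtocol": perm["IpProtocol"]}
        if perm["IpProtocol"] != "-1":
            entry["FromPort"], entry["ToPort"] = perm["FromPort"], perm["ToPort"]
        if v4:
            entry["IpRanges"] = v4
        if v6:
            entry["Ipv6Ranges"] = v6
        found.append(entry)
    return found


def revoke_command(group, port, proto="tcp", region="us-east-1"):
    """The CLI call that removes only the world-open parts; None when nothing is exposed."""
    perms = exposed_permissions(group, port, proto)
    if not perms:
        return None
    return (f"aws ec2 revoke-security-group-ingress --region {region} "
            f"--group-id {group['GroupId']} --ip-permissions '{json.dumps(perms)}'")


if __name__ == "__main__":
    print(revoke_command(SAMPLE_GROUP, 21))
```

Run it against real data by loading the output of `aws ec2 describe-security-groups --group-ids <id>` and passing `SecurityGroups[0]`. Rules whose source is another security group (UserIdGroupPairs) or a prefix list are deliberately not treated as world-open; review those by hand.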

Reviewing insights using the AWS Console

01. Sign in to AWS Management Console.

02. Navigate to Amazon Security Hub dashboard at https://console.aws.amazon.com/securityhub/.

03. In the left navigation panel, choose Insights to access the Security Hub insights listing page.

04. Choose the Security Hub insight (managed or custom) that you want to examine and check the results number available for the selected insight:

If the number of results is zero (i.e. 0 current results), there are no related Security Hub findings collected by the Security Hub providers for the selected insight. If the number of results displayed for the Security Hub insight is different than zero, click on its title (link) to access the entry details.

05. On the selected insight page, click on the ARN (e.g. arn:aws:ec2:us-east-1:123456789012:instance/i-01234abcd1234abcd) of the AWS resource associated with the Security Hub insight, to access the related security findings detected for the resource.

06. Once the findings collected by the selected insight are listed, follow the CLI audit steps above (steps 3–7) to evaluate each finding for remediation.

07. Repeat steps no. 4–6 to review other Amazon Security Hub insights available in the current region.

08. Change the AWS region from the navigation bar and repeat the entire audit process for other regions.

Remediation using the AWS CLI (instance findings)

01. Copy the ID of the AWS resource (e.g. the EC2 instance) associated with the Security Hub insight, taken from the ARN returned as the “GroupByAttributeValue” attribute when the insight results are listed (get-insight-results), to identify the right instance ID.

02. Run the describe-instances command (OSX/Linux/UNIX) with the instance ID copied at the previous step to describe the configuration of the EC2 instance targeted by the insight's findings:

aws ec2 describe-instances \
  --region us-east-1 \
  --instance-ids i-01234abcd1234abcd

03. The command output should return the requested EC2 instance configuration details such as its public/Elastic IP address, SSH key pair name, security groups, etc.:

{
  "Reservations": [
    {
      "OwnerId": "123456789012",
      "ReservationId": "r-a1234abcd1234abcd",
      "Instances": [
        {
          "Monitoring": {
            "State": "disabled"
          },
          "State": {
            "Code": 16,
            "Name": "running"
          },
          "EbsOptimized": false,
          "LaunchTime": "2018-12-10T05:08:56.000Z",
          "PublicIpAddress": "10.0.0.1",
          "PrivateIpAddress": "172.31.14.25",
          "InstanceId": "i-01234abcd1234abcd",
          "EnaSupport": true,
          "PrivateDnsName": "ip-172-31-14-25.ec2.internal",
          ...
          "KeyName": "ssh-access-key",
          "SecurityGroups": [
            {
              "GroupName": "cc-web-security-group",
              "GroupId": "sg-12341234"
            }
          ],
          "SubnetId": "subnet-abcdabcd",
          "InstanceType": "c4.xlarge",
          "SourceDestCheck": true,
          "Placement": {
            "Tenancy": "default",
            "GroupName": "",
            "AvailabilityZone": "us-east-1a"
          },
          "Hypervisor": "xen",
          "Architecture": "x86_64",
          "RootDeviceType": "ebs",
          "RootDeviceName": "/dev/xvda",
          "VirtualizationType": "hvm",
          "AmiLaunchIndex": 0
        }
      ]
    }
  ]
}

04. Use the instance details returned at the previous step (public IP address and key pair name) with your SSH client to connect to the selected EC2 instance, from a trusted source address and with the key pair rather than a password, in order to resolve the finding collected within the selected Security Hub insight.

05. Once you have connected to the EC2 instance through SSH, follow the instructions given in the finding's Remediation section, i.e. “We recommend that you disable password authentication over SSH on your EC2 instance and enable support for key-based authentication instead. This significantly reduces the likelihood of a successful brute-force attack. For more information, see https://aws.amazon.com/articles/tips-for-securing-your-ec2-instance/. If password authentication is supported, it is important to restrict access to the SSH server to trusted IP addresses”. In practice this means setting PasswordAuthentication no (and PermitRootLogin no) in /etc/ssh/sshd_config, reloading sshd after checking that your key still works, and narrowing the port 22 rule in the instance's security group to trusted CIDRs.
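As an added example, not from the post or from AWS, the Python below checks an sshd_config the way sshd actually reads it (the first value given for a keyword wins, and directives after a Match line apply only to matching connections), reports the settings that contradict the remediation above, and emits a hardened copy. The configuration text is a constructed sample, and the POLICY table is this example's own choice of directives and target values.

```python
"""Audit an sshd_config for the settings the SSH finding's remediation asks for, and harden it.

Added example, not from the post. Two sshd rules the check respects: for each keyword
sshd keeps the FIRST value it reads, and lines after a Match block are conditional, so
the global view stops there. SAMPLE_CONFIG is a constructed sample.
"""
import re

# Keyword -> (OpenSSH default when absent, value that satisfies the remediation advice).
# KbdInteractiveAuthentication is the current name of ChallengeResponseAuthentication.
POLICY = {
    "PasswordAuthentication": ("yes", "no"),
    "KbdInteractiveAuthentication": ("yes", "no"),
    "PermitRootLogin": ("prohibit-password", "no"),
    "PubkeyAuthentication": ("yes", "yes"),
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

SAMPLE_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Global settings as sshd will apply them: lowercase keyword -> first value seen."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # only whole-line comments exist in sshd_config
            continue
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)  # 'Keyword value' or 'Keyword=value'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        key = ALIASES.get(key, key)
        if key == "match":   # conditional section: the global view ends here
            break
        settings.setdefault(key, value)   # first occurrence wins, later duplicates are ignored
    return settings


def audit(text):
    """(keyword, effective value, required value) for every setting that violates POLICY."""
    settings = parse_sshd_config(text)
    issues = []
    for key, (default, wanted) in POLICY.items():
        effective = settings.get(key.lower(), default).lower()
        if effective != wanted:
            issues.append((key, effective, wanted))
    return issues


def harden(text):
    """Prepend the required directives: because the first value wins, they override every
    later global line without editing it, and sit above any Match block by construction."""
    header = ["# hardening block: first value wins, keep this above any Match"]
    header += [f"{key} {wanted}" for key, (_, wanted) in POLICY.items()]
    return "\n".join(header) + "\n" + text


if __name__ == "__main__":
    for issue in audit(SAMPLE_CONFIG):
        print("%s is %r, want %r" % issue)
    print(harden(SAMPLE_CONFIG))
```

On the instance, run `audit()` over the contents of /etc/ssh/sshd_config, write the hardened copy, validate it with `sshd -t`, and only then reload the service, keeping your current session open until a fresh key-based login has been confirmed.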

Vineet Sharma-Founder and CEO of Kubernetes Advocate Tech author, cloud-native architect, and startup advisor.https://in.linkedin.com/in/vineet-sharma-0164