Improving AWS Cloud Security using Security Hub and GuardDuty

Sarath Tamminana
KPMG UK Engineering
4 min read · Jan 30, 2024

In this article I aim to give a comprehensive overview of two key services that greatly assist a Cloud Security Operations team in effectively managing multiple AWS accounts.

  1. AWS Security Hub
  2. AWS GuardDuty

AWS Security Hub

AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you assess your AWS environment against security industry standards and best practices.

It collects security data across AWS accounts, AWS services, and supported third-party products and helps you analyze your security trends and identify the highest priority security issues.

Once you enter the Security Hub landing page, you will see a screen like the one shown below.

Before configuring Security Hub, you need to enable AWS Config. This can be done either by clicking the one-click setup option in the Config service or by downloading the CloudFormation template and deploying it.

In the second section, select the required security standards and click Enable Security Hub at the bottom.

Once you have enabled it, you land in the Overview section. Initially it takes a few minutes for all the insights and reports to populate the dashboard.

Here you can see your environment's security score, passed/failed checks, and findings by severity and resource type.

In the third section, you can see the security standards reports and their findings. So far we have enabled only the AWS Foundational Security Best Practices standard and the CIS AWS Foundations Benchmark, so only those are listed. If you want PCI/NIST, you can enable those on the first page.

In the fourth section, you can see Insights for your environment. Each insight also shows how many resources were identified as part of it.

Example

One S3 bucket that doesn't meet the security best practices or standards.

Zero S3 buckets with public write or read permissions.

In the Findings section, Security Hub classifies findings into Critical/Medium/Low severity levels. Click a finding's title to understand the issue in detail.

Remediation guidance is also shown at the bottom of the page for each finding.

You can integrate AWS Security Hub with AWS Organizations, and then manage Security Hub for accounts in your organization.

You can add multiple accounts and monitor the security overview of the entire organization from one central location.

AWS GuardDuty

GuardDuty combines ML and integrated threat intelligence from AWS and leading third parties to help protect your AWS accounts, workloads, and data.

How it works

Pricing

Walk Through …

Once you have enabled GuardDuty, it takes some time to fetch information from all the resources and populate the dashboard.

You can set up rules and generate new findings for the resources you want.

If you want to exclude a few IP/CIDR ranges so that they are not part of the findings, you can use a trusted IP list. In the same way, you can also enable a threat IP list for your account.

Add the IP details to a list and upload it to S3. Then provide the S3 location and configure the details under Trusted IP List.
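A trusted IP list is a blanket suppression: every address in it stops producing GuardDuty findings, so it is worth checking the file before it goes to S3. The Python below is an added example, not code from the article or from AWS; it rejects malformed lines, flags ranges broad enough to silence large parts of the internet, and reports entries that overlap the threat IP list. The sample entries, the "#" comment convention and the /16 (IPv4) and /32 (IPv6) breadth thresholds are constructed assumptions.

```python
import ipaddress
# Constructed sample lists (not from the article). GuardDuty reads a plain-text file
# with one IP address or CIDR per line; "#" comments are our own convention, stripped on write.
TRUSTED_LIST = """\
203.0.113.0/24   # corporate egress
198.51.100.17
0.0.0.0/0
2001:db8::/32
not-an-ip
"""
THREAT_LIST = """\
203.0.113.77
192.0.2.0/24
"""
# Assumed review thresholds: anything broader than a /16 (IPv4) or /32 (IPv6) is
# flagged, because trusting it suppresses findings for every address inside it.
MIN_PREFIX = {4: 16, 6: 32}

def parse_ip_list(text):
    """Return (networks, errors) with one ipaddress network per valid line."""
    networks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            errors.append(f"line {lineno}: {line!r} is not a valid IP or CIDR")
    return networks, errors

def check_trusted_list(trusted_text, threat_text):
    """Problems that should block the upload: bad lines, broad ranges, conflicts."""
    trusted, errors = parse_ip_list(trusted_text)
    threats, threat_errors = parse_ip_list(threat_text)
    errors += threat_errors
    for net in trusted:
        if net.prefixlen < MIN_PREFIX[net.version]:
            errors.append(f"{net}: too broad, trusting it silences findings for {net.num_addresses} addresses")
        for threat in threats:
            if net.version == threat.version and net.overlaps(threat):
                errors.append(f"{net}: overlaps threat list entry {threat}, resolve before uploading")
    return errors

def emit_clean_list(text):
    """File content to upload to S3: valid entries only, one per line, single hosts without /32 or /128."""
    networks, _ = parse_ip_list(text)
    lines = [str(n.network_address) if n.num_addresses == 1 else str(n) for n in networks]
    return "\n".join(lines) + "\n"
```

Only when `check_trusted_list` returns an empty list should the output of `emit_clean_list` be uploaded to S3 and its location configured under Trusted IP List.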

Conclusion

AWS Security Hub offers a holistic perspective of your security status within AWS, aiding you in evaluating your environment’s adherence to industry standards and best practices. By gathering security data from various AWS accounts, services, and supported third-party partner products, Security Hub facilitates the examination of security trends and identification of critical security concerns.

Through the integration of Amazon GuardDuty with Security Hub, you can effortlessly transmit GuardDuty findings to Security Hub. Consequently, Security Hub incorporates these findings into its analysis of your security posture.


Certified AWS & GCP Cloud Architect currently working at KPMG as an Assistant Manager. About 10 years of experience in Cloud, DevOps & Middleware Technologies.