Securing your infrastructure through the AWS Security hub

Waseem Mir, Taager Tech Blog
Jul 18, 2022

What is AWS Security HUB?

AWS Security Hub gives you a prioritized view of your security alerts and security posture across your AWS accounts.

You can designate any account in your organization as the Security Hub administrator and view security findings from up to 5,000 AWS accounts. You can also automatically enable Security Hub and its automated security checks in any existing or newly created accounts in the organization.

AWS provides us free usage of the Security Hub for the 1st month in each account.

Why Security Hub?

A lot of companies are steadily migrating workloads into the cloud environment. As a result, they use a mix of 3rd party services, custom scripts, and AWS services to detect security events. Generally, organizations have separate security teams and analysts who take care of infrastructure security, driving up operational costs. With Security Hub, you have a solution that will give visibility into security findings related to the AWS environment so that you can properly prioritize and respond to findings at a fraction of the cost.

Multiple AWS services will collaborate to help generate Security Hub findings. These services include

Security Standards:

Security Hub supports multiple security standards:

· Center for Internet Security (CIS) AWS Foundations v1.2.0:

CIS Benchmarks are best practices for the secure configuration of a target system. They are developed through a unique consensus-based process made up of cybersecurity professionals and subject matter experts worldwide. As a result, CIS Benchmarks are the only consensus-based, best-practice security configuration guides developed and accepted by government, business, industry, and academia. In addition, most CIS Benchmarks include multiple configuration profiles.

The Level 1 profile is considered a base recommendation that can be implemented relatively promptly and is designed not to have an extensive performance impact. The Level 1 profile benchmark's intent is to lower your organization's attack surface while keeping machines usable and not hindering business functionality.

The Level 2 profile is considered "defense in depth" and is intended for environments where security is paramount. The recommendations associated with the Level 2 profile can harm your organization if not implemented appropriately or without due care.

The STIG profile replaces the previous Level 3. The STIG profile provides all recommendations that are STIG specific. Overlap with recommendations from the other profiles, i.e., Level 1 and Level 2, is present in the STIG profile as applicable.

· AWS Foundational Security Best Practices v1.0.0:

The AWS Foundational Security Best Practices standard is a set of controls that detect when your deployed accounts and resources deviate from security best practices. The controls include best practices from across multiple AWS services. Each control belongs to one of the following categories based on the functions described in the NIST Cybersecurity Framework.

· Payment Card Industry Data Security Standard (PCI DSS) v3.2.1:

The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit, and cash card transactions and protect cardholders against misuse of their personal information.

Enabling Security Hub runs the first round of compliance checks within two hours, and then again every 12 hours.

We will walk you through how to get started with one of the security standards.

1. Search for Security Hub in AWS Services

2. Click on Security standards, and the AWS console will present you with the below screen.

3. Click View Results for CIS AWS Foundations Benchmark v1.2.0, and filter on control 4.1.

4. Click on the Title: Ensure no security groups allow ingress from 0.0.0.0/0. This presents a view of all resources evaluated in the control and the current status of each resource related to the control.

5. Scroll down, and you will notice some resources with a FAILED and some with a PASSED status. For one FAILED resource, click on the three dots in the Investigate column. AWS will display links that will take you to AWS Config to view the configuration timeline for this resource or the overall config rule that evaluated this resource. Feel free to click the links to explore the resource and the config rule.

6. At the top of the page, click the Remediation instructions link to open guidance in a new tab.

Usage Summary:

Security Hub provides usage information for your AWS account, helping you understand your monthly billing estimate and which components of Security Hub contribute to your bill. In addition, Security Hub offers a 30-day free trial for each account. During the free trial, Security Hub estimates what the spending would be so you can assess your spending beyond the free trial.

  1. Click Settings on the left-hand navigation.
  2. Click the Usage tab in the Settings screen.
  3. On the left-hand side of the screen, your usage for the billing period is displayed. Usage is broken down by findings ingested and by security checks that have been run. At the bottom of the usage, the summary is the total estimated cost for the billing period. On the right-hand side is the current Security Hub pricing so that you can see how the usage in your account contributed to the estimated cost.

Concepts and Terminology

To make the most of AWS Security Hub, keep the following concepts in mind:

Finding — The smallest unit in Security Hub. A finding is "a piece of security information"; it can come from an AWS service such as GuardDuty, Macie, or Inspector, or from an external provider that you may already be using and paying for and want to integrate.

Insight — A Security Hub insight is a collection of related findings defined by an aggregation statement and optional filters. An insight identifies a security area that requires attention and intervention.

Standards — A predefined group of rules based on the security industry and AWS best practices used to measure compliance.
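The console walkthrough above (filter a CIS control, list the resources that FAILED) and the Finding/Insight concepts can be expressed over Security Hub's finding records directly. The following is an added example, not code from the original post: it works on constructed sample findings shaped like the AWS Security Finding Format (ASFF), implements an insight as "filters plus a grouping attribute", and computes a simplified control score; the use of ProductFields.RuleId to carry the CIS control number and the score formula itself are assumptions.

```python
from collections import Counter

# Constructed sample findings, shaped like ASFF records and trimmed to the fields used here.
FINDINGS = [
    {"Id": "f-1", "ProductFields": {"RuleId": "4.1"}, "Compliance": {"Status": "FAILED"}, "RecordState": "ACTIVE",
     "Resources": [{"Type": "AwsEc2SecurityGroup", "Id": "sg-0aaa"}]},
    {"Id": "f-2", "ProductFields": {"RuleId": "4.1"}, "Compliance": {"Status": "PASSED"}, "RecordState": "ACTIVE",
     "Resources": [{"Type": "AwsEc2SecurityGroup", "Id": "sg-0bbb"}]},
    {"Id": "f-3", "ProductFields": {"RuleId": "4.1"}, "Compliance": {"Status": "FAILED"}, "RecordState": "ARCHIVED",
     "Resources": [{"Type": "AwsEc2SecurityGroup", "Id": "sg-0ccc"}]},   # archived: already remediated
    {"Id": "f-4", "ProductFields": {"RuleId": "2.9"}, "Compliance": {"Status": "FAILED"}, "RecordState": "ACTIVE",
     "Resources": [{"Type": "AwsEc2Vpc", "Id": "vpc-0ddd"}]},
    {"Id": "f-5", "ProductFields": {"RuleId": "1.4"}, "Compliance": {"Status": "PASSED"}, "RecordState": "ACTIVE",
     "Resources": [{"Type": "AwsIamAccessKey", "Id": "AKIA-EXAMPLE-PLACEHOLDER"}]},
]

def resolve(obj, path):
    """Walk a dotted ASFF path such as 'Compliance.Status' or 'Resources.0.Id'; None if absent."""
    for key in path.split("."):
        if isinstance(obj, list) and key.isdigit():
            obj = obj[int(key)] if int(key) < len(obj) else None
        elif isinstance(obj, dict):
            obj = obj.get(key)
        else:
            return None
    return obj

def insight(findings, group_by, filters):
    """An insight in Security Hub terms: optional filters, then a count per grouping attribute."""
    return dict(Counter(resolve(f, group_by) for f in findings
                        if all(resolve(f, p) == v for p, v in filters.items())))

def failed_resources(findings, rule_id):
    """Step 5 of the walkthrough: active FAILED resources for one CIS control (archived ones are ignored)."""
    hits = insight(findings, "Resources.0.Id",
                   {"ProductFields.RuleId": rule_id, "Compliance.Status": "FAILED",
                    "RecordState": "ACTIVE"})
    return sorted(r for r in hits if r)

def control_score(findings):
    """Simplified score (assumption, not Security Hub's exact formula): % of controls with no active FAILED finding."""
    controls = {resolve(f, "ProductFields.RuleId") for f in findings if f["RecordState"] == "ACTIVE"}
    failing = insight(findings, "ProductFields.RuleId",
                      {"Compliance.Status": "FAILED", "RecordState": "ACTIVE"})
    return round(100 * (len(controls) - len(failing)) / len(controls)) if controls else 0

if __name__ == "__main__":
    print(failed_resources(FINDINGS, "4.1"))   # ['sg-0aaa']
    print(control_score(FINDINGS))             # 33
```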

Managing AWS Accounts in AWS Security Hub

You can have a hierarchy of a master account and sub-accounts; it is established through invitations.

1. In a sub-account, you need to enable Security Hub before accepting an invitation.

2. A master account can view the sub-account findings and archive them.

3. GuardDuty has the same master/sub-account system, but the relationship must also be set up in Security Hub; the GuardDuty permissions do not carry over.

4. A sub-account can accept only one invitation, and a master account cannot accept an invitation.

Terraform Support

Terraform support for Security Hub was released on 20th December 2018, but not all features are fully supported as of writing this article.

Significant features that are missing:

  • automating the invite/accept mechanism of a subaccount
  • creating an insight (a group of findings)

Neither of these is a big blocker; they are still doable through the AWS web console.

You can enable Security Hub using a single line of Terraform code:

resource "aws_securityhub_account" "example" {}

This will automatically generate a role in IAM with the default policy.

Use of Security Hub at Taager:

Taager has started using Security Hub with the CIS standard and AWS Foundational Security Best Practices enabled, and Security Hub helped us improve our security score from 22% to 100%.

There have been several findings that we discovered and fixed because of Security Hub.

We monitor the findings as they refresh, which helps us foresee any potential risk to the security of the infrastructure.

It has excellent integration with internal and external tools, which can send their findings into Security Hub and make it a single source of truth for all your security issues.

Conclusion

AWS Security Hub is an excellent tool for all your security needs. We hope this article helps you understand its potential quickly, without needing to read any of the "getting started" pages.
