AWS Security Hub Review

VirClop, Your Own Virtual Cloud Operator
3 min read · Nov 29, 2018

Summary

The Best

  • Get findings from various services into one place (so you don’t go into console for each service)
  • Easy compliance: built-in evaluations for the CIS benchmark, which are essentially supercharged AWS Config rules

Exciting

  • Custom actions that customers can create based on findings

Lookouts

  • Bringing partner alerts into the AWS dashboard will make the dashboard too noisy. Each partner has its own alert tuning and you have to go to their dashboards to tune alerts anyway, so I am not sure this will solve the problem of going to multiple vendor dashboards. GuardDuty alone can generate a few hundred alerts.
  • Alert management (curating, archiving and remediating findings) is cumbersome. Automating alert management, with API access to alert curation and aggregation, would make it somewhat automatable, so I am waiting for API access to Security Hub in general. It also looks like I have to enable Security Hub in each region and manage alerts in each region separately, which is impossible. I am sure the awesome AWS folks will fix it in GA.

Enabling Security Hub

You just go to https://console.aws.amazon.com/securityhub/ and enable Security Hub.

The service requires read access to various AWS services, so you need to grant it the permissions it asks for.

Security Hub Service

It has three pages:

  • Standards
  • Findings (basically alerts from various AWS services)
  • Insights (aggregation of alerts)

Standards

Standards are the built-in CIS benchmarks.

Insights

Prebuilt insights, plus the ability to create new insights right from this page or from the Findings page.


Findings

Findings are alerts from various AWS services, such as Inspector and GuardDuty.

Settings

The most exciting piece in Settings is custom actions based on a finding. There is not much documentation yet, so I could not create any custom actions.

The custom action ID is linked to a CloudWatch Events rule.
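To make the link between a custom action and a CloudWatch Events rule concrete, here is an added example (not code from the original post or from AWS): the event pattern a rule needs to match one specific custom action, and a Lambda-style handler that consumes the resulting event and keeps only findings above a severity threshold. The account ID, region and action name are placeholders, and the sample event is constructed by hand from the documented shape (source `aws.securityhub`, detail-type `Security Hub Findings - Custom Action`, ASFF findings under `detail.findings`).

```python
"""Added example: Security Hub custom action -> CloudWatch Events rule -> handler.

Assumptions (labelled): ACCOUNT_ID, REGION and ACTION_NAME are placeholders;
SAMPLE_EVENT is constructed by hand for this example, not a captured event.
"""
import json

ACCOUNT_ID = "123456789012"          # placeholder account
REGION = "us-east-1"                 # placeholder region
ACTION_NAME = "SendToTriage"         # assumed custom action identifier
CUSTOM_ACTION_ARN = (
    f"arn:aws:securityhub:{REGION}:{ACCOUNT_ID}:action/custom/{ACTION_NAME}"
)


def event_pattern(custom_action_arn: str) -> dict:
    """CloudWatch Events rule pattern that fires only for this custom action.

    The custom action ARN shows up in the event's `resources` list, so
    matching on it keeps the rule from firing for other actions."""
    return {
        "source": ["aws.securityhub"],
        "detail-type": ["Security Hub Findings - Custom Action"],
        "resources": [custom_action_arn],
    }


def summarize_findings(event: dict, min_severity: int = 40) -> dict:
    """Lambda-style handler: validate the event, then pull out the fields an
    analyst needs for triage (id, product, severity, title, region), keeping
    only findings whose ASFF Severity.Normalized (0-100) is >= min_severity."""
    if (event.get("source") != "aws.securityhub"
            or event.get("detail-type") != "Security Hub Findings - Custom Action"):
        raise ValueError("not a Security Hub custom action event")

    detail = event["detail"]
    kept, dropped = [], 0
    for finding in detail.get("findings", []):
        severity = int(finding.get("Severity", {}).get("Normalized", 0))
        if severity < min_severity:
            dropped += 1
            continue
        kept.append({
            "id": finding["Id"],
            # ProductArn ends in "product/<vendor>/<product>"; keep that tail.
            "product": finding.get("ProductArn", "").split("product/")[-1],
            "severity": severity,
            "title": finding.get("Title", ""),
            "region": finding.get("Region", ""),
        })
    return {"action": detail.get("actionName"), "kept": kept, "dropped": dropped}


# Constructed sample event (three findings, one below the default threshold).
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Custom Action",
    "account": ACCOUNT_ID,
    "region": REGION,
    "resources": [CUSTOM_ACTION_ARN],
    "detail": {
        "actionName": ACTION_NAME,
        "actionDescription": "Send selected findings to the triage queue",
        "findings": [
            {"Id": "finding-guardduty-001",
             "ProductArn": f"arn:aws:securityhub:{REGION}::product/aws/guardduty",
             "Title": "Sample GuardDuty finding (constructed)",
             "Severity": {"Normalized": 40}, "Region": REGION},
            {"Id": "finding-inspector-002",
             "ProductArn": f"arn:aws:securityhub:{REGION}::product/aws/inspector",
             "Title": "Sample Inspector finding (constructed)",
             "Severity": {"Normalized": 70}, "Region": REGION},
            {"Id": "finding-cis-003",
             "ProductArn": f"arn:aws:securityhub:{REGION}::product/aws/securityhub",
             "Title": "Sample CIS benchmark finding (constructed)",
             "Severity": {"Normalized": 10}, "Region": REGION},
        ],
    },
}


if __name__ == "__main__":
    print(json.dumps(event_pattern(CUSTOM_ACTION_ARN), indent=2))
    print(json.dumps(summarize_findings(SAMPLE_EVENT), indent=2))
```

The severity filter is where the "too noisy" concern from the Lookouts section gets handled in code: the rule itself only knows which action was clicked, so any triage logic (thresholds, routing by product) has to live in the target of the rule.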

Providers

Of course, you can add providers to the hub.

Conclusions

AWS Security Hub solves the problem of the security practitioner going to various AWS consoles to gather findings.

Curation of alerts is a problem in itself, and a very time-consuming one, that is still left for the security practitioner to solve.

API access to alert aggregation and curation would make this somewhat automatable; I am waiting for API access to Security Hub in general.

By Team VirClop,

Your Virtual Cloud Operations and Security Engineer, right in Slack.
