AWS Security Hub Review
Summary
The Best
- Get findings from various services into one place (so you don't go into the console for each service)
- Easy compliance: built-in evaluations for the CIS benchmark; these are supercharged AWS Config rules
Exciting
- Custom actions that customers can create based on findings
LookOuts
- Bring partner alerts into the AWS dashboard. This will make the dashboard too noisy. Each of the partners has its own alert tuning and you have to go to their dashboards to tune alerts anyway, so I am not sure this will solve the problem of going to multiple vendor dashboards. Just GuardDuty can generate a few hundred alerts.
- Alert management (curating, archiving, remediating) findings is cumbersome. Automating alert management, with API access to alert curation and aggregation, would make this somewhat automatable, so I am waiting for API access to Security Hub in general. Looks like I have to enable Security Hub in each region, and manage alerts in each region, which is impossible .. I am sure the awesome AWS folks will fix it in GA
Enabling Security Hub
You just go to https://console.aws.amazon.com/securityhub/ and enable Security Hub.
The service requires read access to different AWS services, so give it the permissions it asks for.
Security Hub Service
It has 3 different pages
- Standards
- Findings (basically alerts from various AWS services)
- Insights (aggregation of alerts)
Standards
Standards is the built-in CIS benchmark checks.
Insights
Prebuilt insights, plus the ability to create new insights right from this page or from the Findings page.
Findings
Findings are alerts from various AWS services, such as Inspector and GuardDuty.
Settings
The most exciting piece in Settings is custom actions based on a finding; there is not much documentation, so I could not make any custom actions.
The custom action ID is linked into a CloudWatch Events rule.
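To show what the custom action to CloudWatch Events link looks like in practice, and how it addresses the alert-management point raised under Lookouts, here is an added example (not code from the original post or from AWS). It builds the event pattern a CloudWatch Events rule would use to catch one custom action, checks a constructed sample event against it, and aggregates the selected findings by product and finding type so a downstream target (Lambda, SNS, a ticket queue) gets a summary instead of a few hundred raw alerts. The action ARN, account, region and findings are constructed placeholders; the event shape follows the "Security Hub Findings - Custom Action" event that CloudWatch Events delivers.

```python
"""Handle a Security Hub custom-action event and aggregate the findings it carries.

Added example, not code from the original post. The event shape follows the
CloudWatch Events "Security Hub Findings - Custom Action" event; the account,
region, action name and findings below are constructed sample data.
"""
from collections import defaultdict

# Constructed placeholder for the custom action ARN shown in the Security Hub settings page.
SAMPLE_ACTION_ARN = "arn:aws:securityhub:us-west-2:111122223333:action/custom/triage"

# Constructed sample event, shaped like the one CloudWatch Events delivers when a
# custom action is triggered on a set of selected (ASFF-formatted) findings.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "Security Hub Findings - Custom Action",
    "source": "aws.securityhub",
    "account": "111122223333",
    "region": "us-west-2",
    "resources": [SAMPLE_ACTION_ARN],
    "detail": {
        "actionName": "triage",
        "actionDescription": "Send selected findings to the triage queue",
        "findings": [
            {   # two GuardDuty findings of the same type on different instances
                "Id": "arn:aws:guardduty:us-west-2:111122223333:detector/EXAMPLE/finding/f0001",
                "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty",
                "Types": ["TTPs/Command and Control/Backdoor:EC2-C&CActivity.B!DNS"],
                "Severity": {"Normalized": 70},
                "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0aaaa0000aaaa0001"}],
            },
            {
                "Id": "arn:aws:guardduty:us-west-2:111122223333:detector/EXAMPLE/finding/f0002",
                "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty",
                "Types": ["TTPs/Command and Control/Backdoor:EC2-C&CActivity.B!DNS"],
                "Severity": {"Normalized": 70},
                "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0aaaa0000aaaa0002"}],
            },
            {   # a low-severity Inspector finding, filtered out by the default threshold
                "Id": "arn:aws:inspector:us-west-2:111122223333:target/0-EXAMPLE/finding/0-f0003",
                "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/inspector",
                "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
                "Severity": {"Normalized": 30},
                "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0aaaa0000aaaa0003"}],
            },
            {   # low-severity GuardDuty recon noise, also filtered out
                "Id": "arn:aws:guardduty:us-west-2:111122223333:detector/EXAMPLE/finding/f0004",
                "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty",
                "Types": ["TTPs/Discovery/Recon:EC2-PortProbeUnprotectedPort"],
                "Severity": {"Normalized": 20},
                "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0aaaa0000aaaa0001"}],
            },
        ],
    },
}


def custom_action_event_pattern(action_arn):
    """CloudWatch Events rule pattern that fires only for one custom action."""
    return {
        "source": ["aws.securityhub"],
        "detail-type": ["Security Hub Findings - Custom Action"],
        "resources": [action_arn],
    }


def matches_pattern(event, pattern):
    """Minimal event-pattern evaluation: every key in the pattern must exist in
    the event and share at least one value with the pattern's allowed list."""
    for key, allowed in pattern.items():
        value = event.get(key)
        values = value if isinstance(value, list) else [value]
        if not any(v in allowed for v in values):
            return False
    return True


def severity_of(finding):
    """ASFF Severity.Normalized (0-100); missing severity counts as 0."""
    return finding.get("Severity", {}).get("Normalized", 0)


def summarize_findings(event, min_severity=40):
    """Group findings at or above min_severity by (product, first type).
    Returns {(product, type): {"count": n, "ids": [...], "resources": [...]}}."""
    groups = defaultdict(lambda: {"count": 0, "ids": [], "resources": []})
    for finding in event["detail"]["findings"]:
        if severity_of(finding) < min_severity:
            continue
        product = finding["ProductArn"].rsplit("/", 1)[-1]  # e.g. "guardduty"
        finding_type = finding.get("Types", ["Unclassified"])[0]
        group = groups[(product, finding_type)]
        group["count"] += 1
        group["ids"].append(finding["Id"])
        group["resources"].extend(r["Id"] for r in finding.get("Resources", []))
    return dict(groups)


def finding_identifiers(event, min_severity=40):
    """(Id, ProductArn) pairs, which together identify a finding in Security Hub;
    a downstream step would use these to archive or annotate the findings."""
    return [(f["Id"], f["ProductArn"])
            for f in event["detail"]["findings"] if severity_of(f) >= min_severity]


def handle_event(event, action_arn=SAMPLE_ACTION_ARN, min_severity=40):
    """Entry point a rule target would call: ignore events for other actions,
    otherwise return the aggregated summary."""
    if not matches_pattern(event, custom_action_event_pattern(action_arn)):
        return None
    return summarize_findings(event, min_severity)


if __name__ == "__main__":
    for (product, finding_type), group in handle_event(SAMPLE_EVENT).items():
        print(f"{product}: {group['count']} x {finding_type} on {sorted(set(group['resources']))}")
```

The severity threshold and the grouping key are the two knobs worth tuning: raising the threshold drops the recon and low-severity CVE noise the post complains about, and grouping by (product, type) collapses repeated GuardDuty findings into one item per campaign rather than one per instance.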
Providers
Of course you can add providers to the hub.
Conclusions
AWS Security Hub solves the problem of the security practitioner going to various AWS consoles to gather findings.
Curation of alerts is a problem in itself, is very time consuming, and is still left for the security practitioner to solve.
API access to alert aggregation and curation would make this somewhat automatable; I am waiting for API access to Security Hub in general.
By Team VirClop,
Your Virtual Cloud Operations and Security Engineer, right in Slack.