AWS Security Management with SecurityHub
Security has been a top concern with cloud adoption since its inception and as a result, security has been a top concern of cloud vendors as well. To help customers meet the security challenges of cloud infrastructure, AWS provides a lot capabilities including: granular access control with Identity Access Management (IAM), network security with security groups, data security with encryption in transit and at rest, audit logging, anomaly detection, and more. But even with all these great technologies, they don’t provide effective security unless they are configured correctly. This is where SecurityHub steps in.
Amazon released SecurityHub for general availability in June of 2019 to address a few critical challenges:
- Consolidated visibility of security issues by aggregating findings from many AWS services and third-party tools.
- Automated assessment of cloud configurations based on compliance standards (eg. CIS Benchmarks and PCI) and best practices as recommended by AWS.
- Finding publication to CloudWatch to support response to security issues.
AWS SecurityHub aggregates findings from a number of sources. In particular, it aggregates findings across many of the AWS services including: Config, GuardDuty, Macie, Access Analyzer, Detective, Firewall Manager, and more. And while it is a regional service, it is possible to define a master account and aggregate findings across multiple accounts and regions for a single-pane of glass view of issues.
By publishing a standard findings formation, the Amazon Security Findings Format (ASFF), third-party vendors are able to publish findings into SecurityHub, including issues from DisrutpOps.
Automated Assessment for Compliance and Best Practices
Utilizing Config rules and other sources, SecurityHub is able to assess cloud infrastructure configurations for many common security findings. This is a common feature of Cloud Security Posture Management products and provides a great baseline of your cloud security health. Currently SecurityHub supports the security standards of CIS AWS Foundational Benchmarks 1.2.0 and PCI DSS 3.2.1. In addition, they provide the AWS Foundational Security Best Practices.
Each of the controls and recommended remediation steps are documented in their user guides, for example the CIS controls can be found here: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html
When findings are discovered, they are published to CloudWatch. This integration presents great opportunities to build response mechanisms to critical security findings. For example, if a critical finding from GuardDuty indicates malicious user behavior, SecurityHub will send that finding to CloudWatch. To handle these events, it is possible to create CloudWatch Rules and build lambda functions to respond in near-real time.
DisruptOps and SecurityHub
We are excited to be partners with SecurityHub dating back to when it was still in preview mode. With integrations to both publish findings from our advanced governance assessments and to “take action” on discovered findings, we are deeply integrated into SecurityHub. As SecurityHub expands its capabilities by supporting additional services and new compliance checks, we will be right here enabling our customers to respond to these findings with user-defined alerts and actions.
SecurityHub is a great service available to AWS customers and one you should definitely check out to improve your cloud security.