Ensure accounts have properly configured monitoring and alerting (e.g. CLoudTrail). This Op is unnecessary if you are using the centralized monitoring configuration.
CloudTrail, Config, CloudWatch, GuardDuty, S3
This Op properly configures a recommended baseline monitoring and alerting infrastructure for AWS accounts. This is the local account version that does not centralize logs and alerts. Use the *Integrate with central monitoring* Op if you want the account linked into the DisruptOPS centralized infrastructure. This Op enables CloudTrail in all regions, saves the logs to a new (local) S3 bucket, streams the activity to CloudWatch, and enables Config and GuardDuty. It can optionally run the *Implement local account security alerts* Op. It then monitors the account to maintain the configuration over time.
Supported Issue Types:
- Account is not configured with recommended monitoring and alerting configuration
- Monitoring and alerting exists but does not match required configuration
- CloudTrail/Config/CloudWatch/GuardDuty is not configured correctly and should be repaired
- Implement local monitoring and alerting configuration
- Repair non-compliant monitoring and alerting configuration
In our last post, we walked through the console and highlighted making the most of the Security Hub console and some tips and tricks to make it more useful. Today I want to dive into one of the best parts of Security Hub — taking actions on events and findings.
Security Ops Waiting Game Remember in the olden days, when central IT ruled the land? If an application required fixes or new capabilities, the business put in a change order, and the IT folks