AWS security hub is a cloud security posture service that automates security checks and brings security alerts into a central location. The service performs best practice validation against your security settings, aggregates alerts and automates remediation of non compliant security settings.
AWS Security hub delivers a comprehensive view of your security state in AWS and helps you compare your environment against security industry standards and best practices.
AWS Security Hub collects security data from across your AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues.
CPSM - Cloud Security Posture Management
AWS security hub helps you reduce risk by implementing automated checks based on a collection of security controls managed and curated by security experts at AWS. This methodology helps simplify compliance management as it has mapping built in to suit common security compliance frameworks like CIS, PCI DSS and AWS Foundational Security Best Practices standard.
CIS Center for Internet Security Certification
AWS Security Hub has satisfied the requirements of CIS Security Software Certification and has been awarded CIS Security Software Certification for the following CIS Benchmarks:
- CIS Benchmark for CIS Amazon Web Services Foundations Benchmark, v1.2.0, Level 1
- CIS Benchmark for CIS Amazon Web Services Foundations Benchmark, v1.2.0, Level 2
PCI DSS Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) in Security Hub consists of a set of AWS security best practices controls. Each control applies to a specific AWS resource, and relates to one or more PCI DSS version 3.2.1 requirements. A PCI DSS requirement can be related to multiple controls.
Security Hub currently scopes the controls at the account level. It is recommended that you enable these controls in all of your accounts that have resources that store, process, and/or transmit cardholder data.
This standard was validated by AWS Security Assurance Services LLC (AWS SAS), which is a team of Qualified Security Assessors (QSAs) certified to provide PCI DSS guidance and assessments by the PCI DSS Security Standards Council (PCI SSC). AWS SAS have confirmed that the automated checks can assist a customer in preparing for a PCI DSS assessment.
AWS Foundational Security Best Practices Standard
The AWS Foundational Security Best Practices standard is a set of controls that detect when your deployed accounts and resources deviate from security best practices.
The standard allows you to continuously evaluate all of your AWS accounts and workloads to quickly identify areas of deviation from best practices. It provides actionable and prescriptive guidance on how to improve and maintain your organization’s security posture.
Why do organizations use AWS Security Hub?
Streamline the collection and prioritization of security findings.
AWS Security Hub reduces the effort to collect and prioritize potential security problems across accounts from integrated AWS services and AWS partner products. Security Hub processes finding data using a standard finding format, which eliminates the need to manage security findings data from multiple formats. Security Hub then correlates findings across providers to help you prioritize the most important ones.
Automate security checks against best practices
AWS Security Hub automatically runs continuous, account-level configuration and security checks based on industry standards and AWS best practice. Security Hub provides the result of these checks as a readiness score, and identifies specific accounts and resources that require attention.
Report findings across multiple accounts and providers in one consolidated view.
AWS Security Hub consolidates your security findings across accounts and provider products and displays results on your Security Hub console. This allows you to view your overall current security status to spot trends, identify potential issues, and take the necessary remediation steps.
Automate remediation in response to findings
AWS Security Hub supports integration with Amazon EventBridge. To automate remediation of specific findings, you can set up custom actions to take when a finding is received. For example, you can configure custom actions to send findings to a ticketing system or to an automated remediation system.
How does AWS Security Hub work?
There are two ways to instantiate security hub operations. The first is via the Security Hub console at https://console.aws.amazon.com/securityhub the other is via the security hub API which allows you to issue https requests directly to the service. (see https://docs.aws.amazon.com/securityhub/1.0/APIReference/ )
When you enable AWS Security Hub, it starts to consume, aggregate, organize, and prioritize findings from AWS services that you have enabled, such as Amazon GuardDuty, Amazon Inspector etc. You can also enable integrations with various AWS partner security products. Those partner products can then also send findings to Security Hub.
Partner integrations that send and/or receive security alerts include :
- Alert Logic
- Aqua Security - Cloud native and Kube-bench
- Armor Anywhere
- Atlassian Jira Service Management and Opsgenie
- Barracuda Networks
- Blue Hexagon
- Capitis Solutions
- Checkpoint CloudGuard
- Cloud Custodian
- Cloud Storage Security
- IBM QRadar
- Juniper Networks
- K9 Security
- McAfee Mvision
- Microfocus Arcsight
- Palo Alto Networks Cortex XSOAR
- Rackspace Cloud Native Security
- RSA Archer
- ServiceNow ITSM
- Sonrai Security
- Sophos Server protection
- Splunk Enterprise and Phantom
- Sumo Logic
- Symantec Cloud Workload Protection
- Vectra AI
Security Hub also generates its own findings by running continuous, automated security checks based on AWS best practices and supported industry standards.
Security Hub then correlates and consolidates findings across providers to help you to prioritize the most significant findings. You can also create insights in Security Hub. An insight is a collection of findings that are grouped together when you apply a Group by filter. Security Hub Insights help you identify common security issues that may require remediation action. Security Hub includes several managed insights, or you can create your own custom insights.
One thing to note is that findings are only generated after security hub is enabled, the service will not retrospectively detect security findings and will also only generate findings within the region the security hub was enabled.
Why use AWS Security Hub?
One of the major advantages of AWS security hub is the time you save by centralizing your security information and event management. Having a centralised dashboard that is pulling in security concerns or events from all your AWS and integrated third party security services saves a lot of time having to visit each service in turn.
Some of the integrated services mentioned above receive notifications from security hub. For instance, you could send alerts straight to a Slack Channel or a Jira ticket for investigation by your security or DevSecOps team.
How to Get Started with AWS Security Hub
To get started with Security Hub, all you need to do is log into your AWS console and navigate to AWS Security Hub.
Then enable the service on your primary account and any other accounts or services you want to include in your security monitoring.
AWS Security Hub will then start gathering information.
Of course there are costs associated with using this service, however the first 30 days are provided free of charge, so you can assess the service and review the service usage costs over the first month so you know what to expect.
So that’s a quick run through AWS Security Hub. If you are building or operating AWS infrastructure, another fantastic resource to understand your infrastructure and security posture are the diagrams automatically generated by connecting your AWS accounts to hava.io
Once connected Hava will auto generate diagram sets for each VPC or container cluster discovered and map out all the resources it finds in the environment, so you can see exactly what is running where. Then when changes are detected, Hava updates your diagrams for you and retains the superseded diagrams in version history, so you always have an audit trail of network changes.
All this is done, hands free, no drag and drop which depending on the size and number of AWS accounts you have could save you hours if not days of tedious manual diagramming.
You can take a free 14 day trial of Hava using the button below.