AWS Security Hub
Security Hub gives a centralised view of findings from various services, cross AWS accounts and third-party partners. It prioritises the findings, which helps you to analyse and identify security issues with higher priority. Security Hub checks your environment against security best practices and industry standards. It is a regional service. It must be enabled in each region in order to view the findings in that region.
Security Hub collects the findings from other AWS Services such as Amazon GuardDuty, Amazon Macie, Amazon Inspector, IAM Access Analyser, AWS Systems Manager, AWS Firewall Manager, third-party partners and other AWS Accounts. It then aggregates, organises and prioritises the collected findings . It can be integrated with Amazon EventBridge. Security Hub has the ability to automate remediation of findings.
Security Hub Walkthrough
Enabling Security Hub
Enable resource recording in AWS Config, before enabling Security Hub standards. Open AWS Security Hub console, click on "Go to Security Hub". Check Security Standards and click "Enable Security Hub".
Summary of Security Hub
To view the summary of the security Hub, click on the Summary in the left navigation pane. The summary gives the insights, latest findings from integrated services, Security score of enabled standards, resources with most findings. The Summary also shows the Passed and Failed status of Security Standards.
Security Standards are statements on a topic, that are published and specifies the measurable characteristics usually in the form of controls. These Security Standards must be achieved for compliance .
Security Hub has the following Standards :
- AWS Foundational Security Best Practices
- CIS (Center for Internet Security ) AWS Foundations
- PCI DSS - Payment Card Industry Data Security Standard
The image represents the Security score and findings of AWS Foundation Security Best Practices. It shows the number of findings that are enabled, Passed, Failed and No data.
A finding is a Security issue or observable record in a security check . Findings are stored for 90 days, to store more than 90 days you can use S3. New findings can be created or existing findings can be updated . Security Hub collects findings from multiple providers using a format called the AWS Security Finding Format .
Archived Findings - The findings that are no longer relevant. These findings have the "RecordState" set to "Archived". By default these findings are excluded from the findings list.
To view the findings, click on the findings in the left navigation pane. The findings page shows the list of all the findings with their status, severity [Low, Medium, High and Critical], resource of the finding and status. You can view the findings by applying filters in search bar. click on Title to view more details about the finding .
An Insight is a collection of related findings. These Insights are defined by filters and aggregates. It identifies the area that needs attention. Custom Insights can be created through console. Click on Insights in the left navigation pane to view the Insights. Filters can be applied on Insights as well.
Security Hub is a very useful service in security aspect to get a centralised view of all the findings from multiple sources. It organises and priorities the findings in a standard format, which eliminates the need for time consuming data conversations. It gives consolidated view of your security state.