AWS Security Hub – A Centralised Security Service

2021.07.06

AWS Security Hub

Security Hub gives a centralised view of findings from multiple AWS services, across AWS accounts, and from third-party partner products. It prioritises the findings, which helps you analyse and act on the most important security issues first. Security Hub also checks your environment against security best practices and industry standards. It is a regional service: it must be enabled in each region, and the findings for a region are viewed in that region.

Security Hub collects findings from other AWS services such as Amazon GuardDuty, Amazon Macie, Amazon Inspector, IAM Access Analyzer, AWS Systems Manager and AWS Firewall Manager, as well as from third-party partner products and from other AWS accounts. It then aggregates, organises and prioritises the collected findings. Every finding is also delivered to Amazon EventBridge, so EventBridge rules can route selected findings to targets such as Lambda functions or Systems Manager Automation documents; this EventBridge integration is how Security Hub supports automated remediation of findings.
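The EventBridge-driven remediation described above, as an added example that is not part of the original post and not AWS code. It keeps the rule pattern Security Hub documents for automated response (new, active HIGH or CRITICAL findings), evaluates it locally with a small exact-value matcher, decides which runbook to launch from the control ID in the finding's GeneratorId, and builds the BatchUpdateFindings request that records the action and moves the finding to NOTIFIED. The event, the finding IDs, the account number and the runbook names are constructed placeholders; the ASFF and API field names are the real ones.

```python
"""Route Security Hub findings arriving through EventBridge to a remediation
runbook and record the outcome on the finding. Added example for this post,
not AWS code: the event is constructed to look like the "Security Hub
Findings - Imported" event (real ASFF field names, made-up IDs, ARNs and
account number) and the runbook names are placeholders, not real SSM documents.
"""

# EventBridge rule pattern: only new, active HIGH/CRITICAL findings trigger remediation.
RULE_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {
        "Severity": {"Label": ["HIGH", "CRITICAL"]},
        "RecordState": ["ACTIVE"],
        "Workflow": {"Status": ["NEW"]},
    }},
}

# Control ID (last segment of GeneratorId on standards findings) -> placeholder runbook name.
RUNBOOKS = {"S3.2": "RemediateS3PublicRead", "EC2.19": "RemediateUnrestrictedSecurityGroup"}


def pattern_matches(pattern, value):
    """Exact-value subset of EventBridge pattern matching: a leaf pattern is a list
    of allowed values, and a list in the event matches if any element does. Arrays
    of objects are matched element by element, which is slightly stricter than
    EventBridge's flattening but identical for single-finding events."""
    if isinstance(pattern, list):
        return any(v in pattern for v in value) if isinstance(value, list) else value in pattern
    if isinstance(value, list):
        return any(pattern_matches(pattern, v) for v in value)
    if not isinstance(pattern, dict) or not isinstance(value, dict):
        return False
    return all(k in value and pattern_matches(p, value[k]) for k, p in pattern.items())


def plan_remediation(event):
    """One entry per finding that passes the rule: the identifiers BatchUpdateFindings
    needs, the resource to fix and the mapped runbook (None when none is mapped)."""
    if not pattern_matches(RULE_PATTERN, event):
        return []
    finding_pattern = RULE_PATTERN["detail"]["findings"]
    plan = []
    for finding in event["detail"]["findings"]:
        if not pattern_matches(finding_pattern, finding):
            continue  # another finding in the same event matched, not this one
        control = finding["GeneratorId"].rsplit("/", 1)[-1]
        plan.append({"Id": finding["Id"], "ProductArn": finding["ProductArn"],
                     "ResourceId": finding["Resources"][0]["Id"], "Runbook": RUNBOOKS.get(control)})
    return plan


def workflow_updates(plan, updated_by="remediation-automation"):
    """BatchUpdateFindings requests for findings whose runbook was launched: Workflow.Status
    becomes NOTIFIED and a note names the runbook. One request per runbook, chunked to the
    API limit of 100 FindingIdentifiers per call."""
    by_runbook = {}
    for entry in plan:
        if entry["Runbook"]:
            by_runbook.setdefault(entry["Runbook"], []).append(entry)
    requests = []
    for runbook, entries in sorted(by_runbook.items()):
        for i in range(0, len(entries), 100):
            chunk = entries[i:i + 100]
            requests.append({
                "FindingIdentifiers": [{"Id": e["Id"], "ProductArn": e["ProductArn"]} for e in chunk],
                "Note": {"Text": "Automated remediation started: " + runbook, "UpdatedBy": updated_by},
                "Workflow": {"Status": "NOTIFIED"},
            })
    return requests


def sample_finding(fid, label, control, resource_type, resource_id, record_state="ACTIVE", workflow="NEW"):
    """Constructed ASFF finding with only the fields this example reads."""
    return {"SchemaVersion": "2018-10-08", "Id": fid,
            "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub",
            "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/" + control,
            "Severity": {"Label": label}, "RecordState": record_state,
            "Workflow": {"Status": workflow}, "Resources": [{"Type": resource_type, "Id": resource_id}]}


def sample_event(*findings):
    """Constructed EventBridge event (made-up account and region) wrapping the findings."""
    return {"version": "0", "source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
            "account": "111122223333", "region": "eu-west-1", "detail": {"findings": list(findings)}}
```

In a Lambda target the handler would call plan_remediation on the incoming event, start the runbook for each entry, and pass each dict from workflow_updates to the securityhub client's batch_update_findings. Findings that are ARCHIVED, already NOTIFIED or RESOLVED, or below HIGH never reach the handler because the rule pattern filters them out at EventBridge.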


Security Hub Walkthrough

Enabling Security Hub

Before enabling the Security Hub standards, enable resource recording in AWS Config, because the checks behind the standards' controls run as AWS Config rules. Open the AWS Security Hub console and click "Go to Security Hub". Tick the security standards you want to enable and click "Enable Security Hub".


Summary of Security Hub

To view the Security Hub summary, click Summary in the left navigation pane. The summary shows the insights, the latest findings from integrated services, the security score of each enabled standard, and the resources with the most findings. It also shows how many of the enabled standards' controls have passed and failed.


Security Standards

A security standard is a published set of requirements on a topic, expressed as measurable controls. Security Hub runs the checks behind those controls and reports whether your resources pass or fail them; meeting the controls is what compliance with the standard means.

Security Hub has the following standards:

  • AWS Foundational Security Best Practices
  • CIS (Center for Internet Security) AWS Foundations Benchmark
  • PCI DSS (Payment Card Industry Data Security Standard)

The image represents the security score and findings of AWS Foundational Security Best Practices. It shows the number of controls that are enabled, and how many of them have passed, failed or have no data.


Findings

A finding is a record of a potential security issue, or the result of a security check, for a resource. Security Hub keeps a finding for 90 days after its last update; to retain findings for longer, export them (for example to S3, via the EventBridge integration) before they expire. Providers can create new findings or update existing ones. Security Hub receives findings from every provider in a single format, the AWS Security Finding Format (ASFF).

Archived findings are findings that are no longer relevant. They have RecordState set to ARCHIVED, and by default they are excluded from the findings list.

To view findings, click Findings in the left navigation pane. The Findings page lists every finding with its workflow status, severity (Informational, Low, Medium, High or Critical), the affected resource and its compliance status. You can narrow the list by applying filters in the search bar. Click a finding's title to view its details.


Insights

An insight is a collection of related findings, defined by a set of filters and an attribute by which the matching findings are grouped. Insights identify the areas that need attention. Security Hub provides managed insights, and custom insights can be created through the console. Click Insights in the left navigation pane to view them; filters can be applied to insights as well.
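The Findings filters and the Insights described in the two sections above, as an added example that is not part of the original post and not Security Hub code. It evaluates a filter written with the real AwsSecurityFindingFilters field names and StringFilter comparisons (the structure GetFindings and CreateInsight take) against a set of constructed ASFF findings, ranks the survivors by severity, and groups them by resource the way an insight's GroupByAttribute does. The findings, IDs and ARNs are made up; the helper names (TRIAGE_FILTER, apply_filters, rank, group_by, insight_request) are this example's own.

```python
"""Triage ASFF findings the way a Security Hub finding filter and a custom
insight do. Added example for this post, not Security Hub code. The filter uses
the real AwsSecurityFindingFilters field names and StringFilter comparisons that
GetFindings and CreateInsight accept, and the evaluator follows their documented
semantics (EQUALS values within a field are ORed, NOT_EQUALS values are ANDed,
fields are ANDed). The findings are constructed, with made-up IDs and ARNs.
"""
from datetime import datetime

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL"]

# Filter field name -> where that value lives in an ASFF finding.
FIELD_PATHS = {
    "RecordState": lambda f: f["RecordState"],
    "WorkflowStatus": lambda f: f["Workflow"]["Status"],
    "SeverityLabel": lambda f: f["Severity"]["Label"],
    "ComplianceStatus": lambda f: f.get("Compliance", {}).get("Status"),
    "ResourceType": lambda f: f["Resources"][0]["Type"],
    "ResourceId": lambda f: f["Resources"][0]["Id"],
}

# "Active, not suppressed, HIGH or CRITICAL": the filter a triage view would use.
TRIAGE_FILTER = {
    "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
    "WorkflowStatus": [{"Value": "SUPPRESSED", "Comparison": "NOT_EQUALS"}],
    "SeverityLabel": [{"Value": "HIGH", "Comparison": "EQUALS"},
                      {"Value": "CRITICAL", "Comparison": "EQUALS"}],
}


def _hit(value, flt):
    """Does one StringFilter match the value? Missing values never match."""
    if value is None:
        return False
    if flt["Comparison"].startswith("PREFIX"):
        return value.startswith(flt["Value"])
    return value == flt["Value"]


def string_filter_matches(value, filters):
    """One field's StringFilter list: at least one positive filter must hit (if any
    are given) and no negative filter may hit."""
    positive = [f for f in filters if f["Comparison"] in ("EQUALS", "PREFIX")]
    negative = [f for f in filters if f["Comparison"] in ("NOT_EQUALS", "PREFIX_NOT_EQUALS")]
    if positive and not any(_hit(value, f) for f in positive):
        return False
    return not any(_hit(value, f) for f in negative)


def apply_filters(findings, filters):
    """Findings satisfying every field of the filter (fields are ANDed)."""
    return [f for f in findings
            if all(string_filter_matches(FIELD_PATHS[field](f), flts) for field, flts in filters.items())]


def rank(findings):
    """Most severe first; within a severity, most recently updated first."""
    newest_first = sorted(findings, reverse=True,
                          key=lambda f: datetime.strptime(f["UpdatedAt"], "%Y-%m-%dT%H:%M:%S.%fZ"))
    return sorted(newest_first, key=lambda f: SEVERITY_ORDER.index(f["Severity"]["Label"]))


def group_by(findings, attribute):
    """Count findings per value of a field, as an insight's GroupByAttribute does; largest first."""
    counts = {}
    for f in findings:
        key = FIELD_PATHS[attribute](f)
        counts[key] = counts.get(key, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def insight_request(name, filters, group_by_attribute):
    """Parameters for the CreateInsight API call that saves the same view as a custom insight."""
    return {"Name": name, "Filters": filters, "GroupByAttribute": group_by_attribute}


def sample_finding(fid, label, resource_type, resource_id, updated_at,
                   record_state="ACTIVE", workflow="NEW", compliance="FAILED"):
    """Constructed ASFF finding with only the fields this example reads."""
    return {"SchemaVersion": "2018-10-08", "Id": fid,
            "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub",
            "Severity": {"Label": label}, "RecordState": record_state,
            "Workflow": {"Status": workflow}, "Compliance": {"Status": compliance},
            "Resources": [{"Type": resource_type, "Id": resource_id}], "UpdatedAt": updated_at}


# Constructed sample set: two findings on one bucket, one open security group,
# a suppressed root-account finding, an archived finding and a passing LOW check.
BUCKET = "arn:aws:s3:::example-public-bucket"
SG = "arn:aws:ec2:eu-west-1:111122223333:security-group/sg-0123456789abcdef0"
SAMPLE_FINDINGS = [
    sample_finding("f-1", "HIGH", "AwsS3Bucket", BUCKET, "2021-07-05T08:00:00.000Z"),
    sample_finding("f-2", "CRITICAL", "AwsS3Bucket", BUCKET, "2021-07-04T08:00:00.000Z"),
    sample_finding("f-3", "HIGH", "AwsEc2SecurityGroup", SG, "2021-07-06T08:00:00.000Z"),
    sample_finding("f-4", "CRITICAL", "AwsAccount", "AWS::::Account:111122223333",
                   "2021-07-06T09:00:00.000Z", workflow="SUPPRESSED"),
    sample_finding("f-5", "HIGH", "AwsS3Bucket", "arn:aws:s3:::example-deleted-bucket",
                   "2021-04-01T08:00:00.000Z", record_state="ARCHIVED"),
    sample_finding("f-6", "LOW", "AwsS3Bucket", BUCKET, "2021-07-06T10:00:00.000Z", compliance="PASSED"),
]
```

Running apply_filters with TRIAGE_FILTER over SAMPLE_FINDINGS leaves f-1, f-2 and f-3: the suppressed, archived and LOW findings drop out exactly as they would in the console. group_by on ResourceId then reproduces the "resources with most findings" view from the Summary page, and insight_request("Triage", TRIAGE_FILTER, "ResourceId") is the request that turns that view into a custom insight.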


Conclusion

Security Hub is a very useful service for getting a centralised view of all the findings from multiple sources. It organises and prioritises the findings in a standard format, which eliminates the need for time-consuming data conversions, and gives a consolidated view of your security state.