AWS Security Hub


Overview

AWS Security Hub is a service that monitors compliance with security standards and best practices and gives you a complete picture of your security status within AWS. To assist you in analyzing your security trends and identifying the most critical security issues, the AWS Security Hub centralizes and prioritizes security discoveries across AWS accounts, services, and supported third-party partners.

What is AWS Security Hub?

AWS Security Hub is a service introduced in 2018 that helps you examine your high-priority security warnings and compliance status across all of your AWS accounts. With Security Hub, your security alerts or findings are collected, arranged, and prioritized from various AWS services, such as Amazon GuardDuty, Amazon Inspector, IAM Access Analyzer, AWS Firewall Manager, and Amazon Macie, as well as from third-party AWS Partner solutions.

Security Hub offers a pre-built dashboard for your AWS environment to assist you in managing and prioritizing any issues or alarms found during security assessments.

Below is a sample AWS Security Hub dashboard, which shows the security score along with a list of resources whose security checks failed.

[Image: sample AWS Security Hub dashboard]

This dashboard enables you to compare your environment to industry standards and best practices for AWS security. Additionally, you can benefit from the built-in automatic checks for PCI DSS (Payment Card Industry Data Security Standard) and the CIS (Center for Internet Security) benchmarks.

Apart from that, you can also list the security findings for a particular region sorted by severity in descending order.

[Image: security findings sorted by severity]

How Does It Work?

AWS Security Hub is AWS's Cloud Security Posture Management (CSPM) service: it performs security best practice checks, collects alerts, and enables automated remediation.

[Image: how AWS Security Hub works]

When you enable Security Hub, it starts consuming, compiling, organizing, and prioritizing information from the AWS services that you have enabled, including Amazon GuardDuty, Amazon Inspector, and Amazon Macie. Additionally, you can enable integrations with security products from AWS partners. These partner solutions can then communicate findings to Security Hub.

Security Hub also generates its own findings by running continuous, automated security checks against recommended AWS practices and accepted industry standards.

Then, Security Hub correlates and aggregates results from many providers to assist you in prioritizing the most important findings.

Security Hub includes several managed and custom insights (you can create your own) to help you identify common security issues that may require remediation action.

AWS Security Hub Concepts

Account:

A standard Amazon Web Services (AWS) account that houses your AWS resources.

Administrator Account:

It is a Security Hub user account with permission to view findings for the associated member accounts.

Aggregation Region:

The region where you examine and manage findings is known as the aggregation region. By setting an aggregation region, you can display security findings from several regions in one window.

Archived Finding:

An archived finding is a finding whose RecordState has the value ARCHIVED. When a finding is archived, it means the finding provider no longer considers it to be relevant.

AWS Security Finding Format (ASFF):

ASFF is the standard format for the findings that Security Hub generates or collects. Because every finding is expressed in ASFF, you can use Security Hub to access and evaluate findings produced by AWS security services, third-party solutions, or Security Hub's own security checks in a single consistent form.

Control:

It is a safeguard or countermeasure recommended for an information system or an organization, designed to protect the confidentiality, integrity, and availability of its information while also meeting a set of predetermined security requirements. Controls are the elements of a security standard.

Cross-Region Aggregation:

The collection of data from linked regions into an aggregation region, including findings, insights, control compliance statuses, and security scores.

Custom Action:

A means for Security Hub to send selected findings to EventBridge. You create the custom action in Security Hub and then connect an EventBridge rule to it. When a finding associated with that custom action ID is received, the rule specifies the action to take.

Delegated Administrator Account (Organizations):

The account designated as the administrator for a service in AWS Organizations; it can control how the organization uses that service.

Finding:

The visible evidence of a security inspection or security-related discovery.

Finding ingestion:

  • Findings from other AWS services and partner providers imported into Security Hub.
  • Finding ingestion events include both new findings and updates to existing findings.

Insights:

A collection of related findings defined by an aggregation statement and optional filters.

Linked Region:

A Linked Region is a region that aggregates results, insights, control compliance statuses, and security scores to the aggregation region when cross-region aggregation is enabled.

Member Account:

An account that has granted an administrator account permission to view and act on its findings.

Requirement:

A collection of standards or regulations that are linked to controls.

Rule:

A Rule is a set of automated standards that determines whether a control is being followed and implemented.

Security Check:

The evaluation of a rule against a single resource at a specific time, with a result of passed, failed, warning, or not available. Each security check produces a finding.

Security Hub Administrator Account:

The Security Hub administrator account is an organization account responsible for controlling an organization's Security Hub membership.

Security Standard:

A statement published on a subject that outlines compliance requirements, typically quantitative and expressed as controls.

Severity:

The degree of importance of a Security Hub control is indicated by its severity.

Workflow Status:

The state of an investigation into a finding is called the workflow status. It is tracked by the finding's Workflow.Status attribute.
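To see how the concepts above (ASFF, RecordState, Severity, Workflow Status) combine when you triage findings, here is an added example that is not part of the original page or of AWS's own code. The findings are constructed sample data in the ASFF shape, with only the fields the triage logic needs.

```python
# Added example (not the page's own code): triage ASFF findings the way the
# Security Hub console does: drop archived records, keep only open workflow
# states, and order by severity. Findings below are constructed sample data.
from collections import Counter
from typing import Dict, List

PRODUCT_ARN = "arn:aws:securityhub:us-east-1::product/aws/securityhub"  # built-in provider

SAMPLE_FINDINGS: List[Dict] = [
    {"Id": "f-001", "ProductArn": PRODUCT_ARN, "Title": "Security group allows SSH from 0.0.0.0/0",
     "Severity": {"Label": "HIGH", "Normalized": 70}, "RecordState": "ACTIVE",
     "Workflow": {"Status": "NEW"}, "Resources": [{"Type": "AwsEc2SecurityGroup", "Id": "sg-0123"}]},
    {"Id": "f-002", "ProductArn": PRODUCT_ARN, "Title": "Security group allows RDP from 0.0.0.0/0",
     "Severity": {"Label": "MEDIUM", "Normalized": 40}, "RecordState": "ACTIVE",
     "Workflow": {"Status": "NOTIFIED"}, "Resources": [{"Type": "AwsEc2SecurityGroup", "Id": "sg-0123"}]},
    {"Id": "f-003", "ProductArn": PRODUCT_ARN, "Title": "EC2 instance exposes an unpatched service",
     "Severity": {"Label": "CRITICAL", "Normalized": 90}, "RecordState": "ACTIVE",
     "Workflow": {"Status": "NEW"}, "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0abc"}]},
    # Archived: the provider no longer considers it relevant, so it must not be shown.
    {"Id": "f-004", "ProductArn": PRODUCT_ARN, "Title": "Root access key is active",
     "Severity": {"Label": "CRITICAL", "Normalized": 90}, "RecordState": "ARCHIVED",
     "Workflow": {"Status": "NEW"}, "Resources": [{"Type": "AwsIamUser", "Id": "root"}]},
    # Resolved: the workflow is closed even though the record itself is still active.
    {"Id": "f-005", "ProductArn": PRODUCT_ARN, "Title": "S3 bucket logging disabled",
     "Severity": {"Label": "LOW", "Normalized": 1}, "RecordState": "ACTIVE",
     "Workflow": {"Status": "RESOLVED"}, "Resources": [{"Type": "AwsS3Bucket", "Id": "my-bucket"}]},
]

OPEN_WORKFLOW_STATES = {"NEW", "NOTIFIED"}  # RESOLVED and SUPPRESSED are closed states

def is_open(finding: Dict) -> bool:
    """True for an active record whose investigation is still in progress."""
    return (finding.get("RecordState") == "ACTIVE"
            and finding.get("Workflow", {}).get("Status") in OPEN_WORKFLOW_STATES)

def prioritize(findings: List[Dict]) -> List[Dict]:
    """Open findings ordered by severity, highest first; Id breaks ties deterministically."""
    return sorted((f for f in findings if is_open(f)),
                  key=lambda f: (-f["Severity"]["Normalized"], f["Id"]))

def open_findings_per_resource(findings: List[Dict]) -> Dict[str, int]:
    """Count open findings per affected resource, like the dashboard's failed-resource list."""
    counts: Counter = Counter()
    for f in prioritize(findings):
        for resource in f.get("Resources", []):
            counts[resource["Id"]] += 1
    return dict(counts)
```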

Features of AWS Security Hub

  • AWS Security Hub compiles and aggregates findings across AWS accounts and automates compliance checks by evaluating your resources against security controls.
  • AWS Security Hub works with AWS Organizations to make administration of security posture easier for all of your organization's current and future AWS accounts.
  • Develop and create your insights or alter the configured insights.
  • Your security alerts and findings from various accounts, AWS partner tools, and AWS services like Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS IAM Access Analyzer, AWS Firewall Manager, and AWS Audit Manager are now consolidated, organized, and prioritized in one location.
  • To display the accounts' current security and compliance status, integrated dashboards combine your security findings across accounts.
  • All findings are kept in the AWS Security Hub for at least 90 days.
  • Helps draw attention to emerging trends in your findings.
  • You can carry out automated compliance and configuration checks at the account level based on industry norms and best practices, such as the AWS Foundations Benchmark from the Center for Internet Security (CIS). These checks give a compliance score and show which accounts and resources need to be looked after.
  • AWS Config configuration items are used in AWS Security Hub compliance checks.
  • Through interaction with Amazon CloudWatch Events, you may communicate security discoveries to ticketing, chat, email, or automated remediation systems.

AWS Security Hub Integration with Other Services

Every primary AWS security tool is integrated with Security Hub. Some of the integrations are:

With Amazon GuardDuty: You can send GuardDuty findings to Security Hub via the Amazon GuardDuty integration with Security Hub. After that, Security Hub can take those findings into account when evaluating your security posture.

Amazon GuardDuty Malware Protection findings are also sent automatically to AWS Security Hub. Amazon GuardDuty Malware Protection uses agentless malware detection to protect your Amazon Elastic Compute Cloud (EC2) instances and container workloads.

With Amazon Macie: The Amazon Macie and AWS Security Hub integration now allows Macie's findings about sensitive data to be instantly ingested into AWS Security Hub. Before this integration, Security Hub had already ingested policy findings from Macie, and now it has added data findings on sensitive data. You may more quickly search, correlate, and operationalize Security Hub's findings because they are all automatically normalized using the AWS Security Finding Format (ASFF).

With Amazon Inspector: Amazon Inspector, AWS's security assessment service, automates vulnerability detection for AWS workloads and checks for typical vulnerabilities and exposures on Amazon EC2 instances.

With IAM Access Analyzer: IAM Access Analyzer makes it straightforward for security teams and administrators to verify that their policies grant only the intended access to resources. When policies provide public or cross-account access to resources, the IAM Access Analyzer integration sends findings to Security Hub.

With Amazon CloudWatch and CloudWatch Events: AWS Security Hub can be integrated with CloudWatch and CloudWatch Events so that they receive its findings. You can then use AWS Lambda to automate responses to the identified alerts.

With AWS Firewall Manager: AWS Firewall Manager and AWS Security Hub are currently integrated. You can centrally configure and administer AWS WAF, AWS Shield Advanced, and Amazon VPC Security Group rules across all your accounts and applications in AWS Organizations using AWS Firewall Manager, a security management solution.

With third-party services: Apart from these, AWS Security Hub can also be integrated with various third-party products. Each integration with a third-party product can send findings to the Security Hub, receive findings from the Security Hub, and update findings in the Security Hub. You can find the AWS Partner Network (APN) Partners from the official site: AWS Security Hub Partners

Getting Started with AWS Security Hub

How you enable and get started with AWS Security Hub depends on how your accounts are managed: (i) through the integration with AWS Organizations, or (ii) manually.

You set up Security Hub and handle accounts independently in each Region in both scenarios. Also, AWS Config, which is required for the security checks against security controls, must be enabled for all accounts before AWS Security Hub is enabled.

AWS Organizations Integration:

  • Most organization accounts have Security Hub enabled automatically if you use the integration with AWS Organizations.
  • A Security Hub administrator account is selected by the organization management account, and Security Hub is automatically turned on for this account.
  • This Security Hub administrator account enables the other organization accounts as member accounts, and those organization accounts also have Security Hub enabled automatically.
  • The organization management account is the only organization account for which Security Hub is not turned on by default.
  • The organization management account can choose the Security Hub administrator account without first enabling Security Hub. However, the organization management account must enable Security Hub itself before it can be enabled as a member account.

Manual Account Management:

  • Accounts that organizations do not manage must manually activate Security Hub.
  • Here the member accounts need to accept the invitation from the Security Hub administrator account, and thus, the Security Hub administrator-member relationship is established.

Refer to the AWS documentation for the different ways in which you can enable Security Hub.

Use Cases of AWS Security Hub

1. Manage the cloud's security posture, i.e., Cloud Security Posture Management (CSPM)

  • Security: Automated checks based on a group of security controls chosen by professionals/experts can help reduce your risk.
  • Compliance: Also, with integrated mapping capabilities for popular frameworks like CIS and PCI DSS, etc., compliance management is made more accessible.

2. Integrations can be made simpler to Save Time and Money

By combining the integrations between AWS services and your downstream tooling and by standardizing your findings, you can make data ingestion into your Security Information and Event Management (SIEM), ticketing, and other tools more manageable and more efficient. This ensures that the findings are sent to suitable entities promptly.

3. Workflows for Security Orchestration, Automation, and Response (SOAR)

With Security Hub's integration with EventBridge, you can automatically enrich findings, remediate them, or submit them to ticketing systems.
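The Custom Action concept and this SOAR workflow meet in an EventBridge rule plus a handler. Here is an added example that is not part of the original page or of AWS's own code: a minimal Lambda-style handler for the event Security Hub emits when an analyst invokes a custom action, which builds the BatchUpdateFindings request(s) that mark the selected findings NOTIFIED. The custom action ARN, ticket id, and event contents are constructed sample values, and the boto3 call is left as a comment so the code runs offline.

```python
# Added example (not the page's own code): handle a Security Hub custom-action
# event from EventBridge and build BatchUpdateFindings requests. The action
# ARN, ticket id and SAMPLE_EVENT are constructed sample values.
from typing import Dict, List

CUSTOM_ACTION_ARN = "arn:aws:securityhub:us-east-1:111122223333:action/custom/SendToTicketing"

EVENT_PATTERN: Dict[str, List[str]] = {  # EventBridge rule pattern for this one custom action
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Custom Action"],
    "resources": [CUSTOM_ACTION_ARN],
}

BATCH_LIMIT = 100  # BatchUpdateFindings accepts at most 100 finding identifiers per call

def matches_rule(event: Dict) -> bool:
    """Mirror the EventBridge pattern so the handler ignores unrelated events."""
    return (event.get("source") in EVENT_PATTERN["source"]
            and event.get("detail-type") in EVENT_PATTERN["detail-type"]
            and any(r in EVENT_PATTERN["resources"] for r in event.get("resources", [])))

def build_update_requests(event: Dict, ticket_id: str) -> List[Dict]:
    """Split the selected findings into BatchUpdateFindings-sized requests."""
    identifiers = [{"Id": f["Id"], "ProductArn": f["ProductArn"]}
                   for f in event["detail"]["findings"]]
    return [{
        "FindingIdentifiers": identifiers[i:i + BATCH_LIMIT],
        "Workflow": {"Status": "NOTIFIED"},
        "Note": {"Text": f"Ticket {ticket_id} opened", "UpdatedBy": "custom-action-handler"},
    } for i in range(0, len(identifiers), BATCH_LIMIT)]

def lambda_handler(event: Dict, context=None) -> Dict[str, int]:
    """Lambda entry point: validate the event, then update workflow status in batches."""
    if not matches_rule(event):
        return {"updated": 0, "batches": 0}
    requests = build_update_requests(event, ticket_id="TICKET-PLACEHOLDER")
    # for req in requests:
    #     boto3.client("securityhub").batch_update_findings(**req)
    return {"updated": sum(len(r["FindingIdentifiers"]) for r in requests), "batches": len(requests)}

SAMPLE_EVENT: Dict = {  # shape of the custom-action event, with constructed findings
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Custom Action",
    "resources": [CUSTOM_ACTION_ARN],
    "detail": {"actionName": "SendToTicketing",
               "findings": [{"Id": "f-001", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"},
                            {"Id": "f-003", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"}]},
}
```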

4. Integrate your Security Findings to Acquire new Views and Perspectives

Searching, correlating, and aggregating various security findings by accounts and resources can help you better prioritize the response and remediation efforts of your central security teams and DevSecOps teams.

AWS Security Hub Pricing

During the preview period, AWS Security Hub will be freely accessible worldwide, and a 30-day trial period will be offered for all accounts and regions. The pricing of AWS Security Hub is based on the number of finding ingestion events and the number of compliance/security checks. To get the most recent pricing details, visit the AWS Security Hub pricing page.

It should be noted that AWS Config must be enabled in accounts using AWS Security Hub, as its security checks use the configuration information recorded by AWS Config. AWS Config is therefore required and is charged separately from Security Hub. Visit the AWS Config page for additional information.

Benefits of AWS Security Hub

Cut Down the Time and Effort Needed for Data Collection and Prioritization:

You no longer need to handle findings data in many different formats: Security Hub normalizes every finding into a standard finding format and then correlates findings from several providers to assist you in prioritizing the most critical ones.

Automatic Security Evaluations Compared to Best Practices and Standards:

Based on AWS best practices and industry standards, Security Hub automatically performs continuous account-level configuration and security checks. Security Hub presents the outcome of these checks as a readiness score and highlights the specific accounts and resources that need attention.

Integrated view of Findings from Different AWS Accounts and Providers:

Your security findings from different accounts and provider products are aggregated by Security Hub, and the consolidated results are shown on the Security Hub portal. This enables you to evaluate your entire current security status to discover patterns, pinpoint any problems, and implement the required corrective measures.

Automated Ability to Correct Findings:

You can specify individual actions to be taken when a finding is received to automate the remediation of certain findings. You can set up custom actions to submit findings to an automated remediation or ticketing system.

Excellent Integration Capabilities:

There are robust integration features in AWS Security Hub. It enables the integration of AWS native services and aids in integrating some third-party services. This is one of the key advantages as well because ordinarily, you would have to examine the results of each service independently.

Conclusion

  • AWS Security Hub gives you an in-depth understanding of your security posture within AWS and your compliance with security industry standards and best practices.
  • It is integrated with various AWS Services and other services outside AWS, thus lowering the requirement to visit several portals or UIs.
  • You may examine your security trends and find the most critical security issues with AWS Security Hub's multiple features and advantages.
  • AWS Security Hub can be used in various standard situations and scenarios.