In terms of security, AWS provides many different tools and services, but you have to switch back and forth between them to reach the level of security you need. So is there an AWS service that can collect information from the various security services and tools? Yes: this is where AWS Security Hub comes in. Security Hub works with the findings collected from other AWS and third-party services, so you don't have to deal with time-consuming data processing yourself.
In this blog post, we will discuss the AWS Security Hub service and how we can use it to gain insight into priority security alerts and compliance status in your AWS account.
What is AWS Security Hub?
Security Hub provides a single place in your AWS environment to aggregate, organize, and prioritize security alerts and findings from multiple AWS security services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, IAM Access Analyzer, and AWS Firewall Manager. It also supports third-party partner products.
Security Hub provides a pre-built dashboard to help organize and prioritize any issues or alerts for your AWS environment discovered from security checks.
This helps you check your environment against industry security standards and AWS best practices. You can also take advantage of the built-in automated PCI DSS and CIS (Center for Internet Security) checks.
You can also, for instance, get information on findings by region, as well as further insights, such as:
Amazon S3 buckets with public write or read permissions
S3 buckets with sensitive data
Amazon Machine Images (AMIs) that are generating the most findings
AWS principals with suspicious access key activity
AWS resources associated with unauthorized resource consumption
Credentials that may have leaked
Amazon EC2 instances that have missing security patches for important vulnerabilities
How does Security Hub work?
Security Hub simplifies how you understand and improve your security posture with automated security best practice checks powered by AWS Config rules and automated integrations with dozens of AWS services and partner products.
Security Hub only detects and consolidates findings that are generated after you enable it.
The benefits of Security Hub in practice
In general, Security Hub saves you time by producing accurate reports on the security gaps in your AWS environment.
Reduced time and effort to collect information: security findings from integrated AWS services and third-party partner products are collected and prioritized across multiple accounts.
Automation capability: automate the remediation of specific findings, and define custom actions to take when specific findings are received. Findings can also be sent to a ticketing system or to automated remediation software.
Best practices and standards security checks: Security Hub runs continuous security checks following AWS best practices and industry standards, provides the results of these checks as scores, and identifies AWS accounts and resources that require attention.
Consolidated view across AWS accounts: consolidate your security findings from multiple AWS accounts. Thanks to clear charts and tables, you can easily identify potential threats and take the necessary action.
Findings aggregation across AWS regions: view findings across multiple regions by setting an aggregation region and then linking other AWS regions to it.
Security Hub common use cases
Use various security standards to continuously scan your AWS environment for configuration errors, and aggregate single-account and multi-account security check results to understand your overall security status.
Simple classification and prioritization
Use Security Hub’s dashboards and filters to identify and prioritize which findings from other AWS security services and partner security integrations are most important and which require the most immediate attention.
Simplify compliance management with built-in mapping capabilities for common frameworks such as the Center for Internet Security (CIS) benchmark and the Payment Card Industry Data Security Standard (PCI DSS).
Speed up response time with automatic ticket routing
Security Hub ensures that AWS findings reach the right people through integration with chat, ticketing, incident management, and security information and event management (SIEM) tools.
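As an added example (not code from the original post), here is a Lambda-style handler for the custom-action flow described above: it receives the EventBridge event that Security Hub emits for a custom action, drops findings that are already resolved or whose control now passes, keeps those at or above a severity threshold, and routes each one to a queue. The sample event, the action name SendToTicketing, the queue names and the routing table are constructed assumptions; the field names follow the AWS Security Finding Format (ASFF).

```python
# Constructed sample event (not captured from AWS); its shape follows the ASFF
# findings that Security Hub places under detail.findings.
SAMPLE_EVENT = {"detail-type": "Security Hub Findings - Custom Action", "detail": {
    "actionName": "SendToTicketing", "findings": [
        {"Id": "finding-001", "AwsAccountId": "111122223333", "RecordState": "ACTIVE",
         "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub",
         "Title": "S3.2 S3 buckets should prohibit public read access",
         "Severity": {"Label": "CRITICAL", "Normalized": 90},
         "Compliance": {"Status": "FAILED"}, "Workflow": {"Status": "NEW"},
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-open-bucket"}]},
        {"Id": "finding-002", "AwsAccountId": "111122223333", "RecordState": "ACTIVE",
         "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/guardduty",
         "Title": "Recon:EC2/PortProbeUnprotectedPort",
         "Severity": {"Label": "MEDIUM", "Normalized": 40}, "Workflow": {"Status": "NEW"},
         "Resources": [{"Type": "AwsEc2Instance",
                        "Id": "arn:aws:ec2:eu-west-1:111122223333:instance/i-0123456789abcdef0"}]},
        {"Id": "finding-003", "AwsAccountId": "444455556666", "RecordState": "ACTIVE",
         "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub",
         "Title": "IAM.4 IAM root user access key should not exist",
         "Severity": {"Label": "CRITICAL", "Normalized": 90},
         "Compliance": {"Status": "PASSED"}, "Workflow": {"Status": "RESOLVED"},
         "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:444455556666"}]},
    ]}}
# Hypothetical routing table: product name (last ProductArn segment) -> queue.
ROUTES = {"guardduty": "incident-response", "securityhub": "cloud-platform"}

def route_for(product_arn):
    return ROUTES.get(product_arn.rsplit("/", 1)[-1], "security-triage")

def is_open(finding):
    # Drop findings already resolved or suppressed, and controls that now pass.
    return (finding.get("RecordState") == "ACTIVE"
            and finding.get("Workflow", {}).get("Status") in ("NEW", "NOTIFIED")
            and finding.get("Compliance", {}).get("Status") != "PASSED")

def triage(event, min_severity=40):
    # Ticket payloads for open findings at or above min_severity, most severe first.
    tickets = []
    for f in event["detail"]["findings"]:
        if not is_open(f) or f["Severity"]["Normalized"] < min_severity:
            continue
        tickets.append({"finding_id": f["Id"], "account": f["AwsAccountId"],
                        "severity": f["Severity"]["Normalized"], "title": f["Title"],
                        "queue": route_for(f["ProductArn"]),
                        "resources": [r["Id"] for r in f.get("Resources", [])]})
    return sorted(tickets, key=lambda t: t["severity"], reverse=True)

def handler(event, context=None):
    # Lambda entry point; a real deployment would post each ticket to the ticketing API.
    return {"ticketed": len(triage(event)), "action": event["detail"]["actionName"]}
```

The same handler can be subscribed to the "Security Hub Findings - Imported" event type instead, which turns the manual custom action into fully automatic routing of every new finding.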
Security Hub integration
You can integrate Security Hub with a variety of AWS services and third-party tools from AWS partners. This is also one of its main benefits, because otherwise you would have to open each service in turn and check its findings.
All findings are stored for at least 90 days within AWS Security Hub.
Security Hub and AWS services integration
Security Hub integrates with all the key AWS security tools.
It integrates with these AWS services:
Amazon GuardDuty, for continuous, intelligent threat detection across your AWS accounts, workloads, and data stored in Amazon S3.
Amazon Macie, which you can use to find personally identifiable information in your S3 buckets, classify data by sensitivity as high, medium, or low risk, and alert you accordingly.
Amazon Inspector, which you can use to run checks for common vulnerabilities and exposures (CVEs) on Amazon EC2 instances.
IAM Access Analyzer, a tool that scans the policies attached to your AWS resources, such as S3 buckets, KMS keys, Lambda functions, and IAM roles, to see whether they allow access from outside your AWS account.
Amazon CloudWatch and CloudWatch Events, which together with AWS Lambda you can use to automate the response to any findings.
AWS Firewall Manager, a service that lets you centrally manage web application firewall rules and security groups across multiple AWS accounts.
Security Hub third-party tool integration
Security Hub also integrates with many different third-party tools. You can find the full list on the official AWS page: integrated AWS Partner Network (APN) security solutions.
Available security standards and best practices checks
When enabling AWS Security Hub, you can choose which security standard you would like to use. These security standards provide a set of controls to determine compliance with regulatory frameworks and industry best practices.
At the time of writing, there are three standards of automated checks you can enable:
1. AWS Foundational Security Best Practices
The AWS Foundational Security Best Practices standard is a set of automated security checks that detect when AWS accounts and deployed resources do not align with security best practices. The standard is defined by AWS security experts. This curated set of controls helps improve your security posture in AWS, and covers AWS’s most popular and foundational services.
2. AWS Security Hub CIS Benchmark
The Center for Internet Security (CIS) published a benchmark with general security guidelines for AWS. This Security Hub standard automatically checks for your compliance readiness against a subset of CIS requirements.
It includes things like:
Avoid the use of the "root" account
Ensure credentials unused for 90 days or more are disabled
Ensure IAM password policy requires a minimum length of 14 or greater
Ensure MFA is enabled for the "root" account
Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
Ensure rotation for customer-created KMS keys is enabled
And much more: CIS AWS Foundations Benchmark controls...
3. Payment Card Industry Data Security Standard (PCI DSS)
This is a set of checks that all relate to credit card payments and to the standards you must adhere to if you handle anything to do with credit cards. You can find more information in the official AWS documentation: PCI DSS.
How to enable Security Hub
Before you can enable Security Hub, you must first enable resource recording in AWS Config. AWS Config is charged separately from Security Hub, so see AWS Config pricing for details.
1. Open the AWS Config console.
2. You should see the option to choose 1-click setup, which launches AWS Config based on AWS best practices.
3. On the Review page, click “Confirm”.
Some checks also require AWS CloudTrail.
As with other AWS services, you can enable Security Hub in multiple ways; choose the one that suits you best.
Enable Security Hub in AWS Management Console
1. Sign in to the Security Hub console.
2. Choose “Go to Security Hub”.
3. Choose “Security standards”. You can enable or disable a standard at any time after enabling Security Hub.
4. Choose “Enable Security Hub”.
Enable Security Hub with the multi-account script
The Security Hub multi-account enablement script allows you to enable Security Hub across accounts and regions. The script also automates the process of sending invitations to member accounts and enabling AWS Config.
Other ways to enable Security Hub
You can also enable Security Hub with an API call or with the AWS Command Line Interface. See the official AWS documentation for details: Enabling Security Hub (Security Hub API, AWS CLI).
Security Hub pricing
Once you see the benefits of implementing AWS Security Hub, you will certainly want to know what it costs.
Security Hub’s security checks rely on items recorded by AWS Config. AWS Config is required and is priced separately from Security Hub; see AWS Config pricing for details.
Security Hub shows usage (cost) information in its Settings, helping you understand your estimated monthly bill and which components of Security Hub contribute to it. Security Hub also offers a 30-day free trial for each account, so you can find out what it will cost at no charge.
Pricing example for a midsize company with ten AWS accounts
Let’s assume that you use two AWS regions, Europe (Ireland) eu-west-1 and Europe (Frankfurt) eu-central-1, and that you currently have ten AWS accounts. AWS Security Hub performs 300 security checks per ten accounts and two regions, and it also ingests 15,000 findings per ten accounts and two regions.
AWS Security Hub provides a centralized dashboard for security alerts: one place to aggregate and manage findings and alerts from key AWS security services as well as third-party products, giving you an ongoing security audit across your AWS accounts.