A Real-World Example of Using AWS Security Hub – Event Management with Security Hub and GuardDuty – SCS-C02 Study Guide

A Real-World Example of Using AWS Security Hub

Suppose you have deployed a custom-built AMI across your accounts, and that AMI has now been found to have a vulnerability. Security Hub insights can aggregate the findings and show you that the AMI itself has the issue, rather than presenting you with a list of a hundred instances launched from that AMI, each reporting the same vulnerability that needs to be patched.

While that per-instance information would be relevant and somewhat helpful, it would also be noisy and would not get to the root of the issue. With Security Hub presenting the root cause (the AMI, in this case), you can patch or fix the problem in the underlying AMI and then redeploy or patch those instances, so that the same finding does not appear again.

With an understanding of how Security Hub can aggregate the same security issue, when it is found multiple times, into one succinct piece of information, you can now review some other features of Security Hub.

Findings

A finding is a security issue or failed security check detected by an integrated AWS service or a third-party solution.

Integrations

The Security Hub service integrates natively with most AWS services; on each service's page in the Management Console, a button lets you turn its findings on or off.

Figure 6.18: Services inside of the Integrations section of Security Hub

As you have seen in the previous sections, it is very easy to integrate both native AWS and third-party services so that Security Hub can report on their issues. You can now explore how using AWS Config conformance packs enhances the Security Hub service.

Automated Remediation and Responses from Security Hub

Automated responses from AWS Security Hub findings and system events can be activated so that you do not need to manually react to the notifications that appear on your Security Hub dashboard.

Examples of the responses that you can automatically trigger with Amazon EventBridge from Security Hub include the following:

  • Having an AWS Lambda function invoked
  • Having an EC2 run command invoked via Systems Manager
  • Starting an AWS Step Functions state machine
  • Sending a notification to an Amazon SNS topic
  • Placing a message in an Amazon SQS queue
  • Sending one of the findings to a third-party service, such as a chat window, SIEM, or ticketing system

For each individual response, you need to configure the rule and the severity it reacts to separately in Amazon EventBridge.
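To make the rule-and-severity configuration concrete, here is an added example (mine, not from the study guide): an EventBridge event pattern that keys on the Security Hub finding's severity label, plus a small offline matcher that applies EventBridge's exact-match semantics to a constructed sample event. The pattern dictionary is what you would serialise to JSON for the rule; the severity policy, the matcher and the sample event are assumptions for illustration only. Note that findings arrive as an array under `detail.findings`, so each pattern path matches if any finding in the array satisfies it.

```python
# Event pattern for one EventBridge rule (assumed policy: act only on new,
# still-active findings whose severity label is HIGH or CRITICAL).
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {
        "Severity": {"Label": ["HIGH", "CRITICAL"]},
        "Workflow": {"Status": ["NEW"]},
        "RecordState": ["ACTIVE"],
    }},
}

def _flatten(obj, path=()):
    """Map each leaf path to the set of values found there. List items share
    the parent's path, which mirrors how EventBridge matches inside arrays."""
    leaves = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            for p, vals in _flatten(value, path + (key,)).items():
                leaves.setdefault(p, set()).update(vals)
    elif isinstance(obj, list):
        for item in obj:
            for p, vals in _flatten(item, path).items():
                leaves.setdefault(p, set()).update(vals)
    else:
        leaves[path] = {obj}
    return leaves

def matches(pattern, event):
    """Exact-match subset of EventBridge semantics: every path named in the
    pattern must carry at least one of its allowed values in the event."""
    event_leaves = _flatten(event)
    return all(allowed & event_leaves.get(path, set())
               for path, allowed in _flatten(pattern).items())

def sample_finding_event(label, workflow="NEW", record_state="ACTIVE"):
    """Constructed 'Security Hub Findings - Imported' event, not real data."""
    return {
        "version": "0",
        "detail-type": "Security Hub Findings - Imported",
        "source": "aws.securityhub",
        "account": "111122223333", "region": "us-east-1",
        "detail": {"findings": [{
            "Title": "Constructed sample finding",
            "Severity": {"Label": label, "Normalized": 70},
            "Workflow": {"Status": workflow},
            "RecordState": record_state,
            "Resources": [{"Type": "AwsEc2Instance", "Id": "i-EXAMPLE"}],
        }]},
    }
```

A LOW finding, a finding already marked RESOLVED, or an ARCHIVED record all fall through, so the Lambda, SNS or Systems Manager target only fires for the cases the rule was written for.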

Note

You will explore Amazon EventBridge in more detail in Chapter 8, CloudWatch and CloudWatch Metrics, as Amazon EventBridge has replaced Amazon CloudWatch Events.

Summary

This chapter concludes Section 2 on incident response with a review of the AWS services Security Hub and GuardDuty. You explored how the GuardDuty service works and how it presents its findings. You also walked through setting up the GuardDuty service from the Amazon Management Console.

You then looked at the Amazon Security Hub service and examined how it presents security findings from AWS security services, such as GuardDuty, Amazon Macie, Amazon Inspector, and AWS Firewall Manager, and from third-party services in a unified view, which makes tracking your security posture much easier for you as a security professional.

Chapter 7, Logs Generated by AWS Services, will begin the next domain in the AWS Security Specialty exam, logging and monitoring. This domain concerns the different types of logs you can capture, how to capture them, and what they tell you.