Security Alerting with AWS Security Hub – Event Management with Security Hub and GuardDuty – SCS-C02 Study Guide

Security Alerting with AWS Security Hub

With so many security tools available, both within AWS and from third-party providers, those responsible for managing the alerts need a single pane of glass that centralizes all incoming alerts and notifications. AWS Security Hub helps you consolidate security findings, alerts, and compliance reports from AWS services, including the following:

  • AWS Identity and Access Management (IAM)
  • Amazon Macie
  • Amazon GuardDuty
  • Amazon Inspector
  • AWS Firewall Manager

In addition to these native AWS services, AWS Security Hub can be integrated with third-party partner solutions, such as Sumo Logic, Splunk, and other vendors you might use in your organization. A complete list of these partners can be found at https://aws.amazon.com/security-hub/partners/.

The Security Hub service allows you to categorize and prioritize all the events coming in from these various sources. This single-pane-of-glass view gives you a more comprehensive picture and a deeper understanding of the threats and vulnerabilities facing your account.

Security Hub, by default, is a regional service, but as with Amazon GuardDuty, it can be set up in an administrator/member configuration from within a dedicated security account. When used with AWS Organizations, the organization management account designates the Security Hub administrator account, as shown in the following configuration:

Figure 6.12: Security Hub administrator/member configuration

Suppose you have already configured your accounts, as shown in Figure 6.12, for the GuardDuty service to consume all the account data in a segmented security account. In that case, the Security Hub service can utilize this same setup without additional configuration.

One of the most compelling use cases for Security Hub is automated compliance and configuration checks. Keeping every account compliant becomes burdensome and time-consuming as your organization grows and expands to multiple accounts. Whether a developer has configured something in one of the child accounts that goes against the compliance standards of the whole organization can be automatically detected, displayed, and reported on via the Security Hub service, so that you can take appropriate action.

AWS Security Hub, out of the box, performs 43 fully automated, nearly continuous checks against your accounts based on the CIS Foundations benchmark. It then takes the findings from these checks and displays them on the main Security Hub dashboard, giving your security and audit teams quick access to them. Security Hub mainly looks at configuration choices and usage patterns at the account level. This is in contrast to AWS Config, which reviews items at the instance and resource levels. By focusing on the CIS checks, AWS Security Hub helps ensure that your AWS infrastructure adheres to the security best practices recommended by CIS.
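Security Hub stores every consolidated finding, whether it comes from a CIS control check, GuardDuty, or Inspector, in the AWS Security Finding Format (ASFF). The following is an added example (not code from the study guide or from AWS) of the prioritization and grouping described above: it takes a batch of constructed ASFF-style records, drops the ones that no longer need attention, orders the rest by normalized severity with failed compliance checks first, and counts open findings per account and source product. The IDs, ARNs, titles and account numbers are placeholders.

```python
# Triage constructed findings in the ASFF shape that Security Hub consolidates.
from collections import defaultdict

OPEN_WORKFLOW = ("NEW", "NOTIFIED")  # ASFF workflow states that still need attention

FINDINGS = [  # constructed samples; IDs, ARNs and account numbers are placeholders
    {"Id": "cis-check-0001", "AwsAccountId": "111111111111",
     "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
     "Title": "CIS control check: IAM access key rotation (constructed)",
     "Severity": {"Label": "MEDIUM", "Normalized": 40},
     "Compliance": {"Status": "FAILED"}, "Workflow": {"Status": "NEW"},
     "RecordState": "ACTIVE"},
    {"Id": "guardduty-0002", "AwsAccountId": "222222222222",
     "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
     "Title": "GuardDuty threat finding (constructed)",
     "Severity": {"Label": "HIGH", "Normalized": 70},
     "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE"},
    {"Id": "inspector-0003", "AwsAccountId": "111111111111",
     "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/inspector",
     "Title": "Inspector vulnerability finding (constructed)",
     "Severity": {"Label": "MEDIUM", "Normalized": 40},
     "Workflow": {"Status": "NOTIFIED"}, "RecordState": "ACTIVE"},
    {"Id": "cis-check-0004", "AwsAccountId": "222222222222",
     "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
     "Title": "CIS control check, already remediated (constructed)",
     "Severity": {"Label": "LOW", "Normalized": 1}, "RecordState": "ACTIVE",
     "Compliance": {"Status": "PASSED"}, "Workflow": {"Status": "RESOLVED"}},
]


def is_open(finding):
    """A finding needs action only while it is ACTIVE and not resolved or suppressed."""
    return (finding.get("RecordState") == "ACTIVE"
            and finding.get("Workflow", {}).get("Status") in OPEN_WORKFLOW)


def triage(findings):
    """Return (open findings, most urgent first; open-finding counts per account and product).
    Urgency is the ASFF normalized severity (0-100); failed compliance checks rank
    ahead of other findings of equal severity so CIS failures are not buried."""
    queue = sorted(
        (f for f in findings if is_open(f)),
        key=lambda f: (-f["Severity"]["Normalized"],
                       0 if f.get("Compliance", {}).get("Status") == "FAILED" else 1,
                       f["Id"]))
    counts = defaultdict(lambda: defaultdict(int))
    for f in queue:
        product = f["ProductArn"].rsplit("/", 1)[-1]  # e.g. "guardduty"
        counts[f["AwsAccountId"]][product] += 1
    return queue, {acct: dict(per_product) for acct, per_product in counts.items()}
```

In practice the batch would come from the Security Hub findings API or an EventBridge delivery rather than an inline list; the filtering and ordering logic is the same.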

Having AWS Config enabled is a prerequisite for checking compliance standards with Security Hub. Security Hub uses the configuration information recorded by AWS Config to determine when something changes in an account, which allows its findings to be refreshed in near real time.

Having covered how Security Hub works across multiple accounts and how its findings differ from those of the AWS Config service discussed earlier, the following section explains how Security Hub groups its findings to make things easier for security professionals.