If this is the first post you are reading in the #CloudSecurity series, Welcome! :) You will find some of the other topics covered under #CloudSecurity by me interesting too. Please feel free to follow my medium profile to see the remaining Cloud Security articles and be updated on upcoming posts on the same topic. I love connecting and talking security so do head to www.ashishrajan.com and connect with me to continue the conversation. Ok, back to the post.
If you prefer consuming educational content in video format, I have you covered. For everyone else keep reading.
From this point onwards, I assume that you have basic working knowledge of AWS to be able to create an AWS Account and can search services in AWS Console to use them. If you don’t and would want me to point you to resources that can help, feel free to comment and I can point you to them.
How do you check security in your AWS Accounts?
I asked this question on AWS Cloud Facebook groups and subreddits (for which I got banned, weirdly enough, LOL). I got a lot of responses which were focused on making sure IAM is configured correctly, which is really good advice; weirdly enough, there was no CloudTrail or GuardDuty advice. I do have to confess this is a bit of a vague question, so I should be expecting vague responses.
Fortunately, most cloud providers these days have security notification services that their customers can use to investigate, triage and raise alarms. AWS has multiple security notification services; one of them is called AWS Security Hub. This service was released in preview mode in Nov 2018 and is still in preview at the time of writing this article. I was among the lucky few to test run this service, so I wanted to share my initial thoughts on it and best practices based on what is available in preview mode. (I will answer my Facebook and subreddit question in a future post, where we will go into the basic security foundations of AWS Accounts.)
“AWS Security Hub provides you with a comprehensive view of your security state within AWS and helps you check your compliance with the security industry standards and best practices”, all from a central place.
Why would you want to use AWS Security Hub?
- Central place to get a security view of all your AWS Accounts (if invited into Security Hub)
- A central place for AWS CloudTrail, AWS GuardDuty and AWS Macie incidents from all your AWS accounts
- Ability to monitor compliance with the CIS AWS Foundations Benchmark across all your AWS Accounts
- Ability to search through all “findings” recorded from the time AWS Security Hub was enabled
- Ability to use the intelligent threat detection insights from AWS, and also to purchase subscriptions to receive findings from trusted security vendors who share their “threat intelligence” with AWS through Security Hub.
- AWS Security Hub ships with standard insights and also lets customers create their own insights on the dashboard.
- Customers can monitor the AWS-provided insights into suspicious activity, which are based on 31 AWS pre-populated rules, and can create their own insights on top of them.
- AWS Security Hub allows custom actions to be created; these are captured as CloudWatch Events and from there can be fed into your existing security incident management systems.
- You can export all the recorded findings for periodic audit.
Where would you not want to use AWS Security Hub?
- If you are already ingesting findings from existing AWS sources like GuardDuty, Macie etc., then this will be a repetition of the same exercise with the same results.
- If you already collect all the security metrics for all your cloud providers into a central place, then this is not required.
- Security Hub will not help if you want to investigate historic security findings in your AWS account that you are already aware of; it only records findings from the time it is enabled.
- Since this is most likely going to be a paid service (going by the Usage column), you would want to factor in the additional cost.
- This is not a useful service if you have fewer than 2 AWS Accounts and don’t have much running on AWS.
- This is not a useful service if you are not using EC2 instances or some of the managed AWS services like RDS, Lambda etc.
- Taking a leaf from the previous point, only a limited set of AWS services is covered by AWS Security Hub insights.
- Security Hub needs to be activated per region. This is possibly because Security Hub uses AWS Config Rules to provide insights, and AWS Config also operates on a per-region basis.
When would you want to use AWS Security Hub?
- If you are a company that needs to stay on top of compliance for all your AWS Accounts, this might be the service you need.
- If you have done the basic security must-dos for an AWS Account, which among other things include enabling AWS CloudTrail, AWS GuardDuty, AWS Macie and AWS Inspector in all your AWS Accounts, you would be able to add another layer on top of this by collecting all the raised findings in AWS Security Hub.
- Security Hub can be used to collect and centralise security events from all AWS Accounts into one single spot on AWS.
- Get a compliance score against industry standards and best practices like the Center for Internet Security (CIS) AWS Foundations Benchmark.
- Central dashboard to easily spot trends, identify potential issues, and take the necessary remediation steps.
- You can use the APIs to create customised actions or to create tickets in a remediation system for raised security incidents, using a combination of AWS Security Hub custom actions and CloudWatch Events.
- You can use the APIs to feed the findings and insights into your existing DevOps or Security Operations (SOC) dashboards. #devsecops
AWS Security Hub is currently free of cost while in preview mode. However, on the AWS Security Hub page under Settings there is a Usage tab, which suggests that there is some cost to the service. The cost will be shared once the service is publicly available. There would be an additional cost if you decide to subscribe to one of the partner provider feeds in AWS Security Hub.
What are the best practices for using AWS Security Hub?
- Enable AWS Security Hub in all regions for all your AWS Accounts.
- If you do not want to run it in all regions because you only work in one, ensure there are security controls that raise alarms if an AWS service is used in an unwanted region.
- Enable and manage AWS Security Hub from a single master account rather than from each individual AWS account.
- Invite and enrol (silently enrol if you need to) all your child AWS accounts so that they are included in the central AWS Security Hub dashboard in your master AWS account.
- Use the insights from the summary page to take appropriate action, e.g. on CIS non-compliant elements or the Top insights section.
- Assess and use the findings in AWS Security Hub to create workflows in your organisation for the triage of serious security incidents.
- I found that not everything that AWS Security Hub discovers is worth taking a follow-up action on; however, you do need to investigate before you exclude or ignore a finding or insight. E.g. root user use was failing in CIS; however, I have an IdP configured with MFA on root, so no one is using the root user for anything.
- Access to AWS Security Hub is provided via a service IAM role, which should be given only the required access and nothing more.
- Review resource policies to ensure there are no untrusted third-party subscriptions in the account, in case that third party creates false incidents.
- Provide security operations with a feed of AWS Security Hub findings so they can build workflows that trigger the appropriate action based on the severity of each security incident.
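The custom action to CloudWatch Events to incident-system flow mentioned above, and the severity-based triage in the last point, as an added example that is not code from the original post or from AWS: a small handler that accepts the event CloudWatch Events delivers for a Security Hub custom action, checks that it really came from the expected custom action ARN, and routes each finding by its ASFF severity (ticket for HIGH/CRITICAL, review queue for MEDIUM, log only for the rest). The event shape and the severity bands follow the ASFF documentation; the action ARN, account IDs and findings are constructed sample data.

```python
# Detail type CloudWatch Events attaches to Security Hub custom action events.
CUSTOM_ACTION_DETAIL_TYPE = "Security Hub Findings - Custom Action"
# Bands AWS documents for the ASFF Severity.Normalized score (0-100).
SEVERITY_BANDS = [(90, "CRITICAL"), (70, "HIGH"), (40, "MEDIUM"), (1, "LOW")]


def severity_label(finding):
    """Map a finding's Severity block to a label, preferring an explicit Label."""
    sev = finding.get("Severity", {})
    if sev.get("Label"):
        return sev["Label"]
    score = int(sev.get("Normalized", 0))
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "INFORMATIONAL"


def triage(event, expected_action_arn):
    """Route the findings of one custom action event by severity:
    CRITICAL/HIGH -> ticket, MEDIUM -> review queue, anything else -> log only.
    Only an event naming the expected custom action ARN is processed, so a
    mis-targeted or stray rule cannot open tickets."""
    if event.get("detail-type") != CUSTOM_ACTION_DETAIL_TYPE:
        raise ValueError("not a Security Hub custom action event")
    if expected_action_arn not in event.get("resources", []):
        raise ValueError("event is not from the expected custom action")
    routed = {"tickets": [], "queued": [], "logged": []}
    for f in event["detail"]["findings"]:
        label = severity_label(f)
        entry = {"id": f["Id"], "title": f["Title"], "severity": label,
                 "account": f["AwsAccountId"],
                 "resources": [r["Id"] for r in f.get("Resources", [])]}
        bucket = ("tickets" if label in ("CRITICAL", "HIGH")
                  else "queued" if label == "MEDIUM" else "logged")
        routed[bucket].append(entry)
    return routed


# Constructed sample event in the shape of a Security Hub custom action event.
ACTION_ARN = "arn:aws:securityhub:us-east-1:111122223333:action/custom/SendToSOC"
SAMPLE_EVENT = {
    "detail-type": CUSTOM_ACTION_DETAIL_TYPE,
    "resources": [ACTION_ARN],
    "detail": {"actionName": "Send to SOC", "findings": [
        {"Id": "finding-1", "Title": "Root user activity detected",
         "AwsAccountId": "111122223333", "Severity": {"Normalized": 85, "Product": 8.5},
         "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111122223333"}]},
        {"Id": "finding-2", "Title": "CloudTrail log file validation disabled",
         "AwsAccountId": "444455556666", "Severity": {"Normalized": 50, "Product": 5},
         "Resources": [{"Type": "AwsCloudTrailTrail",
                        "Id": "arn:aws:cloudtrail:us-east-1:444455556666:trail/main"}]},
        {"Id": "finding-3", "Title": "Unused IAM access key", "AwsAccountId": "444455556666",
         "Severity": {"Label": "LOW"}, "Resources": []}]}}
```

Deploy `triage` as the Lambda target of a CloudWatch Events rule matching `source` `aws.securityhub` and the custom action ARN, and replace the three lists with calls into your ticketing or SOC tooling.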
Every organisation should be prepared for any form of security incident, especially in a space like AWS, and should put in place basic security controls to monitor and raise alarms in their AWS Accounts.
However, if you are not, you could use CloudTrail, GuardDuty, Inspector and Macie information to create alarms with CloudWatch Events. If you have multiple AWS Accounts and have been struggling to keep tabs on events across all of them, then it is easier to start your AWS security journey with AWS Security Hub.
If you are a compliance-driven organisation, or even an organisation where DevOps works with Security to investigate and manage incidents on AWS Accounts, AWS Security Hub might be the service that brings the two teams together. #devsecops :)
Although this service is still in preview mode, it will be a useful service for gathering insights and generating workflows for AWS security incidents in your organisation. I do have my reservations on whether everyone should jump on the new-service bandwagon and enable it, especially if you already have an existing enterprise-grade security solution for AWS.
Thank you for your time. Now that you are armed with the Good, Bad and Ugly of this AWS service, go out into the world and create secure things.