AWS Security Hub User Guide

AWS Security Hub: User Guide
Copyright 2018 Amazon Web Services, Inc. and/or its affiliates. All rights reserved. Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents

What Is AWS Security Hub?
  Benefits of Security Hub
  Accessing Security Hub
AWS Security Hub Terminology and Concepts
AWS Security Hub Service Limits
AWS Security Hub Supported Regions
Setting Up AWS Security Hub
  Enable Security Hub
  Using Service-Linked Roles
    Service-Linked Role Permissions for Security Hub
    Creating a Service-Linked Role for Security Hub
    Editing a Service-Linked Role for Security Hub
    Deleting a Service-Linked Role for Security Hub
Managing Access to AWS Security Hub
  Permissions Required to Enable Security Hub
  Using a Service-Linked Role to Delegate Permissions to Security Hub
  Using IAM Policies to Delegate Access to Security Hub to IAM Identities
    AWS Managed (Predefined) Policies for Security Hub
Standards Supported in AWS Security Hub - CIS AWS Foundations
  Enabling CIS AWS Foundations Standard in Security Hub
  Standards Checks' Results in Security Hub
  CIS AWS Foundations Standard Checks Supported in Security Hub
  CIS AWS Foundations Standard Checks That are Not Supported in Security Hub
Insights in AWS Security Hub
  Managed Insights
  Custom Insights
Findings in AWS Security Hub
  Working with Findings in Security Hub
  AWS Security Finding Format
    AWS Security Finding Format JSON Syntax
    AWS Security Finding Format Attributes
    AWS Security Finding - Type Taxonomy
Findings Providers in AWS Security Hub
  AWS Findings Providers
  Third-party Partner Findings Providers
  Importing Findings from Custom Products into Security Hub
Managing AWS Accounts in AWS Security Hub
  Designating Master and Member Accounts Through Security Hub Console
Disabling AWS Security Hub
Logging AWS Security Hub API Calls with AWS CloudTrail
  Security Hub Information in CloudTrail
  Example: Security Hub Log File Entries
Automating AWS Security Hub with CloudWatch Events
  Creating Security Hub Custom Actions and CloudWatch Events Rules
  CloudWatch Events Formats for Security Hub
  Sending Security Hub Data to CloudWatch Events

What Is AWS Security Hub?

Note: Currently, AWS Security Hub is in Preview release.

AWS Security Hub provides you with a comprehensive view of your security state within AWS and helps you check your compliance with security industry standards and best practices. Security Hub collects security data from across AWS accounts, services, and supported third-party partners and helps you analyze your security trends and identify the highest priority security issues.

When you enable Security Hub, it immediately begins consuming, aggregating, organizing, and prioritizing findings from AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, and from AWS partner security solutions. Security Hub also generates its own findings as the result of running automated and continuous compliance checks using AWS best practices and supported industry standards (in this release, CIS AWS Foundations). Security Hub then correlates findings across providers to help you prioritize the most significant ones and consolidates these findings into actionable graphs and tables.

Security Hub also allows you to create insights: collections of related findings defined by an aggregation statement and optional filters. An insight identifies a security area that requires attention. Security Hub comes with several managed (default) insights, and you can also create your own custom insights.

Security Hub only detects and consolidates security findings from the supported AWS and partner services that are generated after Security Hub is enabled in your AWS accounts. It does not retroactively detect and consolidate security findings that were generated before Security Hub was enabled.

Benefits of Security Hub

Security Hub reduces the effort of collecting and prioritizing security findings across accounts, from AWS services, and from AWS partner tools. The service ingests data using a standard findings format, eliminating the need for time-consuming data conversion efforts. It then correlates findings across providers to prioritize the most important findings.

With Security Hub, you can run automated, continuous account-level configuration and compliance checks based on industry standards and best practices, such as the Center for Internet Security (CIS) AWS Foundations. These checks provide a compliance score and identify specific accounts and resources that require attention.

Your security findings across accounts are brought together on integrated dashboards that show you the current security and compliance status. You can easily spot trends, identify potential issues, and take the necessary remediation steps.

You can build customized actions and send findings to ticketing, chat, email, or automated remediation systems using integration with Amazon CloudWatch Events.

Accessing Security Hub

You can work with Security Hub in any of the following ways:

Security Hub Console
Sign in to the AWS Management Console and open the Security Hub console at console.aws.amazon.com/securityhub/.

Security Hub HTTPS API
You can access Security Hub programmatically by using the Security Hub HTTPS API, which lets you issue HTTPS requests directly to the service. For more information, see the AWS Security Hub API Reference.

AWS Security Hub Terminology and Concepts

As you get started with Security Hub, you can benefit from learning about its key concepts.

Account
A standard Amazon Web Services (AWS) account that contains your AWS resources. You can sign in to AWS with your account and enable Security Hub. You can also invite other accounts to enable Security Hub and become associated with your AWS account in Security Hub. If your invitations are accepted, your account is designated as the master Security Hub account, and the added accounts become your member accounts. You can then view those accounts' findings. An AWS account can't be a Security Hub master and member account at the same time. An AWS account can accept only one membership invitation. Accepting a membership invitation is optional. For more information, see Managing AWS Accounts in AWS Security Hub (p. 45).

AWS Security Finding
A consistent format for the contents of the findings that Security Hub aggregates or generates. The AWS Security Finding format enables you to use Security Hub to view and analyze findings that are generated by AWS security services, by third-party solutions, or by Security Hub itself as the result of running security compliance checks. For more information, see AWS Security Finding Format (p. 24).

Finding
A potential security issue processed by Security Hub. Security Hub consumes, aggregates, organizes, and prioritizes findings from the supported AWS and third-party services, and generates its own findings as the result of running continuous and automated configuration checks against the rules in the supported AWS and industry best practices and standards (in this release, CIS AWS Foundations). Security Hub processes all findings using a standard format called AWS Security Finding. For more information, see Findings in AWS Security Hub (p. 22).

Insight
A collection of related findings defined by an aggregation statement and optional filters. An insight identifies a security area that requires attention and intervention. Security Hub offers several managed (default) insights that you cannot modify. You can also create custom Security Hub insights to track security issues that are unique to your AWS environment and usage. For more information, see Insights in AWS Security Hub (p. 17).

Standard
A predefined collection of rules based on AWS and security industry best practices. In this release, Security Hub supports the CIS AWS Foundations standard. A rule is a specific compliance control or best practice. Once Security Hub is enabled, it immediately begins running continuous and automated checks on your environment's resources against the rules included in the supported and enabled standards. For more information, see Standards Supported in AWS Security Hub - CIS AWS Foundations (p. 14).

AWS Security Hub Service Limits

The following are AWS Security Hub limits per AWS account per region. All of them are hard limits; you cannot request an increase for any of them.

Resource | Default Limit | Comments
Number of Security Hub member accounts | 1000 | The maximum number of Security Hub member accounts that can be added per AWS account (Security Hub master account) per region.
Number of Security Hub outstanding invitations | 1000 | The maximum number of outstanding Security Hub member account invitations that can be sent per AWS account (Security Hub master account) per region.
Security Hub finding retention time | 90 days | The maximum number of days a Security Hub finding is saved.
Number of Security Hub custom insights | 100 | The maximum number of user-defined custom Security Hub insights that can be created per AWS account per region.
Number of insight results | 100 | The maximum number of aggregated results returned by the GetInsightResults API operation.

AWS Security Hub Supported Regions

AWS Security Hub is supported in the following AWS regions:
Asia Pacific (Mumbai)
Asia Pacific (Seoul)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
Asia Pacific (Tokyo)
Canada (Central)
EU (Frankfurt)
EU (Ireland)
EU (London)
EU (Paris)
US East (N. Virginia)
US East (Ohio)
US West (N. California)
US West (Oregon)
South America (São Paulo)

Setting Up AWS Security Hub

You must have an AWS account in order to enable AWS Security Hub. If you don't have an account, use the following procedure to create one.

To sign up for AWS
1. Open the AWS home page and then choose Create an AWS Account.
   Note: If you previously signed in to the AWS Management Console using AWS account root user credentials, choose Sign in to a different account. If you previously signed in to the console using IAM credentials, choose Sign in using root account credentials. Then choose Create a new AWS account.
2. Follow the online instructions. Part of the sign-up procedure involves receiving a phone call and entering a verification code using the phone keypad.

Topics
Enable Security Hub (p. 7)
Using Service-Linked Roles for AWS Security Hub (p. 8)

Enable Security Hub

To use Security Hub, you must first enable it. Use the following procedure to enable Security Hub.

1. The IAM identity (user, group, or role) that you use to enable Security Hub must have the required permissions. To grant the permissions required to enable Security Hub, attach the following policy to the IAM user, group, or role. The second statement is deliberately scoped with the iam:AWSServiceName condition key so that the identity can create only the Security Hub service-linked role, not service-linked roles for other services:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "securityhub:*",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "iam:CreateServiceLinkedRole",
                "Resource": "*",
                "Condition": {
                    "StringLike": {
                        "iam:AWSServiceName": "securityhub.amazonaws.com"
                    }
                }
            }
        ]
    }

2. Use the credentials of the IAM identity from step 1 to sign in to the Security Hub console. When you open the Security Hub console for the first time, choose Get Started, and then choose Enable Security Hub.

Note the following about enabling Security Hub:

Security Hub is assigned a service-linked role called AWSServiceRoleForSecurityHub. This service-linked role includes the permissions and trust policy that Security Hub requires to detect and aggregate findings from Amazon GuardDuty, Amazon Inspector, and Amazon Macie, and to configure the requisite AWS Config infrastructure in order to run the supported standard's (in this release, CIS AWS Foundations) compliance checks. To view the details of AWSServiceRoleForSecurityHub, on the Enable Security Hub page, choose View service role permissions. For more information, see Using Service-Linked Roles for AWS Security Hub (p. 8). For more information about service-linked roles, see Using Service-Linked Roles.

By enabling Security Hub in a particular AWS account, you also, by default, enable the supported CIS AWS Foundations standard in that account. In order for Security Hub to successfully run compliance checks against the rules included in the CIS AWS Foundations standard, you must have AWS Config enabled in the account where you enabled Security Hub. (If this is a master Security Hub account, make sure to enable AWS Config in each of this master's member accounts as well.) Security Hub doesn't manage AWS Config for you. If you already have AWS Config enabled, you can continue configuring its settings through the AWS Config console or APIs. If you don't have AWS Config enabled, you can enable it manually or by using the AWS CloudFormation "Enable AWS Config" template in AWS CloudFormation StackSets Sample Templates. When you turn on the AWS Config recorder, make sure to choose to record all resources supported in a given region, including global resources; several CIS checks evaluate global resources such as IAM and are not possible without them. For more information, see Getting Started with AWS Config.

Using Service-Linked Roles for AWS Security Hub

AWS Security Hub uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to Security Hub. Service-linked roles are predefined by Security Hub and include all the permissions that Security Hub requires to call other AWS services on your behalf. A service-linked role makes setting up Security Hub easier because you don't have to manually add the necessary permissions. Security Hub defines the permissions of its service-linked role, and unless the permissions are defined otherwise, only Security Hub can assume the role. The defined permissions include the trust policy and the permissions policy, and that permissions policy can't be attached to any other IAM entity.

Security Hub supports using service-linked roles in all of the regions where Security Hub is available. For more information, see AWS Security Hub Supported Regions (p. 6).

You can delete the Security Hub service-linked role only after first disabling Security Hub in all regions where it is enabled. This protects your Security Hub resources because you can't inadvertently remove the permissions needed to access them.

For information about other services that support service-linked roles, see AWS Services That Work with IAM in the IAM User Guide and look for the services that have Yes in the Service-Linked Role column. Choose a Yes with a link to view the service-linked role documentation for that service.

Service-Linked Role Permissions for Security Hub

Security Hub uses the service-linked role named AWSServiceRoleForSecurityHub. It is a service-linked role required for AWS Security Hub to access your resources.

The AWSServiceRoleForSecurityHub service-linked role trusts the following service to assume the role:
securityhub.amazonaws.com

The role permissions policy allows Security Hub to complete the following actions on the specified resources:

On Resources: *
cloudtrail:DescribeTrails
cloudtrail:GetTrailStatus
cloudtrail:GetEventSelectors
cloudwatch:DescribeAlarms
logs:DescribeMetricFilters
sns:ListSubscriptionsByTopic
config:DescribeConfigurationRecorders
config:DescribeConfigurationRecorderStatus
config:DescribeConfigRules
config:BatchGetResourceConfig

On Resources: arn:aws:config:*:*:config-rule/aws-service-rule/*securityhub*
config:PutConfigRule
config:DeleteConfigRule
config:GetComplianceDetailsByConfigRule

Note that the write actions (PutConfigRule and DeleteConfigRule) are limited to Config rules under the aws-service-rule path whose name contains "securityhub"; the role cannot create, change, or delete the Config rules you manage yourself.

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For the AWSServiceRoleForSecurityHub service-linked role to be successfully created, the IAM identity that you use Security Hub with must have the required permissions. To grant the required permissions, attach the following policy to that IAM user, group, or role:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "securityhub:*",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "iam:CreateServiceLinkedRole",
                "Resource": "*",
                "Condition": {
                    "StringLike": {
                        "iam:AWSServiceName": "securityhub.amazonaws.com"
                    }
                }
            }
        ]
    }

Creating a Service-Linked Role for Security Hub

The AWSServiceRoleForSecurityHub service-linked role is automatically created when you enable Security Hub for the first time or enable Security Hub in a supported region where you previously didn't have it enabled. You can also create the AWSServiceRoleForSecurityHub service-linked role manually using the IAM console, the IAM CLI, or the IAM API. The service-linked role that is created for the master Security Hub account doesn't apply to the member Security Hub accounts; each member account gets its own. For more information about creating the role manually, see Creating a Service-Linked Role in the IAM User Guide.

Editing a Service-Linked Role for Security Hub

Security Hub doesn't allow you to edit the AWSServiceRoleForSecurityHub service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see Editing a Service-Linked Role in the IAM User Guide.

Deleting a Service-Linked Role for Security Hub

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that isn't actively monitored or maintained.

You must first disable Security Hub in all regions where it is enabled in order to delete the AWSServiceRoleForSecurityHub role. If Security Hub isn't disabled when you try to delete the service-linked role, the deletion fails. For more information, see Disabling AWS Security Hub (p. 47).

When you disable Security Hub, the AWSServiceRoleForSecurityHub role is NOT automatically deleted. If you then enable Security Hub again, it starts using the existing AWSServiceRoleForSecurityHub role.

To manually delete the service-linked role using IAM
Use the IAM console, the IAM CLI, or the IAM API to delete the AWSServiceRoleForSecurityHub service-linked role. For more information, see Deleting a Service-Linked Role in the IAM User Guide.

Managing Access to AWS Security Hub

Topics
Permissions Required to Enable Security Hub (p. 11)
Using a Service-Linked Role to Delegate Permissions to Security Hub (p. 11)
Using IAM Policies to Delegate Access to Security Hub to IAM Identities (p. 13)

Permissions Required to Enable Security Hub

This section describes the permissions that IAM identities (users, groups, and roles) must have in order to initially enable Security Hub, either through the console or programmatically (using the Security Hub API or the Security Hub commands in the AWS CLI). To grant the permissions required to enable Security Hub, attach the following policy to the IAM user, group, or role:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "securityhub:*",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "iam:CreateServiceLinkedRole",
                "Resource": "*",
                "Condition": {
                    "StringLike": {
                        "iam:AWSServiceName": "securityhub.amazonaws.com"
                    }
                }
            }
        ]
    }

Using a Service-Linked Role to Delegate Permissions to Security Hub

This section describes the permissions that Security Hub itself requires in order to function.

When you enable Security Hub (using the Security Hub console or programmatically through the API operations or AWS CLI commands), it is automatically assigned a service-linked role called AWSServiceRoleForSecurityHub. A service-linked role is a unique type of IAM role that is linked directly to an AWS service (in this case, Security Hub). Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf. The linked service (in this case, Security Hub) also defines how you create, modify, and delete a service-linked role. For more information about service-linked roles, see Using Service-Linked Roles and Using Service-Linked Roles for AWS Security Hub (p. 8).

The AWSServiceRoleForSecurityHub service-linked role is created automatically when Security Hub is enabled. It includes the permissions and the trust policy that Security Hub requires to detect and aggregate findings from Amazon GuardDuty, Amazon Inspector, and Amazon Macie, and to configure the requisite AWS Config infrastructure in order to run the supported standard's (in this release, CIS AWS Foundations) compliance checks.

You cannot edit the AWSServiceRoleForSecurityHub service-linked role. You can view its permissions or delete this service-linked role via the IAM console. To delete the AWSServiceRoleForSecurityHub service-linked role, you must first disable Security Hub (p. 47) in all regions in that AWS account.

To view the permissions attached to AWSServiceRoleForSecurityHub, choose the View service role permissions button in the Settings/General tab of the Security Hub console.

The following is the permissions policy document that is attached to the AWSServiceRoleForSecurityHub service-linked role. The read-only actions apply to any resource; the three actions that create, delete, or read compliance details of Config rules are restricted to rules under the aws-service-rule path whose name contains "securityhub":

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "cloudtrail:DescribeTrails",
                    "cloudtrail:GetTrailStatus",
                    "cloudtrail:GetEventSelectors",
                    "cloudwatch:DescribeAlarms",
                    "logs:DescribeMetricFilters",
                    "sns:ListSubscriptionsByTopic",
                    "config:DescribeConfigurationRecorders",
                    "config:DescribeConfigurationRecorderStatus",
                    "config:DescribeConfigRules",
                    "config:BatchGetResourceConfig"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "config:PutConfigRule",
                    "config:DeleteConfigRule",
                    "config:GetComplianceDetailsByConfigRule"
                ],
                "Resource": "arn:aws:config:*:*:config-rule/aws-service-rule/*securityhub*"
            }
        ]
    }
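The two policies in this chapter (the one an identity needs in order to enable Security Hub, under Permissions Required to Enable Security Hub, and the permissions policy of AWSServiceRoleForSecurityHub above) can be checked offline for what they do and do not grant. The following is an added example written for this guide, not AWS code: it implements only the IAM features those two documents use (Allow statements, "*" and "?" wildcards in actions and resource ARNs, and StringLike conditions) and ignores Deny, NotAction, policy variables, and other condition operators. The two Config rule ARNs it tests against are constructed. The point it makes is the scoping: iam:CreateServiceLinkedRole is usable only when the service name is securityhub.amazonaws.com, and the service-linked role may write Config rules only under the aws-service-rule/*securityhub* path, not rules you created yourself.

```python
"""Minimal evaluator for the two Security Hub IAM policies in this guide.

Added example, not AWS code. Models only: Allow statements, '*' / '?'
wildcards in actions and resource ARNs, and StringLike conditions.
"""
import fnmatch
import json

# Policy the guide says to attach to the identity that enables Security Hub.
ENABLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "securityhub:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*",
     "Condition": {"StringLike": {"iam:AWSServiceName": "securityhub.amazonaws.com"}}}
  ]
}""")

# Permissions policy of the AWSServiceRoleForSecurityHub service-linked role.
SLR_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus",
                "cloudtrail:GetEventSelectors", "cloudwatch:DescribeAlarms",
                "logs:DescribeMetricFilters", "sns:ListSubscriptionsByTopic",
                "config:DescribeConfigurationRecorders",
                "config:DescribeConfigurationRecorderStatus",
                "config:DescribeConfigRules", "config:BatchGetResourceConfig"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["config:PutConfigRule", "config:DeleteConfigRule",
                "config:GetComplianceDetailsByConfigRule"],
     "Resource": "arn:aws:config:*:*:config-rule/aws-service-rule/*securityhub*"}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """StringLike only: every listed key must be present in the request
    context and match one of its patterns. Key names are case-insensitive."""
    for operator, pairs in condition.items():
        if operator != "StringLike":
            raise NotImplementedError("condition operator not modelled: " + operator)
        for key, patterns in pairs.items():
            actual = context.get(key.lower())
            if actual is None or not any(
                    fnmatch.fnmatchcase(actual, p) for p in _as_list(patterns)):
                return False
    return True


def is_allowed(policy, action, resource="*", context=None):
    """True if some Allow statement matches the action, the resource ARN and
    the condition. Action names are case-insensitive; ARNs are compared
    against the statement's patterns as written."""
    context = {k.lower(): v for k, v in (context or {}).items()}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r)
                   for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False


# Constructed ARNs: a Config rule managed by Security Hub and a customer rule.
SECURITYHUB_RULE_ARN = ("arn:aws:config:us-east-1:123456789012:config-rule/"
                        "aws-service-rule/securityhub.amazonaws.com/config-rule-abc123")
CUSTOMER_RULE_ARN = "arn:aws:config:us-east-1:123456789012:config-rule/config-rule-xyz789"
```

This answers only whether these two documents grant a call. A real authorization decision also takes the identity's other policies, any explicit Deny, permissions boundaries, and service control policies into account.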

Using IAM Policies to Delegate Access to Security Hub to IAM Identities

This section describes how to delegate access to Security Hub to various IAM identities (users, groups, and roles). By default, access to Security Hub resources is restricted to the owner of the AWS account that the resources were created in. If you are the owner, you can choose to grant full or limited access to Security Hub to the various IAM identities in your account. For more information about creating IAM access policies, see AWS Identity and Access Management (IAM).

AWS Managed (Predefined) Policies for Security Hub

AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. These managed policies grant the necessary permissions for common use cases so that you can avoid having to investigate which permissions are needed. For more information, see AWS Managed Policies in the IAM User Guide.

The following AWS managed policies, which you can attach to users in your account, are specific to Security Hub:
AWSSecurityHubFullAccess: provides access to all Security Hub functionality.
AWSSecurityHubReadOnlyAccess: provides read-only access to Security Hub.

Standards Supported in AWS Security Hub - CIS AWS Foundations

In addition to consuming, aggregating, and analyzing security findings from various supported AWS and third-party providers, AWS Security Hub also generates its own findings as the result of running automated and continuous checks against the compliance rules in the supported security standards. These checks provide a compliance score and identify specific accounts and resources that require attention. In this release, Security Hub supports the CIS AWS Foundations standard.

Topics
Enabling CIS AWS Foundations Standard in Security Hub (p. 14)
Standards Checks' Results in Security Hub (p. 15)
CIS AWS Foundations Standard Checks Supported in Security Hub (p. 15)
CIS AWS Foundations Standard Checks That are Not Supported in Security Hub (p. 16)

Enabling CIS AWS Foundations Standard in Security Hub

When you enable Security Hub in a particular AWS account, you also, by default, enable the supported CIS AWS Foundations standard in that account. In other words, once you enable Security Hub, it immediately begins running checks on your environment's resources against the compliance rules included in the now enabled CIS AWS Foundations standard. Security Hub then generates findings based on the results of these checks.

To run the CIS AWS Foundations standard's compliance checks on your environment's resources, Security Hub uses AWS Config rules to evaluate the configuration settings of your AWS resources. AWS Config rules represent your ideal resource configuration settings. Therefore, when you enable Security Hub in a particular AWS account, you must also enable AWS Config in that account. Once Security Hub and AWS Config are enabled, Security Hub automatically creates the requisite infrastructure of AWS Config rules that it needs to run the CIS AWS Foundations standard's compliance checks.

Note: If you're working with a master Security Hub account, make sure to enable AWS Config in each of this master's member Security Hub accounts.

Security Hub doesn't manage AWS Config for you. If you already have AWS Config enabled, you can continue configuring its settings through the AWS Config console or APIs. If you don't have AWS Config enabled, you can enable it manually or by using the AWS CloudFormation "Enable AWS Config" template in AWS CloudFormation StackSets Sample Templates. When you turn on the AWS Config recorder as part of enabling AWS Config, make sure to choose to record all resources supported in a given region, including global resources.

For more information, see Getting Started with AWS Config.

Standards Checks' Results in Security Hub

Security Hub uses the AWS Security Finding Format (p. 24) for the findings that it generates as the result of running checks against the compliance rules included in the enabled standards. For these findings, the format includes a Compliance field that contains the standard's compliance-related details, including the results of the checks that Security Hub ran. The possible results of a standard check are Passed, Failed, Warning (generated if Security Hub or AWS Config is unable to complete the check), and Not available (generated if the service whose resources are being checked is not available).

If all resources in the Security Hub master account and across all member accounts passed a given check, the rule used for that check is considered Compliant. If one or more resources in the master account or in any member account failed the check or received a warning, the rule is considered Noncompliant.

The Compliance field displays the result of the most recent check that Security Hub ran against a given rule. The results of previous checks are kept in an archived state for 90 days. If a subsequent check against a given rule generates a new result (for example, the status of "Avoid the use of the "root" account" changed from Failed to Passed), a new finding that contains the most recent result is generated. If a subsequent check against a given rule generates a result that's identical to the current result, the existing finding is updated and no new finding is generated.
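The per-rule roll-up and the update-or-replace behaviour described above, as an added example written for this guide rather than AWS code. The finding shape is a constructed subset of the AWS Security Finding format (AwsAccountId, GeneratorId, Resources, Compliance.Status, RecordState); the account ids, rule ids, and timestamps are made up, and the 90-day retention comes from the Service Limits section. One assumption is called out in the code: the guide does not say what a rule shows when it has no usable result at all, so that case returns "Not available" here.

```python
"""Roll-up of standard check results per rule, and finding update/replace.

Added example, not AWS code. Findings are a constructed subset of the
AWS Security Finding format; ids and timestamps are made up.
"""
from datetime import datetime, timedelta, timezone

PASSED, FAILED, WARNING, NOT_AVAILABLE = "PASSED", "FAILED", "WARNING", "NOT_AVAILABLE"
RETENTION_DAYS = 90  # finding retention limit from the Service Limits section


def rule_compliance(findings, rule_id):
    """Roll up one rule across the master and all member accounts.
    Any FAILED or WARNING result makes the rule Noncompliant; it is Compliant
    only when every active result is PASSED. With no usable result (none at
    all, or only NOT_AVAILABLE) this returns 'Not available'; that last case
    is an assumption of this example, the guide does not specify it."""
    statuses = [f["Compliance"]["Status"] for f in findings
                if f["GeneratorId"] == rule_id and f["RecordState"] == "ACTIVE"]
    if any(s in (FAILED, WARNING) for s in statuses):
        return "Noncompliant"
    if statuses and all(s == PASSED for s in statuses):
        return "Compliant"
    return "Not available"


def record_check_result(store, account, rule_id, resource_id, status, observed_at):
    """store maps (account, rule, resource) to that check's findings, newest last.
    Same status as the current finding: update it in place, no new finding.
    Different status: archive the current finding and create a new one.
    Returns (finding, created)."""
    history = store.setdefault((account, rule_id, resource_id), [])
    current = history[-1] if history else None
    if current is not None and current["Compliance"]["Status"] == status:
        current["UpdatedAt"] = observed_at
        return current, False
    if current is not None:
        current["RecordState"] = "ARCHIVED"
    finding = {
        "AwsAccountId": account,
        "GeneratorId": rule_id,
        "Resources": [{"Id": resource_id}],
        "Compliance": {"Status": status},
        "RecordState": "ACTIVE",
        "CreatedAt": observed_at,
        "UpdatedAt": observed_at,
    }
    history.append(finding)
    return finding, True


def active_findings(store):
    return [f for history in store.values() for f in history
            if f["RecordState"] == "ACTIVE"]


def expire_archived(store, now, retention_days=RETENTION_DAYS):
    """Drop archived findings whose last update is older than the retention window."""
    removed = 0
    for key, history in store.items():
        kept = [f for f in history
                if not (f["RecordState"] == "ARCHIVED"
                        and now - f["UpdatedAt"] > timedelta(days=retention_days))]
        removed += len(history) - len(kept)
        store[key] = kept
    return removed


def demo():
    """Master 111111111111 with member 222222222222; rule ids are placeholders."""
    master, member = "111111111111", "222222222222"
    root_rule, mfa_rule = "cis/1.1-avoid-root", "cis/1.13-root-mfa"
    master_res, member_res = f"AWS::::Account:{master}", f"AWS::::Account:{member}"
    store = {}
    t0 = datetime(2018, 12, 1, tzinfo=timezone.utc)
    record_check_result(store, master, root_rule, master_res, FAILED, t0)
    record_check_result(store, member, root_rule, member_res, PASSED, t0)
    record_check_result(store, master, mfa_rule, master_res, WARNING, t0)
    out = {"root_rule_t0": rule_compliance(active_findings(store), root_rule),
           "mfa_rule_t0": rule_compliance(active_findings(store), mfa_rule)}
    # Next day the master account passes: a new finding replaces the failed one.
    t1 = t0 + timedelta(days=1)
    _, created = record_check_result(store, master, root_rule, master_res, PASSED, t1)
    out["created_on_change"] = created
    out["root_rule_t1"] = rule_compliance(active_findings(store), root_rule)
    # Same result again: the existing finding is updated, nothing new is created.
    _, created = record_check_result(store, master, root_rule, master_res, PASSED,
                                     t1 + timedelta(days=1))
    out["created_on_repeat"] = created
    out["history_len"] = len(store[(master, root_rule, master_res)])
    out["expired"] = expire_archived(store, t0 + timedelta(days=RETENTION_DAYS + 1))
    out["history_len_after"] = len(store[(master, root_rule, master_res)])
    return out
```

The roll-up is deliberately strict: a single WARNING in one member account is enough to mark the rule Noncompliant across the whole master, which is why an AWS Config recorder that is missing in one member account shows up as a compliance problem rather than as a gap.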
CIS AWS Foundations Standard Checks Supported in Security Hub

Note: You cannot disable individual rules within the CIS AWS Foundations standard. You can disable the entire CIS AWS Foundations standard and thus stop Security Hub from running checks against its rules and generating findings based on those checks.

The following are the compliance rules included in the CIS AWS Foundations standard in Security Hub:
Avoid the use of the "root" account
Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
Ensure credentials unused for 90 days or greater are disabled
Ensure access keys are rotated every 90 days or less
Ensure IAM password policy requires at least one uppercase letter
Ensure IAM password policy requires at least one lowercase letter
Ensure IAM password policy requires at least one symbol
Ensure IAM password policy requires at least one number
Ensure IAM password policy requires minimum length of 14 or greater
Ensure IAM password policy prevents password reuse
Ensure IAM password policy expires passwords within 90 days or less
Ensure no root account access key exists
Ensure MFA is enabled for the "root" account
Ensure hardware MFA is enabled for the "root" account
Ensure IAM policies are attached only to groups or roles
Ensure a support role has been created to manage incidents with AWS Support
Ensure IAM policies that allow full "*:*" administrative privileges are not created
Ensure CloudTrail is enabled in all regions
Ensure CloudTrail log file validation is enabled
Ensure the S3 bucket CloudTrail logs to is not publicly accessible
Ensure CloudTrail trails are integrated with CloudWatch Logs
Ensure AWS Config is enabled in all regions
Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
Ensure CloudTrail logs are encrypted at rest using KMS CMKs
Ensure rotation for customer created CMKs is enabled
Ensure VPC flow logging is enabled in all VPCs
Ensure a log metric filter and alarm exist for unauthorized API calls
Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
Ensure a log metric filter and alarm exist for usage of "root" account
Ensure a log metric filter and alarm exist for IAM policy changes
Ensure a log metric filter and alarm exist for CloudTrail configuration changes
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Ensure a log metric filter and alarm exist for S3 bucket policy changes
Ensure a log metric filter and alarm exist for AWS Config configuration changes
Ensure a log metric filter and alarm exist for security group changes
Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Ensure a log metric filter and alarm exist for changes to network gateways
Ensure a log metric filter and alarm exist for route table changes
Ensure a log metric filter and alarm exist for VPC changes
Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
Ensure the default security group of every VPC restricts all traffic

CIS AWS Foundations Standard Checks That are Not Supported in Security Hub

The following CIS AWS Foundations compliance rules are NOT supported in Security Hub (most of them concern account contact details or operational practice that cannot be evaluated from resource configuration):
Ensure security questions are registered in the AWS account
Maintain current contact details
Ensure security contact information is registered
Ensure IAM instance roles are used for AWS resource access from instances
Do not setup access keys during initial user setup for all IAM users that have a console password
Ensure routing tables for VPC peering are "least access"

Insights in AWS Security Hub

Currently, Security Hub is in Preview release.

A Security Hub insight is a collection of related findings defined by an aggregation statement and optional filters. An insight identifies a security area that requires attention and intervention. Security Hub offers several managed (default) insights that you cannot modify or delete. You can also create custom insights to track security issues that are unique to your AWS environment and usage.

Topics
Managed Insights (p. 18)
Custom Insights (p. 19)

Use the following procedure to manage your Security Hub insights.

Note
You cannot edit or delete managed (default) Security Hub insights.

To manage insights

1. Open the Security Hub console at
2. In the navigation pane, choose Insights.
3. To update an insight's filters, choose the insight that you want to modify and then do the following:

   Use the Filter field to select one attribute as the Group by aggregator for this insight, and one or more attributes from the available attribute list as the optional filters for this insight. The Group by aggregator and the optional filters define which findings are included in this insight. Choose Apply for every filter you select.

   You can use one of the following attributes as the Group by aggregator:

   Note
   You can only have one Group by aggregator in a Security Hub insight.

   AwsAccountId
   CompanyName
   ComplianceStatus
   GeneratorId
   MalwareName
   ProcessName
   ThreatIntelIndicatorType
   ProductArn
   ProductName
   RecordState
   ResourceAwsEc2InstanceImageId
   ResourceAwsEc2InstanceIpV4Addresses
   ResourceAwsEc2InstanceIpV6Addresses
   ResourceAwsEc2InstanceKeyName
   ResourceAwsEc2InstanceSubnetId
   ResourceAwsEc2InstanceType
   ResourceAwsEc2InstanceVpcId
   ResourceAwsIamAccessKeyUserName
   ResourceAwsS3BucketOwnerName
   ResourceContainerImageId
   ResourceContainerImageName
   ResourceContainerName
   ResourceId
   ResourceType
   SeverityLabel
   SourceUrl
   Type
   VerificationState
   WorkflowState

   You can use all of the AWS Security Finding format's attributes as optional filters for your insights. For the complete list of AWS Security Finding attributes and their descriptions, see AWS Security Finding Format (p. 24).

   When you're finished selecting the Group by aggregator and optional filters for your insight, choose Create insight. In the Create/Update insight pop-up window, choose Update insight to save the changes you made to the existing insight that you are modifying, or choose Create insight to save the changes as a new custom insight. Specify the name for the new custom insight and then choose Ok.

   Note
   If you're modifying the filters and the Group by aggregator of a managed insight, you can only save your changes as a new custom insight. You cannot update the filters and the Group by aggregator of a managed insight.

   To delete an insight, choose the 'More options' icon in the insight's tile, and then choose Delete.

   Note
   You can only delete custom insights. You cannot delete managed insights.

4. To apply the default (Archive) action or custom actions to an insight, choose that insight (managed or custom), select one or more of the insight results' checkboxes, expand the Actions menu, and choose either Archive or one of the existing custom actions.

   Note
   You can create Security Hub custom actions to automate Security Hub with AWS CloudWatch Events. For more information and detailed steps on creating custom actions, see Automating AWS Security Hub with CloudWatch Events (p. 51).

Managed Insights

Currently, Security Hub is in Preview release.

In the current release, Security Hub offers the following managed (default) insights:

Note
You cannot edit or delete managed (default) Security Hub insights.

AWS resources with the most findings
S3 buckets with sensitive data and public read permissions
Resources that have a vulnerability or configuration issue and are involved in potential malicious behavior
EC2 instances with vulnerabilities and open to the internet
AMIs that are generating the most findings
AWS resources that don't meet security standards / best practices
AWS resources associated with potential data exfiltration
AWS resources associated with unauthorized resource consumption
AWS Users with the most suspicious activity
S3 buckets with public write or read permissions
S3 buckets that don't meet security standards / best practices
S3 buckets with sensitive data
Credentials that may have leaked
EC2 instances that allow password authentication over SSH and have the SSH port open to the internet
EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)
EC2 instances that have missing security patches for important vulnerabilities
EC2 instances with general unusual behavior
EC2 instances that have ports accessible from the Internet
EC2 instances that don't meet security standards / best practices
EC2 instances with anonymized connections
EC2 instances that are open to the internet
EC2 instances associated with adversary reconnaissance
AWS resources that are associated with malware
AWS resources associated with cryptocurrency issues
AWS resources with unauthorized access attempts
Threat intel indicators with the most hits in the last week

Custom Insights

Currently, Security Hub is in Preview release.

Use the following procedure to create custom Security Hub insights to track security issues that are unique to your AWS environment and usage.

1. Open the Security Hub console at
2. In the navigation pane, choose Insights.
3. To start creating a new insight, either choose Create insight or select one of your existing managed or custom insights.

   If you choose the Create insight button, you can use the currently empty Filter field to specify the Group by aggregator and the optional filters that define which findings are included in this insight.

   If you choose an existing insight, you can use the Filter field to edit the Group by aggregator and the optional filters that define which findings are included in this insight. You can then save these changes as a new custom insight.

   Note
   For optional filters, AND logic is applied to your specified collection of filters to query your findings. However, OR logic is applied to multiple filters that use the same attribute set to different values.

4. Once you have completed the step above, use the Filter field to select one attribute as the Group by aggregator for this insight, and one or more attributes from the available attribute list as the optional filters for this insight. Choose Apply for every filter you select.

   You can use one of the following attributes as the Group by aggregator:

   Note
   You can only have one Group by aggregator (one attribute/value pair) in a Security Hub insight.

   AwsAccountId
   CompanyName
   ComplianceStatus
   GeneratorId
   MalwareName
   ProcessName
   ThreatIntelIndicatorType
   ProductArn
   ProductName
   RecordState
   ResourceAwsEc2InstanceImageId
   ResourceAwsEc2InstanceIpV4Addresses
   ResourceAwsEc2InstanceIpV6Addresses
   ResourceAwsEc2InstanceKeyName
   ResourceAwsEc2InstanceSubnetId
   ResourceAwsEc2InstanceType
   ResourceAwsEc2InstanceVpcId
   ResourceAwsIamAccessKeyUserName
   ResourceAwsS3BucketOwnerName
   ResourceContainerImageId
   ResourceContainerImageName
   ResourceContainerName
   ResourceId
   ResourceType
   SeverityLabel
   SourceUrl
   Type
   VerificationState
   WorkflowState

   You can use all of the AWS Security Finding format's attributes as optional filters for your insights. For the complete list of AWS Security Finding format attributes and their descriptions, see AWS Security Finding Format (p. 24).

5. When you're finished selecting the Group by aggregator and optional filters for your insight, choose Create insight. Specify the name for the new insight and then choose Ok.

Note
You can also save the changes that you made to an existing custom or managed insight as a new custom insight. For more information, see the To manage insights procedure in Insights in AWS Security Hub (p. 17).

Findings in AWS Security Hub

Currently, AWS Security Hub is in Preview release.

AWS provides the most secure cloud computing environment available in which you can run your workloads, enabling you to access various AWS and partner security, identity, and compliance tools, including firewalls, endpoint and intrusion detection, and database security, vulnerability and compliance scanners. These tools can generate thousands of security findings every day. These findings all have different finding formats and can be stored and viewed across different consoles. To understand your overall security and compliance state, you'd have to either continuously pivot across these tools manually or develop ways to aggregate and analyze the generated findings. With large workloads and environments, processing and analyzing this data can take hundreds of hours of building parsers, transformers, custom compliance rules, and data enrichment pipelines. Even then, the volume of the findings can sometimes be more than you can effectively process. Therefore, it can be difficult to separate potential security issues from noise, to prioritize the findings that matter to you most, and to ensure that you aren't missing any critical findings.

Security Hub eliminates this complexity and reduces the effort required to manage and improve the security and compliance of all of your AWS accounts and workloads. Security Hub consumes, aggregates, organizes, and prioritizes findings from AWS security services and also from the integrated partner providers' solutions. Security Hub ingests these findings using a standard findings format called AWS Security Finding, thus eliminating the need for time-consuming data conversion efforts. It then correlates ingested findings across providers to prioritize the most important ones. For more information, see AWS Security Finding Format (p. 24).

Topics
Working with Findings in Security Hub (p. 22)
AWS Security Finding Format (p. 24)
Findings Providers in AWS Security Hub (p. 41)

Working with Findings in Security Hub

You can use the following procedure to view and manage findings in Security Hub:

1. Open the Security Hub console at
2. In the navigation pane, choose Findings.

   By default, the Findings page lists all of your active Security Hub-processed and generated findings (the Record state filter attribute is preselected by default and its value is set to ACTIVE). You can change the value of the Record state filter attribute to ARCHIVED to view only your archived findings. You can also remove this filter attribute to view all of your active and archived findings.

3. Use the Filter field to select one attribute as the Group by aggregator and one or more filter attributes from the available attribute list to query your findings.

   You can use one of the following attributes as the Group by aggregator:

   AwsAccountId
   CompanyName
   ComplianceStatus
   GeneratorId
   MalwareName
   ProcessName
   ThreatIntelIndicatorType
   ProductArn
   ProductName
   RecordState
   ResourceAwsEc2InstanceImageId
   ResourceAwsEc2InstanceIpV4Addresses
   ResourceAwsEc2InstanceIpV6Addresses
   ResourceAwsEc2InstanceKeyName
   ResourceAwsEc2InstanceSubnetId
   ResourceAwsEc2InstanceType
   ResourceAwsEc2InstanceVpcId
   ResourceAwsIamAccessKeyUserName
   ResourceAwsS3BucketOwnerName
   ResourceContainerImageId
   ResourceContainerImageName
   ResourceContainerName
   ResourceId
   ResourceType
   SeverityLabel
   SourceUrl
   Type
   VerificationState
   WorkflowState

   All of the AWS Security Finding format's attributes can be used as filters to query your findings.

   Note
   For optional filters, AND logic is applied to your specified collection of filters to query your findings. However, OR logic is applied to multiple filters that use the same attribute set to different values.

   For the complete list of AWS Security Finding attributes and their descriptions, see AWS Security Finding Format (p. 24).

4. Choose a finding's title to view the finding's detail pane. Once the detail pane is displayed, choose the finding ID to view the complete JSON of that finding.

5. To apply the default (Archive) action or custom actions to findings, select one or more findings' checkboxes, expand the Actions menu, and choose either Archive or one of the existing custom actions.

   Note
   You can create Security Hub custom actions to automate Security Hub with AWS CloudWatch Events. For more information and detailed steps on creating custom actions, see Automating AWS Security Hub with CloudWatch Events (p. 51).
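As an added example that is not code from this guide or from AWS, the following Python models the filter semantics the notes above describe for both the Findings page and insights (AND across different attributes, OR across several values of one attribute) together with the single Group by aggregator, over a constructed set of findings whose IDs and account numbers are placeholders.

```python
"""Model how Security Hub combines filters and a Group by aggregator.

Added example, not code from the AWS Security Hub User Guide. It implements the
rule the guide states for the Findings page and for insights: filters on
different attributes are AND'ed, several filters on the same attribute are
OR'ed, and exactly one Group by aggregator is allowed. The findings below are
constructed for illustration; the IDs and account numbers are placeholders.
"""
from collections import Counter

# Attributes the console offers as the Group by aggregator (from the guide).
GROUP_BY_ATTRIBUTES = {
    "AwsAccountId", "CompanyName", "ComplianceStatus", "GeneratorId",
    "MalwareName", "ProcessName", "ThreatIntelIndicatorType", "ProductArn",
    "ProductName", "RecordState", "ResourceAwsEc2InstanceImageId",
    "ResourceAwsEc2InstanceIpV4Addresses", "ResourceAwsEc2InstanceIpV6Addresses",
    "ResourceAwsEc2InstanceKeyName", "ResourceAwsEc2InstanceSubnetId",
    "ResourceAwsEc2InstanceType", "ResourceAwsEc2InstanceVpcId",
    "ResourceAwsIamAccessKeyUserName", "ResourceAwsS3BucketOwnerName",
    "ResourceContainerImageId", "ResourceContainerImageName",
    "ResourceContainerName", "ResourceId", "ResourceType", "SeverityLabel",
    "SourceUrl", "Type", "VerificationState", "WorkflowState",
}

# Constructed sample findings, already flattened to the attribute names the
# console uses for filtering (a real finding is the nested ASFF JSON).
FINDINGS = [
    {"Id": "f-1", "AwsAccountId": "111111111111", "ProductName": "GuardDuty",
     "ResourceType": "AwsEc2Instance", "ResourceId": "i-0aaa0000000000001",
     "ResourceAwsEc2InstanceIpV4Addresses": ["10.0.1.5", "203.0.113.10"],
     "SeverityLabel": "HIGH", "RecordState": "ACTIVE"},
    {"Id": "f-2", "AwsAccountId": "111111111111", "ProductName": "Inspector",
     "ResourceType": "AwsEc2Instance", "ResourceId": "i-0aaa0000000000001",
     "ResourceAwsEc2InstanceIpV4Addresses": ["10.0.1.5", "203.0.113.10"],
     "SeverityLabel": "MEDIUM", "RecordState": "ACTIVE"},
    {"Id": "f-3", "AwsAccountId": "111111111111", "ProductName": "Macie",
     "ResourceType": "AwsS3Bucket", "ResourceId": "example-bucket-1",
     "SeverityLabel": "LOW", "RecordState": "ACTIVE"},
    {"Id": "f-4", "AwsAccountId": "222222222222", "ProductName": "GuardDuty",
     "ResourceType": "AwsEc2Instance", "ResourceId": "i-0bbb0000000000002",
     "ResourceAwsEc2InstanceIpV4Addresses": ["10.0.2.9"],
     "SeverityLabel": "HIGH", "RecordState": "ARCHIVED"},
    {"Id": "f-5", "AwsAccountId": "222222222222", "ProductName": "Security Hub",
     "ResourceType": "AwsIamAccessKey", "ResourceId": "AKIAEXAMPLEKEY000001",
     "ComplianceStatus": "FAILED", "SeverityLabel": "CRITICAL",
     "RecordState": "ACTIVE"},
]


def _attribute_matches(finding, attr, wanted):
    """True when the finding's attribute equals (or, for list-valued attributes
    such as ResourceAwsEc2InstanceIpV4Addresses, contains) one wanted value."""
    value = finding.get(attr)
    if isinstance(value, list):
        return any(v in wanted for v in value)
    return value in wanted


def matches(finding, filters):
    """Apply a list of (attribute, value) filters with the console's semantics:
    values for the same attribute are OR'ed, different attributes are AND'ed."""
    wanted_by_attr = {}
    for attr, value in filters:
        wanted_by_attr.setdefault(attr, set()).add(value)
    return all(_attribute_matches(finding, attr, wanted)
               for attr, wanted in wanted_by_attr.items())


def query_findings(findings, filters=(("RecordState", "ACTIVE"),)):
    """The Findings page view: by default only ACTIVE findings are listed."""
    return [f for f in findings if matches(f, filters)]


def insight(findings, group_by, filters=()):
    """Evaluate an insight: count matching findings per value of the single
    Group by aggregator, highest count first (list-valued attributes count
    once per distinct value)."""
    if group_by not in GROUP_BY_ATTRIBUTES:
        raise ValueError(f"{group_by!r} cannot be used as the Group by aggregator")
    counts = Counter()
    for f in findings:
        if not matches(f, filters) or group_by not in f:
            continue
        value = f[group_by]
        counts.update(value if isinstance(value, list) else [value])
    return dict(counts.most_common())


if __name__ == "__main__":
    # "AWS resources with the most findings" over the active findings only.
    print(insight(FINDINGS, "ResourceId", [("RecordState", "ACTIVE")]))
    # HIGH or CRITICAL (OR on SeverityLabel) AND ACTIVE, grouped by account.
    print(insight(FINDINGS, "AwsAccountId",
                  [("SeverityLabel", "HIGH"), ("SeverityLabel", "CRITICAL"),
                   ("RecordState", "ACTIVE")]))
```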

AWS Security Finding Format

Currently, Security Hub is in Preview release.

Security Hub consumes, aggregates, organizes, and prioritizes findings from AWS security services and also from the integrated partner providers' solutions. Security Hub ingests these findings using a standard findings format called AWS Security Finding, thus eliminating the need for time-consuming data conversion efforts. It then correlates ingested findings across providers to prioritize the most important ones.

Topics
AWS Security Finding Format JSON Syntax (p. 24)
AWS Security Finding Format Attributes (p. 26)
AWS Security Finding - Type Taxonomy (p. 39)

AWS Security Finding Format JSON Syntax

The following is the syntax of the complete finding JSON presented in the AWS Security Finding format:

{
  "Findings": [
    {
      "AwsAccountId": "string",
      "Compliance": {
        "Status": "string"
      },
      "Confidence": number,
      "CreatedAt": "string",
      "Criticality": number,
      "Description": "string",
      "FirstObservedAt": "string",
      "GeneratorId": "string",
      "Id": "string",
      "LastObservedAt": "string",
      "Malware": [
        {
          "Name": "string",
          "Path": "string",
          "State": "string",
          "Type": "string"
        }
      ],
      "Network": {
        "DestinationDomain": "string",
        "DestinationIpV4": "string",
        "DestinationIpV6": "string",
        "DestinationPort": number,
        "Direction": "string",
        "Protocol": "string",
        "SourceDomain": "string",
        "SourceIpV4": "string",
        "SourceIpV6": "string",
        "SourceMac": "string",
        "SourcePort": number
      },
      "Note": {
        "Text": "string",
        "UpdatedAt": "string",
        "UpdatedBy": "string"
      },
      "Process": {
        "LaunchedAt": "string",
        "Name": "string",
        "ParentPid": number,
        "Path": "string",
        "Pid": number,
        "TerminatedAt": "string"
      },
      "ProductArn": "string",
      "ProductFields": {
        "string": "string"
      },
      "RecordState": "string",
      "RelatedFindings": [
        {
          "Id": "string",
          "ProductArn": "string"
        }
      ],
      "Remediation": {
        "Recommendation": {
          "Text": "string",
          "Url": "string"
        }
      },
      "Resources": [
        {
          "Details": {
            "AwsEc2Instance": {
              "IamInstanceProfileArn": "string",
              "ImageId": "string",
              "IpV4Addresses": [ "string" ],
              "IpV6Addresses": [ "string" ],
              "KeyName": "string",
              "LaunchedAt": "string",
              "SubnetId": "string",
              "Type": "string",
              "VpcId": "string"
            },
            "AwsIamAccessKey": {
              "CreatedAt": "string",
              "Status": "string",
              "UserName": "string"
            },
            "AwsS3Bucket": {
              "OwnerId": "string",
              "OwnerName": "string"
            },
            "Container": {
              "ImageId": "string",
              "ImageName": "string",
              "LaunchedAt": "string",
              "Name": "string"
            },
            "Other": {
              "string": "string"
            }
          },
          "Id": "string",
          "Partition": "string",
          "Region": "string",
          "Tags": {
            "string": "string"
          },
          "Type": "string"
        }
      ],
      "SchemaVersion": "string",
      "Severity": {
        "Normalized": number,
        "Product": number
      },
      "SourceUrl": "string",
      "ThreatIntelIndicators": [
        {
          "Category": "string",
          "LastObservedAt": "string",
          "Source": "string",
          "SourceUrl": "string",
          "Type": "string",
          "Value": "string"
        }
      ],
      "Title": "string",
      "Types": [ "string" ],
      "UpdatedAt": "string",
      "UserDefinedFields": {
        "string": "string"
      },
      "VerificationState": "string",
      "WorkflowState": "string"
    }
  ]
}

AWS Security Finding Format Attributes

The following table provides descriptions and examples for the AWS Security Finding format attributes. Each entry gives the attribute name, whether it is required, whether it is updatable, its description, and an example.

AwsAccountId
   Required: Yes
   Updatable: No
   The AWS account ID in which a finding is generated.
   "AwsAccountId": " "

Compliance
   Required: No
   Updatable: Yes
   Exclusive to findings that are generated as the result of a ch Foundations). Contains compliance-related finding details.
   "Compliance": { "Status": "PASSED" }

Compliance.Status
   Required: No
   Updatable: Yes
   Indicates the result of a compliance check. Allowed values are:
   PASSED: All resources that were checked evaluated in c
   WARNING: There is configuration information that nee
   FAILED: All resources that were checked failed the chec
   NOT_AVAILABLE: The check could not be performed d
   "Status": "PASSED"

Confidence
   Required: No
   Updatable: Yes
   A finding's confidence. Confidence is defined as the likelihoo identify. Confidence is scored on a basis using a ratio
   "Confidence": 42

CreatedAt
   Required: Yes
   Updatable: No
   An ISO8601-formatted timestamp that indicates when the p provider.
   "CreatedAt": " T13:22:13.933Z"

Criticality
   Required: No
   Updatable: Yes
   The level of importance assigned to the resources associated score of 100 is reserved for the most critical resources.
   "Criticality": 99

Description
   Required: Yes
   Updatable: Yes
   A finding's description.
   "Description": "The version of openssl found on in

FirstObservedAt
   Required: No
   Updatable: Yes
   An ISO8601-formatted timestamp that indicates when the p provider.
   "FirstObservedAt": " T13:22:13.933Z"
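The following is an added example, not code from this guide or from AWS, that builds a finding in this format, checks the constraints the attribute table states (required attributes, ISO8601 timestamps, the 0-100 scales, the Compliance.Status values) and wraps it in the "Findings" envelope shown in the JSON syntax above. The full required-attribute list and the SchemaVersion value are assumptions taken from the published ASFF schema, and every account ID, ARN and generator ID is a placeholder.

```python
"""Construct and sanity-check a finding in the AWS Security Finding format.

Added example, not code from the AWS Security Hub User Guide. The required
attribute list and schema version are assumptions taken from the published ASFF
schema (the guide's table here shows only its first rows); account ID, product
ARN, generator ID and resource ARN values are constructed placeholders.
"""
import re
from datetime import datetime, timezone

# Assumed required top-level attributes (the guide marks AwsAccountId, CreatedAt
# and Description as required; the remainder follow the ASFF schema).
REQUIRED = ("AwsAccountId", "CreatedAt", "Description", "GeneratorId", "Id",
            "ProductArn", "Resources", "SchemaVersion", "Severity", "Title",
            "Types", "UpdatedAt")
SCHEMA_VERSION = "2018-10-08"  # assumed ASFF schema version string
COMPLIANCE_STATUS = {"PASSED", "WARNING", "FAILED", "NOT_AVAILABLE"}
RECORD_STATE = {"ACTIVE", "ARCHIVED"}
TIMESTAMPS = ("CreatedAt", "UpdatedAt", "FirstObservedAt", "LastObservedAt")
# ISO8601 in the form the guide's examples use: 2018-11-01T13:22:13.933Z
ISO8601 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,3})?Z$")
SAMPLE_TIME = datetime(2018, 11, 1, 13, 22, 13, 933000, tzinfo=timezone.utc)


def timestamp(dt=None):
    """Format a UTC datetime as ISO8601 with millisecond precision and Z suffix."""
    dt = dt or datetime.now(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def _in_range(value):  # Severity.Normalized, Confidence, Criticality: 0-100
    return isinstance(value, (int, float)) and 0 <= value <= 100


def build_finding(account_id, product_arn, generator_id, resource, title,
                  description, normalized, types, compliance_status=None,
                  now=None):
    """Assemble a minimal ASFF finding for one resource as a plain dict.

    `resource` needs at least "Id" and "Type" (for example AwsEc2Instance). The
    finding Id is derived from the generator and the resource so that reporting
    the same issue again updates the finding instead of duplicating it.
    """
    ts = timestamp(now)
    finding = {
        "SchemaVersion": SCHEMA_VERSION,
        "Id": f"{generator_id}/{resource['Id']}",
        "ProductArn": product_arn,
        "GeneratorId": generator_id,
        "AwsAccountId": account_id,
        "Types": list(types),
        "CreatedAt": ts,
        "UpdatedAt": ts,
        "Severity": {"Normalized": normalized, "Product": normalized},
        "Title": title,
        "Description": description,
        "Resources": [dict(resource, Partition="aws")],
        "RecordState": "ACTIVE",
    }
    if compliance_status is not None:
        finding["Compliance"] = {"Status": compliance_status}
    return finding


def validate(finding):
    """Return the problems found; an empty list means the finding is well-formed."""
    problems = [f"missing required attribute {k}" for k in REQUIRED if k not in finding]
    for k in TIMESTAMPS:
        if k in finding and not ISO8601.match(str(finding[k])):
            problems.append(f"{k} is not an ISO8601 timestamp")
    severity = finding.get("Severity")
    if not isinstance(severity, dict) or not _in_range(severity.get("Normalized")):
        problems.append("Severity.Normalized must be a number from 0 to 100")
    for k in ("Confidence", "Criticality"):
        if k in finding and not _in_range(finding[k]):
            problems.append(f"{k} must be a number from 0 to 100")
    status = (finding.get("Compliance") or {}).get("Status")
    if status is not None and status not in COMPLIANCE_STATUS:
        problems.append(f"Compliance.Status {status!r} is not an allowed value")
    if finding.get("RecordState", "ACTIVE") not in RECORD_STATE:
        problems.append("RecordState must be ACTIVE or ARCHIVED")
    resources = finding.get("Resources") or []
    if not resources:
        problems.append("Resources must list at least one resource")
    for i, r in enumerate(resources):
        if not isinstance(r, dict) or not {"Id", "Type"} <= set(r):
            problems.append(f"Resources[{i}] needs both Id and Type")
    if not finding.get("Types"):
        problems.append("Types must contain at least one type string")
    return problems


def batch_import_payload(findings):
    """Wrap findings in the {"Findings": [...]} envelope the guide's syntax shows,
    refusing the whole batch when any finding fails validation."""
    bad = {f.get("Id"): validate(f) for f in findings if validate(f)}
    if bad:
        raise ValueError(f"malformed findings: {bad}")
    return {"Findings": list(findings)}
```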


Monitoring AWS VPCs with Flow Logs Monitoring AWS VPCs with Flow Logs Introduction VPC Flow Logs capture and record data about the IP traffic going to, coming from, and moving across your VPC. These records are used to drive the Stealthwatch

More information

Configuring AWS IAM Authentication for Informatica Cloud Amazon Redshift Connector

Configuring AWS IAM Authentication for Informatica Cloud Amazon Redshift Connector Configuring AWS IAM Authentication for Informatica Cloud Amazon Redshift Connector Copyright Informatica LLC 2015, 2017. Informatica, the Informatica logo, and Informatica Cloud are trademarks or registered

More information

Standardized Architecture for NIST High-Impact Controls on the AWS Cloud Featuring Trend Micro Deep Security

Standardized Architecture for NIST High-Impact Controls on the AWS Cloud Featuring Trend Micro Deep Security AWS Enterprise Accelerator Compliance Standardized Architecture for NIST High-Impact Controls on the AWS Cloud Featuring Trend Micro Deep Security Quick Start Reference Deployment AWS Professional Services

More information

McAfee Cloud Workload Security Suite Amazon Machine Image Installation Guide

McAfee Cloud Workload Security Suite Amazon Machine Image Installation Guide McAfee Cloud Workload Security Suite Amazon Machine Image Installation Guide COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator,

More information

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme LHC2384BU VMware Cloud on AWS A Technical Deep Dive Ray Budavari @rbudavari Frank Denneman - @frankdenneman #VMworld #LHC2384BU Disclaimer This presentation may contain product features that are currently

More information

Additional Security Services on AWS

Additional Security Services on AWS Additional Security Services on AWS Bertram Dorn Specialized Solutions Architect Security / Compliance / DataProtection AWS EMEA The Landscape The Paths Application Data Path Path Cloud Managed by Customer

More information

Amazon WorkMail. User Guide Version 1.0

Amazon WorkMail. User Guide Version 1.0 Amazon WorkMail User Guide Amazon WorkMail: User Guide Copyright 2018 Amazon Web Services, Inc. and/or its affiliates. All rights reserved. Amazon's trademarks and trade dress may not be used in connection

More information

Amazon AppStream 2.0: SOLIDWORKS Deployment Guide

Amazon AppStream 2.0: SOLIDWORKS Deployment Guide 2018 Amazon AppStream 2.0: SOLIDWORKS Deployment Guide Build an Amazon AppStream 2.0 environment to stream SOLIDWORKS to your users June 2018 https://aws.amazon.com/appstream2/ 1 Welcome This guide describes

More information

AWS Elemental MediaConvert. User Guide

AWS Elemental MediaConvert. User Guide AWS Elemental MediaConvert User Guide AWS Elemental MediaConvert: User Guide Copyright 2018 Amazon Web Services, Inc. and/or its affiliates. All rights reserved. Amazon's trademarks and trade dress may

More information

AppGate for AWS Step-by-Step Setup Guide. Last revised April 28, 2017

AppGate for AWS Step-by-Step Setup Guide. Last revised April 28, 2017 AppGate for AWS Step-by-Step Setup Guide Last revised April 28, 2017 Contents Welcome & Overview... 2 Getting Started... 3 Pre-Requisites... 4 But what about Security Groups?... 5 Browser Compatibility:...

More information

Amazon AppStream 2.0: Getting Started Guide

Amazon AppStream 2.0: Getting Started Guide 2018 Amazon AppStream 2.0: Getting Started Guide Build an Amazon AppStream 2.0 environment to stream desktop applications to your users April 2018 https://aws.amazon.com/appstream2/ 1 Welcome This guide

More information

Qualys CloudView v1.x

Qualys CloudView v1.x Qualys CloudView v1.x Version 1.6 September 18, 2018 Here s what s new in Qualys CloudView 1.6! Download Datalist in CSV Format Connector Creation: External ID now Editable Customize Dashboards and Widgets

More information

SignalFx Platform: Security and Compliance MARZENA FULLER. Chief Security Officer

SignalFx Platform: Security and Compliance MARZENA FULLER. Chief Security Officer SignalFx Platform: Security and Compliance MARZENA FULLER Chief Security Officer SignalFx Platform: Security and Compliance INTRODUCTION COMPLIANCE PROGRAM GENERAL DATA PROTECTION DATA SECURITY Data types

More information

SelectSurvey.NET AWS (Amazon Web Service) Integration

SelectSurvey.NET AWS (Amazon Web Service) Integration SelectSurvey.NET AWS (Amazon Web Service) Integration Written for V4.146.000 10/2015 Page 1 of 24 SelectSurvey.NET AWS Integration This document is a guide to deploy SelectSurvey.NET into AWS Amazon Web

More information

Cloudera s Enterprise Data Hub on the Amazon Web Services Cloud: Quick Start Reference Deployment October 2014

Cloudera s Enterprise Data Hub on the Amazon Web Services Cloud: Quick Start Reference Deployment October 2014 Cloudera s Enterprise Data Hub on the Amazon Web Services Cloud: Quick Start Reference Deployment October 2014 Karthik Krishnan Page 1 of 20 Table of Contents Table of Contents... 2 Abstract... 3 What

More information

BERLIN. 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved

BERLIN. 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved BERLIN 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved Building Multi-Region Applications Jan Metzner, Solutions Architect Brian Wagner, Solutions Architect 2015, Amazon Web Services,

More information

Adopting Modern Practices for Improved Cloud Security. Cox Automotive - Enterprise Risk & Security

Adopting Modern Practices for Improved Cloud Security. Cox Automotive - Enterprise Risk & Security Adopting Modern Practices for Improved Cloud Security Cox Automotive - Enterprise Risk & Security 1 About Cox Automotive Cox Automotive is a leading provider of products and services that span the automotive

More information

CPM. Quick Start Guide V2.4.0

CPM. Quick Start Guide V2.4.0 CPM Quick Start Guide V2.4.0 1 Content 1 Introduction... 3 Launching the instance... 3 CloudFormation... 3 CPM Server Instance Connectivity... 3 2 CPM Server Instance Configuration... 4 CPM Server Configuration...

More information

Amazon Web Services. Foundational Services for Research Computing. April Mike Kuentz, WWPS Solutions Architect

Amazon Web Services. Foundational Services for Research Computing. April Mike Kuentz, WWPS Solutions Architect Amazon Web Services Foundational Services for Research Computing Mike Kuentz, WWPS Solutions Architect April 2017 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Global Infrastructure

More information

AWS CloudHSM. User Guide

AWS CloudHSM. User Guide AWS CloudHSM User Guide AWS CloudHSM: User Guide Copyright 2018 Amazon Web Services, Inc. and/or its affiliates. All rights reserved. Amazon's trademarks and trade dress may not be used in connection with

More information

Monitoring Serverless Architectures in AWS

Monitoring Serverless Architectures in AWS Monitoring Serverless Architectures in AWS The introduction of serverless architectures is a positive development from a security perspective. Splitting up services into single-purpose functions with well-defined

More information

AWS Service Catalog. Administrator Guide

AWS Service Catalog. Administrator Guide AWS Service Catalog Administrator Guide AWS Service Catalog: Administrator Guide Copyright 2018 Amazon Web Services, Inc. and/or its affiliates. All rights reserved. Amazon's trademarks and trade dress

More information

Streamline AWS Security Incidents

Streamline AWS Security Incidents IMF 2018 Streamline AWS Security Incidents Asif Matadar @d1r4c #whoami Director of Endpoint Detection & Response (EDR), EMEA at Tanium Seasoned Incident Response professional with over 7 years experience

More information

IoT Device Simulator

IoT Device Simulator IoT Device Simulator AWS Implementation Guide Sean Senior May 2018 Copyright (c) 2018 by Amazon.com, Inc. or its affiliates. IoT Device Simulator is licensed under the terms of the Amazon Software License

More information

Amazon Simple Storage Service. Developer Guide API Version

Amazon Simple Storage Service. Developer Guide API Version Amazon Simple Storage Service Developer Guide Amazon Web Services, LLC Amazon Simple Storage Service: Developer Guide Amazon Web Services, LLC Copyright 2012 Amazon Web Services LLC or its affiliates.

More information

ALIENVAULT USM FOR AWS SOLUTION GUIDE

ALIENVAULT USM FOR AWS SOLUTION GUIDE ALIENVAULT USM FOR AWS SOLUTION GUIDE Summary AlienVault Unified Security Management (USM) for AWS is a unified security platform providing threat detection, incident response, and compliance management

More information

CloudView User Guide. June 8, 2018

CloudView User Guide. June 8, 2018 CloudView User Guide June 8, 2018 Copyright 2018 by Qualys, Inc. All Rights Reserved. Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks are the property of their

More information

VMware Cloud on AWS Getting Started. 18 DEC 2017 VMware Cloud on AWS

VMware Cloud on AWS Getting Started. 18 DEC 2017 VMware Cloud on AWS VMware Cloud on AWS Getting Started 18 DEC 2017 VMware Cloud on AWS You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about

More information

Transit VPC Deployment Using AWS CloudFormation Templates. White Paper

Transit VPC Deployment Using AWS CloudFormation Templates. White Paper Transit VPC Deployment Using AWS CloudFormation Templates White Paper Introduction Amazon Web Services(AWS) customers with globally distributed networks commonly need to securely exchange data between

More information

Amazon Redshift. Getting Started Guide API Version

Amazon Redshift. Getting Started Guide API Version Amazon Redshift Getting Started Guide Amazon Web Services Amazon Redshift: Getting Started Guide Amazon Web Services Copyright 2013 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

More information

Standardized Architecture for PCI DSS on the AWS Cloud

Standardized Architecture for PCI DSS on the AWS Cloud AWS Enterprise Accelerator Compliance Standardized Architecture for PCI DSS on the AWS Cloud Quick Start Reference Deployment AWS Professional Services AWS Quick Start Reference Team May 2016 (last update:

More information

Use AWS Config to Monitor License Compliance on Amazon EC2 Dedicated Hosts. April 2016

Use AWS Config to Monitor License Compliance on Amazon EC2 Dedicated Hosts. April 2016 Use AWS Config to Monitor License Compliance on Amazon EC2 Dedicated Hosts April 2016 2016, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document is provided for informational

More information

HashiCorp Vault on the AWS Cloud

HashiCorp Vault on the AWS Cloud HashiCorp Vault on the AWS Cloud Quick Start Reference Deployment November 2016 Last update: April 2017 (revisions) Cameron Stokes, HashiCorp, Inc. Tony Vattathil and Brandon Chavis, Amazon Web Services

More information

Simple Security for Startups. Mark Bate, AWS Solutions Architect

Simple Security for Startups. Mark Bate, AWS Solutions Architect BERLIN Simple Security for Startups Mark Bate, AWS Solutions Architect Agenda Our Security Compliance Your Security Account Management (the keys to the kingdom) Service Isolation Visibility and Auditing

More information

Cloud Computing /AWS Course Content

Cloud Computing /AWS Course Content Cloud Computing /AWS Course Content 1. Amazon VPC What is Amazon VPC? How to Get Started with Amazon VPC Create New VPC Launch an instance (Server) to use this VPC Security in Your VPC Networking in Your

More information

Amazon CloudWatch. Developer Guide API Version

Amazon CloudWatch. Developer Guide API Version Amazon CloudWatch Developer Guide Amazon CloudWatch: Developer Guide Copyright 2015 Amazon Web Services, Inc. and/or its affiliates. All rights reserved. The following are trademarks of Amazon Web Services,

More information

unisys Unisys Stealth(cloud) for Amazon Web Services Deployment Guide Release 2.0 May

unisys Unisys Stealth(cloud) for Amazon Web Services Deployment Guide Release 2.0 May unisys Unisys Stealth(cloud) for Amazon Web Services Deployment Guide Release 2.0 May 2016 8205 5658-002 NO WARRANTIES OF ANY NATURE ARE EXTENDED BY THIS DOCUMENT. Any product or related information described

More information

Protecting Your Data in AWS. 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Protecting Your Data in AWS. 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Protecting Your Data in AWS 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Encrypting Data in AWS AWS Key Management Service, CloudHSM and other options What to expect from this

More information

Introduction to Cloud Computing

Introduction to Cloud Computing You will learn how to: Build and deploy cloud applications and develop an effective implementation strategy Leverage cloud vendors Amazon EC2 and Amazon S3 Exploit Software as a Service (SaaS) to optimize

More information

Compare Security Analytics Solutions

Compare Security Analytics Solutions Compare Security Analytics Solutions Learn how Cisco Stealthwatch compares with other security analytics products. This solution scales easily, giving you visibility across the entire network. Stealthwatch

More information

RSA NetWitness Platform

RSA NetWitness Platform RSA NetWitness Platform AWS CloudTrail Last Modified: Tuesday, May 1, 2018 Event Source Product Information: Vendor: Amazon Web Services Event Source: AWS CloudTrail Versions: all RSA Product Information:

More information

AWS Security. Stephen E. Schmidt, Directeur de la Sécurité

AWS Security. Stephen E. Schmidt, Directeur de la Sécurité AWS Security Stephen E. Schmidt, Directeur de la Sécurité 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express

More information

AWS Tools for Microsoft Visual Studio Team Services: User Guide

AWS Tools for Microsoft Visual Studio Team Services: User Guide AWS Tools for Microsoft Visual Studio Team Services User Guide AWS Tools for Microsoft Visual Studio Team Services: User Guide Copyright 2018 Amazon Web Services, Inc. and/or its affiliates. All rights

More information

Informatica Big Data Management on the AWS Cloud

Informatica Big Data Management on the AWS Cloud Informatica Big Data Management on the AWS Cloud Quick Start Reference Deployment November 2016 Andrew McIntyre, Informatica Big Data Management Team Santiago Cardenas, AWS Quick Start Reference Team Contents

More information

AWS Elemental MediaPackage API Reference. API Reference

AWS Elemental MediaPackage API Reference. API Reference AWS Elemental MediaPackage API Reference API Reference API Reference: API Reference Copyright 2018 Amazon Web Services, Inc. and/or its affiliates. All rights reserved. Amazon's trademarks and trade dress

More information

Amazon Glacier. Developer Guide API Version

Amazon Glacier. Developer Guide API Version Amazon Glacier Developer Guide Amazon Glacier: Developer Guide Copyright 2018 Amazon Web Services, Inc. and/or its affiliates. All rights reserved. Amazon's trademarks and trade dress may not be used in

More information

Amazon Redshift. Getting Started Guide API Version

Amazon Redshift. Getting Started Guide API Version Amazon Redshift Getting Started Guide Amazon Redshift: Getting Started Guide Copyright 2018 Amazon Web Services, Inc. and/or its affiliates. All rights reserved. Amazon's trademarks and trade dress may not

More information

Introduction to Amazon Cloud & EC2 Overview

Introduction to Amazon Cloud & EC2 Overview Introduction to Amazon Cloud & EC2 Overview 2015 Amazon Web Services, Inc. and its affiliates. All rights served. May not be copied, modified, or distributed in whole or in part without the express consent

More information

Amazon S3 Glacier. Developer Guide API Version

Amazon S3 Glacier. Developer Guide API Version Amazon S3 Glacier Developer Guide Amazon S3 Glacier: Developer Guide Table of Contents What Is Amazon S3 Glacier?... 1 Are You a First-Time Glacier User?... 1 Data Model... 2 Vault... 2 Archive... 3 Job...

More information

DocAve Online 3. Release Notes

DocAve Online 3. Release Notes DocAve Online 3 Release Notes Service Pack 16, Cumulative Update 1 Issued May 2017 New Features and Improvements Added support for new storage regions in Amazon S3 type physical devices, including: US

More information

CogniFit Technical Security Details

CogniFit Technical Security Details Security Details CogniFit Technical Security Details CogniFit 2018 Table of Contents 1. Security 1.1 Servers........................ 3 1.2 Databases............................3 1.3 Network configuration......................

More information

Information Security Policy

Information Security Policy Information Security Policy Information Security is a top priority for Ardoq, and we also rely on the security policies and follow the best practices set forth by AWS. Procedures will continuously be updated

More information