AWS Security Hub
Learn how to get a comprehensive view of the security state of our AWS account using AWS Security Hub.
AWS Security Hub is a security service that provides a comprehensive view of the security state of our AWS account. It collects findings from our AWS accounts, from AWS security services, and from supported third-party products, and it runs automated checks against security standards such as AWS Foundational Security Best Practices (FSBP), the Payment Card Industry Data Security Standard (PCI DSS), and the CIS AWS Foundations Benchmark. Each finding carries a severity, which lets us prioritize what to fix first.
In addition to running its own checks, Security Hub ingests findings from other AWS services, such as Amazon Macie, Amazon Inspector, and Amazon GuardDuty, so we can review security issues from a single place. Every finding is also forwarded to Amazon EventBridge, where we can write rules that react to findings matching our criteria, and Security Hub's own automation rules can update findings automatically as they arrive.
Central configuration in Security Hub
AWS Security Hub allows us to set up and manage Security Hub across multiple AWS accounts and regions from a single delegated administrator account using central configuration. This spares us from enabling Security Hub and its standards account by account and region by region. To use central configuration, we need to integrate AWS Security Hub with AWS Organizations and choose a delegated administrator account.
Once central configuration is enabled, the delegated administrator creates configuration policies and associates them with accounts or organizational units. Each account in the organization is then one of the following:
Self-managed accounts: These accounts configure Security Hub themselves, choosing their own settings in each region.
Centrally managed accounts: These accounts receive their Security Hub settings from a configuration policy assigned by the delegated administrator and cannot change them locally.
How AWS Security Hub works
Security Hub gathers findings from multiple providers and normalizes them so that it is easier to gather insights from the data. The following are the main sources Security Hub gathers data from:
AWS services: Security Hub gathers findings from the security services we enable in our AWS account, such as Amazon Inspector, AWS Config, AWS Firewall Manager, AWS IoT Device Defender, etc.
Third-party services: Security Hub can be integrated with third-party products such as Aqua Security kube-bench, AttackIQ, Fugue, etc., to receive findings about our AWS account from those tools.
Findings generated by Security Hub itself from its own security checks, plus custom integrations that send findings through the BatchImportFindings API.
Security Hub takes the data it receives from the sources mentioned above and stores every finding in one standard structure, the AWS Security Finding Format (ASFF). The following are some of the fields available in a Security Hub finding:
Resources: The details of the resource (or resources) involved in the finding, such as its ID, type, and region.
Remediation: A recommendation, including a link to instructions on how to resolve the finding.
Vulnerabilities: Details of the vulnerabilities Amazon Inspector found in our account. This field is present only when Inspector is enabled and is the source of the finding.
Once a finding is generated, we can set its workflow status (NEW, NOTIFIED, SUPPRESSED, or RESOLVED) to track how we are handling it. For example, after we have fixed the underlying problem, we set the finding's status to RESOLVED. Security Hub also delivers findings to Amazon EventBridge, so we can write EventBridge rules that match findings on specific criteria and, for example, invoke a Lambda function to remediate the issue or notify the on-call team.
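The following Lambda handler is an added example, not code from the original page or from AWS. It shows the pieces the section describes working together: an EventBridge event pattern that matches only new HIGH and CRITICAL findings, a handler that reads the ASFF fields (Resources, Remediation) out of the event, and a BatchUpdateFindings call that moves the findings to the NOTIFIED workflow status. The sample event, finding IDs, ARNs and account number are constructed placeholders, the FakeSecurityHub class stands in for the boto3 client so the code runs offline, and the IAM permission securityhub:BatchUpdateFindings on the Lambda role is assumed.

```python
"""Triage Security Hub findings delivered through Amazon EventBridge.

Added example (not from the original page). Assumes this function is the
target of an EventBridge rule using event_pattern() and that its role holds
securityhub:BatchUpdateFindings. SAMPLE_EVENT below is constructed.
"""
import json

ACTIONABLE_SEVERITIES = {"HIGH", "CRITICAL"}
BATCH_LIMIT = 100  # BatchUpdateFindings accepts at most 100 identifiers per call
PRODUCT_ARN = "arn:aws:securityhub:us-east-1::product/aws/guardduty"  # placeholder


def event_pattern():
    """EventBridge rule pattern: only new, high/critical findings reach the Lambda."""
    return {
        "source": ["aws.securityhub"],
        "detail-type": ["Security Hub Findings - Imported"],
        "detail": {"findings": {
            "Severity": {"Label": sorted(ACTIONABLE_SEVERITIES)},
            "Workflow": {"Status": ["NEW"]},
        }},
    }


def select_findings(event):
    """Re-apply the rule's filter so the handler stays safe if the rule is loosened."""
    selected = []
    for finding in event.get("detail", {}).get("findings", []):
        severity = finding.get("Severity", {}).get("Label")
        status = finding.get("Workflow", {}).get("Status")
        if severity in ACTIONABLE_SEVERITIES and status == "NEW":
            selected.append(finding)
    return selected


def summarize(finding):
    """Flatten the ASFF fields an on-call engineer needs first."""
    remediation = finding.get("Remediation", {}).get("Recommendation", {})
    return {
        "id": finding["Id"],
        "title": finding.get("Title"),
        "severity": finding["Severity"]["Label"],
        "resources": [r.get("Id") for r in finding.get("Resources", [])],
        "remediation": remediation.get("Url"),
    }


def notify_findings(findings, securityhub, note="Ticket opened by triage Lambda"):
    """Set Workflow.Status=NOTIFIED via BatchUpdateFindings, chunked to the API limit."""
    identifiers = [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in findings]
    updated = 0
    for start in range(0, len(identifiers), BATCH_LIMIT):
        resp = securityhub.batch_update_findings(
            FindingIdentifiers=identifiers[start:start + BATCH_LIMIT],
            Workflow={"Status": "NOTIFIED"},
            Note={"Text": note, "UpdatedBy": "triage-lambda"},
        )
        updated += len(resp.get("ProcessedFindings", []))
        for failed in resp.get("UnprocessedFindings", []):  # partial failures are per finding
            print("not updated:", failed["FindingIdentifier"]["Id"], failed.get("ErrorMessage"))
    return updated


def handler(event, context=None, securityhub=None):
    """Lambda entry point; securityhub defaults to boto3 when not injected."""
    if securityhub is None:
        import boto3  # imported lazily so the module loads offline
        securityhub = boto3.client("securityhub")
    selected = select_findings(event)
    summaries = [summarize(f) for f in selected]
    for s in summaries:
        print(json.dumps(s))  # stand-in for paging or ticketing
    updated = notify_findings(selected, securityhub) if selected else 0
    return {"selected": len(selected), "updated": updated, "summaries": summaries}


class FakeSecurityHub:
    """Offline stand-in for boto3's securityhub client; records every call."""
    def __init__(self):
        self.calls = []

    def batch_update_findings(self, **kwargs):
        self.calls.append(kwargs)
        return {"ProcessedFindings": kwargs["FindingIdentifiers"], "UnprocessedFindings": []}


def _finding(fid, severity, status, **extra):
    base = {"Id": fid, "ProductArn": PRODUCT_ARN, "Severity": {"Label": severity},
            "Workflow": {"Status": status}}
    return {**base, **extra}


# Constructed EventBridge event: one actionable finding, one too low, one already resolved.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        _finding("finding-0001", "CRITICAL", "NEW", Title="Credentials exfiltrated (constructed)",
                 Resources=[{"Type": "AwsIamAccessKey", "Id": "AKIAEXAMPLE0000000000"}],
                 Remediation={"Recommendation": {"Url": "https://example.com/runbook"}}),
        _finding("finding-0002", "LOW", "NEW", Title="Informational (constructed)"),
        _finding("finding-0003", "HIGH", "RESOLVED", Title="Already handled (constructed)"),
    ]},
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, securityhub=FakeSecurityHub()))
```

The handler filters a second time even though the rule pattern already restricts delivery: EventBridge rules are edited independently of the Lambda, and a defensive check keeps a broadened rule from silently marking low-severity or already-resolved findings as NOTIFIED. Chunking at 100 identifiers matters when a standard is first enabled, because a single import can deliver far more findings than one BatchUpdateFindings call accepts.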
Benefits
Following are some of the benefits of using AWS Security Hub:
Automatic security checks: Security Hub continuously runs security checks based on AWS best practices and industry standards across our AWS accounts and points us to the accounts and resources that require immediate attention.
Collecting findings: Security Hub reduces the effort required to collect findings from different AWS services, such as Macie and Inspector, by compiling them into a single standard format (ASFF).
Automated updates: Security Hub allows us to create automation rules that modify or update findings that match specific criteria, for example by raising severity or suppressing known-accepted findings.
Automated remediation: Security Hub is integrated with Amazon EventBridge, which lets us automate the response to the issues Security Hub finds.